Slashdot Mirror
Finding MD5 Collisions With Chinese Lottery
Stanislav Shalunov writes "Jean-Luc Cooke posted a Usenet article describing a distributed webpage-based effort (Chinese Lottery) to find a collision in the MD5 function. All you need to do to participate in the effort is visit the URL that loads the code. The author comments: 'What is interesting about this approach - when we reach final release stage - is that any website that adds this small snippet of code to their pages will have their visitors working on the problem for the duration of their visit to the site'."
From the link:
;)
You run an Applet, it reports to us the search results. Distributed computing without installing anything...and without people knowing you're stealing their idle CPU time.
I don't know about you but I wouldn't lean out the window with the fact that I'm stealing from others.
Idle CPU time might be unused but I still want to know what my box is doing and why.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Perhaps we could tie this to some sort of micropayment system. You come do distributed work on my website, and you get to view it. Some third party pays me for the cycles, and I have a new revenue stream!
Last time I looked into this, which was several years ago, there were no known different strings which had the same MD5 hash. I thought this was remarkable. Are there any known ones today?
Or any other movie that makes heavy use of CG. While fans are visiting the fan site, they'll be helping to produce the sequel.
Might be cheaper than render farms.
Dude. Spelling. Runon sentences. Work on them. You deserve to appear smarter than you do.
Just embed the applet into your HTML, view the source of that page - you'll get it.
That's a really interesting way of doing it. For the people who don't know, here's a quick explanation:
Java Applets, because of the sandbox they're run in, can't open up a network connection to any website, except for the websie they came from. Presumably, what they're doing is creating a small Java applet, that when loaded, executes some logic, then opens up a network connection back home and sends the results.
Fascinating. This way, you don't have to bother installing something and hope it doesn't fsck up your computer. It might be slightly less efficient than a dedicated, installed program, but this way, they can harness the power of a computer just casually browsing a web page. Very innovative.
Imagine a Beowolf cluster of these things... It would be the same as if Slashdot put the applet in the header or something - all of us geeks computing stuff for free... That would be a lot of computing, I think a couple people visit slashdot daily!
Make sure to take out the warning message "ok fine then, you don't want cookies..." that pops up when you disallow it yer cookies (buy yer own thx!). This was surely a debug message, it's not useful anymore ;)
Fragements too?
First thing it does when the applet loaded was to bitch at me for not accepting cookies. Just like my wife.
It's an applet, applets run on the clients computer and not on the server.
I respect the effort and ingenuity, but the rationale that "hey, we're helping solve a problem" somehow justifies stealing someone else's resources... it's just wrong.
Be upfront with people - tell them why it's so important, what can be accomplished with it, and what it does. You'd be surprised - people might help out of *gasp* the goodness of their own hearts. A good example might be SETI, etc.
if your server wants to implement any extra complication and/or CPU, you're doing something wrong.
The work is done by the clients, genius. A java applet is downloaded to their client and it does some computation.
It certainly isn't using very many cpu cycles, the OS reports that my webbrowser is using less than 1% of the available cpu power
put the snippet on slashdot.org. The collisions should all be found within an hour.
Yep, I never spell check.
More incorrect spellings can be found he
This doesn't do anything on servers. He's referring to websites putting a link to a java appplet in their pages. This applet does computations on the client side.
Interesting idea, but most distributed computing tasks that run in the background run at low priority. Since this is running inside your browser (more or less) it will run at the priority of the browser. Unless your browser is running at low priority then this process will push all the lower priority processes out of process cycles.
This could prevent contact with ET!
"Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
It's about time that the monster (us) is used for good and not evil.
Oooh! I thought of another way...
Just Click here.
-P
The applet refers to the project's server, not your web server. I don't think they are asking you to host the data collection part, but rather just have your pages load the applet from their servers.
Your signatures belong to me.
I nearly got suspended from school because I installed seti@home on all the machines. With this, I can still maintain my EVIL distributed computing campaign, and do it without them knowing!
And why did you staple the trout to the RAM?
Actually applets are not allowed to open an internet connection to anywhere except where they came from so the data collection server must also be the web server.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
Is this applet crashing anyone else's browser?
Read, you fucking moron.
but rather just have your pages load the applet from their servers
Dude. I'm assuming you meant run-on, in which case you have a sentence consisting of two nouns and nothing else. Apparently your judgment of smartness is authoritative.
"What? No, honey, I was just visiting www.babe-licious.org to, umm. Help with the, er, research! Research on MD5 collisions! Yeah!"
Freedom isn't free; its price is the well-being of others.
Here's the code:
:P
.html files through PHP, 'cause he's got a PHP header that isn't being sent - oh yeah and better html please.
<!-- try IFRAME, else use LAYER -->
<IFRAME SRC="http://www.jlcooke.ca/psearch/dmd5l.html" SCROLLING="NO" FRAMEBORDER="0" WIDTH="100" HEIGHT="32">
<LAYER SRC="http://www.jlcooke.ca/psearch/dmd5l.html" WIDTH="100" HEIGHT="32" CLIP="0,0,100,32"></LAYER>
</IFRAME>
It' s making an iframe that loads the applet, and just does its own thing - by loading in the iframe it can call back to their host, rather than yours
Someone should let him know that he needs to make his server parse
Let's put the research effort asside here and thing about the underlying concept here... basically, this is a distributed computing app being buried within webpages. Could commercial interests use this concept to get access to computing resources from their web users without telling them?
Won't this Java Applet only execute while you are at the page in which has the applet? I notice in Windows that the Java taskbar icon appears when I go to the website and stays there until I "close" the window...
How long will the applet execute since I doubt it will execute after you close the browser window or leave the website?
1. Create very small website with CPU draining applet and post a link to said website to Slashdot.
2. ??
3. Profit!
What's this Dotslash you talk about?
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Oh, I understand now.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
I believe the term was parasitic computing. Ideally the web master makes visitors aware to what's going on. You're using visitors' computing power to accomplish a neat sort of distributed computing. Great idea, if you're not just stealing resources
As someone who intentionally runs a low-performance box as a primary system (VIA Epia 533) I'd be pretty unhappy with some snarfing up a few cycles. Junked-up web sites with flash and excessive java/javascript are REALLY noticable when you're browsing at the low end of the power curve.
I run a cpu monitor in the background and when a site wants to run one of the more annoying classes of advertisements, utilization usually pegs... I can't imagine what something that intentionally sucked cycles would do.
cross domain cookies get rejected by lots of people, and is going to be the default behavior under xp sp2 and 2k3. I'll accept a cookie from the site I am trying to use, but 3rd party folks better stand down, either provide a service for that info or some money, its what everyone wants from me these days. $$$'s for a long distance land line service I have never used but can't avoid, number portability for a cell # that I don't publish and never plan on taking anywhere with me...surcharges for handling and processing and restocking fees. I am bloody fed up with it, either give me somthing for my money, or STEP OFF JACKSON...
:)
whew I feel better...Happy New Year all, be safe and have fun
errr....umm...*whooosh* *whoosh* Is this thing on ?
Yeah, but do we all run Java enabled browsers? (lynx, links, etc)
..and I have dialup.
I'm running No-Java-Opera right now:because the java enabled opera was 11 more megs..
Point is, geeky as we are, we're probably all expirementing with stuff.
NOT LIKE THAT YOU PERVERTS!!/
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
Newbie here. I searched around for "md5" and "collision", but only found sites that seemed to already understand what a collision is. Well, can someone explain what an md5 collision is? I'd like to continue reading the article....
Is it simply that, since the hashing is a reduction operation, that multiple (different) messages can have the same hash? If so, then can someone explain the utility of searching for such things?...I'm afraid I can't see the dark implications of such a functionality. Thanks in advance.
It's an applet, applets run on the clients computer and not on the server.
It takes bandwidth to collect the results of the applets' work, and time on the same or a different server to record/process/log those results.
There are 1.1... kinds of people.
Dude. Do you want to know the tax on your server? 3 lines of simple HTML. That doesn't sound like much of an extra complication, or CPU usage. Even the tiny applet is loaded off Their Server, meaning you do nearly no work to help these guys. You can debate the ethics, sure, but saying this is a mistake because of server issues is wrong.
SAILING MISHAP
The extra 'R' you put in 'moron' slowed me down too, ya idiot.
..some. You use bandwidth for data throughput, you have the CPU usage..
All on the server side. Yes, the clients are the ones doing the Real Work, but you have to do something with the result of that work. And its the Doing that taxes your servers, if only a little bit.
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
This "Anonymous Coward" guy is always looking for a fight.
Back in the day when in my office we were having a competition to process as many rc5 keys for distributed.net we used to do almost anything to get a higher key processing rate. We would kick back late after work and install the rc5 client as a Windows NT service on all the machines of people who would never know better.
At the time I did seriously consider the distributed processing via a web page approach, either in flash (actionscript can whir away on problems while displaying some whizzy graphic to keep visitors entertained), or java, but thought that it was a little unethical to use up random peoples CPU time (the people in the office were fair game in our rc5 war, the general public were not).
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
OK, so an evil webmister makes a pop-under containing this kind of code and puts it up when you visit his porn site (optionally by mistyping "google" in your address bar.)
Heck, (google|SlashDot|your legitimate business) just has a tiny inset on their page: "This box is using your spare CPU cycles to help us pay for this site or service. Subscribers do not see this box. Click here to subscribe."
It could work.
In the popunder case it is vile and abusive. In the legitimite and well advertised case it is totally fair.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
It's really too early for Slashdot readers to try to run that code. As the usenet post said, it's alpha test. I'd actually call it pre-alpha. The usenet sci.crypt discussion is about ways to change the design so it can be hosted on multiple sites at the same time. Really, it would have been a lot better to wait for the author to make an announcement, before linking an ongoing discussion about a work in progress to the front page of Slashdot as if the code was ready for prime time. Ow!
Ummmm. Well, with M$ dumping their java thingy, and all and sundry having to use Sun's (good jog to!), sounds a great way to get XP's (you don't use that, do you?) Bruce Green of Death.
I read a whitepaper about it a few years back. Some smart guys had constructed a class of messages where some bits where irrelevant.
FRA: STFU GTFO
Oh shut the f*ck up, troll.
Might want to check your webpage, man. The index file is missing, and among the directory listing is at least one file which reveals your MySQL password.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
With this being posted here someone with more knowledge of java than me is going to have the idea to give back false results. That is the reason for an install, to give the project mamgers control.
I bet that sometime son they are going to be finding lots of collisions, all results from the same IP.
Hope they have some sort of filter.
md5sum
d41d8cd98f00b204e9800998ecf8427e
It crashes Safari. Now, admittedly, I don't know whether this is a Safari bug, a Java bug, a bug in the applet, or some combination thereof, but here's what happens to me:
I load the thing in its own tab, have a look, look at the neat code that loads an IFRAME, etc. Ho-hum, nice idea, let's see where it goes, cmd-W to close the tab. Whups! The entire browser window closed, including all the tabs which I hadn't got around to checking yet! Safari is still running in the foreground, but I just lost its window.
Anyone interested enough to debug this? I'm not =P
political_news.c: warning: comparison is always true due to limited range of data type
Not that I mind technology, and new tricks.
But the last thing I want to see is every website hogging my CPU. Either selling computing power of their web visitors for profit, or using it for themselves.
Imagine the next series of Spyware Trojans... rather than spy, they harness your CPU and sell the power. All without the knowlege of the computer owner.
Interesting business model, but not something I want to see. I like my CPU. Note the word "my".
So what would finding a collision really mean that we don't already know? There's an infinite number of strings, and a finite number of hashes, so obviously collisions exist. It's just horribly inconvenient to go out and find a good one for the purpose of forgery.
Stop the Slashdot effect! Don't read the articles!
This is just ONE MORE REASON YOU SHOULD DISABLE JAVASCRIPT.
.sig (WARNING: Sig link is not FRIGGIN SAFE for work, home, or anywhere else).
Why is it when I say this stuff, nobody believes me?
If that's not enough, check-out my
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
...has it become acceptable to use anyones computing resources without their knowledge and consent?
From where I come, this would be at least considered theft. It's stealing power (electricity) that you pay for, CPU cycles and RAM you might have other use for. It's using your resources that you pay for.
It's premeditated - not some action of a whim. It's also targeted at any and all passers by - like if you just happened to stroll by a store they were all of a sudden stripping your credit card of "just small amounts" using some yet unknown method for scanning your card from a distance without neither your knowledge nor consent.
Where I come from, such crimes can, and would, put people in jail.
If I remember correctly, a Java applet by default can only ommunicate with the originating server.
"I use a Mac because I'm just better than you are."
I'd like to see the next poll: Did you click on the link to run unknown code recently posted on Slashdot? * Yes, I'm a moron * Yes, but I audited it first * Yes, but I did it from enemy's computer * Yes, and I did it proudly from work, who knows how many security policies I broke, and who cares. * I click on EVERYTHING! * Nope
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
is a good thing.
Most people who browse websites are quite simply unaware that their computer even contains a concept called Idle CPU Cycles, or that there is any way to get a CPU % reading from their computer. Besides, not everyone is so miserly with their CPU time. Most users also have a short attention span.
If the user, whose browser visits such a website that opens up a number crunching applet, notices that their whole computer just became slower, then they'll leave the website. And the applet will be alive for less time. Therefore successful applet projects that are accepted and deployed by various webmasters, which want to obtain the most results would make sure that the applet is as unobtrusive as possible. Otherwise the user will browse away from the page (and or close the browser window all together), and the applet's lifespan will be short.
At 24 frames per second.
No kidding; some of this stuff weighs in that heavily. This was before fibre channel too.
Think Balrog scenes done with particle simulations... (it didn't last).
In the free world the media isn't government run; the government is media run.
after reading the entire Usenet thread
Domain gogole.com? Well, it seems to work and looks like Google.... Yup, whois verifies it. Guess they decided to use those anti-immitation registered domains.
Obviously, since a string can be an almost infinite length, there has *got* to be collisions somewhere, but so far, no one has found any.
Correction: No one has reported any. I, uh, have a friend--yeah, that's it--who found a few collisions but is afraid to report them because it always occurs between his beastiality files and his lengthy and frequent poetic love letters to some girl who claims he's stalking her.
YOU HAVE BEEN WARNED
Visit CryptoGnome in his home.
I don't have a mouse, you insensitive clod!
Once they have gotten this working, and assuming there is a commercial need for these cycles that exceeds the cost in bandwith, a site could do as others have suggested, and require you to run this app (ala netzero etc) in order to acess content on the site.
Beats pop up ads, anyway.
when i visited the page mozilla firebird cpu spiked up to 99 quite quickly, and quickly fell to 0/1-ish when i closed the tab.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
The applet will stay running even after you close the page that started it, using up 100% CPU time without your knowledge or approval.
Do NOT go to the site.
I don't have Java enabled on my desktops AND I'm actually posting this from my mobile phone. How do I join in again?
Until the central data-collection server was slashdotted with data from clients. ;>
But, could this not be used to build a hash table of all MD5 sums? If all possible MD5s were known by one source, what is to prevent them from using this as a simple lookup to crack MD5-based passwords? Even if they only focused on short strings (say, typical password length) they could go a long way to defeating another security mechanism.
What those who want activist courts fear is rule by the people.
The motherfucking redundancy of your motherfucking comment, has made this motherfucking comment motherfucking redundant by motherfucking replying to the motherfucking redundant motherfucking comment. Motherfucker.
so they use your cpu cycles to generate these md5 hashes - yes? then they are transmitted back to the mother server, eh? are they just making a monster database of md5 hashes and comparing them
I've never understood what the big worry is about hash collisions. I mean, even if in theory you could find another message that hashes to the same value, it's many orders of magnitude harder to find a meaningful and believable substitute message that hashes to the same value. Even the Birthday attack seems pointless. Who cares if the hash is effectively half as long to find ANY two message that hash to the same value, I only care if somebody can find a message that matches MY message hash. Is it because cryptographers are obsessed with theoretical but impractical weaknesses, or am I just not understanding this right?
Some sites are plain text, this uses up less CPU cycles than a flash intensive site.
One could argue that this applet provides no value to the end user, and that could be true. However, it could also help pay for the free content that the user is viewing.
It is neither inherently bad nor inherently good. I can see it going both ways. Porn sites will use it for god knows what. Places like SETI and Folding@home could use it to benefit mankind.
Yuck... That is the WORST THING I have EVER seen in my life!!! I feel like throwing up. I can't believe someone would take a picture of that, let alone disgust others with it... I think humans have reached a new low with that picture :(:(:(
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
The most likely cause of your crash is that you're an idiot and your system is poorly configured. Giving your operating system and especially your cpu speed/ram size is retarded. Maybe you should just give up, fuckwit.
Happy new year!
Get a job a pay for some cable/dsl access, if you can't get it, move to a place that does. Now shut up modem bitch.
Popup advertisers have found a way around popup blockers, including Mozilla's built in one. The only way to avoid them is to disable javascript entirely.
PayPopup's popunder code employs just such a popup blocker blocker, if you will. It pops up popunders in Mozilla at will.
Go and do it.
Haha, you just sounded so like that customer in Clerks who complained after the guy was talking about jizz mopping.
Seems like i have to install something after all.
> Idle CPU time might be unused but I still want to know what my box is doing and why.
My background compilation going on right now is niced (see nice(1) in the man pages on BSD, Linux or Unix systems) to make it just use the CPU cycles left by the browser and other interactive things. No idle CPU time left.
With such an CPU eating applet the compilation would stop till I leave the site and that I consider hostile behavior. nice(1) exists since Unix Version 4 so is nothing new. Authors of such distributed computing software should know about it.
Conciously installing a program on a machine of my choice and letting it eat up CPU is a better concept. I can choose if I want to let it run, when to do it (only at night for example) and even can control the priority it gets precisely.
My standard reply to this is that there are 2^128 possible hash sums which is many magnitudes more than the number of electrons in the universe! So you'd have a pretty hard time storing them all.
As for the set of short strings, because this is such a limited set, if MD5 is any good (which it is), you won't find a collision in such a small subset.
Just a thought, would running two IE windows of the applet help at all?
That applet is using almost 100% of my CPU cycle on my computer using IE. Others mentionned that it only used 1% of their CPU. Why that high for me?
Garek
Well fuckface, maybe he lives in a country area that has one way cable lines and is too far from the phone company office like me. Not so smart now are you asswipe.