Slashdot Mirror


Finding MD5 Collisions With Chinese Lottery

Stanislav Shalunov writes "Jean-Luc Cooke posted a Usenet article describing a distributed webpage-based effort (Chinese Lottery) to find a collision in the MD5 function. All you need to do to participate in the effort is visit the URL that loads the code. The author comments: 'What is interesting about this approach - when we reach final release stage - is that any website that adds this small snippet of code to their pages will have their visitors working on the problem for the duration of their visit to the site'."

21 of 303 comments

  1. Uhh.. by TCM · · Score: 5, Insightful

    From the link:

    You run an Applet, it reports to us the search results. Distributed computing without installing anything...and without people knowing you're stealing their idle CPU time. ;)

    I don't know about you but I wouldn't lean out the window with the fact that I'm stealing from others.

    Idle CPU time might be unused but I still want to know what my box is doing and why.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    1. Re:Uhh.. by Phillup · · Score: 4, Insightful

      I personally wouldn't call it "stealing". You pretty much agreed to run Java. Yes, you could be a clueless noob and not *know* that your browser has it enabled... but, nobody is *making* you run Java applets.

      I don't shove it down your pipe... you ask for it.

      Of course this line of reasoning could be extended too far... like the case of all the porn pop-ups... but, even there... I tend to feel that the user is ultimately in control (or should be!) of their own computer. Install Mozilla and don't suffer the pop-ups.

      Better yet... and this is the approach I myself practice... go away. Any time I find a site that ticks me off (bad Java/JavaScript that causes browser naughtiness), I add them to my banned list on my proxy... and never have to suffer the site again.

      Not even unintentionally.

      ---

      Not only that... but my CPU monitor went to a hundred percent.

      Yeah, it is a low priority thread... but... I did notice.

      P.S. "you" does not mean you personally...

      --

      --Phillip

      Can you say BIRTH TAX
    2. Re:Uhh.. by cmallinson · · Score: 3, Insightful
      I personally wouldn't call it "stealing". You pretty much agreed to run Java. Yes, you could be a clueless noob and not *know* that your browser has it enabled... but, nobody is *making* you run Java applets.

      I don't shove it down your pipe... you ask for it.

      OK, come on. Leaving Java enabled is a very poor definition of "asking for it". What percentage of internet users know the difference between Java and JavaScript, and can determine which one if any should be turned off or on? I would say less than 1-2%. Taking advantage of the rest is just not cool.

    3. Re:Uhh.. by Phillup · · Score: 2, Insightful

      I do understand what you are saying.

      But, at the end of the day... you look in the web server logs and you see a request from a computer asking for a Java applet.

      What is it supposed to do... somehow know that the person in front of the browser was not smart enough to really make the call?

      At some point you have to say that a valid request was made... and honor the request.

      --

      --Phillip

      Can you say BIRTH TAX
  2. Not ethical by Bill_Royle · · Score: 3, Insightful

    I respect the effort and ingenuity, but the rationale that "hey, we're helping solve a problem" somehow justifies stealing someone else's resources... it's just wrong.

    Be upfront with people - tell them why it's so important, what can be accomplished with it, and what it does. You'd be surprised - people might help out of *gasp* the goodness of their own hearts. A good example might be SETI, etc.

    1. Re:Not ethical by Anonymous Coward · · Score: 1, Insightful

      It's -not- stealing resources to run a java program when you visit a web page. That's what applets are designed for. Do you complain every time java loads? If so, why do you run it? This is more useful than the vast majority of applets; why pick on it in particular?
      They -are- upfront with people. It's not so important (the applet.) The stealing thing is a -joke-. Sheesh.

    2. Re:Not ethical by Phillup · · Score: 5, Insightful

      While I completely agree with your sentiment about being upfront... I don't agree with calling it "stealing".

      Who clicked on the link?

      Who has Java enabled on their browser?

      Who has cookies enabled on their browser?

      It isn't like he is doing anything "tricky" or using some "bug" to pull this off. The page doesn't "trap" you. It doesn't eat your CPU and make it impossible to quit the app or go to another page. And, for me, it didn't crash anything.

      I *really* don't understand how this can even remotely be considered stealing. Every single item is being used *as*designed* both by the web author and you.

      The way I see it... someone jumped in a pool... and now they are bitching about your clothes being wet?

      --

      --Phillip

      Can you say BIRTH TAX
  3. Re:Would be great for LOTR by deadsaijinx* · · Score: 3, Insightful

    Have you ever tried even using a dedicated renderfarm? The complications that can arise if you don't have all the textures and files locally, not to mention the fact that rendering is so heavy a tax on the CPU people would NEVER want to do it. Plus, that would involve them releasing files that go into making the movie. And so on and so forth. The idea is so terrible I couldn't imagine anyone ever trying it. Peace out and try to talk about something you know for once.

    --
    YOU SUCK BALLS!
  4. Re:Would be great for LOTR by gordyf · · Score: 2, Insightful

    No, it would take too long just to upload the scene data to the client, let alone render anything useful within the average person's attention span.

  5. Re:Oh, lovely, distributed Javascript computing by illustir · · Score: 3, Insightful

    Why don't the slashdot editors who put this online embed the code in the story page? That way the slashdotting would have some use at least.

    --
    -- Alper
  6. How to steal a virtual supercomputer? by LostCluster · · Score: 2, Insightful

    Let's put the research effort aside here and think about the underlying concept here... basically, this is a distributed computing app being buried within webpages. Could commercial interests use this concept to get access to computing resources from their web users without telling them?

  7. Parasitic computing by bigberk · · Score: 3, Insightful

    I believe the term was parasitic computing. Ideally the web master makes visitors aware of what's going on. You're using visitors' computing power to accomplish a neat sort of distributed computing. Great idea, if you're not just stealing resources.

  8. Re:Hmmm. by __aaitqo8496 · · Score: 5, Insightful

    I wonder if the good slashdot people would be willing to make this into a slashbox?

  9. Re:RFI: "collision" means? by WTFmonkey · · Score: 4, Insightful
    The whoop is that MD5 is often used for "fingerprinting" or other unique identification on the internet (et al). Since we all know that what can go wrong will, the question is the definition and accuracy of the infamous phrase "computationally infeasible."

    Basically, in a world where everything was based on a thumbprint, would you want even the smallest chance, no matter how statistically unlikely, that someone else had the same thumbprint as you?

  10. nonono-it *does* tax the servers.. by Darth+Fredd · · Score: 2, Insightful

    ..some. You use bandwidth for data throughput, you have the CPU usage..

    All on the server side. Yes, the clients are the ones doing the Real Work, but you have to do something with the result of that work. And it's the Doing that taxes your servers, if only a little bit.

    --
    "The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
  11. I really hope this doesn't catch on by digitalgimpus · · Score: 2, Insightful

    Not that I mind technology, and new tricks.

    But the last thing I want to see is every website hogging my CPU. Either selling computing power of their web visitors for profit, or using it for themselves.

    Imagine the next series of Spyware Trojans... rather than spy, they harness your CPU and sell the power. All without the knowledge of the computer owner.

    Interesting business model, but not something I want to see. I like my CPU. Note the word "my".

  12. Since when... by Anonymous Coward · · Score: 1, Insightful

    ...has it become acceptable to use anyone's computing resources without their knowledge and consent?

    From where I come, this would be at least considered theft. It's stealing power (electricity) that you pay for, CPU cycles and RAM you might have other use for. It's using your resources that you pay for.

    It's premeditated - not some action of a whim. It's also targeted at any and all passers-by - like if you just happened to stroll by a store they were all of a sudden stripping your credit card of "just small amounts" using some yet unknown method for scanning your card from a distance with neither your knowledge nor consent.

    Where I come from, such crimes can, and would, put people in jail.

  13. Re:Anti-Javascript Post... by Tweaker_Phreaker · · Score: 2, Insightful

    This uses Java not Javascript; learn the difference.

  14. Re:Are there any known MD5 collisions today? by spongman · · Score: 2, Insightful

    moreover, most programs that hash MP3s fail to exclude the ID1/ID2 tags, so it's pretty simple (and common) for different MP3s to sound exactly the same.

  15. Electrons in universe by Glorat · · Score: 2, Insightful

    My standard reply to this is that there are 2^128 possible hash sums which is many magnitudes more than the number of electrons in the universe! So you'd have a pretty hard time storing them all.

    As for the set of short strings, because this is such a limited set, if MD5 is any good (which it is), you won't find a collision in such a small subset.

    1. Re:Electrons in universe by Glass+of+Water · · Score: 2, Insightful
      What you describe is called a "salt". It's standard for storing hashed passwords and protecting against dictionary attacks, or comparing a user's passwords on two different systems. Maybe you know that already.

      Here's a pretty good recent thread on the subject from SecurityFocus' secprog list.

      --
      There are no trolls. There are no trees out here.
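
Added example, not part of the original thread and not the project's applet code: a generic birthday search in Python over MD5 truncated to a few bits, showing what the "collision" discussed in comments 9 and 15 is and how the hashing work and the table of stored digests grow with digest width. The function names and the `msg-` message format are assumptions made for the illustration.

```python
import hashlib
import math
from itertools import count


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of MD5(data) as an integer (1 <= bits <= 128)."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share a truncated digest.

    Every digest seen so far is kept in a table, so memory grows with the
    number of attempts. Returns (msg_a, msg_b, attempts).
    """
    seen = {}  # truncated digest -> first message that produced it
    for i in count():
        msg = prefix + str(i).encode()  # constructed sample messages
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def expected_work(bits: int) -> float:
    """Birthday estimate of hashes needed for a collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, attempts = find_collision(bits)
        print(f"{bits:3d} bits: {a!r} and {b!r} collide after {attempts} hashes "
              f"(estimate {expected_work(bits):.0f})")
    # Full-width MD5: the same estimate, with no shortcut in the hash itself
    print(f"128 bits: estimate {expected_work(128):.3e} hashes")
```

For the full 128-bit digest the same estimate is roughly 2^64 hashes, with a table of comparable size unless a memoryless cycle-finding variant is used.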