Finding MD5 Collisions With Chinese Lottery

Stanislav Shalunov writes "Jean-Luc Cooke posted a Usenet article describing a distributed webpage-based effort (Chinese Lottery) to find a collision in the MD5 function. All you need to do to participate in the effort is visit the URL that loads the code. The author comments: 'What is interesting about this approach - when we reach final release stage - is that any website that adds this small snippet of code to their pages will have their visitors working on the problem for the duration of their visit to the site'."

The Logic of Withdrawal

[A note of explanation: In the spring of 1967, my book Vietnam: The Logic of Withdrawal was published by Beacon Press. It was the first book on the war to call for immediate withdrawal, no conditions. Many liberals were saying: "Yes, we should leave Vietnam, but President Johnson can't just do it; it would be very hard to explain to the American people." My response, in the last chapter of my book, was to write a speech for Lyndon Johnson, explaining to the American people why he was ordering the immediate evacuation of American armed forces from Vietnam. No, Johnson did not make that speech, and the war went on. But I am undaunted, and willing to make my second attempt at speech writing. This time, I am writing a speech for whichever candidate emerges as Democratic Party nominee for President. My supposition is that the nation is ready for an all-out challenge to the Bush Administration, for its war policy and its assault on the well-being of the American people. And only such a forthright, courageous approach to the nation can win the election and save us from another four years of an Administration that is reckless with American lives and American values.]

My fellow Americans, I ask for your vote for President because I believe we are at a point in the history of our country where we have a serious decision to make. That decision will deeply affect not only our lives, but also the lives of our children and grandchildren.

At this moment in our nation's history, we are on a very dangerous course. We can remain on that course, or we can turn onto a bold new path to fulfill the promise of the Declaration of Independence, which guarantees everyone an equal right to life, liberty, and the pursuit of happiness.

The danger we are in today is that the war--a war without any foreseeable end--is not only taking the lives of our young but exhausting the great wealth of our nation. That wealth could be used to create prosperity for every American but is now being squandered on military interventions abroad that have nothing to do with making us more secure.

We should listen carefully to the men serving in this war.

Tim Predmore is a five-year veteran of the army. He is just finishing his tour of duty in Iraq. He writes: "We have all faced death in Iraq without reason or justification. How many more must die? How many more tears must be shed before Americans awake and demand the return of the men and women whose job it is to protect them rather than their leader's interest?"

What is national security? This Administration defines national security as sending our young men and women around the world to wage war on country after country--none of them strong enough to threaten us. I define national security as making sure every American has health care, employment, decent housing, a clean environment. I define national security as taking care of our people who are losing jobs, taking care of our senior citizens, taking care of our children.

Our current military budget is $400 billion a year, the largest in our history, larger even than when we were in the Cold War with the Soviet Union. And now we will be spending an additional $87 billion for the war in Iraq. At the same time, we are told that the government has cut funds for health care, education, the environment, and even school lunches for children. Most shocking of all is the cut, in billions of dollars, for veterans' benefits.

If I became President, I would immediately begin to use the great wealth of our nation to provide those things, which represent true security.

Immediately on taking office, I would propose to Congress, and use all my power to ensure that this legislation passes, that we institute a brand new health care system, one that builds on the success of our Medicare program, and that has been used effectively in other countries in the world.

I would call it Health Security, because it would guarantee to every man, woman, and child free medical care, including prescription drugs, paid fo

How do I add this to my site?

[Kyle+Hamilton]

Where do I get the stuff to add this to my site I think that maybe if you made it easy to put on peoples blogs then maybe it would add a lot of power to the project/idea -Kyle www.kylehamilton.net

Re:How do I add this to my site?

Dude. Spelling. Runon sentences. Work on them. You deserve to appear smarter than you do.

Re:How do I add this to my site?

[coene]

Just embed the applet into your HTML, view the source of that page - you'll get it.

Re:How do I add this to my site?

Runon sentences.

Fragements too?

Re:How do I add this to my site?

Dude. I'm assuming you meant run-on, in which case you have a sentence consisting of two nouns and nothing else. Apparently your judgment of smartness is authoritative.

Re:How do I add this to my site?

Linux is like living in a teepee. No Windows, no Gates, Apache in house.

Living in a teepee? No running water, no bathroom, yeah sounds like linux.

another writeup

[the+man+with+the+pla]

I saw a story about this a few days ago over at tubgirl tech archive

Re:another writeup

[Stalin]

No clicky clicky. Nasty nasty.

An Important Warning...

Mad Troll Disease is a fatal disease that has reached near-epidemic proportions. It is caused by failure to pay your $699 licensing fee to SCO. Please protect your health and don't forget to pay your $699 licensing fee.

Uhh..

[TCM]

From the link:

You run an Applet, it reports to us the search results. Distributed computing without installing anything...and without people knowing you're stealing their idle CPU time. ;)

I don't know about you but I wouldn't lean out the window with the fact that I'm stealing from others.

Idle CPU time might be unused but I still want to know what my box is doing and why.

Re:Uhh..

[shamilton]

Idle CPU cycles are used to pre-zero pages, among other little tasks.

Re:Uhh..

[Phillup]

I personally wouldn't call it "stealing". You pretty much agreed to run Java. Yes, you could be a clueless noob and knot *know* that your browser has it enabled... but, nobody is *making* you run java applets.

I don't shove it down your pipe... you ask for it.

Of course this line of reasoning could be extended too far... like the case of all the porn pop-ups... but, even there... I tend to feel that the user is ultimately in control (or should be!) of their own computer. Install Mozilla and don't suffer the pop-ups.

Better yet... and this is the approach I myself practice... go away. Any time I find a site that ticks me off (bad Java/JavaScript that causes browser naughtiness), I add them to my banned list on my proxy... and never have to suffer the site again.

Not even unintentionally.

---

Not only that... but my CPU monitor went to a hundred percent.

Yeah, it is a low priority thread... but... I did notice.

P.S. "you" does not mean you personally...

Re:Uhh..

[dotgain]

Doesn't seem to be running at a very low priority on my machine - it's taking 75%cpu running at a nice of "0". I am running portage at present, it's use went from about 80% to 7% or so.

It's chewing my cycles, not that I'm complaining, I brought it on, but it's doesn't seem to be running at a low priority by any means.

Re:Uhh..

[cmallinson]

I personally wouldn't call it "stealing". You pretty much agreed to run Java. Yes, you could be a clueless noob and knot *know* that your browser has it enabled... but, nobody is *making* you run java applets.

I don't shove it down your pipe... you ask for it.

OK, come on. Leaving Java enabled is a very poor definition of "asking for it". What percentage of internet users know the difference between Java and JavaScript, and can determine which one if any should be turned off or on? I would say less than 1-2%. Taking advantage of the rest is just not cool.

Re:Uhh..

Not for a long time. There are much more efficient ways to provide an illusion of a page full of zeros, such as COW-mapping a single dedicated zero page into any process that needs one. Some systems do memory scrubbing while idle, but that's different.

Re:Uhh..

[BagOBones]

low priority and low CPU use are not the same thing. low priority just means that almost any other program can take over the CPU any time it wants.

Re:Uhh..

[netsharc]

I opened the page, downloaded some pictures from my camera, and viewing them got to be so slow, something that's never happened before. I forgot about the page (I have a bad habit of abusing Opera's "Open in background Page" leaving 50+ tabs open at once), but I looked in Task Manager, and Opera was eating 100 MB RAM and 100 MB swap.. nice. But almost zero processor use, strangely.

Anyway I rebooted, so maybe it's that, maybe it's because I was messing with the swap files earlier today (well, last year, meaning yesterday :)

Re:Uhh..

[superpeach]

Flash ads steal more cpu time than this seems to.

Re:Uhh..

[slowbad]

As my core temp goes from 113F to 141F, I can either turn my air can on the system (upside down) or shut down.

At least there's no bacteria growing now on my fan-less heatsink...

--
Idle CPUs are the Devil's workshop

Re:Uhh..

[Phillup]

I do understand what you are saying.

But, at the end of the day... you look in the web server logs and you see a request from a computer asking for a Java applet.

What is it supposed to do... somehow know that the person in front of the browser was not smart enough to really make the call?

At some point you have to say that a valid request was made... and honor the request.

Re:Uhh..

[dotgain]

As I said, the javavm ran at a nice of "0", the default on a unix system. That means it will share CPU rougly equally with other processes on the box that run at the default also.

I also said I was running portage at the time, at a nice of +5. Had the applet have niced itself up to, say +10, (it seemed to do the equivalent on windows machines) it would have used much less CPU, because of the existence of a higher-priority running process, or two.

Re:Uhh..

Leaving Java enabled is a very poor definition of "asking for it".

No. Your browser saying "can I have this Java applet" is a very good definition of "asking for it".

Re:Uhh..

Uh, you need to zero physical pages before you hand them out for memory allocation requests. That can be done during idle time.

Oh, lovely, distributed Javascript computing

Perhaps we could tie this to some sort of micropayment system. You come do distributed work on my website, and you get to view it. Some third party pays me for the cycles, and I have a new revenue stream!

Re:Oh, lovely, distributed Javascript computing

[illustir]

Why don't the slashdot editors who put this online embed the code in the story page? That way the slashdotting would have some use at least.

Re:Oh, lovely, distributed Javascript computing

[Spad]

Java too!

Re:Oh, lovely, distributed Javascript computing

[sinistral]

It's not JavaScript, it's Java. Despite the names, they're vastly different.

Re:Oh, lovely, distributed Javascript computing

[trb]

Why don't the slashdot editors who put this online embed the code in the story page?

Maybe this slashdot article was a winner (encrypted) phoning home.

Re:Oh, lovely, distributed Javascript computing

No crap

Re:Oh, lovely, distributed Javascript computing

[smclean]

I wonder if thousands of instances of the applet running around the world could slashdot the actual server that the applet reports back to.

...Slashdotting it with "search results" as they called them.

I think that's why the story is from the soon-to-be-distributed-slashdotting department.

Re:Oh, lovely, distributed Javascript computing

[shibboleth]

Great idea but alas, Distributed Science Inc. (a/k/a The ProcessTree Network)'s old domain name is for sale and Popular Power is a dead business, suggesting a lack of profit potential in this business model as yet.

Are there any known MD5 collisions today?

[GGardner]

Last time I looked into this, which was several years ago, there were no known different strings which had the same MD5 hash. I thought this was remarkable. Are there any known ones today?

Re:Are there any known MD5 collisions today?

[mattdm]

Well, if there were, that'd make the question this project is trying to answer remarkably easy.

Re:Are there any known MD5 collisions today?

[Jordy]

Considering there are an infinite number of strings that will map to a single MD5, I'd say there is a chance we'll find one sooner or later.

Re:Are there any known MD5 collisions today?

[More+Karma+Than+God]

There must be some, otherwise MD5 could be used for lossless compression.

That's assuming the process can be reversed.

Re:Are there any known MD5 collisions today?

An md5 sum 20 bytes long.
If one applies md5 to all possible 21-byte strings, then there must be at least one collision.

Re:Are there any known MD5 collisions today?

[iggymanz]

more accurate to say it's very unlikely two string have same md5 value - but raise two to the power of the number of bits in an md5 hash, and there's at least that probability that two strings will have same hash. Of course, question is with real world strings is it even more likely than that huge 1:n number that 2 will match??? Hence this project, which I don't think is ethical or good way to find out.

Re:Are there any known MD5 collisions today?

[ilsa]

Reason #83 that MD5 is an inadequate method of identifying MP3s. Hashsums are only "practically unique."

Re:Are there any known MD5 collisions today?

[lostchicken]

It can't be reversed. That's the point of MD5.

However, it is trivial to prove the fact that there are strings that have the same MD5 hash due to the fact that you can't represent 2^65 different numbers with only 2^64 keys.

Re:Are there any known MD5 collisions today?

[jrstewart]

Umm, the fact that hashsums are only "practically unique" isn't why they're an inadequate method of identifying MP3s (and that's not what Schneier is saying in the article). The reason they're inadequate is that depending on what encoder you use and the settings there will be a bunch of different MD5s of the same song.

The RIAA could get around this by setting up a battery of tools to try to get all of the relevent hashes, but it would be possible to create encoders that perturb the compression process to get different bits in the file while sounding essentially the same. A trivial way to do this would be to watermark your MP3s with random data.

Re:Are there any known MD5 collisions today?

[spongman]

moreover, most programs that hash MP3s fail to exclude the ID1/ID2 tags, so it's pretty simple (and common) for different MP3s to sound exactly the same.

Re:Are there any known MD5 collisions today?

[Jerf]

Uh, you need far, far less then "2^bits in the md5 hash". You only need the first 2^128 strings, plus one more, to ensure a collision, by a simple application of the pigeonhole principle. (Any 2^128+1 strings will do, so why not pick the smallest?)

You'll probably, to the point of effective certainty, need far less to find a collision.

The problem is that we created MD5 with the very goal of making it impossible to compute where those collisions will occur with anything less then brute force (which isn't to say that we've succeeded necessarily but to date nobody has produced a significantly better way), and 2^128 is a hell of a lot of strings.

Re:Are there any known MD5 collisions today?

[equilith]

To get some perspective on this, there aren't a lot of crypt() collisions. Tom Perrine and Devin Kowatch of The San Diego Supercomputer Center found only one crypt() collision that they categorized as "real": $C4U1N3R collided with SEEKETH. There were also 24 that were a result of characters in some passwords having the high bit set -- crypt() strips off the high bits.

Their Teracrack project (pdf; html) used a different approach: leverage their huge amount of high-speed network connections and storage space.

Royce

Re:Are there any known MD5 collisions today?

[iggymanz]

most md5 hashes are either 128 (hey, 2^128, the same number you gave!), or 160 bits

Re:Are there any known MD5 collisions today?

[Jerf]

I slapped MD5 into Google and looked on the first result page, which said 128-bits in the quote near the top. I knew there were other sizes, but since that matched the message I was replying to, I kept it ;-)

Of course the point generalizes to all hashing or error correcting algorithms; for n bits, 2^n+1 messages are guarenteed to collide.

Re:Are there any known MD5 collisions today?

[The+Snowman]

Last time I looked into this, which was several years ago, there were no known different strings which had the same MD5 hash. I thought this was remarkable. Are there any known ones today?

MD5 is a hash. Hashes have three defining characteristics. First, the same input always produces the same output. Second, a small change in input produces a large change in output. Third, collisions are relatively rare -- it should be uncommon for two input strings to produce the same output string. Of course, with 2^128 output values and an infinite number of input values, there are an infinite number of inputs that produce the same output, theoretically.

Anyway, there are a few strings that produce identical outputs, using two dictionary words. I cannot find them at this moment, although I know where I saw them. Google and on-site searching mechanisms aren't helping. Oh well. I tried.

Re:Are there any known MD5 collisions today?

[ottawanker]

It can't be reversed. That's the point of MD5.

No, but given fast enough hardware, and some other information about the file (say, size and type) it could be brute forced.

Re:Are there any known MD5 collisions today?

[Tom7]

All MD5 hashes are 128 bits, or it's not an MD5 hash. The SHA-1 algorithm, which is similar, produces 160 bits.

Re:Are there any known MD5 collisions today?

[Alsee]

given fast enough hardware... it could be brute forced.

Given a large enough mouth... I could swallow the sun :)

Lets say you had fast enough computer to make a hundred trillion brute force attempts per second. Then assume you have 100 trillion such computers. It would take more than 150 times the age of the universe to have a 50-50 chance of finding a file that matches that hash. Of course that does not mean you found the right file because there are an infinite number of files that match that hash.

-

Re:Are there any known MD5 collisions today?

[Tom7]

Considering there are an infinite number of strings that will map to a single MD5

That's probably, but not necessarily, true.

I'd say there is a chance we'll find one sooner or later.

Yeah, it's about 1 in 2^128. There aren't even enough electrons in the universe to write down all the possible MD5 hashes, not to mention the strings that might hash to them.

Re:Are there any known MD5 collisions today?

[Jordy]

That's probably, but not necessarily, true.

Sorry, I should have placed the caveat: "if MD5 doesn't have any flaws."

Yeah, it's about 1 in 2^128. There aren't even enough electrons in the universe to write down all the possible MD5 hashes, not to mention the strings that might hash to them.

You don't have to write down the entire string to generate its hash. You can simply keep feeding numbers into the algorithm until the end of time (assuming there is one).

Further, the estimates I've heard is that there is 10^80 to 10^88 electrons in the universe. 2^128 is roughly 10^38 giving you about 50 orders of magnitude in difference.

Re:Are there any known MD5 collisions today?

2^128 isn't 10^38, it is 3.4x10^38

Re:Are there any known MD5 collisions today?

[kasperd]

An md5 sum 20 bytes long.

No it is not. It is only 16 bytes. A SHA1 hash OTOH is 20 bytes long.

Re:Are there any known MD5 collisions today?

Well it's much easier than that. If you are given a specific MD5 hash it's true that it would take about 2^128 (if you bruteforce) to find a message hashing to that hash. However, just finding 2 messages that hashes to the same value is much easier. Thanks to the birthday paradox it takes just 2^64 operations on average and while bad, it's not impossible.

Re:Are there any known MD5 collisions today?

If there's good pr0n in that file who cares if it's the right one?

Re:Are there any known MD5 collisions today?

[thogard]

Years ago someone posted 8 or so pairs of crypt collisions however I don't think any of them where typeable passwords. I haven't been able to find the posting but it might still be in google somewhere and it was about about 87 or so. Whoever posted them never bothered to explain how they came up with them.

Re:Are there any known MD5 collisions today?

[Tom7]

Further, the estimates I've heard is that there is 10^80 to 10^88 electrons in the universe. 2^128 is roughly 10^38

Oops, you're right. That base really does make a difference, doesn't it? ;)

Re:Are there any known MD5 collisions today?

[Eivind]

Very funny. It's true that it's possible that two mp3s exist with the same md5-hash. But it's very very VERY unlikely.

There's 128bit in a md5 hash. The hash is pretty darn close to random. (that is, there's no known way of finding collisions significantly better than just trying randomly)

So, with 2^128+1 mp3s, you'd *certainly* have atleast two with identical hash. To get 50% chanse of a collision you'd need around sqrt(2^128) which happens to be 2^64 mp3s.

For comparison, there are about 2^32 (well, between 2^32 and 2^33) people on earth. So you'd expect to see the first collision around the same time when each and every person on earth has 2^32 or 4 billion unique mp3s. (remember, they must all be unique, people copying from eachothers or ripping with identical software getting bit-exact copies won't help.)

Very VERY unlikely to have happens. The odds that there exist today two or more mp3s that are different, but with the same md5-hash is certainly no larger than 1 in a million. Probably less than 1 in a billion.

Re:Are there any known MD5 collisions today?

I found two strings that produced the same md5 hash by accident about a 6 months ago. I assumed this was rare, but statisticaly acceptable, and until today, I didnt realize that it had never been done before.

So the big questions are:
1. do I win any money?
2. where do i send my results

Re:Are there any known MD5 collisions today?

[jlcooke]

Wrong.

The attack will be done in 1.17 * 2^64 operations. Read: birthday paradox. I've estimated the work time for the first collision as 100,000 CPU years (on my model of CPU).

RC5-64 took longer if you need a comparison.

Re:Are there any known MD5 collisions today?

[shadowmatter]

Yeah, it's about 1 in 2^128. There aren't even enough electrons in the universe to write down all the possible MD5 hashes, not to mention the strings that might hash to them.

With people hashing ramdonly generated strings and contributing to a universal list of MD5 hashes that have been generated, the chance of finding an MD5 collision is much higher.

If you are looking for a specific MD5 value, then the number of random strings you must hash must be on the order of the size of the hash's range. On average, you must hash roughly half the size of the range, or 2^128/2 = 2^127 random strings before finding a collision.

But if everyone is just picking a string at random, hashing it, and looking for a collision, then the chance of a collision occuring is much higher. It's based on the Birthday Paradox, a seeming "paradox" that if you have just 23 people in a room, there is over a 50% chance two of them will have the same birthday (most people assume 365/2). Now consider a hash function mapping people to their birthdays, and you'll see the application here. In fact, for a range of N possible values, only 1.17 x sqrt(N) random strings must be hashed before a collision is found by Stirling's approximation.

So, in fact, we must only consider O(2^64) random strings before finding a collision with MD5.

Re:Are there any known MD5 collisions today?

[yanestra]

Reason #83 that MD5 is an inadequate method of identifying MP3s. Hashsums are only "practically unique."

Music is only "practically unique", too.

Re:Are there any known MD5 collisions today?

[Paul+Crowley]

It is necessarily true that there are infinitely many MD5 collisions, by the pidgeonhole principle. However, there may be specific 128-bit strings that have 0 or 1 MD5 preimages.

Re:Are there any known MD5 collisions today?

[Paul+Crowley]

http://www.cs.berkeley.edu/~daw/my-posts/crypt-col lision

Re:Are there any known MD5 collisions today?

[Tom7]

On the other hand, this method comes at a large storage cost.
Also, 2^64 is still pretty damn intractable.

Re:Are there any known MD5 collisions today?

[Alsee]

Wrong. Read: birthday paradox

All true about birthday problems, but if you look back I wasn't responding to a birthday-type task, so my post was correct. Someone suggested "reversing MD5", brute-forcing the hash back into the original file. That's not a birthday type task, it not even uniquely solvable.

2^64

I did my math based on 160 bit hashes. I know there are both 128 and 160 versions, but I automatically think 160 becuase I've been doing massive research on Trusted Computing which always uses 160. The 160 birthday problem is 2^80, or several billion CPU years. It's not practical to mount even the most general birthday attack on Trusted Computing.

-

Re:Are there any known MD5 collisions today?

[shadowmatter]

I agree with you without a doubt. Although I read the other day that, in 2003, it was estimated that we generated 2 exabytes of data in digital form. That's 2 x 10^18 bytes. 2^64 = 1.844 x 10^19, and with 16 bytes per hash, that's 2.95 x 10^20 bytes required for 2^64 different MD5 hashes. So I guess the storage for this project may exist in the future.

But I'm just being pedantic. In all honesty, who the hell cares? Brute force isn't that exciting, but some mathematical analysis may produce results, see here.

Real men use SHA anyways ;)

Cheers,

shadowmatter

Re:Are there any known MD5 collisions today?

[js7a]

1. Maybe, but don't get your hopes up.
2. RSA Labs

Rivest published MD5 in 1991, but he probably wants to sell some newfangled proprietary alternative that RSA already has patented. Tell them you have a collision, and that you want to offer it for a price, and ask how much they would be willing to pay.

The sad fact is that you'll probably not be offered more than a thousand since your collision was discovered by accident. If you had a method, though, the NSA might want to add three zeros to that.

THE CHINESE HAVE OVERTAKEN SLASHDOT!

OMG Slanty Slashdot has the purple pussy!

Would be great for LOTR

[t0qer]

Or any other movie that makes heavy use of CG. While fans are visiting the fan site, they'll be helping to produce the sequel.

Might be cheaper than render farms.

Re:Would be great for LOTR

[deadsaijinx*]

Have you ever tried even using a dedicated renderfarm? The complications that can arise if you don't have all the textures and files locally, not to mention the fact that rendering is so heavy a tax on the CPU people would NEVER want to do it. Plus, that would involve them releasing files that go into making the movie. And so on and so forth, The idea is so terrible I couldn't imagine anyone ever trying it. Peace out and try to talk about something you konw for once.

Re:Would be great for LOTR

[gordyf]

No, it would take too long just to upload the scene data to the client, let alone render anything useful within the average person's attention span.

Re:Would be great for LOTR

[Guppy06]

"Would be great for LOTR"

What, distributed royalty payments to somebody that's been dead for over 30 years?

Re:Would be great for LOTR

[protohiro1]

Holy crap what a nightmare. HELLO, PEOPLE, PUT YOUR TEXTURES ON THE SERVER!! Sorry, just a little rant. If I see one more 500 frame render with lovely black nothing mapped to the objects...I will hurt people. Seriously though, rendering does not lend itself very well to non-dedicated distibuted computing. The work units would be huge...but maybe some suckers would do it.

Hmmm....Maybe if you wrote some sort of encrypted mental ray or renderman client, in that it does the render from encrypted source files, decrypts them in chunks as they are read into the render, and then re-encrypts the pixels on the fly as they are rendered... A shame each work unit it for feature work would be like 100mb+, but give people who do a lot of units a prize or something. Of course, if it was film res frames...well each frame would be like 50mb of upload. And then their's the fact that people would need to make sure their pcs had enough ram to handle it so they didn't crash. Oh, and convincing Pixar or Mental Images to license you to run on an unlimited number of cpus all over the place would be a problem. I don't know if its worth it yet, not many people would sign up for something that would require huge piles of disk and bandwidth in addition to your idle cycles, assuming you could solve all the other problems. Maybe someday it will be possible though, I wouldn't rule it out completely.

Re:Would be great for LOTR

[Kent+Recal]

They'll adapt. Nemo 2 will be only 6000 frames (whole happy end in 50 frames!). But how? New projector technology runs the film at 1 frame/sec. And it's still a motion picture cuz every frame is morphed into the next.

Re:Would be great for LOTR

Actually, rendering algorithms lend themselves readily to parallelization. You don't need to assign a whole scene to each CPU; you could just as easily assign a few pixels. Thus the work units wouldn't have to be "huge", although I suppose they'd be in aggregate. Another interesting point: textures aren't nearly as prevalent in high end rendering as they are on your average bit of consumer-level hardware. Much of the work done by textures is performed instead by procedural shaders, which are obviously much smaller. Also, modern consumer-level graphics hardware could probably be exploited to accelerate things along greatly.

Fact of the matter, though, your average movie/effects studio can easily buy enough processing power/disk space these days to render their images. I expect the artistic work cycle would demand an in-house solution as well; current distributed computing projects aren't really so great about latency.

Re:Would be great for LOTR

[mcbridematt]

With graphics hardware getting better and better, why don't they just feed it through a Pro (Quadro probably, maybe FireGL, depends on what shaders you use.) video card with Aniso and Antistropic filtering turned up to the max?

I've seen a few cases where I could of easily been fooled that a frame rendered by a video card was rendered by RenderMan or something. The last few seconds of the Advanced Pixel Shader Test in 3dmark2001se come to mind.

Re:Would be great for LOTR

Hey Mr. High and Mighty..

Ever hear of an independant film? His idea could enable low-budget producers (who don't give a rat's ass about their files being released) to possibly create movies without the need of a render farm.

Peace out, and stop being an asshole.

really bad idea for real system administrators

[the+man+with+the+pla]

Hopefully I don't have to tell the 30 percent of slashdot readers who actually do unix system administration that this is a terrible idea to add this to your web sites. Distributed computing is fine for client boxes, but for servers...if your server wants to implement any extra complication and/or CPU, you're doing something wrong.

--
Gain karma with the database tool

Re:really bad idea for real system administrators

[MoonFog]

It's an applet, applets run on the clients computer and not on the server.

Re:really bad idea for real system administrators

if your server wants to implement any extra complication and/or CPU, you're doing something wrong.

The work is done by the clients, genius. A java applet is downloaded to their client and it does some computation.

Re:really bad idea for real system administrators

[Fnord]

This doesn't do anything on servers. He's referring to websites putting a link to a java appplet in their pages. This applet does computations on the client side.

Re:really bad idea for real system administrators

[fcrick]

The applet refers to the project's server, not your web server. I don't think they are asking you to host the data collection part, but rather just have your pages load the applet from their servers.

Re:really bad idea for real system administrators

[benna]

Actually applets are not allowed to open an internet connection to anywhere except where they came from so the data collection server must also be the web server.

Re:really bad idea for real system administrators

Read, you fucking moron.

but rather just have your pages load the applet from their servers

Re:really bad idea for real system administrators

[benna]

Oh, I understand now.

Re:really bad idea for real system administrators

[Magic5Ball]

It's an applet, applets run on the clients computer and not on the server.

It takes bandwidth to collect the results of the applets' work, and time on the same or a different server to record/process/log those results.

Re:really bad idea for real system administrators

[focitrixilous+P]

Dude. Do you want to know the tax on your server? 3 lines of simple HTML. That doesn't sound like much of an extra complication, or CPU usage. Even the tiny applet is loaded off Their Server, meaning you do nearly no work to help these guys. You can debate the ethics, sure, but saying this is a mistake because of server issues is wrong.

Re:really bad idea for real system administrators

[Geek+of+Tech]

Since they said all you have to do is put the code for the applet in the page, I don't think it would increase the server's bandwidth very much (a few bytes). And sense they didn't give you any way to collect results, it seems logical that they are sent back to jlcooke.ca. The results aren't collected by you. You just include code to the applet. You don't even have to have it locally.

Re:really bad idea for real system administrators

[0racle]

If I remember correctly, a Java applet by default can only ommunicate with the originating server.

That's really interesting...

[herrvinny]

That's a really interesting way of doing it. For the people who don't know, here's a quick explanation:

Java Applets, because of the sandbox they're run in, can't open up a network connection to any website, except for the websie they came from. Presumably, what they're doing is creating a small Java applet, that when loaded, executes some logic, then opens up a network connection back home and sends the results.

Fascinating. This way, you don't have to bother installing something and hope it doesn't fsck up your computer. It might be slightly less efficient than a dedicated, installed program, but this way, they can harness the power of a computer just casually browsing a web page. Very innovative.

Re:That's really interesting...

[Carnildo]

Fascinating. This way, you don't have to bother installing something and hope it doesn't fsck up your computer. It might be slightly less efficient than a dedicated, installed program, but this way, they can harness the power of a computer just casually browsing a web page. Very innovative.

Right. Now you visit a web page and hope it doesn't fsck up your web browser. Fun.

Re:That's really interesting...

[rob_from_ca]

Not only that, but using a java applet sandbox very effectively solves the trust problem in distributed computing; the whole "I'm not going to run it if I can't build it from source myself and audit the code" on the side of the client and the "We need to distribute binary only or people will make modified versions and corrupt our results" side of the project owners.

Good idea. Not a great idea to drop on generic webpages and force people to participate in order to view the page though.

Re:That's really interesting...

[herrvinny]

It's run in a sandbox, and the sandbox is pretty restrictive. No writing to the hard drive, no network access other than connecting back to the website the applet came from, a requirement that all applet created windows have a "WARNING: APPLET WINDOW" box on the bottom, etc. And the process of signing an applet is downright screwy and often doesn't work for all platforms.

Re:That's really interesting...

[TCM]

This way, you don't have to bother installing something and hope it doesn't fsck up your computer.

Last time I checked Mozilla didn't come with a JVM.

Re:That's really interesting...

Hopefully benefical projects like Folding@Home will get in on this idea.

Maybe each sites opening page will contain something like "Help out such and such project while browsing this site, click here or standard site click here"

Re:That's really interesting...

[herrvinny]

Install one. Java Installation Site. Here's the SDK, if you want it. It comes with a JVM. And yes, Sun's JVM runs in Mozilla.

Re:That's really interesting...

[bennomatic]

Does it solve the problem, or just work around it? I mean, people might have various reasons not to run a program on their machine, and privacy concerns might be one of them. With this system apparently reporting data to a central server no matter what site the applet is installed on, there are a multitude of privacy concerns, and that is certainly high on list of concerns for the audit-and-build-it-myself set.

Re:That's really interesting...

Nah, if I could be bothered I'd just alter one of the open source JVMs to interfere. The java secruity model protects the end user (to an extent, assuming the JVM security is perfect), not the project owner. You need Treacherous^WRrusted Computing to give the project owner some reassurance I haven't hacked my JVM, and even then there are ways around it.

Re:That's really interesting...

[jkcity]

it can store data on your hard drive using cookies though.

Re:That's really interesting...

[herrvinny]

The amount of data it can store in a cookie is virtually inconsequential. I don't know what the limit is, but I imagine it's somewhere in the low single digit KBs. The most it can do is maybe do some tracking, e.g. note that you've seen an advertisement before, and next time, show you another ad. And that type of implementation is better off just using HTTP cookies. Using Java servlets to handle anything like that would be better.

Re:That's really interesting...

[rob_from_ca]

Obviously. But right now, you're just as capable of reverse engineering the binary distribution of seti@home or whatever and tampering with things. But nonetheless this extra "security" is what's given as the reason for not open sourcing these distributed apps, and the java sandbox solution is a better way of doing it. At least then the user can trust the program not to violate privacy (accidentally or otherwise), or to introduce serious vulnerabilities.

Re:That's really interesting...

[Rich0]

Keep in mind that many websites use two-way communications with a Java applet. How is this a privacy violation?

A Java applet can't see what you're doing on your computer. It can't see your hard drive. It can't see what other processes are running, etc. It can only communicate within the confines of the browser window and well-marked pop-up windows that it can spawn. Security is enforced by the local JVM - which the user installs from a trusted source.

Java was designed the "right way". This isn't ActiveX - in which an applet can rummage though your files and send a copy of every one of them to whoever the applet author wants. Java applets run in a sandbox and can only execute a subset of the full Java language.

There really isn't anything to see here... Move along...

Re:That's really interesting...

Get a clue.

Re:That's really interesting...

[Kent+Recal]

Right. Now you visit a web page and hope it doesn't fsck up your web browser. Fun.

Reminds me of when I was using MSIE...

Re:That's really interesting...

[furballphat]

14kb, IIRC

Re:That's really interesting...

[Semi-Psychic+Nathan]

, anyone?

Re:That's really interesting...

[ryen]

>Install one. Java Installation Site. Here's the SDK, if you want it. It comes with a JVM.

uh, didn't you just say...
>you don't have to bother installing something and hope it doesn't fsck up your computer
??

Your explanation was redundant, btw.

Re:That's really interesting...

The Macromedia flash player is allowed to store 100KB per movie, so this pales in comparison.

Besides, anyone the is worried about cookies really needs to get their head out of their ass.

Hmmm.

[valkraider]

Imagine a Beowolf cluster of these things... It would be the same as if Slashdot put the applet in the header or something - all of us geeks computing stuff for free... That would be a lot of computing, I think a couple people visit slashdot daily!

Re:Hmmm.

[RetroGeek]

Imagine a Beowolf cluster of these things

But in effect that is what this is. So no imagination required.....

Re:Hmmm.

[__aaitqo8496]

I wonder if the good slashdot people would be willing to make this into a slashbox ?

Whoever made this...

[coene]

Make sure to take out the warning message "ok fine then, you don't want cookies..." that pops up when you disallow it yer cookies (buy yer own thx!). This was surely a debug message, it's not useful anymore ;)

Re:Whoever made this...

[speeDDemon+(nw)]

Look in the code urselves ppl, Not sure about the JAVA backend that its running in that lil IFRAME window, But the javascript is simple and straight forward look for the alert('so you dont want cookies');

Re:Whoever made this...

[coene]

So, you want me to guess their webadmin password and edit it myself?

Re:Whoever made this...

most likely theres like some backend code that checks then spits out that javascript alert conditionally - its prob'ly not hard coded if thats what you're implying

Re:Whoever made this...

[tomstdenis]

Um the site is run by the CEO of www.certainkey.com. I seriously doubt he uses an easily guessable password.

Tom

bitch, bitch, bitch

First thing it does when the applet loaded was to bitch at me for not accepting cookies. Just like my wife.

Re:bitch, bitch, bitch

weird. First thing it did with me was pull down my pants and start sucking me off, just like your wife.

Re:bitch, bitch, bitch

I added 'www' and didn't have to modify my cookie settings in IE:

http://www.jlcooke.ca/psearch/

Re:bitch, bitch, bitch

[cfuse]

First thing it does when the applet loaded was to bitch at me for not accepting cookies. Just like my wife.

With an attitude like yours I'd be watching who she offers them to next ...

OFFTOPIC

n/t

Not ethical

[Bill_Royle]

I respect the effort and ingenuity, but the rationale that "hey, we're helping solve a problem" somehow justifies stealing someone else's resources... it's just wrong.

Be upfront with people - tell them why it's so important, what can be accomplished with it, and what it does. You'd be surprised - people might help out of *gasp* the goodness of their own hearts. A good example might be SETI, etc.

Re:Not ethical

It's -not- stealing resources to run a java program when you visit a web page. That's what applets are designed for. Do you complain every time java loads? If so, why do you run it? This is more useful than the vast majority of applets; why pick on it in particular?
They -are- upfront with people. It's not so important (the applet.) The stealing thing is a -joke-. Sheesh.

Re:Not ethical

[understyled]

agreed. unauthorized program execution and the like is simply turning people off from the whole idea, making them suspect the need for such covert measures. whether the goings-on are used for good purposes or bad ones really is not so much an issue, as far as i'm concerned. those are all relative terms.

Re:Not ethical

[pla]

I respect the effort and ingenuity, but the rationale that "hey, we're helping solve a problem" somehow justifies stealing someone else's resources... it's just wrong.

Although letting visitors know about this would certainly seem nicer, I don't think I'd actually consider it as outright unethical.

For one thing, considering the number of websites out there that try to feed outright malicious code into our browsers, this looks very very tame by comparison. It uses a few CPU cycles, but has no long-term effects on the visitor.

For another, this seems no different that sending the visitor a few banner ads - Just a way of "paying" for the content. For most of the world, bandwidth costs far more than CPU time, so in effect, this "charges" the user less per visit than most advertisements. From some quick n' dirty calculations, the bandwidth for 35k of banner ads costs me 0.082 cents, while the electricity for a full hour of CPU time (on a PIII/933) costs me only 0.0045 cents... Literally 18 times more.


Finally, I can (and do) keep Javascript disabled in my browser. Advertisements, on the other hand, I do my best to block, but a few still manage to sneak through.

Re:Not ethical

[Phillup]

While I completely agree with your sentiment about being upfront... I don't agree with calling it "stealing".

Who clicked on the link?

Who has Java enabled on their browser?

Who has cookies enabled on their browser?

It isn't like he is doing anything "tricky" or using some "bug" to pull this off. The page doesn't "trap" you. It doesn't eat your CPU and make it impossible to quit the app or go to another page. And, for me, it didn't crash anything.

I *really* don't understand how this can even remotely be considered stealing. Every single item is being used *as*designed* both by the web author and you.

The way I see it... someone jumped in a pool... and now they are bitching about your clothes being wet?

Re:Not ethical

Indeed. Actually, that's a good point - given that java applets are mainly used for advertising, which is making YOUR computer do the work of the advertiser, installing a JVM and enabling applets is clearly granting third parties a strictly limited licence to use some of your CPU licence. If your OS doesn't let you limit the amount of CPU time consumed by the applet, that a limitation of your stupid OS, not the fault of the advertiser/other-work-user.

Re:Not ethical

[TCM]

Who clicked on the link?

If you talk about links in this story you're right of course. But the author is encouraging other webmasters to embed a (hidden) snippet in their site to use visitors' CPU cycles.

It isn't like he is doing anything "tricky" or using some "bug" to pull this off.

The fact that it's a hidden applet - or rather that it can be and is encouraged to be a hidden one - is "tricky" in my book.

Just take that sentence as quoted earlier: "Distributed computing without installing anything...and without people knowing you're stealing their idle CPU time. ;)" He may not have malicious intentions but this one pissed me off already.

Re:Not ethical

[lildogie]

Good point; if we wanted to break the key to somebody's crypted code, we just put up a web bug on a pr0n site and wait for their cpu's to come to us.

5096 bit keys, here I come.

Re:Not ethical

[whereiswaldo]

This sounds a lot like the argument where people who host websites should accept whatever traffic it gets, including a slashdotting.

Should web surfers be held to the same rationale? That whatever processing power the website requires of the client be granted, large or small?

Perhaps this comes down to "acceptable use" which is sort of a gray area on the net, IMO. I'm sure lots of people would like to scrape stock websites, search engine results, etc.. but bots seem to be always prohibited. On the other hand, search engines scrape the web to get their information for their benefit. The more I think about it, the more this system doesn't make much sense.

Re:Not ethical

[Peter+Cooper]

while the electricity for a full hour of CPU time (on a PIII/933) costs me only 0.0045 cents...

Where do you live? Let's assume your 'CPU time' refers to just your CPU, and let's be totally conservative, and say your CPU uses 50W (to edge the calculations in your favor).

So, you're saying that you pay 0.0045 cents for 50W/h, or 0.09 cents per kilowatt hour. Where I live, we pay about 10 cents per kilowatt hour, or 111 times what you claim to be paying. I think your sums were a bit off or you threw a decimal place somewhere you shouldn't have! :-)

Re:Not ethical

[irc.goatse.cx+troll]

"On the other hand, search engines scrape the web to get their information for their benefit. The more I think about it, the more this system doesn't make much sense."
I've thought about that a lot, and it really is hypocrasy. Even google is guilty of it, Set your user-agent ot LWP (a common perl module for pulling websites) and /search starts returning a 403 forbidden error.

Re:Not ethical

[pla]

111 times what you claim to be paying. I think your sums were a bit off or you threw a decimal place somewhere you shouldn't have!

Hmm... Checking my math, I see you have indeed found an error on my part. I used a CPU draw of 30W (roughly accurate for a PIII) and a power price of 15 cents per KW/h. And indeed screwed up the decimal place, by a factor of 100 (I gave the price in dollars, not cents).

So, rather than costing me 1/18th of what a banner ad does, it costs five times as much... Though for an hour. I still hold to my original point, however, since no one lingers at a web site for an hour at a time. Basically, this would break even with banner ads (for which I just checked, and did that math correctly <G>) after about 10 minutes of CPU time.

Thanks for keeping me honest.

Re:Not ethical

For one thing, considering the number of websites out there that try to feed outright malicious code into our browsers, this looks very very tame by comparison. It uses a few CPU cycles, but has no long-term effects on the visitor.

Wouldn't identical reasoning cause you to conclude that there's nothing wrong with punching someone? After all, you're not a murderer, and while it causes a few bruises it has no long-term effects.

Not very intensive.

[LoneIguana]

It certainly isn't using very many cpu cycles, the OS reports that my webbrowser is using less than 1% of the available cpu power

Re:Not very intensive.

[herrvinny]

The Usenet post noted that the applet ran a lowest priority thread, that's probably why. In addition, the browser caps the amount of processing power embedded applets have access to, otherwise, a malicious applet would be able to crash a system or render it unusable.

Re:Not very intensive.

[smart_ass]

With Mozilla I got the same ... but when I opened it up in IE 6.0 it hogged all resources.

Re:Not very intensive.

[LucidityZero]

No, no. You're wrong. IE 6.0 just hogs all resources by default.

Re:Not very intensive.

[FrozedSolid]

It could be the java plugin, whenever that loads all my cpu resources spike and IE freezes for a few seconds, and i'm on a 2.4ghz P4 w/ 512mb ram.

eesh.

./ effect = benefit??

[bluelip]

put the snippet on slashdot.org. The collisions should all be found within an hour.

Normal Thread Priority

[cybermancer]

Interesting idea, but most distributed computing tasks that run in the background run at low priority. Since this is running inside your browser (more or less) it will run at the priority of the browser. Unless your browser is running at low priority then this process will push all the lower priority processes out of process cycles.

This could prevent contact with ET!

Re:Normal Thread Priority

[mlk]

Java applets run as a different process to the browser, and it can (and very likely does) create a new thread, and set its priority to low.

Re:Normal Thread Priority

[gad_zuki!]

This is untrue, I'm running it right now and MozillaFirebird is using 100% of my processor.

I can't even watch an MPEG-II video without massive frame-rate skips. Run this thing and it will eat up your processor.

Re:Normal Thread Priority

[CTho9305]

Low-priority processes can use 100% of the processor so long as no other processes are waiting for the CPU.

Re:Normal Thread Priority

[mlk]

o/c it is using 100%.

I get video skipping if I leave UD running, you should disable any idle cpu eater when doing anything that actually needs the cpu.

Re:Normal Thread Priority

[gad_zuki!]

Understood, but that means it should not be interfering with video playback. It should gracefully allow the app in the foreground to take the CPU power it needs.

Re:Normal Thread Priority

[mlk]

sorry, missread some of that.
Moz uses the libarays, rather than starting an external application, but it still runs as a diffrent thread, with a low priority.

Re:Normal Thread Priority

[irc.goatse.cx+troll]

Assuming a good schedular, thats true. Big assumption though, from my experience:
windows 9x - bad
linux 2.2 - bad
windows nt - decent but not great.
freebsd 4.x - big improvement over 2.2, about par with patched 2.4 if not a little subpar.
linxu 2.4 - better, good once patched
linux 2.6 - best

These are by no means scientific results, just my personal experience. best = low priority tasks have zero effect, bad = low priority tasks have no difference.
Again, purely personal experience, not scientific. if someone wants to donate some hardware I've got the time for more scientific results.

the slashdot effect

[Peeet]

It's about time that the monster (us) is used for good and not evil.

Oooh! I thought of another way...
Just Click here.

-P

Re:the slashdot effect

Dude, that's some fscked up stuff on that site! Damn entertaining, too. Did you read the whole Linux lawsuit FAQ thing? Funny shiznit! Obligation to protect their Intellectual Property...by distributing source code through their own FTP servers. Ha!

An Important Warning

Mad Troll Disease is a fatal disease that has reached near-epidemic proportions. It is caused by failure to pay your $699 licensing fee to SCO. Please protect your health and don't forget to pay your $699 licensing fee.

Re:An Important Warning

... you forgot the "you cock-smoking tea-baggers" part. Please try again.

See ya in Gitmo ya Commie Bastard

We'll start heating the pliers now faggot.

Re:See ya in Gitmo ya Commie Bastard

Why, is your mom visiting?

Great, GREAT idea.

[SargeZT]

I nearly got suspended from school because I installed seti@home on all the machines. With this, I can still maintain my EVIL distributed computing campaign, and do it without them knowing!

Re:Great, GREAT idea.

I have absolutely no sympathy for you whatsoever. The first rule of distributed computing is that you install the clients ONLY on those systems for which you have permission to do so. Did you ask your school's sysadmin for permission to install Seti@home on every school system? No? Didn't think so.

At least with this system, the amount of resources you tie up is limited by you having a web browser open and pointing at the relevant web page. Even so, though, the first rule still applies.

Re:Great, GREAT idea.

[kupo+zero]

Not a great idea to let all of slashdot know your password to your MySQL database. Nice choice in a hard to guess password though. Never would have got it :P

Re:Great, GREAT idea.

Just so you know.. you're an idiot.

Re:Great, GREAT idea.

hehehehehe.... i couldn't stop the urge from poking around your site. NICE PORN!!!

Re:Great, GREAT idea.

[TeknoHog]

I nearly got suspended from school because I installed seti@home on all the machines.

Well, I used to run dnetc on a CERN cluster, so obviously I am more 0x539 than you!

Re:Great, GREAT idea.

lol - the text you changed it too looks like your cursing, and not actually thanking the user called "motherfucking shit" ;)

Re:Great, GREAT idea.

[ryen]

..limited by you having a web browser open...
actually, if they are running windows with the activex desktop turned on he can run this as one of those hidden activex desktop item thingies.

fucking troll

FREAKING MORRON!!!

you're supposed to put n/t in the title. N/T means NO TEXT so people with dialup LIKE ME don't have to waste time loading your stupid comment to see why you said its offtopic only to see NT!!!

Re:fucking troll

The extra 'R' you put in 'moron' slowed me down too, ya idiot.

Re:fucking troll

The motherfucking redundancy of your motherfucking comment, has made this motherfucking comment motherfucking redundant by motherfucking replying to the motherfucking redundant motherfucking comment. Motherfucker.

Re:fucking troll

Get a job a pay for some cable/dsl access, if you can't get it, move to a place that does. Now shut up modem bitch.

Re:fucking troll

Well fuckface, maybe he lives in a country area that has one way cable lines and is too far from the phone company office like me. Not so smart now are you asswipe.

Crashing

[Aviancer]

Is this applet crashing anyone else's browser?

Re:Crashing

[Peeet]

I think so - it made Gomez Peer crap its pants as well,
maybe it's "Microsofting" (-1 Flamebait) the other distributed computing programs.
Anyone have Seti@home running?

Re:Crashing

[lounger540]

After viewing then leaving the page, iexplorer continues to use 95% cpu time on my 2.4 until I kill it. I only noticed when five minutes later my CPU fan sped up, it never sped up before.

Re:Crashing

Yeah. crashed Firebird 0.7 ever... so... slowly... on my vaio TR1.

Feh.

Re:Crashing

No crash but... Am running Opera 7.23 on Win2K at
the moment. When the app starts the cpu usage
goes to 100% and stay there until the window for
the page is closed. Yetch.

Re:Crashing

[El+Catface]

Same here (Internet Explorer). I had surfed away, but he still got a good 30 minutes of CPU time out of me before I randomly ran 'netstat' and saw the connection to the server still open. My CPU usage was at 100% when I checked, but once I closed all Internet Explorer windows it returned to normal. Oh well, that's what I get for using IE. :)

If anything ever comes of this, I can see someone finding some rather more nefarious uses for this Java malarkey...

Any website adding this small snippet of code...

[amplt1337]

"What? No, honey, I was just visiting www.babe-licious.org to, umm. Help with the, er, research! Research on MD5 collisions! Yeah!"

For anyone wanting the code...

[Vaevictis666]

Here's the code:

<!-- try IFRAME, else use LAYER -->
<IFRAME SRC="http://www.jlcooke.ca/psearch/dmd5l.html" SCROLLING="NO" FRAMEBORDER="0" WIDTH="100" HEIGHT="32">
<LAYER SRC="http://www.jlcooke.ca/psearch/dmd5l.html" WIDTH="100" HEIGHT="32" CLIP="0,0,100,32"></LAYER>
</IFRAME>

It' s making an iframe that loads the applet, and just does its own thing - by loading in the iframe it can call back to their host, rather than yours :P

Someone should let him know that he needs to make his server parse .html files through PHP, 'cause he's got a PHP header that isn't being sent - oh yeah and better html please.

Re:For anyone wanting the code...

by loading in the iframe it can call back to their host, rather than yours :P

Actually, applets can contact the server they were loaded from.

E.g., read: http://java.sun.com/sfaq/#socketOrig

Re:For anyone wanting the code...

Dear Lazy,
Tell him yourself.

How to steal a virtual supercomupter?

[LostCluster]

Let's put the research effort asside here and thing about the underlying concept here... basically, this is a distributed computing app being buried within webpages. Could commercial interests use this concept to get access to computing resources from their web users without telling them?

Re:How to steal a virtual supercomupter?

"Could commercial interests use this concept to get access to computing resources from their web users without telling them?"

What? You mean like commerical interests sending unsolicited email?

Executing Time

Won't this Java Applet only execute while you are at the page in which has the applet? I notice in Windows that the Java taskbar icon appears when I go to the website and stays there until I "close" the window...

How long will the applet execute since I doubt it will execute after you close the browser window or leave the website?

Re:Executing Time

I believe you are correct and thus making this not a viable solution for the masses since the execution time is limited and finite (since it won't "start" up again until you go back to the website).

New buisness plan

1. Create very small website with CPU draining applet and post a link to said website to Slashdot.
2. ??
3. Profit!

Re:./ effect = benefit??

[TCM]

What's this Dotslash you talk about?

Parasitic computing

[bigberk]

I believe the term was parasitic computing. Ideally the web master makes visitors aware to what's going on. You're using visitors' computing power to accomplish a neat sort of distributed computing. Great idea, if you're not just stealing resources

Re:Parasitic computing

It's not stealing! It's copyright infringement! ... oops, wrong thread... sorry, everyone.

Re:Parasitic computing

[PReDiToR]

Combine this with the CPU cycles needed to send SPAM messages under MSFTs new hashing system, link it to a popular site and all the email tax in the world ain't gonna stop the UBE.

no thanks

[mercuryresearch]

As someone who intentionally runs a low-performance box as a primary system (VIA Epia 533) I'd be pretty unhappy with some snarfing up a few cycles. Junked-up web sites with flash and excessive java/javascript are REALLY noticable when you're browsing at the low end of the power curve.

I run a cpu monitor in the background and when a site wants to run one of the more annoying classes of advertisements, utilization usually pegs... I can't imagine what something that intentionally sucked cycles would do.

Re:no thanks

I agree, I have a laptop, and I know when I all of a sudden start sucking 100% CPU.

The fan starts humming and I can feel the computer's heat through my desk.

I also wouldn't want this to happen if I was on battery power.

Re:no thanks

[whitekolovrat]

blocking_ads_in_hosts_file = shekshee++

Re:no thanks

[Kris_J]

At work I can tell when the CPU load goes to 100% because my laptop's fan kicks in. At home it would have to fight with, depending on the PC, distributed.net or the new BOINC.

make it from the same domain

[Archfeld]

cross domain cookies get rejected by lots of people, and is going to be the default behavior under xp sp2 and 2k3. I'll accept a cookie from the site I am trying to use, but 3rd party folks better stand down, either provide a service for that info or some money, its what everyone wants from me these days. $$$'s for a long distance land line service I have never used but can't avoid, number portability for a cell # that I don't publish and never plan on taking anywhere with me...surcharges for handling and processing and restocking fees. I am bloody fed up with it, either give me somthing for my money, or STEP OFF JACKSON...

whew I feel better...Happy New Year all, be safe and have fun :)

Re:./ effect = benefit??

[Darth+Fredd]

Yeah, but do we all run Java enabled browsers? (lynx, links, etc)

I'm running No-Java-Opera right now:because the java enabled opera was 11 more megs.. ..and I have dialup.

Point is, geeky as we are, we're probably all expirementing with stuff.

NOT LIKE THAT YOU PERVERTS!!/

RFI: "collision" means?

Newbie here. I searched around for "md5" and "collision", but only found sites that seemed to already understand what a collision is. Well, can someone explain what an md5 collision is? I'd like to continue reading the article....
Is it simply that, since the hashing is a reduction operation, that multiple (different) messages can have the same hash? If so, then can someone explain the utility of searching for such things?...I'm afraid I can't see the dark implications of such a functionality. Thanks in advance.

Re:RFI: "collision" means?

[WTFmonkey]

The whoop is that MD5 is often used for "fingerprinting" or other unique identification on the internet (et al). Since we all know that what can go wrong will, the question is the definition and accuracy of the infamous phrase "computationally infeasible."

Basically, in a world where everything was based on a thumbprint, would you want even the smallest chance, no matter how statistically unlikely, that someone else had the same thumbprint as you?

Re:RFI: "collision" means?

If two strings produce the same md5 hash, the universe ends. This project should probably be stopped.

Re:RFI: "collision" means?

[tstoneman]

MD5 is a hashing algorithm. It will take an input of theoretically any size and create a 16 byte number that maps to this string. Most security algorithms use MD5 (or SHA-1 or some other hashing algorithm) to verify that the plaintext or cryptotext has not been altered during transit.

Obviously, since a string can be an almost infinite length, there has *got* to be collisions somewhere, but so far, no one has found any.

Realize that 16 bytes = 128 bits = 3.40282367e38 different outputs of MD5. Given that the half-life of a proton is 10e31 years, you need to do about 1 per second before half of the universe ends for good. Or, if you want to finish it in 100 years, you would need to 10e20 per second.

You better start some time soon!

Re:RFI: "collision" means?

[jrstewart]

The chance of an MD5 collision if MD5 were an ideal hashing algorithm is astronomically small. To get a 1% chance of a collision you'd have to test on the order of 2^63 samples (for the math behind this google for the birthday paradox; it's of the order of the sqrt of the size of the hash space) to find two that match. Never mind finding an MD5 which matches a chosen hash value.

This is a really big number.

Nobody's really concerned about MD5 hash collisions of reasonable corpii (corpuses?, forgive my pseudo-latin) if MD5 is actually a perfect hash, or somewhat close to it. What people are really concerned about is there being some weakness in MD5 where you can reverse the algorithm and given some MD5 hash (maybe not any hash, maybe just certain ones) and come up with strings which hash to that value.

For example, suppose that 2^127-1 is prime (it may well be but I'm too lazy to check). Then if you start pulling out random strings foo and using the remainder of foo mod 2^127-1 as your hash you'll also have a 1% chance of a random collision with a sample size of the order of roughly 2^63, as above. However there are some trivial collisions you can calculate, like 0*(2^127-1), 1*(2^127-1), 2*(2^127-1) all hash to the same value.

If the data you're feeding your hash algorithm is random (more or less) there's no reason to prefer the modulus algorithm over MD5. But if you're using it for cryptographic things the modulus algorithm is pretty useless, and it may turn out to fall down on many common inputs that MD5 gives good results for.

I may have goofed some of this, and there's lots more to be said about it but I've wasted enough time on this post as it is.

Re:RFI: "collision" means?

[StaticEngine]

Yeah, this guy is doing the collision testing on his server? So, what, he's caching every test input and Hash Value, and is going to flag a notice when the same Hash comes up twice? I hope he has a LOT of Hard Drive space to store the 2^128 different keys and input strings.

Re:RFI: "collision" means?

[tstoneman]

Actually, I think in the "Chinese Lottery" scenario, there is one string/hash pair that is chosen, and all the clients try other combinations of strings. Whoever gets the same hash will "win" the lottery. Thus, the web site wouldn't have to store anything except the returned plaintext that hashed to the same MD5 value.

I think the original "Chinese Lottery" scenario was if everyone one in China had a radio that was set to do encryption, and the Chinese government broadcasted a particular ciphertext that it wanted to encrypt, every radio would do the decryption using different strings until one of them got the answer. I think it would be under the guise of a lottery, so whichever citizen came back with the winning radio would receive a prize, and the Chinese government would have their cracked ciphertext.

Re:RFI: "collision" means?

[lxs]

You're basically correct. Theoretically many different inputs have the same md5 hash. However, the chances of finding two such inputs are very small. There is no real practical value to finding such a collision, other than to give a rough idea of what it takes computationally to find one. Since md5 is used to check the integrity of files like linux isos, it is important to know how secure the algorithm is.

It is a bit like SETI@home, It is very likely that we're not alone in the universe, but until we have empirical proof that we're not, nobody is truly satisfied.

Besides, if this was of true significance for national safety, funding would be found to run this on dedicated machines.

Re:RFI: "collision" means?

[davidstrauss]

If two strings produce the same md5 hash, the universe ends. This project should probably be stopped.

I'm pretty sure that happens quite regularly when the strings are identical.

Re:RFI: "collision" means?

an md5 collision is where you have two strings that will hash (through md5) into the same new string

md5 is a one way encryption process -

"whatever" -> md5 -> 32 character string of 'stuff'

it's used in many instances to store passwords. essentially you can't decrypt the hash, rather, you can only re-md5 a new string and compare.

there are an infinate amount of md5 collisions - findind them is a very tedious process indeed. there is a sideways-8 number of them because md5's are only 32 characters long, while strings have no limit on their size. the number of potential strings goes far further than the number of potential md5 strings (uhm.. i think its something like (36!) or something..

Re:RFI: "collision" means?

No. The md5 hash will just be replaced with something more complex (like SHA1)

Re:RFI: "collision" means?

[jlcooke]

No respectable cryptographer uses MD5 for signatures anymore, they havn't for years - the industry hasn't caught up yet (TripWire, VeriSign, .rpm, .deb, md5sum, some PRNGs, etc)

This is the essance of why I'm doing this.

Look around for evidance of this movment in crypto circles (ie don't listen to /. posters... :) )

Re:RFI: "collision" means?

[jrstewart]

I'll admit that I don't follow crypto very closely. Nonetheless, everything I said was true, assuming MD5 is a perfect hashing function. Which crypto circles have decided it's not (I think SHA1 is the preferred hash among people who are concerned with these kinds of things).

But how bad is MD5? Should we be concerned about using it for a file checksum? If anybody knows offhand what the (practical or theoretical) weaknesses of MD5 are, I'd love to know.

Presuming there are weaknesses to MD5, I'd presume that the chinese lottery program attempts to exploit them rather than just calculating random hashes and hoping to get lucky.

Happy new year!

Its offically 2004 in my Time zone! So Happy new year

nonono-it *does* tax the servers..

[Darth+Fredd]

..some. You use bandwidth for data throughput, you have the CPU usage..

All on the server side. Yes, the clients are the ones doing the Real Work, but you have to do something with the result of that work. And its the Doing that taxes your servers, if only a little bit.

Re:nonono-it *does* tax the servers..

[gordyf]

Well, no, all your server has to do is send one more line of html. Everything else is handled by their servers, not yours.

MOD PARENT DOWN - -1, FLAMEBAIT

This "Anonymous Coward" guy is always looking for a fight.

Back in the day

Back in the day when in my office we were having a competition to process as many rc5 keys for distributed.net we used to do almost anything to get a higher key processing rate. We would kick back late after work and install the rc5 client as a Windows NT service on all the machines of people who would never know better.

At the time I did seriously consider the distributed processing via a web page approach, either in flash (actionscript can whir away on problems while displaying some whizzy graphic to keep visitors entertained), or java, but thought that it was a little unethical to use up random peoples CPU time (the people in the office were fair game in our rc5 war, the general public were not).

Good idea accept its Java.

[JPriest]

... and it would take less time to do with a punch card reader.

This plus popunders? ne The other way to pay.

[IBitOBear]

OK, so an evil webmister makes a pop-under containing this kind of code and puts it up when you visit his porn site (optionally by mistyping "google" in your address bar.)

Heck, (google|SlashDot|your legitimate business) just has a tiny inset on their page: "This box is using your spare CPU cycles to help us pay for this site or service. Subscribers do not see this box. Click here to subscribe."

It could work.

In the popunder case it is vile and abusive. In the legitimite and well advertised case it is totally fair.

Re:This plus popunders? ne The other way to pay.

[PReDiToR]

Give them a TLD of yourdomain.cpu just so that you know you're surfing to a site that will use this technique.

Re:This plus popunders? ne The other way to pay.

[fred87]

What about people who have disabled java?

Re:This plus popunders? ne The other way to pay.

[IBitOBear]

How hard is this? If the applet can't be started the "extra light" version of the page would be displayed. The statefulness of the connection to the java applet, as verified by an "application level ping" could "ensure" that your customers are playing fair.

In other words, think: "You must allow java to see this page if you don't have a subscription."

Only with properly constructed teasers.

Argggh! It's not ready yet!

[phr1]

It's really too early for Slashdot readers to try to run that code. As the usenet post said, it's alpha test. I'd actually call it pre-alpha. The usenet sci.crypt discussion is about ways to change the design so it can be hosted on multiple sites at the same time. Really, it would have been a lot better to wait for the author to make an announcement, before linking an ongoing discussion about a work in progress to the front page of Slashdot as if the code was ready for prime time. Ow!

Bruce Green?

[Skiron]

Ummmm. Well, with M$ dumping their java thingy, and all and sundry having to use Sun's (good jog to!), sounds a great way to get XP's (you don't use that, do you?) Bruce Green of Death.

Short answer: yes

[The+Creator]

I read a whitepaper about it a few years back. Some smart guys had constructed a class of messages where some bits where irrelevant.

Re:Short answer: yes

[Tom7]

Really? Was it a reduced-round variant? If it's real MD5 I'd be very interested to see the paper.

Re:Short answer: yes

[The+Creator]

Well it was the compression function. The paper was written by Hans Dobbertin back in 96.

I guess i just forgot some details since then.

Re:Short answer: yes

[jlcooke]

a collision in MD5's transform was found. But not on the whole hash.

Difference? The md5() function includes padding. The md5_compress() collision is cited here:

http://citeseer.nj.nec.com/denboer93collisions.h tm l

MOD PARENT TROLL

Oh shut the f*ck up, troll.

Re:MOD PARENT TROLL

The FCC should regulate how much java code a company can release in a year.

Hey Sarge...

[Motherfucking+Shit]

Might want to check your webpage, man. The index file is missing, and among the directory listing is at least one file which reveals your MySQL password.

Re:Hey Sarge...

Might want to check your webpage, man.

Definitely deserves a +1 Funny. Why? Because it's true.

Re:Hey Sarge...

[MyHair]

must....resist....logging...in....

(He's right! And it's worse, but I won't say what's worse.)

Re:Hey Sarge...

Might want to check your webpage, man. The index file is missing, and among the directory listing is at least one file which reveals your MySQL password.

Don't worry. I fixed it for him ;)

seems a bit easy to highjack

[doublebackslash]

With this being posted here someone with more knowledge of java than me is going to have the idea to give back false results. That is the reason for an install, to give the project mamgers control.
I bet that sometime son they are going to be finding lots of collisions, all results from the same IP.
Hope they have some sort of filter.

Re:seems a bit easy to highjack

[herrvinny]

The source code isn't provided, unfortunately. But I am a Java guy, and the Java language does include encryption functionality. However, after reading the entire Usenet thread, he makes note that bandwidth is an issue, and even says he might host it on SourceForge because it has MySQL capability. Since he wants to conserve bandwidth, and most probably CPU time (reserve all he can for the calculations), my guess is he didn't use encryption, and just compresses and does something else funky with the stream back to the server. I'm just guessing though, I'm not going to go to the bother of analyzing the applet, sniffing the outbound packets, etc. This is a very cool project. I'm just a little enraged with myself for not having thought this up sooner ;-)

Re:seems a bit easy to highjack

[tunah]

But if I say that "foo" and "bar" have the same md5, it's trivial for the server to check otherwise.

I like the idea, but

[tulare]

It crashes Safari. Now, admittedly, I don't know whether this is a Safari bug, a Java bug, a bug in the applet, or some combination thereof, but here's what happens to me:
I load the thing in its own tab, have a look, look at the neat code that loads an IFRAME, etc. Ho-hum, nice idea, let's see where it goes, cmd-W to close the tab. Whups! The entire browser window closed, including all the tabs which I hadn't got around to checking yet! Safari is still running in the foreground, but I just lost its window.

Anyone interested enough to debug this? I'm not =P

Re:I like the idea, but

[kasperd]

It crashes Safari. Now, admittedly, I don't know whether this is a Safari bug, a Java bug, a bug in the applet, or some combination thereof

It cannot be a bug in the applet. An applet is not allowed to do anything, that could crash your browser. If an applet is actually able to crash the browser it is by definition a bug in the browser. (Here I consider the JVM to be a part of the browser, so the bug could be in either the browser or the JVM). Of course it might very well be a combination of bugs in browser and applet. But the most critical bug then is the browsers missing ability to gracefully handle bugs in the applet.

I really hope this doesn't catch on

[digitalgimpus]

Not that I mind technology, and new tricks.

But the last thing I want to see is every website hogging my CPU. Either selling computing power of their web visitors for profit, or using it for themselves.

Imagine the next series of Spyware Trojans... rather than spy, they harness your CPU and sell the power. All without the knowlege of the computer owner.

Interesting business model, but not something I want to see. I like my CPU. Note the word "my".

Re:I really hope this doesn't catch on

[slugo3]

"brilliant digital" spyware which istalls with kazza i think, does just that. I have seen this on more and more machines lately

Re:I really hope this doesn't catch on

[ad0gg]

Imagine the next series of Spyware Trojans... rather than spy, they harness your CPU and sell the power. All without the knowlege of the computer owner.

But then some enviromentalist finds that the progams kills a few birds and is shutdown.

Re:I really hope this doesn't catch on

[Filopopulus]

I wouldn't mind.

I'd prefer to pay for some applications that I use with my CPU than with cash,

Oooh my god they are going to steal your CPU! Nonsense, IMO. Snooping in your private data like some programs do today is much worse. Using your CPU for someone else's computation in exchange for a nice application I'd call it a good business. But that's just me.

Re:I really hope this doesn't catch on

Here's an easy way to prevent that from happening: run your own DC project! That'll keep that capitalist scum off your back.

Implications of MD5 Collisions

So what would finding a collision really mean that we don't already know? There's an infinite number of strings, and a finite number of hashes, so obviously collisions exist. It's just horribly inconvenient to go out and find a good one for the purpose of forgery.

Anti-Javascript Post...

[evilviper]

This is just ONE MORE REASON YOU SHOULD DISABLE JAVASCRIPT.

Why is it when I say this stuff, nobody believes me?

If that's not enough, check-out my .sig (WARNING: Sig link is not FRIGGIN SAFE for work, home, or anywhere else).

Re:Anti-Javascript Post...

[Tweaker_Phreaker]

This uses Java not Javascript; learn the difference.

Re:Anti-Javascript Post...

[karlbowden]

Actually it uses both Java and Javascript.
If you disable Javascript, then this site will be unable to load it's java applet.

I have instead just disabled Java.

Re:Anti-Javascript Post...

[evilviper]

This uses Java not Javascript; learn the difference.

Didn't follow the link before I posted my message. However, your arguement is pointless.

You see, just because THIS ONE EXAMPLE uses Java, does not mean that java is necessary to perform the same function.

Javascript is fully capable of performing just about any matematical functions on your computer, and silently subitting that information back to the source.

As a matter of fact, java is more secure than javascript. With java, you are only allowed to send data back to the site that loaded the applet. With javascript, there is no such restriction, and it will be happy to submit the data to any website specified by the writer. Not to say that those safeguards are perfect, but it still provides a much higher level of security than javascript.

Re:Anti-Javascript Post...

You see, just because THIS ONE EXAMPLE uses Java, does not mean that java is necessary to perform the same function.

So, in summary,

1) This is not an example of a reason to disable javascript.
2) You are a fucktard.

Re:Anti-Javascript Post...

[evilviper]

1) This is not an example of a reason to disable javascript.

No, Mr. AC, this CONCEPT, is one reason to disable javascript.

I NEVER said this code was an "example of a reason to disable javascript." In fact, instead of your lies and BS, let's try reading EXACTLY what I said:

This is just ONE MORE REASON YOU SHOULD DISABLE JAVASCRIPT.

There you have it...

Since when...

...has it become acceptable to use anyones computing resources without their knowledge and consent?

From where I come, this would be at least considered theft. It's stealing power (electricity) that you pay for, CPU cycles and RAM you might have other use for. It's using your resources that you pay for.

It's premeditated - not some action of a whim. It's also targeted at any and all passers by - like if you just happened to stroll by a store they were all of a sudden stripping your credit card of "just small amounts" using some yet unknown method for scanning your card from a distance without neither your knowledge nor consent.

Where I come from, such crimes can, and would, put people in jail.

Next slashdot poll

[ralphus]

I'd like to see the next poll: Did you click on the link to run unknown code recently posted on Slashdot? * Yes, I'm a moron * Yes, but I audited it first * Yes, but I did it from enemy's computer * Yes, and I did it proudly from work, who knows how many security policies I broke, and who cares. * I click on EVERYTHING! * Nope

Wow. Something where a slashdotting

[jtnishi]

is a good thing.

Not Everyone is as quite so Advanced

[ledbetter]

Most people who browse websites are quite simply unaware that their computer even contains a concept called Idle CPU Cycles, or that there is any way to get a CPU % reading from their computer. Besides, not everyone is so miserly with their CPU time. Most users also have a short attention span.

If the user, whose browser visits such a website that opens up a number crunching applet, notices that their whole computer just became slower, then they'll leave the website. And the applet will be alive for less time. Therefore successful applet projects that are accepted and deployed by various webmasters, which want to obtain the most results would make sure that the applet is as unobtrusive as possible. Otherwise the user will browse away from the page (and or close the browser window all together), and the applet's lifespan will be short.

Re:Not Everyone is as quite so Advanced

[Deliveranc3]

You'd think the same would be true for ad/spy/mal/spamware but here we are :(

80G frames rendered through your browser!

[myowntrueself]

At 24 frames per second.

No kidding; some of this stuff weighs in that heavily. This was before fibre channel too.

Think Balrog scenes done with particle simulations... (it didn't last).

gogole.com????

[MyHair]

after reading the entire Usenet thread

Domain gogole.com? Well, it seems to work and looks like Google.... Yup, whois verifies it. Guess they decided to use those anti-immitation registered domains.

Re:gogole.com????

No, gogole.com is actually a very sophisticated domain squatter; here's the proof: link

Re:gogole.com????

goatse.cx is now considered evidence ?

CORRECTION

[MyHair]

Obviously, since a string can be an almost infinite length, there has *got* to be collisions somewhere, but so far, no one has found any.

Correction: No one has reported any. I, uh, have a friend--yeah, that's it--who found a few collisions but is afraid to report them because it always occurs between his beastiality files and his lengthy and frequent poetic love letters to some girl who claims he's stalking her.

WARNING! WARNING! DANGER WILL ROBINSON!

[Crypto+Gnome]

I dunno what they think they're doing, but they managed to consistently crash my browser in under 5 seconds.

YOU HAVE BEEN WARNED

• Windows XP PRO
• Athlon XP 2200+
• 1GB RAM
• Firebird 0.7+

Re:WARNING! WARNING! DANGER WILL ROBINSON!

[Vaevictis666]

Hmm... I'm running XP pro, Athlon XP 2500+, 512 ram, Firebird 0.7, and I have no problems...

Re:WARNING! WARNING! DANGER WILL ROBINSON!

Windows XP Home, Firebird 0.7, no problems whatsoever.

Re:WARNING! WARNING! DANGER WILL ROBINSON!

Wow, thanks for the detailed bug report, we'll get right on it.

A realization just occured to me. Specifically, where would we all be without devoted, selfless Internet citizens such as yourself taking the effort and time to contribute their energy where it can really make a difference.

Thanks again, really!

Missing option

[NTmatter]

I don't have a mouse, you insensitive clod!

Finally a possible way to pay for web traffic?

[waferhead]

Once they have gotten this working, and assuming there is a commercial need for these cycles that exceeds the cost in bandwith, a site could do as others have suggested, and require you to run this app (ala netzero etc) in order to acess content on the site.

Beats pop up ads, anyway.

Are you sure it was working?

[xant]

when i visited the page mozilla firebird cpu spiked up to 99 quite quickly, and quickly fell to 0/1-ish when i closed the tab.

WARNING! WARNING!

The applet will stay running even after you close the page that started it, using up 100% CPU time without your knowledge or approval.
Do NOT go to the site.

Re:WARNING! WARNING!

[xjimhb]

Yeah, this thing totally hung my browser (Mozilla 1.21), it would not do anything! I didn't check CPU utilization, but I did use "ps -Af" to see what was running. At first it has about 8 Java processes going, then it settled down to 3, with one of them defunct.

To recover, I had to do a "kill -9" on the Java processes, and that ended up also killing the browser. VERY ill-behaved!!!!

I am not going to try it again!

'Just' go to the web page...

[Kris_J]

I don't have Java enabled on my desktops AND I'm actually posting this from my mobile phone. How do I join in again?

Re:./ effect = benefit??

Until the central data-collection server was slashdotted with data from clients. ;>

Ulterior Motives . . .

[Dausha]

But, could this not be used to build a hash table of all MD5 sums? If all possible MD5s were known by one source, what is to prevent them from using this as a simple lookup to crack MD5-based passwords? Even if they only focused on short strings (say, typical password length) they could go a long way to defeating another security mechanism.

Re:Ulterior Motives . . .

[Bob+of+Dole]

The fact that there are 2^128 MD5 valid MD5 hashes is what's stopping them.
That's a whole lot of storage space.

curious i am

This chinese newyear er.. lottery system --

so they use your cpu cycles to generate these md5 hashes - yes? then they are transmitted back to the mother server, eh? are they just making a monster database of md5 hashes and comparing them ... i see everyone here is bitching about losing their cycles or whatever the hell i'm very curious as to how the system works in terms of client/server interaction and this 'chinese lottery' -- how the hell do they use this to find md5 collisions??

I don't get it

[mackman]

I've never understood what the big worry is about hash collisions. I mean, even if in theory you could find another message that hashes to the same value, it's many orders of magnitude harder to find a meaningful and believable substitute message that hashes to the same value. Even the Birthday attack seems pointless. Who cares if the hash is effectively half as long to find ANY two message that hash to the same value, I only care if somebody can find a message that matches MY message hash. Is it because cryptographers are obsessed with theoretical but impractical weaknesses, or am I just not understanding this right?

Re:I don't get it

[jlcooke]

Read van oorschot's paper cited in my sci.crypt post. You'll start gettign mad at VeriSign, Amazon, SourceForge, et al for using MD5.

Nutcase :-)

[MacFury]

.has it become acceptable to use anyones computing resources without their knowledge and consent?

Some sites are plain text, this uses up less CPU cycles than a flash intensive site.

One could argue that this applet provides no value to the end user, and that could be true. However, it could also help pay for the free content that the user is viewing.

It is neither inherently bad nor inherently good. I can see it going both ways. Porn sites will use it for god knows what. Places like SETI and Folding@home could use it to benefit mankind.

yuck

[Sivaram_Velauthapill]

Yuck... That is the WORST THING I have EVER seen in my life!!! I feel like throwing up. I can't believe someone would take a picture of that, let alone disgust others with it... I think humans have reached a new low with that picture :(:(:(

Sivaram Velauthapillai

Re:yuck

Welcome to the ways of Americans. The more American jobs you steal from us and bring to your country India, the more we will innundate your country with our culture.

At this rate, your beloved country will be the exact same cesspool that you see here in a few years. I would fight all the North American influences that will tear your country apart and revolt against the global corporations that care more about their money and pocket books and don't give a damn about polluting your culture and society with the filth that you have just seen.

Take my word, in a few years, you'll see an Indian Britney Spears take off all her clothes at age 16 just so that horny Indian males will buy her CD. Arranged marriages will be a thing of the past and you will have to fight for your own wife.

Be warned. Act now against all these terrible Western influences before it's too late.

Re:yuck

[Sivaram_Velauthapill]

Your guess isn't exactly correct. I'm not in India; I'm in Canada (have been for over 10 years). I'm not even from India originally, although my ethnic group is similar and I'm from a country that is close to it.

In any case, this has nothing to do with American culture. I'm VERY liberatarian on these issues (although I'm not a liberatarian; I'm a socialist since I support the state). So things like sex, nudity, pornography, prostitution*, etc are ok. BUT this stuff is just unbelievable! When I say it is the worst thing I have seen in my WHOLE LIFE, I mean it. It is just so disgusting that I don't know what to make of it. Do people actualy ENJOY showing this? Man it's just so horrible...

(* I was government intervention when it comes to prostition though. )

Take my word, in a few years, you'll see an Indian Britney Spears take off all her clothes at age 16 just so that horny Indian males will buy her CD. Arranged marriages will be a thing of the past and you will have to fight for your own wife.

As I said, I'm not in India. Also, I'm not like typical South Asians who are conservative to some degree. I'm ok with women taking off their clothes. That's ok with me because it is their CHOICE. As long as people don't force someone to do stuff, I'm ok with it. Even though women in Western countries are more sexually exploited, they have more freedoms. They do things with their own will.

Arranged marriages? That is a sub-optimal solution and leads to abuse of women by men. Even though the high divorce rates in USA and Canada, for example, need to be lowered, at least people make their own choices--however wrong they are. Having said that, people like me would probably be better off with arranged marriages. In Canada or whatever, I don't think too many girls like people like me (who aren't good looking, have no money, don't have a good job, no fame, and to make matters worse a geek, who happens to be a socialist). Things just cannot get any worse for me :(

Anyway, I am not who I seem to be :)

Sivaram Velauthapillai

The most likely

The most likely cause of your crash is that you're an idiot and your system is poorly configured. Giving your operating system and especially your cpu speed/ram size is retarded. Maybe you should just give up, fuckwit.

Happy new year!

You can still suffer popups with Mozilla....

[Guspaz]

Popup advertisers have found a way around popup blockers, including Mozilla's built in one. The only way to avoid them is to disable javascript entirely.

PayPopup's popunder code employs just such a popup blocker blocker, if you will. It pops up popunders in Mozilla at will.

Re:You can still suffer popups with Mozilla....

[Kris_J]

I think paypopup.com is in my .hosts file as 127.0.0.1.

Re:You can still suffer popups with Mozilla....

[mattdm]

I just tried the demo at that site, and it doesn't work at all with popup blocking enabled in Mozilla Firebird 0.7. With blocking disabled, it works, but created a window so small the ad content wasn't visible.

I think the "way around" was based on too-forgiving logic in the original popup code, which tried to not block "legitimate" popup windows. The new system imploys a whitelist and explicit show-popups-for-this option, allowing the default rules to be much more harsh.

Re:You can still suffer popups with Mozilla....

[Guspaz]

I stopped putting such things in my hosts file. When I tried to load many websites (Example, TVtome), they would take several MINUTES to load while Mozilla waited for the advertisements to time out. More trouble than it's worth I say! I'll take the annoyance of the ads and get rid of the triple-digit load times :p

Re:You can still suffer popups with Mozilla....

[Guspaz]

I used Mozilla Firebird 0.7 for my testing. The popups appeared. Perhaps you have something else configured that takes Firebird away from it's default behaviour?

Re:You can still suffer popups with Mozilla....

[Kris_J]

That's funny, my PC immediately rejects any attempt to fetch web content from it. Pages load faster, not slower.

Re:You can still suffer popups with Mozilla....

[Guspaz]

I have an idea as to the possible cause; is your local machine running a web server? If so, you'd get instant 404 errors, causing the instant rejection. In my case I don't, so Firebird would time out trying to load the ad content.

Perhaps I should write a simple web server to simply reject everything with 404 errors for these kinds of situations.

Re:You can still suffer popups with Mozilla....

[Kris_J]

I did recently install Apache but the service is disabled and the big ad-killing hosts file was added earlier. I'd double-check everything I said, but I can't find a site that I still go to that uses an ad server listed in that hosts file.

Possibly you're running a personal firewall that refuses to respond to port 80 requests. My PC sends an instant "connection denied" response, not a 404.

Re:You can still suffer popups with Mozilla....

[Guspaz]

Unfortunately no, my only firewall is external in the form of an iptables firewall at the border of my network :(

A simple "telnet localhost 80" on the command prompt returns a (nearly) instant "Connection refused", so I guess that explanation must be discarded. I can't think of anything else to explain Firebird's behaviour. Perhaps it's a quirk in Firebird? It is a beta after all, such things are to be expected.

Finger up your purple pussy

Go and do it.

Re:Finger up your purple pussy

lol, you did everything except sign-in you fuckwit. YHBT! Thank you come again, ya little bitch...

You were in Clerks, right?

[Peter+Cooper]

Haha, you just sounded so like that customer in Clerks who complained after the guy was talking about jizz mopping.

Re:You were in Clerks, right?

[Sivaram_Velauthapill]

I'm not into Kevin Smith films. I don't really his stuff... However, I have been meaning to see Clerks for a while but when the opportunity came (was playing on tv), I wasn't in tthe mood. Anyway, I'm probably just like the guy you are talking about (haven't seen the film but based on your description it seems accurate). I am highly tolerant of sexuality but this has nothing to do with sex. It's just totally disgusting and serves no purpose whatsoever--or does it?

Sivaram Velauthapillai

Re:You were in Clerks, right?

[Peter+Cooper]

In that case, I'll directly rip the particular scene from the script for your perusal ;-) And to your question, yeah, it's a fetish, some people are particularly turned on by that stuff. Takes all sorts..

~~

Randal Graves: [reading a magazine] Have you ever wondered how much the average jizz-mopper makes per hour?
Dante Hicks: What's a jizz-mopper?
RG: He's the guy that cleans up the nudie booth after each guy jerks off.
DH: Nudie booth?
RG: Yeah, nudie booth. You've never been in a nudie booth?
DH: I guess not.
RG: Oh, it's great. There's this glass between you and these chicks, and they put on a show for you for like 10 bucks.
DH: What kinda show?

[Customer walks up to counter with a bottle of glass cleaner and a roll of paper towels.]

RG: They do the weirdest, craziest shit you like to see chicks do. They insert things into any opening on their body - ANY opening.
DH: Could we not talk about this right now?
RG: The jizz-mopper's job is to clean off the glass after each guy shoots a load. I don't know if you noticed, but cum leaves streaks if you don't clean it right away.
Offended Customer: I will never come to this place again!
DH: I'm sorry?
Offended Customer: Using filthy language in front of the customers, you both should be fired!
DH: I'm sorry, I guess we got carried away.
Offended Customer: I don't know if sorry could make up for it, you've highly offended me.
RG: Well if you thinks that's offensive, check this out!

[Shows him graphic picture from porn mag.]

RG: I think you can see her kidneys!

Without installing anything?

[Loonacy]

I clicked the link and it said -

This page contains information of a type (application/x-java-vm) that can only be viewed with the appropriate Plug-in. Click OK to download the plugin.

Seems like i have to install something after all.

Re:Without installing anything?

You are an idiot ! Ah ha ha ha ha ha ha !

Re:Without installing anything?

[herrvinny]

Yeah, you need a Java Virtual Machine. Grab it at www.java.com. Most computers already have a JVM already installed. The point is, you don't have to install this particular program, just the JVM.

Not nice(1)

> Idle CPU time might be unused but I still want to know what my box is doing and why.

My background compilation going on right now is niced (see nice(1) in the man pages on BSD, Linux or Unix systems) to make it just use the CPU cycles left by the browser and other interactive things. No idle CPU time left.

With such an CPU eating applet the compilation would stop till I leave the site and that I consider hostile behavior. nice(1) exists since Unix Version 4 so is nothing new. Authors of such distributed computing software should know about it.

Conciously installing a program on a machine of my choice and letting it eat up CPU is a better concept. I can choose if I want to let it run, when to do it (only at night for example) and even can control the priority it gets precisely.

Electrons in universe

[Glorat]

My standard reply to this is that there are 2^128 possible hash sums which is many magnitudes more than the number of electrons in the universe! So you'd have a pretty hard time storing them all.

As for the set of short strings, because this is such a limited set, if MD5 is any good (which it is), you won't find a collision in such a small subset.

Re:Electrons in universe

Yes but if you were a little clever and focused on strings of say 6-25 caracters from the latin-1 charset you can shrink the numbers quite a bit and get a really good list of passwords, that is small enough to search reasonably but big enough to be quite useable. Although I still think you would want help doing the calculations to build the table.

Re:Electrons in universe

[theguru]

If this kind of hash lookup atack were feasible (and it isn't yet) then it could be easily combatted by appending a known "secret phrase" to the end of the passwords before hashing. Even appending a single character to the beginning or end of a string would create a vastly different hash. Even if the secret phrase of a system were to become compromised, the entire hash lookup database would have to be regenerated from the source dictionary.

Also, I've thought about storing itterative hashes for passwords. Hash the password, hash the hash X times, where X is some small configured value. The hash algorithm is pretty fast.

Re:Electrons in universe

[jlcooke]

read the sci.crypt post, I site a paper from van oorschot from 1994 describing exactly how to get MD5 collision. In today dollars/moores law, it would cost $100,000....anyone with good credit can find collisions in MD5.

Re:Electrons in universe

[Glass+of+Water]

What you describe is called a "salt". It's standard for storing hashed passwords and preventing against dictionary attacks, or comparing a user's passwords on two different systems. Maybe you know that already.

Here's a pretty good recent thread on the subject from SecurityFocus' secprog list.

Re:Electrons in universe

[AnotherBlackHat]

My standard reply to this is that there are 2^128 possible hash sums which is many magnitudes more than the number of electrons in the universe!

According to my 66th edition of the handbook of chemistry and physics,
the earth is 5.979 * 10^24 Kilograms, which is about 5.3 * 10^25 moleculare weights of iron.
An Iron molecule (Fe2) is 55.847*2 or 111.694.
Avagadro's number is 6.022 * 10^23, so the number of molecules in 5.979 * 10^24 Kilograms of iron is
(6.022e23 * 5.979 * 10^24 * 1000 / 111.694) ~= 3.2 * 10^49, or roughly 2^164.

So appoxmately 2^164 molecules in the earth alone.

2^128 is more than you're going to store in your house (around 2^100 molecules),
but it's nowhere near the number of electrons in the universe.

-- this is not a .sig

Running two windows?

Just a thought, would running two IE windows of the applet help at all?

CPU cycles?

[Garek-MOH]

That applet is using almost 100% of my CPU cycle on my computer using IE. Others mentionned that it only used 1% of their CPU. Why that high for me?