Slashdot Mirror


Finding MD5 Collisions With Chinese Lottery

Stanislav Shalunov writes "Jean-Luc Cooke posted a Usenet article describing a distributed webpage-based effort (Chinese Lottery) to find a collision in the MD5 function. All you need to do to participate in the effort is visit the URL that loads the code. The author comments: 'What is interesting about this approach - when we reach final release stage - is that any website that adds this small snippet of code to their pages will have their visitors working on the problem for the duration of their visit to the site'."


  1. Uhh.. by TCM · · Score: 5, Insightful

    From the link:

    You run an Applet, it reports to us the search results. Distributed computing without installing anything...and without people knowing you're stealing their idle CPU time. ;)

    I don't know about you but I wouldn't lean out the window with the fact that I'm stealing from others.

    Idle CPU time might be unused but I still want to know what my box is doing and why.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    1. Re:Uhh.. by Phillup · · Score: 4, Insightful

      I personally wouldn't call it "stealing". You pretty much agreed to run Java. Yes, you could be a clueless noob and not *know* that your browser has it enabled... but, nobody is *making* you run Java applets.

      I don't shove it down your pipe... you ask for it.

      Of course this line of reasoning could be extended too far... like the case of all the porn pop-ups... but, even there... I tend to feel that the user is ultimately in control (or should be!) of their own computer. Install Mozilla and don't suffer the pop-ups.

      Better yet... and this is the approach I myself practice... go away. Any time I find a site that ticks me off (bad Java/JavaScript that causes browser naughtiness), I add them to my banned list on my proxy... and never have to suffer the site again.

      Not even unintentionally.

      ---

      Not only that... but my CPU monitor went to a hundred percent.

      Yeah, it is a low priority thread... but... I did notice.

      P.S. "you" does not mean you personally...

      --

      --Phillip

      Can you say BIRTH TAX
    2. Re:Uhh.. by cmallinson · · Score: 3, Insightful

      I personally wouldn't call it "stealing". You pretty much agreed to run Java. Yes, you could be a clueless noob and not *know* that your browser has it enabled... but, nobody is *making* you run Java applets.

      I don't shove it down your pipe... you ask for it.

      OK, come on. Leaving Java enabled is a very poor definition of "asking for it". What percentage of internet users know the difference between Java and JavaScript, and can determine which one if any should be turned off or on? I would say less than 1-2%. Taking advantage of the rest is just not cool.

  2. Oh, lovely, distributed Javascript computing by Anonymous Coward · · Score: 5, Interesting

    Perhaps we could tie this to some sort of micropayment system. You come do distributed work on my website, and you get to view it. Some third party pays me for the cycles, and I have a new revenue stream!

    1. Re:Oh, lovely, distributed Javascript computing by illustir · · Score: 3, Insightful

      Why don't the slashdot editors who put this online embed the code in the story page? That way the slashdotting would have some use at least.

      --
      -- Alper
  3. That's really interesting... by herrvinny · · Score: 5, Informative

    That's a really interesting way of doing it. For the people who don't know, here's a quick explanation:

    Java Applets, because of the sandbox they're run in, can't open up a network connection to any website, except for the website they came from. Presumably, what they're doing is creating a small Java applet, that when loaded, executes some logic, then opens up a network connection back home and sends the results.

    Fascinating. This way, you don't have to bother installing something and hope it doesn't fsck up your computer. It might be slightly less efficient than a dedicated, installed program, but this way, they can harness the power of a computer just casually browsing a web page. Very innovative.

  4. Re:Are there any known MD5 collisions today? by mattdm · · Score: 4, Funny

    Well, if there were, that'd make the question this project is trying to answer remarkably easy.

  5. bitch, bitch, bitch by Anonymous Coward · · Score: 3, Funny

    First thing it does when the applet loaded was to bitch at me for not accepting cookies. Just like my wife.

  6. Not ethical by Bill_Royle · · Score: 3, Insightful

    I respect the effort and ingenuity, but the rationale that "hey, we're helping solve a problem" somehow justifies stealing someone else's resources... it's just wrong.

    Be upfront with people - tell them why it's so important, what can be accomplished with it, and what it does. You'd be surprised - people might help out of *gasp* the goodness of their own hearts. A good example might be SETI, etc.

    1. Re:Not ethical by pla · · Score: 4, Interesting

      I respect the effort and ingenuity, but the rationale that "hey, we're helping solve a problem" somehow justifies stealing someone else's resources... it's just wrong.

      Although letting visitors know about this would certainly seem nicer, I don't think I'd actually consider it as outright unethical.

      For one thing, considering the number of websites out there that try to feed outright malicious code into our browsers, this looks very very tame by comparison. It uses a few CPU cycles, but has no long-term effects on the visitor.

      For another, this seems no different than sending the visitor a few banner ads - Just a way of "paying" for the content. For most of the world, bandwidth costs far more than CPU time, so in effect, this "charges" the user less per visit than most advertisements. From some quick n' dirty calculations, the bandwidth for 35k of banner ads costs me 0.082 cents, while the electricity for a full hour of CPU time (on a PIII/933) costs me only 0.0045 cents... Literally 18 times more.


      Finally, I can (and do) keep Javascript disabled in my browser. Advertisements, on the other hand, I do my best to block, but a few still manage to sneak through.

    2. Re:Not ethical by Phillup · · Score: 5, Insightful

      While I completely agree with your sentiment about being upfront... I don't agree with calling it "stealing".

      Who clicked on the link?

      Who has Java enabled on their browser?

      Who has cookies enabled on their browser?

      It isn't like he is doing anything "tricky" or using some "bug" to pull this off. The page doesn't "trap" you. It doesn't eat your CPU and make it impossible to quit the app or go to another page. And, for me, it didn't crash anything.

      I *really* don't understand how this can even remotely be considered stealing. Every single item is being used *as*designed* both by the web author and you.

      The way I see it... someone jumped in a pool... and now they are bitching about your clothes being wet?

      --

      --Phillip

      Can you say BIRTH TAX
  7. Not very intensive. by LoneIguana · · Score: 4, Informative

    It certainly isn't using very many CPU cycles; the OS reports that my web browser is using less than 1% of the available CPU power.

  8. ./ effect = benefit?? by bluelip · · Score: 4, Funny

    Put the snippet on slashdot.org. The collisions should all be found within an hour.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
  9. Re:Would be great for LOTR by deadsaijinx* · · Score: 3, Insightful

    Have you ever tried even using a dedicated renderfarm? The complications that can arise if you don't have all the textures and files locally, not to mention the fact that rendering is so heavy a tax on the CPU people would NEVER want to do it. Plus, that would involve them releasing files that go into making the movie. And so on and so forth. The idea is so terrible I couldn't imagine anyone ever trying it. Peace out and try to talk about something you know for once.

    --
    YOU SUCK BALLS!
  10. Normal Thread Priority by cybermancer · · Score: 4, Funny

    Interesting idea, but most distributed computing tasks that run in the background run at low priority. Since this is running inside your browser (more or less) it will run at the priority of the browser. Unless your browser is running at low priority then this process will push all the lower priority processes out of process cycles.

    This could prevent contact with ET!

    --
    "Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
    1. Re:Normal Thread Priority by mlk · · Score: 5, Informative

      Java applets run as a different process to the browser, and it can (and very likely does) create a new thread, and set its priority to low.

      --
      Wow, I should not post when knackered.
  11. the slashdot effect by Peeet · · Score: 3, Funny

    It's about time that the monster (us) is used for good and not evil.

    Oooh! I thought of another way...
    Just Click here.

    -P

  12. For anyone wanting the code... by Vaevictis666 · · Score: 4, Informative

    Here's the code:

    <!-- try IFRAME, else use LAYER -->
    <IFRAME SRC="http://www.jlcooke.ca/psearch/dmd5l.html" SCROLLING="NO" FRAMEBORDER="0" WIDTH="100" HEIGHT="32">
    <LAYER SRC="http://www.jlcooke.ca/psearch/dmd5l.html" WIDTH="100" HEIGHT="32" CLIP="0,0,100,32"></LAYER>
    </IFRAME>

    It's making an iframe that loads the applet, and just does its own thing - by loading in the iframe it can call back to their host, rather than yours :P

    Someone should let him know that he needs to make his server parse .html files through PHP, 'cause he's got a PHP header that isn't being sent - oh yeah and better html please.
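For a site operator who wants to know whether pages carry an embed like the one quoted in comment 12, the following added example (not part of the thread and not the project's code) lists frames and objects that load from a host other than the page's own. The page URL `http://example.org/` and the surrounding sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page: the embed snippet from the comment plus a same-site frame.
SAMPLE_PAGE = """<html><body><h1>Example site</h1>
<IFRAME SRC="http://www.jlcooke.ca/psearch/dmd5l.html" SCROLLING="NO" FRAMEBORDER="0" WIDTH="100" HEIGHT="32">
<LAYER SRC="http://www.jlcooke.ca/psearch/dmd5l.html" WIDTH="100" HEIGHT="32" CLIP="0,0,100,32"></LAYER>
</IFRAME>
<iframe src="/help/index.html" width="600" height="400"></iframe>
</body></html>"""

EMBED_TAGS = {"iframe", "layer", "applet", "object", "embed"}
URL_ATTRS = ("src", "data", "codebase")


class ThirdPartyEmbedFinder(HTMLParser):
    """Collect embedded documents/objects served from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        # absolute URL -> (tag, width, height); first sighting wins, because
        # fallback markup inside <iframe> may or may not be parsed as tags.
        self.findings = {}

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:  # HTMLParser lower-cases tag and attribute names
            return
        attr = dict(attrs)
        for name in URL_ATTRS:
            if not attr.get(name):
                continue
            url = urljoin(self.page_url, attr[name])  # resolve relative URLs
            host = urlsplit(url).hostname
            if host and host != self.page_host:
                self.findings.setdefault(url, (tag, attr.get("width"), attr.get("height")))


def third_party_embeds(html, page_url):
    """Return {url: (tag, width, height)} for every cross-host embed in html."""
    finder = ThirdPartyEmbedFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for url, (tag, w, h) in third_party_embeds(SAMPLE_PAGE, "http://example.org/").items():
        print(f"<{tag}> {w}x{h} loads {url}")
```

The same-site frame is ignored; the 100x32 frame is reported because its content, and anything that content loads, comes from and reports back to the embedded host.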

  13. New business plan by Anonymous Coward · · Score: 4, Funny

    1. Create very small website with CPU draining applet and post a link to said website to Slashdot.
    2. ??
    3. Profit!

  14. Parasitic computing by bigberk · · Score: 3, Insightful

    I believe the term was parasitic computing. Ideally the web master makes visitors aware of what's going on. You're using visitors' computing power to accomplish a neat sort of distributed computing. Great idea, if you're not just stealing resources.

  15. no thanks by mercuryresearch · · Score: 3, Interesting

    As someone who intentionally runs a low-performance box as a primary system (VIA Epia 533) I'd be pretty unhappy with some snarfing up a few cycles. Junked-up web sites with flash and excessive java/javascript are REALLY noticeable when you're browsing at the low end of the power curve.

    I run a cpu monitor in the background and when a site wants to run one of the more annoying classes of advertisements, utilization usually pegs... I can't imagine what something that intentionally sucked cycles would do.

  16. Re:Hmmm. by __aaitqo8496 · · Score: 5, Insightful

    I wonder if the good slashdot people would be willing to make this into a slashbox?

  17. Re:RFI: "collision" means? by WTFmonkey · · Score: 4, Insightful

    The whoop is that MD5 is often used for "fingerprinting" or other unique identification on the internet (et al). Since we all know that what can go wrong will, the question is the definition and accuracy of the infamous phrase "computationally infeasible."

    Basically, in a world where everything was based on a thumbprint, would you want even the smallest chance, no matter how statistically unlikely, that someone else had the same thumbprint as you?
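What a "collision" means for a fingerprint, as an added example that is not part of the thread: two different inputs are found that share the same MD5 value once the fingerprint is cut down to a few bits. The search strategy here (hash a counter, remember every result) is a generic birthday search chosen for illustration, not the algorithm the project uses, and the input prefix is constructed. For an n-bit fingerprint it typically succeeds after roughly 2^(n/2) hashes.

```python
import hashlib


def truncated_md5(message: bytes, bits: int) -> int:
    """Return the first `bits` bits of MD5(message) as an integer."""
    digest = hashlib.md5(message, usedforsecurity=False).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_truncated_collision(bits: int, prefix: bytes = b"constructed-input-"):
    """Hash prefix+counter until two different inputs share a truncated digest.

    Returns (message_a, message_b, number_of_hashes_computed).
    """
    seen = {}  # truncated digest -> message that produced it
    counter = 0
    while True:
        message = prefix + str(counter).encode()
        tag = truncated_md5(message, bits)
        counter += 1
        if tag in seen:
            # Every message is unique, so a repeated tag is a genuine collision.
            return seen[tag], message, counter
        seen[tag] = message


if __name__ == "__main__":
    # Watch the work grow with the fingerprint size: about 2^(bits/2) hashes.
    for bits in (16, 24, 32):
        a, b, hashes = find_truncated_collision(bits)
        print(f"{bits:2d}-bit fingerprint: {a!r} and {b!r} collide after "
              f"{hashes} hashes (2^{bits // 2} = {2 ** (bits // 2)})")
```

The two inputs found still differ in their full 128-bit MD5; only the shortened fingerprint collides, which is why fingerprint length matters to anyone relying on it for identification.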

  18. Re:RFI: "collision" means? by Anonymous Coward · · Score: 4, Funny

    If two strings produce the same md5 hash, the universe ends. This project should probably be stopped.

  19. Argggh! It's not ready yet! by phr1 · · Score: 3, Informative

    It's really too early for Slashdot readers to try to run that code. As the usenet post said, it's alpha test. I'd actually call it pre-alpha. The usenet sci.crypt discussion is about ways to change the design so it can be hosted on multiple sites at the same time. Really, it would have been a lot better to wait for the author to make an announcement, before linking an ongoing discussion about a work in progress to the front page of Slashdot as if the code was ready for prime time. Ow!

  20. Finally a possible way to pay for web traffic? by waferhead · · Score: 4, Interesting

    Once they have gotten this working, and assuming there is a commercial need for these cycles that exceeds the cost in bandwidth, a site could do as others have suggested, and require you to run this app (à la netzero etc) in order to access content on the site.

    Beats pop up ads, anyway.

  21. Ulterior Motives . . . by Dausha · · Score: 3, Interesting

    But, could this not be used to build a hash table of all MD5 sums? If all possible MD5s were known by one source, what is to prevent them from using this as a simple lookup to crack MD5-based passwords? Even if they only focused on short strings (say, typical password length) they could go a long way to defeating another security mechanism.

    --
    What those who want activist courts fear is rule by the people.
  22. Re:Are there any known MD5 collisions today? by Tom7 · · Score: 3, Interesting

    Considering there are an infinite number of strings that will map to a single MD5

    That's probably, but not necessarily, true.

    I'd say there is a chance we'll find one sooner or later.

    Yeah, it's about 1 in 2^128. There aren't even enough electrons in the universe to write down all the possible MD5 hashes, not to mention the strings that might hash to them.