Slashdot Mirror
Slashback: Flashmob, Currency, Verification
Reminder of your scheduled spontaneous appointment. Zero_K writes "As previously posted on Slashdot and the NY Times, the University of San Francisco's, Computer Science department is building a 'flash mob' supercomputer on April 3rd. On their newly updated official web-site (Main Site, ISO's) the team has now posted the ISO image of their custom morphix that will be used to boot all the computers into the cluster, documentation is on the website (under 'downloads') and on the CD (index.html). I personally plan on downloading and testing this ISO tonight. And after the cluster is taken off line, there will be a massive LAN PARTY (Possibly one of the biggest in San Francisco...) On a 10-Gigabit LAN...Oh sweetness ... So if you are in or around the SF Bay Area on April 3rd, be sure to sign up and bring your laptop or desktop to campus and help make history."
Whaddya mean, "no pun intended"? Rudiger writes "After the dust (no pun intended) has settled around the whole Operation Dust Bunny thing, McAfee updates their signature database classifying Dust Bunny as an application. To be more specific: 'This program is detected as a "potentially unwanted application."' They also say 'This is not a virus or trojan.' Should we leave it to the experts this time?"
Would you read Atlas Shrugged on this screen? An anonymous reader writes "The so-called 'electronic paper,' being a high-clarity monochrome display to become a foundation for comfortable and inexpensive 'electronic papers,' has finally shown its face. The new electronic paper, which looks a bit like an iPod, has 10MB memory, keyboard, Memory Stick PRO slot, voice recorder, speaker, and headphones output, and USB2.0 interface."
(We mentioned the device yesterday, but this link provides better images of it.)
Now they're Pragmatic Publishers as well -- much success! AndyHunt writes "As you may have heard, the Pragmatic Programmers have started their own publishing company (see Slashdot reviews here and here). We've just signed our first outside author: Mike Clark, editor of the JUnit FAQ and developer of JUnitPerf and JDepend. He'll be writing the eagerly-anticipated Pragmatic Project Automation book, the third volume in our Jolt Productivity award-winning series."
Exactly how many bits, Ma'am? And in what order, did you say? jlcooke writes "Two months (almost to the day) after getting slashdotted for an innocent post to sci.crypt - the MD5CRK project has launched. The aim is to get the thousands of applications and websites to drop MD5 for SHA-1 or SHA-256 by finding a counter-example of a security requirement in MD5. Press Release is here."
How to take criticism, by example. slashdot_commentator writes "Eric S. Raymond has recently written a wonderful piece explaining to the Linux zealot why it may not be the operating system of choice of all users. (Or what user aspects open source developers need to focus on to further Linux World Domination.) The op-ed specifically focuses on the CUPS printing system. (But it would be a mistake to dismiss it as a screed against CUPS.) The CUPS authors surprisingly acknowledged ESR's points, and he wrote a followup to the article."
Hitting them where it figuratively hurts. Ian Wilson writes with a followup to the Slashdot post earlier this month on "website thieves stealing content and designs from others, taken from silicon.com. Well, now silicon.com is reporting that it has contacted the offending site's advertisers and forced them to stop paying ad revenues - thus effectively crippling the illegal site - after all, no revenue, no reason to the run the site."
Express your appreciation with PizzaPal. Chuck writes "After you guys published the article on $20 bills exploding when microwaved, a co-worker of mine went to put his soup in the microwave and found a $20 bill in it. Too bad it was an older one, but someone around the office must have left it in there after reading your article. The co-worker then took me out to lunch. Thanks, Slashdot!"
Hmm... put an 802.11b interface on this thing, and it won't matter that it has a trivially small amount of memory...
"Freedom means freedom for everybody" -- Dick Cheney
Its yoru own fault for having it installed. Yank the thing out by the short hairs and install a real anti virus program.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
If we are trying to get people to move away from MD5 sums, what do we use? CRC?
There are only 10 kinds of people in this world... those who understand binary and those who don't
Anyone wanna outsource the infrastructure and SW for the Lan party to us indians? ;-)
Jokes apart, i'd really like to fly down to USA top be a part of the lan party and see how those guys manage things.Its one thing to have a lan party with 100 ppl but using up complete subnets is one different league!
Lord of the Binges.
The point is that, unlike a command tool for techies that should give them lots of choices, the goal of a GUI is to present the user with as few decision points as possible.
Remember the Macintosh dictum that the user should never have to tell the machine anything that it knows or can deduce for itself.
this is as clueful as it gets. Most app designers should heed him
Time flies like an arrow, fruit flies like a banana.
I see this every single day. The open source community (as it were) is full of people who want to use and like operating systems like Linux and BSD but are just too fucking afraid of even uttering anything that might reveal their ignorance (and I don't use that word in a negative sense) of whatever it it they're trying to accomplish with their computers.
Slashdot and USENET are full of endless threads about how easy it is to do this-or-that and if you haven't figured it out you must be supremely stupid and lazy. "What, you want it in a fucking silver plate?". Normal people (the ones not buying into open source right now) are petrified at this. They eventually either figure out how to do it ($deity bless Google) or just give up.
Without gross generalizations of course, I can't claim that everyone is this way. But there seems to be a troubling majority of zealots who are just so fantastically out there in their claims that [insert technology here] is so easy to use that even a "brain dead Windoze luser" must be able to figure it out, so they just cannot figure out why everyone hasn't dumped "M$". I mean, it's all so easy and efortless.
Maybe this will indeed be a wake up call for everyone.
If you wrote code to generate the checksum(s) and it's not working then you have a problem between the keyboard and chair, not with the algorithm. That's a standard that is not OS, platform or language specific.
So you spend all these resources to find one collision amongst 2^128 combinations.... not really that useful. Sure it is significant, but does it really bring down the entire MD5 infrastructure?
To really destroy MD5, you need to either be able to reverse the plaintext from the hash, or build a lookup table where you can get the plaintext from the hash.
Both of these seem infeasible, especially the lookup table, so things like Paypal using MD5, which the web site uses as an example, doesn't seem quite true.
for a 7.5" by 5" device with 800x600 4-tone grayscale and 10 megs they want how much??? Damn thing probably doesn't even have a decent processor, can't do 1/10th the things a 5 yr old Palm could do and they're charging $400?!? Did I warp back to 1984? Sure it's not a Mac?
Let Dell copy it and sell them for $149.
my karma will be here long after I'm gone
Apart from this, does it support any other format? I'd love to have something like this to read the countless PDF and HTML books I have, but if I had to buy them again in BBeB format, it's not quite as cool.
LOL. You mention in your own post that MD5 is 128 bits long. If you just restrict yourself to documents that are, say, 10mb big, that means there are 2^81920 possible plaintext documents for each MD5 hash. Granted, only some of them will look remotely like english, STILL... 2^81920 is quite enough to come up with many plaintext documents per hash. If you restrict yourself to keys
As far as I've understood it, the primary purpose is to demonstrate that cracking MD5 is realistic. If this project can then anyone with decent resources (the MD5CRK FAQ claims $100,000 would be enough) can do it. Also, additional collisions will most likely be found soon after the first one (the probability of finding collisions increases), and the data collected from the search can be used for future efforts (e.g. for analysis that might reveal actual statistical flaws in the algorithm).
Is it really so much to ask that people learn how to use the tool they choose to use properly? Is it so much to ask that people know how to read?
When they shouldn't have to read or choose, it's lacking for an app to make them choose. In ESR's case, he shouldn't have had to make the decision as the system had all the info it needed to answer the question itself.
Yes, this takes more effort on the part of the programmer and that's probably why it's not done yet, but it's near-sighted to argue against a change that only improves the user experience. Not only does Aunt Tilly now have a good chance of getting her printer setup, I don't have to work nearly as hard reading manuals and experimenting with settings to get mine working. Why read the manual if you don't have to?
MD5 is not weak for password hashing.
But why did you bother reimplementing it? There are loads of free, public domain implementations, unless you are working in some fringe language (no shame in that).
> to...be able to reverse the plaintext from the hash
THE plaintext? Firstly, there cannot be only one plaintext. By the pigeonhole principle, a few byte sum cannot be unique for all multi-megabyte texts.
Besides, if that were possible, MD5 would not be destroyed; it would become the world's best compression.
ESR says, "Let's go back to the queue type selection screen. Remember that one? It looks like this: Locally connected, Networked CUPS (IPP), Networked Unix (LPD), Networked Windows (SMB), Networked Novell (NCP), Networked JetDirect". He then goes on to say that all of this should be autodetected and then the irrelevant options grayed out. According to him, each host do a Christmas tree scan (!!) of the local network to see what printer types to prompt for.
:)
:)
First of all, he'd better stay the hell away from my network. I thank goodness that no other (non-script-kiddie) application on this planet performs unprompted scans like this. DHCP, of course, doesn't count.
Second, what if the printer is currently down? Or I'm configuring a machine to be installed offsite? I can think of any number of scenarios where I'd want to configure a network printer that isn't currently on the network.
A program should NEVER think that it's smarter than the user. What if CUPS doesn't detect "wvlan0" as a network interface? Well, it would gray out all the network printer options. But that's clearly wrong -- the user *knows* that the machine is networked. If CUPS allowed him to configure the network printer, everything would just work. Note that CUPS probably should put up a warning dialog "Warning: I could not detect a network -- do you want to continue," but it should not prevent or restrict anything.
ESR's solution relies on too much magic and will cause support nightmares. It is too system-dependent -- it might work on Red Hat, but it'll probably break on SuSE. Or an ARM-based machine. Or a token ring network. Etc. And when it breaks, the user will be surprised and have no other recourse than to consult the documentation.
Incidentally, graying something out is almost always wrong because it gives no indication as to why it's grayed out! You should let the user select it, then put up an informative dialog telling the user that what he's doing doesn't make sense, and what he or she might do to fix it. Always, always, always tell WHY.
Yes, the CUPS UI is flawed ("client-error-forbidden! client-error-forbidden!"), but ESR's proposal is even worse. It's a measly six-item menu! If Easy Software did try to implement it, after a ton of programmer time they'd have an interface that is more surprising, less informative, and more fragile. Not a step in the right direction.
The proper way to fix this unfriendly menu is to create a wizard The first page would allow you to select a locally-connected printer or, if there are no unconfigured local printers, a network printer (possibly launching a Samba browser to help). Wizards are great for reducing perceived complexity without reducing functionality.
Creating a good user interface is hard. I think that ESR just proved this.
That is bullshit. Of course two inputs can be found which produce the same message digest. This is the pigeonhole principle. Now the MD5CRK developers seem like smart people, and so it's more likely that they just haven't explained it very well.
They go on to say
But I don't see what that would achieve either: two strings of gibberish that happen to have the same MD5 sum. Find a way to produce two documents which both have meaning (perhaps two pieces of source code, or two different school reports) and have the same signature, and that would be impressive.
-- Ed Avis ed@membled.com