Slashdot Mirror


Finnish Firm Claims Fake P2P Hash Technology

An anonymous reader writes "As reported by The Inquirer, a Finnish company known as Viralg Oy claim to have developed software that can create a junk file with the same hash as a genuine p2p download. This, according to the company, can altogether stop the sharing of copywritten files by flooding p2p networks with corrupt/junk data, which then spreads through the network, causing less and less of the original file to be available. However, with the resolve of the p2p userbase, is this software really going to 'beat all Peer 2 Peer pirates at their own game,' or simply prove a minor annoyance?"


  1. They have cracked strong hashes, huh? by Flywheels of Fire · · Score: 5, Informative
    This is not true. It might work on Kazaa but most other P2P networks use MD5 or better. Okay, they have found collisions but no one has found a way to generate a file for a given key. So the claim by the Finnish company is bogus.

    Or they have cracked even the strong hashes. In which case they are really cool. I know Mr. Torvalds is Finnish, but I doubt even he could come up with algorithms to do that.

    In their conceited press release, they have compared Spoofing vs DRP/a

    1. Re:They have cracked strong hashes, huh? by martok · · Score: 5, Insightful

      Indeed. In order for example to do this with BitTorrent, they would need to be able to generate collisions in sha1 hashes. The implications of which would go well beyond p2p.

    2. Re:They have cracked strong hashes, huh? by CharonX · · Score: 5, Insightful

      And the best:
      You cracked SHA-1. Oh well, time to switch to SHA-256

      --
      +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
    3. Re:They have cracked strong hashes, huh? by Sycraft-fu · · Score: 5, Insightful

      I'm sure that they just found some P2P client that has a weak hash and managed to make a generator for that. Then they are either morons that don't know there's more than one hash algorithm, or they do and are just pimping it to try and get money.

      Either way, I give it about a 0 chance they figured out how to quickly find collisions in a strong hash space. If they had, they'd be talking to the NSA, not the RIAA.

    4. Re:They have cracked strong hashes, huh? by garbletext · · Score: 5, Funny

      Yeah! Easily! I'm working on a free program that turns a 1KB hash into a 4 GB DVD ISO, or anything else you want! It turns out we don't need to share files, just write the hash down on a piece of paper and you can transmit ANY size file with almost NO bandwidth! And if you hash the hash, it gets smaller and smaller until it's just a zero or a one!

      I'll make millions!

    5. Re:They have cracked strong hashes, huh? by mboverload · · Score: 5, Informative

      Bittorrent clients ban IPs that send them a certain number of bad pieces.

    6. Re:They have cracked strong hashes, huh? by tryone · · Score: 5, Funny

      "hand this over, or we'll make sure you never see the sun ever again"

      Oh noes! The NSA are going to destroy the sun!

  2. Bite My Shiny Metal Ass by B3ryllium · · Score: 5, Funny

    Bah! Screw you guys. I'll just make my own P2P hash algorithm. With blackjack. And hookers. In fact, forget the P2p hash algorithm. And the blackjack.

  3. "Copyrighted" by As Seen On TV · · Score: 5, Informative

    It's "copyrighted," not "copywritten." We're talking about rights, not writings.

  4. Coral Cache by Anonymous Coward · · Score: 5, Informative

    I took the liberty of pre-caching the site on Coral before it went live - http://www.viralg.com.nyud.net:8090/index.html. I think Slashdot should really consider doing this as part of the procedure... this site won't last a minute under the weight of our collective, nerdy asses.

  5. Possible? Yeah by robpoe · · Score: 5, Interesting

    I've always thought it would be extremely possible to create a file with the same MD5 hash.

    Now, what the company has to do is create a file of the SAME FILE SIZE, with the same MD5 hash that's a fake .. then I'll be impressed.

    --
    = Grow a brain...
  6. Re:Just an annoyance by bherman · · Score: 5, Funny

    Except /. dupes!

    --
    Error: Sig not found.
  7. claims? by geoffspear · · Score: 5, Interesting
    I read the article and everything I could find by following links on their website, and found no reference to how their product supposedly works, or any claim having to do with identical hashes. Did the article submitter just make up the identical hash claim, or is there more information on this product available somewhere else?

    What hashing algorithm do they claim to have broken so completely? Sounds like BS to me.

    --
    Don't blame me; I'm never given mod points.
  8. Allow me to be one the first to say... by Ann Elk · · Score: 5, Insightful

    Bullshit. "Virtual Algorithms" my ass.

    1. Re:Allow me to be one the first to say... by bigberk · · Score: 5, Insightful
      Bullshit. "Virtual Algorithms" my ass.
      You called it. They can either do proper MD5/SHA1 collisions with unchanged filesize, or they can't. My guess is, they can't.
  9. Re:Already done by B3ryllium · · Score: 5, Informative

    By the time this is submitted, it will probably already be redundant (even though it's informative :)) - but the hashes are used for parallel download streams of the same file. So, if you saturate the network with the same hash, you can corrupt the data when the client automatically assumes it's the same file and tries to merge it with the other incoming data.

  10. Only The Whole File? by TheFlyingGoat · · Score: 5, Insightful

    Don't most P2P programs use MD5? I was also under the assumption that P2P programs do a checksum on each piece of the file they receive, and if it's inaccurate it automatically re-downloads that part of the file. I've had pieces of a bittorrent download fail due to corruption and the client has just downloaded that part again.

    Seems like this company's setup would only work in very specific circumstances, meaning it won't have much of an effect at all.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
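The behaviour described in this comment and in mboverload's reply further up (a checksum on each piece, re-download of a failed piece, a ban after repeated bad pieces), as an added example that is not part of the thread or any client's code. The 16-byte piece size, the threshold of 3, the `Downloader` class and the sample data are assumptions made for illustration.

```python
import hashlib

PIECE_LEN = 16      # constructed tiny piece size for the demo
BAN_THRESHOLD = 3   # assumed; the thread only says "a certain number"

def split(data):
    return [data[i:i + PIECE_LEN] for i in range(0, len(data), PIECE_LEN)]

def piece_hashes(data):
    """Publisher side: one SHA-1 digest per piece, distributed as metadata."""
    return [hashlib.sha1(p).digest() for p in split(data)]

class Downloader:  # hypothetical client model, not a real client's API
    def __init__(self, expected):
        self.expected = expected
        self.pieces = [None] * len(expected)
        self.bad = {}        # peer -> number of pieces that failed the check
        self.banned = set()

    def receive(self, peer, index, payload):
        """Store a piece only if its SHA-1 matches; count and ban offenders."""
        if peer in self.banned:
            return False
        if hashlib.sha1(payload).digest() != self.expected[index]:
            self.bad[peer] = self.bad.get(peer, 0) + 1
            if self.bad[peer] >= BAN_THRESHOLD:
                self.banned.add(peer)
            return False     # piece stays missing and is requested again
        self.pieces[index] = payload
        return True

    def missing(self):
        return [i for i, p in enumerate(self.pieces) if p is None]

def simulate():
    original = b"constructed sample file contents for the piece-hash demo" * 2
    good = split(original)
    dl = Downloader(piece_hashes(original))
    for i, p in enumerate(good):          # polluter: same-size junk pieces
        dl.receive("polluter", i, b"\x00" * len(p))
    for i in dl.missing():                # honest peer supplies the re-requests
        dl.receive("honest", i, good[i])
    return dl, original

if __name__ == "__main__":
    dl, original = simulate()
    print(b"".join(dl.pieces) == original, dl.bad, dl.banned)
```

Junk of the right size still fails the per-piece digest, so the file completes from the honest peer and the polluting peer is dropped after its third rejected piece.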
  11. Seems bogus to me by gtoomey · · Score: 5, Informative
    It takes 2^69 operations to find collisions with SHA1

    Unless they have lots of supercomputer time, seeding the occasional p2p file with bad data will be very expensive.

    1. Re:Seems bogus to me by pjrc · · Score: 5, Informative
      Remember that those 2^69 "operations" (each many CPU cycles) are for a SHA1 "collision" attack. A "preimage" attack that would be necessary to inject corrupt data into a p2p network using SHA1 (such as Bittorrent) is much harder and has not been discovered and published.

      Quoting from the linked page:

      Q: What is a collision attack and a preimage attack?
      A: A preimage attack would enable someone to find an input message that causes a hash function to produce a particular output. In contrast, a collision attack finds two messages with the same hash, but the attacker can't pick what the hash will be. The attacks announced at CRYPTO 2004 are collision attacks, not preimage attacks.
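The distinction quoted above, as an added example that is not part of the thread: a deliberately tiny 16-bit hash (SHA-1 truncated, an assumption so both searches finish quickly) shows why a collision search costs on the order of 2^(n/2) attempts while matching one chosen digest costs on the order of 2^n. The function names and the sample "genuine" message are constructed for the demo.

```python
import hashlib

BITS = 16  # toy output size; real SHA-1 digests are 160 bits

def toy_hash(msg):
    """First BITS bits of SHA-1: a stand-in small enough to brute-force."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:4], "big") >> (32 - BITS)

def find_collision():
    """Collision: any two distinct messages with the same digest.
    The searcher does not get to choose what that digest is."""
    seen = {}
    n = 0
    while True:
        msg = b"junk-%d" % n
        n += 1
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, n
        seen[h] = msg

def find_preimage(target, limit=1 << (BITS + 6)):
    """Preimage: a message whose digest equals one given target,
    which is what replacing a specific shared file would require."""
    for n in range(limit):
        msg = b"junk-%d" % n
        if toy_hash(msg) == target:
            return msg, n + 1
    return None, limit

def compare():
    genuine = b"genuine shared file (constructed sample)"
    a, b, collision_tries = find_collision()
    fake, preimage_tries = find_preimage(toy_hash(genuine))
    return {
        "collision": (a, b, collision_tries),
        "preimage": (fake, preimage_tries),
        "target": toy_hash(genuine),
    }

if __name__ == "__main__":
    r = compare()
    print("collision after", r["collision"][2], "attempts")
    print("preimage after", r["preimage"][1], "attempts")
```

Each extra output bit doubles the preimage work but adds only half a bit to the collision work, which is why a published collision attack on a full-size hash does not by itself let anyone forge a file for a given hash.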

  12. Agreed by John Seminal · · Score: 5, Interesting
    I wonder why people who use P2P don't help each other out a little more. For example, you have someone with 200 files shared. They are downloading and sharing at the same time. Sometimes they download a bad file, and share it. It would make more sense to have an "unchecked" folder for downloads, then move it to the "checked" folder to share.

    What is neat, or not so neat depending on your point of view, are music files which deteriorate after a while. I don't know how they are made, but I have listened to music that sounds pretty good, but after the 10th playing it starts skipping. Or it could be those skips are not very noticeable when first played, but once identified, they become annoying.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  13. If they crack the hash by miracle69 · · Score: 5, Funny

    I'm switching to hashish.

    --
    Linux - Because Mommy taught me to Share.
  14. Bad news for the music industry by nizo · · Score: 5, Funny

    What will they do when people like the files with random noise better than any of the current music?

  15. There is one way.... by Col. Blackwolf · · Score: 5, Funny

    You can always ensure an identical hash and size by filling the file with identical data and then uploading the new file to the P2P network. Imagine how quick filesharing would stop if all of the major industry groups started doing this. P2P wouldn't stand a chance, no siree.

  16. Re:Just an annoyance by Dutchmaan · · Score: 5, Funny

    Don't you mean..

    "Life... uhhhh.. will..uhh... find a way!"

  17. This is so stupid by commodoresloat · · Score: 5, Insightful
    If the copyright issues were not present here and someone built a program that did something like this, they would be universally reviled as a malicious hacker. Hey! Here's a program that creates phony web pages with false information masquerading as legitimate pages! Here's one that copies Excel spreadsheets on the web and subtly pollutes the database with phony information, then stores multiple copies around with the same name! This handy tool attaches to a photocopy machine and randomly scrambles the words on the page you are photocopying!!

    P2P is a technology. Yes it can be used for copyright violations, just like a photocopy machine or tape recorder. But it also has amazing possibilities in terms of creating a universal organic archive. Crippling like this -- and through using lawsuits -- is an unnecessary attack on a system in its infancy.

    The copyright issues will work themselves out -- until the 20th century human art and ingenuity survived for thousands of years without the ability to make millions selling recorded music and video. If p2p has a major effect on the entertainment industry's ability to profit (and I'm still not convinced that it really will), human art and culture will survive. And people will continue to find ways to make a living creating art.

  18. As someone who actually _does_ have a P2P attack.. by Effugas · · Score: 5, Informative

    It's a couple pages in my paper here. Basically, the first 300Kb of Kazaa's files are hashed normally, then every 32Kb chunk of the file is hashed independently. This allows independent chunks to be downloaded out of order. These out of order chunks are recursively hashed against one another to create one final value, called a "kzhash", which is verified after the file is downloaded.

    The attack is to use the recently released collision -- which creates two blocks that, when mixed against the default initial state of MD5, emit the same system state. Every 32K, you can embed one or the other in the file you're transmitting, and kzhash can't tell. What can you do with this? Morph a file as it traverses the network; have an installation executable describe the systems it's being installed on as it propagates through a network. With a fairly large installer, you'd get quite a few bits in there.

    You still don't get to do random noise, and while it's no Tiger Tree, kzhashing doesn't appear so exploitable that this group is likely to have anything. I could be wrong, but then, virtual algorithm? Right.

  19. Re:Just an annoyance by ePhil_One · · Score: 5, Funny

    It's a perfectly cromulent word...

    --
    You are in a maze of twisted little posts, all alike.