Slashdot Mirror


User: Omnifarious

Omnifarious's activity in the archive.

Stories: 0
Comments: 3,455

Comments · 3,455

  1. Re:Skein on SHA-3 Finalist Candidates Known · · Score: 1

    So, it was intended as a joke, and not a hint that there's some terrible flaw in the skein algorithm? As a joke, it's pretty darned funny. :-)

  2. Re:Code is NOT English prose (FTFY) on SHA-3 Finalist Candidates Known · · Score: 1

    That is just a practical application of the weakness that was demonstrated in 2004. The original demonstration of the weakness just got people saying that it would be easy to tell the difference between a legitimate file and a file crafted to have the same hash value. The article you mention seems to have been a reaction to this demonstrating how it can be applied. Such applications should have been obvious to everyone from the original result.

    I am somewhat aware of this history. Thank you for clarifying and mentioning the attack that's even better than this one.

    Strangely enough, a lot of people haven't gotten the message. A lot of people keep on claiming MD5 is perfectly fine in cases where this attack is possible. I've had to fight it so many times. I don't understand people.

    And really, I think it's only a matter of time (and not much time at that) before the same issue crops up for SHA-1 given the weaknesses that are currently known.

    Switching a hash algorithm out isn't that hard. And if you're writing new code, using a good one as opposed to a bad one is even easier. I don't understand why people resist and try to claim the old one is 'just fine' for whatever it is they're doing.

  3. Re:git objects don't live in a vacuum on SHA-3 Finalist Candidates Known · · Score: 1

    Unfortunately, the links to the postscript files in question are no longer valid. :-( If I recall correctly though, the blocks of garbage in the middle were exactly the same size in both files.

  4. Re:Bah! on SHA-3 Finalist Candidates Known · · Score: 1

    Thanks! Those two reasons make a lot of sense.

  5. Re:Code is NOT English prose (FTFY) on SHA-3 Finalist Candidates Known · · Score: 1

    I googled for 'md5 postscript attack' and found this: Hash Collisions (The Poisoned Message Attack). Using this technique they were able to make either document say exactly and precisely what they wanted it to say. The postscript merely makes a decision about what display code to run based on the contents of some garbage in the middle of the file that's different in each file. The rest of both files are the same.

  6. Re:It will never work on SHA-3 Finalist Candidates Known · · Score: 1

    That's an ignorant defense. There is a really nice example of someone creating two Postscript files that both generate perfectly intelligible pages that contain the same hash. Doing this and still hiding the exploit just requires sticking it in code that nobody will review. You have the exploit code and the non-exploit code in the same file and have a decision based on a bunch of random garbage that's different in the two files.

  7. Re:good! on SHA-3 Finalist Candidates Known · · Score: 2

    People are always saying "Oh, collisions aren't important for this application.". And they're almost always wrong. Stop trying to be a security expert and just quit using an algorithm when it's broken instead of coming up with excuses not to change it.

  8. Re:Skein on SHA-3 Finalist Candidates Known · · Score: 1

    Well, that's amusing. But without details, it's only slightly better than saying "Skein sucks!".

  9. Re:Skein on SHA-3 Finalist Candidates Known · · Score: 1

    Is this the attack by djb that even he hasn't posted clear details of? Or is this a previous attack that Schneier and company solved with their 2nd round tweaks that improved diffusion?

  10. Re:Bah! on SHA-3 Finalist Candidates Known · · Score: 2

    I'm really curious as to why Blue Midnight Wish wasn't selected. I've read a bunch of the papers and nobody seemed to be able to come up with any reasonable reason it was weak, and it's very fast.

  11. Re:Skein on SHA-3 Finalist Candidates Known · · Score: 2

    I've been following the progress on the SHA-3 Zoo and I haven't seen anything indicating Skein is broken. I've been following Skein with particular interest because I like how it can be tweaked in various ways to serve particular needs.

  12. Re:"Too fast to be true" on SHA-3 Finalist Candidates Known · · Score: 4, Insightful

    Tangential? What are you talking about? The cryptographic uses of hashes are the whole reason SHA-1, SHA-2 224,256,384,512 were created in the first place. It's also the reason the competition is being run.

    I would also submit that your use case is not as security insensitive as you might think.

  13. Re:Of course, Antivirus software is a worthless sc on Antivirus Firms Short-Changing Customers · · Score: 1

    Yes, that's a good way of putting it.

  14. Re:Of course, Antivirus software is a worthless sc on Antivirus Firms Short-Changing Customers · · Score: 1

    If the bugs actively hunted down people who weren't infected, I would say vaccines are worthless. Antibiotics are more the equivalent of a piece of removal software than they are a piece of antivirus software.

    The ecosystem analogies aren't valid because the computer virus ecosystem doesn't naturally evolve. It's driven by the people who profit from it. And those people will make sure that the viruses your PC is exposed to are the ones you don't have a defense against.

    Additionally, I consider most AV software to be a malware trojan in itself with how it takes over your computer and pops up useless warnings about this, that or the other thing. It's all about selling you a completely false sense that you've done something effective about the problem. It doesn't work.

  15. Of course, Antivirus software is a worthless scam on Antivirus Firms Short-Changing Customers · · Score: 2, Insightful

    It always was. It only catches some of what's out there, and once your system has caught something, you're hosed. Time for a wipe and re-install. The stuff it doesn't catch is what you'll get. I recommend against it for everybody I know. Too many people think that somehow having antivirus software actually does something useful, or that their PCs will be magically immune because they have it.

    The only real defense against viruses is software that is written from the start to have as few security holes as possible, making sure you keep up on patches, and being careful about what you agree to when your computer asks you if you're sure about something.

    People who are already participating in a scam getting scammed even worse than they originally thought isn't much of a surprise to me.

  16. Re:Live forever, or die trying on Aging Reversed In Mice · · Score: 1

    I think a regeneration treatment is possible with minimal risk. I wrote about it in a different Slashdot reply.

  17. Re:This treatment may not work, might be dangerous on Aging Reversed In Mice · · Score: 1

    Well, I'm not a biologist, but I do pay a lot of attention to low-level biochemistry articles that come out in various places...

    These mice were genetically engineered to make expression of telomerase contingent on the presence of another enzyme. This means that a switch was added in mice, not that a switch was found in mice that could be used in humans.

    I don't think a cancer treatment lies hidden in here, but I do think a regeneration treatment is possible.

    There are numerous classes of stem cells stored throughout the body. One possible treatment is to find these stores, take a few healthy, non-cancerous, non-DNA damaged cells out of them, treat them with telomerase in vitro and put the cells with restored telomeres back in the appropriate spots.

    Hopefully the cells with short telomeres would slowly die off over time and the cells with longer telomeres would replace them, and since these cells are the source of new cells for various tissues in the body, it would have the effect of resetting the 'telomere clock' for the whole body.

    I have no clue if this would work. As I said, I'm not a biologist. But it seems plausible to me.

  18. Re:This treatment may not work, might be dangerous on Aging Reversed In Mice · · Score: 1

    I did RTFA, but I guess I just read it to confirm that they were indeed playing with telomerase in the way I expected from the summary. So I missed the bit about cancer.

    Since a majority of Slashdotters don't RTFA, I think mentioning an important fact that was in the articles isn't bad, and I added some information that wasn't in the articles.

  19. Re:This treatment may not work, might be dangerous on Aging Reversed In Mice · · Score: 1

    Oh, and another good time to use "The Voice Of Authority" is when everyone is milling around and it's really urgent that something be done right now, and I'm pretty sure that the course of action I have in mind is at least better than doing nothing. But that crops up quite rarely.

  20. Re:This treatment may not work, might be dangerous on Aging Reversed In Mice · · Score: 2

    *chuckle* Is there anything about this that's wrong? Biology, particularly low-level biochemistry, is an area of science that I pay a lot of attention to.

    Though, I also take your point, and I will try to have a less decisive tone in the future. I've noticed that people tend to be less questioning than they should of "The Voice Of Authority", and so it's something I try to only use when I'm nearly certain I'm right. But you are correct that this isn't my field and so I should take that into account.

  21. This treatment may not work, might be dangerous on Aging Reversed In Mice · · Score: 3, Informative

    Cells do not normally produce telomerase on their own because not producing it protects against cancer. Turning on the gene that makes telomerase is one of the hurdles pre-cancerous cells have to cross on their way to becoming cancerous.

    Also, as someone else pointed out, telomeres are just one aspect of aging. You can induce mice to age prematurely by restricting embryonic expression of telomerase, but that doesn't necessarily mean that mice that age normally will be similarly completely restored by adding it.

    There are a number of degenerative diseases (macular degeneration and probably Alzheimer's) that happen because of inadequate waste removal. No amount of telomerase is going to cause all the little protein fragments lying around to be magically cleaned up and excreted.

  22. Re:indirect taxes are important on Every Day's a Tax Holiday At Amazon · · Score: 1

    I don't disagree with you. And I only need to lobby congress. They should end the sales tax exemption.

  23. Re:indirect taxes are important on Every Day's a Tax Holiday At Amazon · · Score: 1

    You are saying that on the Internet people can have perfect information about prices and so the company with the lowest price will win.

    This isn't really true. People might be able to have perfect information about prices, but other aspects of the transaction will be important to different people.

    For example, people may choose to buy from Amazon because their prediction algorithm does a really good job of finding stuff they like and they want to give it as much data as possible. Or maybe a different company has a reputation for shipping things in a more timely fashion than Amazon. Or any number of other variables.

    I would say that what the Internet takes away in terms of being able to confuse people about pricing it gives back in ways to allow you to differentiate yourself from your competitors.

  24. Re:indirect taxes are important on Every Day's a Tax Holiday At Amazon · · Score: 1

    You can apply this logic anywhere in the tax chain as an explanation for why that link in the chain should be able to avoid taxes. Your logic fails.

    Taxes are passed with the idea of a certain mix of the tax income coming from particular places as a matter of policy. Circumventing that public policy makes a mockery of that process.

    If they don't want to pay taxes, they can simply not do business in the places they don't want to pay taxes to. Otherwise they are taking advantage of something they aren't paying for.

  25. Re:What are they going to do about it? on One Giant Cargo Ship Pollutes As Much As 50M Cars · · Score: 1

    That sounds like something to negotiate over, not a reason it will fail. Especially since you wouldn't be imposing the tariff based on the source, only the shipping method. Tell them that you'd welcome them imposing a similar tariff, because, you know, you would if your goal is really to reduce carbon emissions.