Slashdot Mirror


User: Omnifarious

Omnifarious's activity in the archive.

Stories: 0
Comments: 3,455

Comments · 3,455

  1. Re:I have heard of attempts to sue... on Can You Be Sued for Quitting? · · Score: 3, Insightful

    Personally, I think the cloak of silence around companies that do evil things to their employees is awful. They should be named. It should be out in the open, and people should know. Maybe employers would work harder to find managers who were worth the salaries they were paid if their management's screwups became public knowledge. Especially for something like this.

    If what this anonymous reader says is true, I can't see how the company could win any kind of lawsuit. Sure, it might make them more likely to try. And if they did I'm sure a judge would be happy to award the defendants significant damages for the company trying to waste their time and the court's time with a frivolous intimidation lawsuit.

  2. Re:Neither. on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    also bittorrent would be tricky to forced proxy

    Well, this is true, and that's why you'd need the Bittorrent people to help with this. I'm sure there's a way to do it without giving the ISP control over what people can download.

  3. Re:Neither. on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    So, basically the only reason my DSL connection is $110/mo instead of $10/mo is the local telephone company? I had no idea that the margins were so stupidly high. This makes a couple of business ideas I have even more likely to be good ideas.

  4. Re:Neither. on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    Or they get together with the bittorrent people and work out a way they can run a caching server so they aren't fetching the same thing 5000 times from outside their network and wasting bandwidth.

    If there had been some sort of push for decent caching or multicast support in the first place it's possible bittorrent would never have happened. If they're having infrastructure problems now, they only have their own lack of foresight to blame.

  5. It would sway my vote, but... on The Privacy Candidate · · Score: 2, Interesting

    I do not trust Hillary Clinton at all. She is a blatant political opportunist of the worst sort. I have no doubt that she would talk loudly about privacy when anybody was looking, then implement totally opposite policies to gain political favor.

  6. Re:Myspace is the new AOL on MySpace and GoDaddy Shut Down Security Site · · Score: 1

    Of course, completely leaving out that they could've asked the guy that owns the site! There are several chains of actions here that do not involve the court system and involve all parties being treated fairly. And none of them were followed. I can't be happy about this.

  7. Re:Overkill is an understatement on MySpace and GoDaddy Shut Down Security Site · · Score: 2, Informative

    Be careful with comments like that. While I sympathize with you and might've done something similar, your credit card company might try to get you for fraud if they ever link that comment to you.

  8. Wikipedia is often a good starting point... on Professors To Ban Students From Citing Wikipedia · · Score: 3, Informative

    And when all I'm interested in is a general overview of something, it's often a good place to go. But I agree that using it as a source for a college paper is unwise. Not just because of the inaccuracies, but because when you are doing research, you need to get to original sources. Wikipedia by its very nature is not an original source.

    One thing I find impressive about Wikipedia is just how obsessively detailed some of the entries are. Some of those details may or may not be correct, but the level of detail is far greater than any encyclopedia I've ever used. And even a detail that's wrong or inaccurate still gives you something to look for when you're going over original sources.

  9. Re:Leadtime for security: Is it too late? on A Competition To Replace SHA-1 · · Score: 1

    I'm sorry, there are purposes to which hash functions are put in which even a 'stage 1' (by your nomenclature) break creates serious weaknesses. Basically it creates a situation in which any document of any kind that Alice creates and Bob signs can have a malicious substitute also created by Alice that Bob will have apparently signed.

    The biggest example of this in modern usage is a Certificate Authority or PGP key signature. I would call both of those pretty important.

    The required abilities of cryptographic hash functions are all important.

    It IS true that there still are some uses a hash function is good for even if it isn't resistant to the creation of two messages that collide. But I don't think going around analyzing all protocols to see which ones the hash function is still good for is a worthwhile pursuit, mostly because I think the time needed for a serious analysis is much greater than most people are willing to spend. It's much better to just create a new hash function which does have collision resistance and use that instead.

  10. Re:Good News on A Competition To Replace SHA-1 · · Score: 1

    I have heard, but don't have a source, that elliptic curve is broken by quantum computing as well. I did a bunch of research when doing the initial design of CAKE because I figure that quantum computing will be a solved engineering problem at some point.

  11. Re:Honesty.... on Microsoft PR Paying to "Correct" Wikipedia · · Score: 1

    I believe this trend can be bucked by various individual corporations while remaining generally true for all of them. Sociopathic behavior is a very strong draw for corporations because of all the forces surrounding their existence and maintenance. For example, I generally like Google because I think they try hard to buck this. I don't think they will succeed forever, but I respect that they recognize that their corporation has moral and ethical responsibilities.

  12. Re:Disclaimer on The Birth of a FOSS Application · · Score: 1

    When I'm moderating I do. And I often do when I'm following a discussion thread. But, it is also infeasible to have a core group of editors do all the moderating. I think there is a balance to be struck, and I think Digg is on the 'the mass mind has too much power' side of that balance.

  13. Re:Disclaimer on The Birth of a FOSS Application · · Score: 1

    I won't 'Digg' things. I don't like that site, and don't like the idea behind it. People in aggregate are often blindly shortsighted and I do not trust them to make good decisions about what I should read.

  14. Re: MD5 is broken and should no longer be used on Chinese Prof Cracks SHA-1 Data Encryption Scheme · · Score: 1

    Well, the postscript example is possible to exploit in a context that's not quite so contrived...

    In Mercurial, revisions are identified with hashes of their contents. So, you can submit a change to something like a postscript file that nobody will review the source of. Then, later, you can trick someone involved in the project into pulling a repository copy from you that has the evil version of the Postscript file. With any luck, you can get the evil version to infect the project with nobody realizing it until someone notices the strange behavior.

    The problem is that the submission is likely to eventually be traced back to you once the strange behavior is noticed. But the reputation of the project would be severely tarnished and you might be able to get access to the systems of various people who used it.

    It would be surprisingly hard to exorcise the bad version from the various distributed repositories. You'd have to just replace the file and state that any version before X is potentially infected. And even then a badly done merge might easily re-introduce the file.

    This is basically a trickier way to get someone else to sign something for you.

    And the case of a certificate authority is interesting too. The very nature of a CA is to sign documents made by someone else.

    But, no, I can't really think of situations in which it's really useful unless the attacker is in some way getting someone else to lend their authority or reputation to the attacker.

  15. Re: MD5 is broken and should no longer be used on Chinese Prof Cracks SHA-1 Data Encryption Scheme · · Score: 1

    My question is, how trivial is it to create, say, a binary that features the command "take over user's computer" whilst keeping the same hash as the original.

    These algorithms are block oriented. As soon as you have two blocks that collide, you can use those two blocks to make a code path decision. If you have one of the two colliding blocks, the 'good' path is chosen. If you have the other of the two colliding blocks, the 'evil' path is chosen. It doesn't matter what the two blocks are. Any two blocks will do.

    Sure the 'good' path and the 'evil' path are both in the same binary. But if you can manage to get them into the binary instead of the source, they will never be found by review. If, for example, you are an evil Debian packager this isn't that hard.

    Here is an example of this technique using Postscript.

  16. Re: MD5 is broken and should no longer be used on Chinese Prof Cracks SHA-1 Data Encryption Scheme · · Score: 2, Informative

    It is relatively easy with MD5. It would probably require less than a week of time on a modern computer, possibly only hours.

    If you spent 10 million on an SHA-1 cracking box, it's estimated that it would take about 127 days to find two colliding files.

    Here is a PDF that's my source for this information.

    An additional problem is that you can embed interesting things in .pdf, .ps or even HTML documents. You could embed both the evil code, and the good code. Then use a colliding block someone found a long time ago to choose between the evil code and the good code. So, once even one collision is found, it's possible to leverage that one collision into all kinds of existing documents because of the block nature of the two algorithms.

    I expect that .pdf and .ps documents rarely see code review looking for evil code. So it's quite likely something like this would go completely undetected until the evil version was released into the wild causing a ton of confusion and lost time before someone figured out what was wrong.
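The block-oriented property described in comments 15 and 16, as an added example that is not part of Omnifarious's posts: a toy 16-bit Merkle-Damgård hash (a constructed stand-in, not MD5 or SHA-1) shows that once two equal-length blocks collide, identical content appended to both keeps the hashes equal, while SHA-256 still tells the two files apart. All names and the sample suffix are assumptions made for the illustration.

```python
import hashlib
import struct

BLOCK = 8          # toy block size in bytes (MD5 and SHA-1 use 64)
IV = b"\x12\x34"   # toy 16-bit initial chaining value (constructed)


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function with a 16-bit output, so collisions are cheap."""
    return hashlib.sha256(state + block).digest()[:2]


def toy_hash(msg: bytes) -> bytes:
    """Iterate the compression function block by block, with length padding."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    padded += struct.pack(">Q", len(msg) * 8)
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_colliding_blocks():
    """Birthday search: two distinct blocks that give the same chaining value."""
    seen = {}
    counter = 0
    while True:  # ends within 2**16 + 1 tries by the pigeonhole principle
        block = struct.pack(">Q", counter)
        out = compress(IV, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        counter += 1


def demo():
    """Build two files that differ only in their first block and compare hashes."""
    a, b = find_colliding_blocks()
    # Constructed sample: the same trailing content is appended to both files.
    suffix = b"%!PS constructed sample, identical trailing content in both files"
    doc_a, doc_b = a + suffix, b + suffix
    return {
        "blocks_differ": a != b,
        # Equal chaining value after block 1 means every later state is equal too.
        "weak_hash_match": toy_hash(doc_a) == toy_hash(doc_b),
        # A collision-resistant hash over the same bytes exposes the difference.
        "sha256_match": hashlib.sha256(doc_a).digest() == hashlib.sha256(doc_b).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning file or revision identity to a collision-resistant digest is the check that catches this: the two files above are indistinguishable to the weak hash and trivially distinguishable to SHA-256.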

  17. Re: MD5 is broken and should no longer be used on Chinese Prof Cracks SHA-1 Data Encryption Scheme · · Score: 2, Insightful

    SHA-2 is a new family of hash algorithms. But that's kind of like saying that Twofish is a new cipher algorithm that isn't Blowfish. Realistically, if someone finds a major flaw in Blowfish that wasn't anticipated in the design of Twofish, it's quite possible that Twofish has the same flaw because they're built along the same lines, despite being different algorithms.

    The SHA-2 family is designed by the same people who designed the SHA-1 algorithm, and they were designed before the flaws in SHA-1 were discovered. And from what I understand, the internal structure of SHA-1 and algorithms in the SHA-2 family are very similar.

  18. Re: MD5 is broken and should no longer be used on Chinese Prof Cracks SHA-1 Data Encryption Scheme · · Score: 4, Interesting

    I disagree with your assessment of MD5 and the majority of uses of it. There is a property of MD5 which is broken. It is possible to construct two bytestrings that have the same MD5 hash. In fact, it's relatively easy to.

    This breaks an important property that most people assume is true about cryptographic hash functions. I think it's actually very hard, in practice, to determine whether or not losing that property renders a particular system more vulnerable to attack. I don't believe that downplaying the associated risk does anybody any favors. I believe MD5 should be treated as "Effort should be made to remove the use of this algorithm from any existing code unless a convincing case can be made that the break doesn't affect it.".

    SHA-1 is similarly 'broken'. But, the break in SHA-1 is not currently computationally trivial to exploit. It is just less computationally expensive to generate two bytestrings with the same SHA-1 hash than it should be given the length of the hash. But once people start discovering weaknesses in algorithms, it's common that someone refines the technique to make the weakness worse. So, I would treat SHA-1 as "No new code should use this, and it should be removed from existing code if the required effort isn't very large.".

    The biggest problem is that there isn't a clear algorithm to move to from SHA-1. SHA-256 and SHA-512 are based on the same principles as SHA-1, so there is worry (but no proof) that the break in SHA-1 could be extended to these two hash functions as well. But WHIRLPOOL, the other major contender, has received very little scrutiny.

    I've saved a bunch of interesting links about hash functions on del.icio.us.

  19. PARENT (my own post) DOESN'T DESERVE INFORMATIVE on Expert Wants to Decertify Global Warming Skeptics · · Score: 1

    It contains a piece of misinformation that a later poster replied to with the information that debunks it.

  20. Re:This is ridiculous, but... on Expert Wants to Decertify Global Warming Skeptics · · Score: 1

    There are plenty of things in science that are proven beyond a doubt, from the act that pouring water into a glass container will not suddenly be on the ground to the mixing of multiple chemicals injecting that into a person and applying an outside invisible ray will help to cure illness.

    Those aren't proven beyond a doubt. Especially the second of those two. But even the first is perfectly open to a single experiment proving it false.

    The theory that we are affecting the climate in a major way won't ever have that level of confidence until we can create a repeatable experiment on multiple earth-like planets. But, IMHO, that still doesn't mean that if someone feels that the data they are writing a paper about supports that theory that they shouldn't say so.

    And I don't care if the Bush administration has done it less or more. It's wrong no matter how much of it is done or by who.

    That stuff about the Grand Canyon has been proven absolutely false and the only people not interested in the truth are those that keep spreading stuff like that.

    Thank you. I've posted links to those in my blog as a retraction from when I posted the original story. And I'm hunting around for people who got the link to me and posting links to that in the comments.

  21. Re:This is ridiculous, but... on Expert Wants to Decertify Global Warming Skeptics · · Score: 2, Informative

    That amounts to the same thing. The only things that can be proven beyond a doubt are math theorems. That means that scientists are reduced to reporting only measurements if they want to fit this criteria. If a scientist states a conclusion that they feel the data supports and a politician disagrees with it, that conclusion will be removed. No hypotheses are proven conclusively by evidence. There are always other possible explanations.

    And given that this is the same administration that offers a book up for sale at the Grand Canyon stating that the Grand Canyon was created by Noah's flood and forbids rangers from stating what they think the age of the Grand Canyon is, I think it's clear that they aren't interested in truth.

  22. Re:This is ridiculous, but... on Expert Wants to Decertify Global Warming Skeptics · · Score: 1

    That is a different question, but I still feel that someone playing games with certification when a meteorologist spouts an opinion about climate change isn't the right thing to do at this point. The debate has (wrongly) become heavily politicized, and you wouldn't be able to separate the politics from the science here.

  23. This is ridiculous, but... on Expert Wants to Decertify Global Warming Skeptics · · Score: 5, Insightful

    The idea of doing this is just as ridiculous as Bush forcing all scientific papers produced by scientists employed by the government to go through political censors before being.

    But, the linked to article is a horribly biased hatchet job that contains such gems as:

    Intimidating scientists with calls for death trials, name calling and calls for decertification appears to be the accepted tactics of the climate alarmists. The real question is: Why do climate alarmists feel the need to resort to such low brow tactics when they have a compliant media willing to repeat their every assertion without question.

    This is a ridiculous and disingenuous assertion, especially given the well documented policies of the Bush administration to do everything they can to suppress research that doesn't support their view.

    I find that entire site rather appalling. And the fact that it appears to be the website for a Senate committee concerned with the environment makes the blatant and obviously one-sided bias all the more awful.

    But, the focus of this Slashdot article is on the person calling for decertification. And, as awfully disingenuous and biased as that site is, they have the guy dead to rights. That is not a reasonable thing to do. Calling for censorship of honest opinions is not something anybody of any political stripe should be doing and severely lowers the credibility of the person who asks that it be done.

  24. Re:This is utterly wrong on The Return of the Fairness Doctrine? · · Score: 1

    First, I don't see where you're getting the idea that I would "regulate" a communication channel employing LEDs any different from one employing a broadcast antenna. All the basic components are the same: a transmitter, a receiver, and the potential for interference. Interference with a preexisting LED communication channel would be dealt with in the same manner as interference with preexisting radio communication channel. The carrier doesn't even have to be electromagnetic: a channel employing ultrasound, for example, would follow the same general rules.

    Hmmm.... I'll have to think about it. Your idea is interesting, and seems to have merit.

    I'm still suspicious that entrenched broadcasters would refuse to change regardless of whether it's cheaper for them in the long run or not. I think they are more interested in control of the spectrum than efficiently using it. Whether or not small broadcasters could sneak into the cracks and displace them from beneath is an interesting question.

    But, I don't think your idea is so totally flawed as to be beyond consideration. I'll have to think about it more. :-)

  25. Content based addressing on Netscape Restores RSS DTD, Until July · · Score: 1

    The web needs some scheme for content based addressing. Like the urn:sha1 scheme used in gnutella. This (and some sort of reasonable caching scheme) would do a lot to alleviate problems like this. It could also help a lot with the Slashdot effect.