I can't easily, with tools I have handy, produce an MD5 collision for that statement. I do not believe the current state of things would allow the creation of such a tool that could run in a reasonable length of time.
I do know that I can (pretty easily) give you two files which have the same hash. I could prepend both of those files to that statement, and I would get the same hash for both files, though they are different.
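As an added illustration of the "prepend the colliding files to the statement" point in the comment above (example code, not the author's and not MD5): a toy Merkle-Damgård hash with a 16-bit chaining state, small enough that a colliding block pair can be found by brute force, after which any identical tail appended to both inputs keeps them colliding. The toy compression function, 4-byte block size and IV are constructed for this example; the structural property shown is the same one MD5 and other Merkle-Damgård hashes have.

```python
import hashlib
import struct

BLOCK = 4          # bytes per block in the toy hash (constructed; MD5 uses 64)
IV = 0x1234        # constructed initial chaining value


def compress(state: int, block: bytes) -> int:
    """Toy compression function mapping (16-bit state, 4-byte block) -> 16-bit state.

    Built from SHA-256 truncated to 16 bits purely so it behaves like a random
    function; it is a constructed stand-in for MD5's compression function.
    """
    digest = hashlib.sha256(struct.pack(">H", state) + block).digest()
    return int.from_bytes(digest[:2], "big")


def toy_md(msg: bytes) -> int:
    """Merkle-Damgård iteration with a 0x80 terminator and a length field, like MD5."""
    padded = msg + b"\x80"
    while (len(padded) + 4) % BLOCK:          # leave room for the 4-byte length
        padded += b"\x00"
    padded += struct.pack(">I", len(msg))      # length field (toy: 4 bytes, bytes not bits)
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_colliding_blocks(seed_state: int = IV):
    """Birthday search for two distinct single blocks that compress to the same state.

    With a 16-bit state this needs only a few hundred trials; the search is
    deterministic (counter-based) so the result is reproducible.
    """
    seen = {}
    counter = 0
    while True:
        blk = struct.pack(">I", counter)
        s = compress(seed_state, blk)
        if s in seen:
            return seen[s], blk
        seen[s] = blk
        counter += 1


def extend_with_suffix(a: bytes, b: bytes, suffix: bytes):
    """Return the two digests of a||suffix and b||suffix.

    Because a and b are each exactly one block and collide under the IV, the
    chaining state is identical after the first block, and everything after it
    (the shared suffix, padding and length field) is identical too. The caveat
    is built into the construction: this only works when both inputs share the
    same prefix (here none) and the same length, since the length is hashed last.
    """
    return toy_md(a + suffix), toy_md(b + suffix)


if __name__ == "__main__":
    a, b = find_colliding_blocks()
    tail = b"I hereby agree to the terms above."   # constructed shared statement
    d_a, d_b = extend_with_suffix(a, b, tail)
    print(f"blocks differ: {a != b}, bare digests equal: {toy_md(a) == toy_md(b)}")
    print(f"digests with shared tail equal: {d_a == d_b}")
```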
MD5 is broken for some purposes. When a cryptographic algorithm is broken for the purposes it was originally designed for, people should stop using it. Partly because a chink in the armor may be exploited in unexpected ways in the future. And partly because people will keep on using it for purposes it doesn't work for if people who know better don't tell them that it's broken.
Cryptography is subtle, and if an algorithm has known flaws, it's hard to know when you're doing something that will trip across one. Hash algorithms are supposed to have a certain set of well-understood properties. MD5 no longer has them. It can still be used securely for some purposes, but each purpose requires a lot of careful thought to decide if the algorithm's flaws will make it vulnerable in that situation. It's best to just get everybody to stop using it altogether.
No, I am extremely concerned that people at large will continue to think that MD5 is fine when it's not. Why use MD5 when everybody who has MD5 has SHA1, which is fine?
It only takes me 2^40 operations to find another file that has the same hash. And I can find areas of the gcc compiler that it doesn't matter much if I change, like various parts of the documentation.
2^40 steps is how many it takes to break DES, and everybody thinks it's broken for that reason.
People should stop using MD5 as soon as possible. Algorithms that have been broken for their intended purpose should be abandoned and their use discouraged, especially when there are perfectly good alternatives widely available.
Nobody has demonstrated collisions for SHA-1 yet. Nobody has clearly demonstrated that they can generate collisions for the full SHA-1 in less than the 2^160 steps you'd expect it to take.
My point is that people should be discouraged from using algorithms that have been broken for their intended purpose. For example, MD5 can no longer be trusted as a method for verifying downloads. If it's available and its use encouraged, people think that it's good for verifying things. It will still be used for verifying downloads, and we'll all wake up one day to discover that gcc has been back-doored to put a back door in every ssh implementation out there and in itself.
Yes, but I can show you existing collisions for MD5. Can you show me any collisions for SHA1? One algorithm has been broken, and it's possible to generate collisions for it. One hasn't been yet.
The tool should be removed anyway, and people should no longer be encouraged to use it. Mostly because if it's there, people will keep on trying to use it for purposes for which it is no longer safe, like file downloads. It's better to stop using it for everything than keep it around for the few purposes it still is good for.
Especially since there's a perfectly good replacement (SHA1) that practically everybody who has an MD5 sum generator already has.
I wouldn't recommend crc32 for large volumes of data. Mostly because if you have any errors, they'll likely be more than single bit errors, and for a large enough amount of data will swamp crc32's ability to detect them.
I don't trust a hash algorithm that has collisions for anything, not even verification. Part of this is because I have a strong bent towards viewing things from a cryptographic standpoint, but another reason is this... If the algorithm is sitting around, there for people to use, it will be abused because people will not be aware that it is broken for certain purposes. It's better to get rid of it altogether.
For example, MD5 is now completely unsuitable for use as a verification mechanism for downloads. Removal of the tool from distributions makes it harder for people to abuse it for this use, and more likely that they'll use SHA-1, which does not have any proven attacks yet.
I don't trust any hashing algorithm in which there are demonstrated collisions. You shouldn't either. Stop recommending anybody use MD5 when there's a perfectly good replacement available that practically everybody who has MD5 also has.
I wouldn't be surprised to discover that the fact that you can generate collisions in the algorithm means that its distribution for random input is far from flat, and it's probably a bad idea to use it for anything.
MD5 has been proven to have collisions. Use sha1sum, not md5sum. IMHO, the md5sum tool should be deprecated and removed from all future Linux distributions.
No, I propose the continued existence of the system we have now, you want a CD, a movie, a piece of software, whatever, you BUY it. I'd like to see one change, tho', which would be to split the cost of the media from the cost of the content on it. So if I scratch a CD, say, I should be able to get a new one for the cost of the media alone, since I've already bought the contents.
Sadly, if you haven't noticed, that system no longer seems to be working, and is devolving into the going from house to house method. Do you have any other suggestions, or would you prefer to spend a few more years denying reality until you can't tie your shoes without a patent license, or run a computer without a police chip in it to make sure you don't do anything that the government doesn't approve of?
Creating new ideas is CHEAP. Turning ideas into real products is hard, and expensive.
That doesn't change my basic premise. Charge people to create real products, don't charge them for copies of the products. If the artist/musician/author/engineer doesn't get paid, they shouldn't make the work.
Well, that sort of pure science is interesting, but it's not a product. You can't "cure AIDS @ home" because there is no software to do that, it takes expensive people and expensive equipment to work on it. You might kid yourself that you're helping real problems, but you are only doing so in the more indirect way.
So, where do you think the AIDS researchers go when they need to know the shape of some particular surface protein on an immune cell? Since I'm around and contributing my CPU time, they don't have to pay for the multi-million dollar supercomputer it would take to do it without me. Seems to me like a fine contribution.
Besides, you didn't even bother addressing my willingness to directly fund particular efforts at making things I think would be very useful. A cure for AIDS certainly counts here. I'd probably be willing to give $60/yr for that. If I were in a high-risk group, I'd probably be willing to give a lot more.
The basic problem here is trying to charge people for copies of something when they are incredibly cheap to make. It's senseless to do so. When copies start being really cheap to make, you need to find some other means of compensation than giving the creators a way to tax making copies of their creation.
I agree with this, and try hard to shake this image in any forum I'm in. I don't put up with people treating me this way, and when I see people being treated that way, I patiently try to answer their questions.
It's not everybody.
It does get really hard to stay patient though, and I tend to leave if I find myself getting snappish.
Such an intelligent comment. The first side to weary of repeating itself to the other loses under this scheme.
Since the current economic system is very harmful, why don't you try being part of the solution, and think of one that will work instead of trying to paint all those who realize that it won't as short-sighted criminals? Or is that effort beyond you? Are you so poor in imagination that you can't possibly imagine any reality other than the one you exist in now? If that's true, you are certainly more of an intellectual 'property' leech than anybody you're criticizing.
So, do you propose a system in which we go from house to house every year demanding to get a detailed inventory of all the intellectual 'property' everybody is making use of to make sure they've paid for it all? In order to have a world in which intellectual 'property' exists, you have to have an enforcement regime that's way more expensive than any possible benefit that could be derived from the creation of said 'property'.
Counting lost opportunity costs (I can't use that piece of software and get the benefit of it because of the enforcement regime) and the direct costs of enforcement (how much of our court system is dedicated to battles over intellectual 'property'), I would guess that we are getting at least an order of magnitude less benefit from the various ideas people create than we could.
Creating new ideas is expensive. After that, they cost absolutely nothing. It seems to me that the economic system should be altered to reflect this reality. Instead we are now trying all kinds of hideously expensive methods of artificially restricting the free propagation of ideas in an effort to preserve some bizarre economic model that doesn't fit reality. Of course, it happens to benefit a bunch of people with entrenched interests who would actually prefer that it be hard for new ideas to make it out into the world, but I'm sure that all this effort expended to keep it around isn't because of them.
I think the best model for creating ideas is for all the people who have the foresight to realize they have something to gain from the idea to put up some money towards its creation.
For example, I know very little about biochemistry, but I fully realize how massively beneficial to me that advances in this field could be, so I spend a bunch of money and effort making sure that Folding@HOME is running on all the computers I control. I'm contributing my time and money (electric bills) towards this effort. If they had some sort of automatically deducting donation system by which I could put $50/month towards the project, I would. That would probably put my total monthly expenditure in time and money up to about $80/mo which is not at all a trivial amount.
First, I'm not sure the FCC is obsolete, but their regulations should loosen up. They should always be loose enough that consumer level tech that's more than a certain amount below average will have problems. Otherwise, there will be no incentive for it to get better. Having the spectrum be more free is in all of our best interests in the long run.
Also, this reply addresses some of your other points.
I always like pushing these things into the visual EM spectrum because that's where both the sending and receiving technologies are much more sophisticated than any artifacts we've created.
So, the fact that I can create something that flashes, say, blue in a random pattern that makes it nearly impossible to tell how blue something really is means that blue is excludable? Or does this mean that I would be hunted down and forced to turn off my blue flashing device in most situations outside of nightclubs?
Is blue rival? Does someone else's use of a blue light interfere with my use of a blue light? Do people get confused as to which blue light to be paying attention to at any given moment? Again, not unless someone is actively trying to be obnoxious. And again, we would hunt them down and force them to stop.
So, in some sense you are correct, the color blue is technically both excludable, and rival, should the blue using parties actively attempt to try to make it that way. The role of the government is not to keep more than one party from using blue. It's to make sure they don't get obnoxious about it and try to make their use exclude other uses.
What's obnoxious and excludes other uses is now changing because of technology. We (i.e. the government) need to recognize this fact and let people use blue more freely than they did in the past because those uses are no longer obnoxious, excluding uses.
A mollusc with primitive light sensing organs might very well be confused by the way we use light. But, clearly we are not, and our laws about how people use light are consequently very broad and unrestrictive.
Well, that might very well be, but how then to describe what the guy with the biggest stick and the strongest arms has? Might we use the word 'property'?
Can this hypothetical guy do the same thing with ideas or the EM spectrum?
The reason they do not want to go after the people is because, in reality, the vast majority of their constituents actually want to use it for these illegal purposes, and rather than change the law, they would rather try to destroy the people who make stuff that helps them do it. It's the drug wars writ on an even larger canvas.
But, I can show you particular collisions for MD5. Can you show me any particular collisions for SHA1?
MD5 is broken. Stop using it.
Because I can show you a collision in MD5. It's not that hard.
So, show me a collision in SHA1. I dare you.
Is it relying on donations if I pay for something to be made that I think will be useful to me?
Try reading this reply where I address those exact points.
You are a masterful troll.
Yes, I think you're right. :-)