Agreed, I don't see how they think cryptographers could have some kind of magic to break this. The designers of Gauss did everything right, salting and stretching their hashes, so there is not much we can do but try and stumble across that correct configuration.
This is not at all how it works. Nobody has the key; the key is derived from local configuration values using a cryptographic hash function. Just as your hard drive may be encrypted with a key that is generated from your password, this payload is encrypted with a key that is generated from a very long password which is a combination of specific settings on the machine. If you run it on a machine with the settings exactly right, it will unlock. If you run it on any other machine, it will not and you will get no information about what the key is. Since there are so many possible combinations of settings (particularly it is looking at all the programs in your program files folder in combination with all the directories in your path variable) it is unlikely that people will just stumble across the correct one.
According to Kaspersky, the way it works is:
1) Enumerate all directories in the computer's PATH variable
2) Enumerate all files in the %PROGRAMFILES% directory whose file name starts with a non-Latin-alphabet Unicode character (i.e. Arabic)
3) Hash every pair from the previous two lists with MD5 and check against a known hash
If the hashes match, then it has found the correct configuration. This means it is looking for a computer with a specific directory or file in the %PROGRAMFILES% directory, in combination with a specific directory in its path variable. This hash is salted and stretched so they obviously knew what they were doing.
Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload. Different salts are used in the validation and decryption stages so that the validation hash (which is stored in the binary and known to everybody) does not give any information about the target configuration or the encryption key. Given the number of possible combinations of known files that could be in %PROGRAMFILES% and directories that could be in %PATH%, combined with the fact that the target configuration is likely one that is not publicly known, it will be very difficult to break this unless the targeted party comes forth.
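Added example (not part of the original comment, and not code from Gauss or Kaspersky): an analyst-side sketch of the two-salt scheme described above, searching candidate (PATH entry, program name) pairs against a published validation hash and then deriving the separate key. The salts, round count, pair encoding, "first character above 'z'" filter and all sample data are assumptions constructed for illustration.

```python
import hashlib
from itertools import product

# All constants and sample data below are constructed; none come from Gauss.
VALIDATION_SALT = b"constructed-validation-salt"
KEY_SALT = b"constructed-key-salt"
ROUNDS = 10_000  # assumed stretching count; the comment only says "stretched"


def stretched_md5(pair: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated MD5: each round re-hashes the previous digest with the salt."""
    digest = hashlib.md5(pair + salt).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + salt).digest()
    return digest


def is_candidate_name(name: str) -> bool:
    """Step 2 filter: first character outside the Latin alphabet (assumed: above 'z')."""
    return bool(name) and ord(name[0]) > ord("z")


def encode_pair(path_dir: str, name: str) -> bytes:
    # Assumed encoding: plain concatenation as UTF-16LE (Windows wide strings).
    return (path_dir + name).encode("utf-16-le")


def search(path_dirs, program_names, validation_hash):
    """Try every (PATH entry, eligible name) pair; return (match or None, pairs tried)."""
    names = [n for n in program_names if is_candidate_name(n)]
    tried = 0
    for path_dir, name in product(path_dirs, names):
        tried += 1
        candidate = stretched_md5(encode_pair(path_dir, name), VALIDATION_SALT)
        if candidate == validation_hash:
            return (path_dir, name), tried
    return None, tried


def derive_key(pair) -> bytes:
    """Second stage: same pair, different salt, giving a 128-bit RC4 key."""
    return stretched_md5(encode_pair(*pair), KEY_SALT)


def md5_calls(n_dirs: int, n_names: int, rounds: int = ROUNDS) -> int:
    """MD5 invocations needed to exhaust a guessed candidate space."""
    return n_dirs * n_names * (rounds + 1)


# Constructed sample: the "target" machine and the hash an analyst would see.
TARGET = (r"C:\Tools\constructed", "\u0645\u062b\u0627\u0644")
PUBLISHED_HASH = stretched_md5(encode_pair(*TARGET), VALIDATION_SALT)
PATH_DIRS = [r"C:\Windows\system32", r"C:\Windows", r"C:\Tools\constructed"]
PROGRAM_NAMES = ["Common Files", "Internet Explorer",
                 "\u0645\u062b\u0627\u0644", "\u0410\u0440\u0445\u0438\u0432"]

if __name__ == "__main__":
    found, tried = search(PATH_DIRS, PROGRAM_NAMES, PUBLISHED_HASH)
    print("match:", found, "after", tried, "pairs")
    print("key differs from validation hash:", derive_key(found) != PUBLISHED_HASH)
    print("MD5 calls for 50 dirs x 10**6 names:", md5_calls(50, 10**6))
```

The search only succeeds when the candidate lists happen to contain the target pair, and the stretching multiplies the cost of every guess, which is why the published validation hash alone does not help.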
Am I alone here? I think it is pretty cool. I hear a lot of "change for the sake of change" being bad around here, but why is staying the same for the sake of staying the same a good thing? One of the biggest draws (for me) to Linux was that it was something new and different. Why are people suddenly so set in their ways that anything remotely different from their crufty old UI is instantly the worst thing ever? What happened to the spirit of "new and cool"? Maybe Metro isn't for everybody, and maybe it won't last, but it is certainly different and, dare I say it, kind of fun.
It is probably true that there are many programming jobs where you don't use the kind of advanced math you are talking about. However, there are some that do, and the kicker is those tend to be the most fun ones. Why limit yourself by passing up a chance to not only gain some knowledge that might help your career, but also understand more about the world? It is absolutely true that math is the language of nature. I promise you will never regret taking more math classes, but you sure might regret not taking them.
It's called lambda calculus because it is a model of calculating, it has almost nothing to do with the infinitesimal calculus that most people mean when they say "calculus".
When people say that SHA-1 is collision resistant they mean that, through all the uses and applications of SHA-1 for the last 20 or so years, no one has ever found two inputs that result in the same hash. No matter the scale of your application, the chance of finding one is incredibly small. You need approximately 2^64 inputs to find a collision, which means your table for keeping track of these things will be on the order of 2^64 * 256k (value in table) * 128 bits (index in table) = 2^94 bits or about 219 yottabytes. According to Wolfram Alpha, that is 3.7*10^9 times the size of the internet. Good luck with that.
Same way Minix was a rip-off of Unix?
Except that:
1) Developers and artists make more money than that
2) There are additional departments (marketing, testing, HR, accounting, etc) and costs (infrastructure, certification, publishing)
3) Games don't sell for $80
4) The developer only gets a fraction of the retail price
5) A game that sells a million copies is considered extremely successful
This is the social equivalent of security through obscurity, correct? If we encourage people to release exploits so that bugs can be fixed, why not the same thing here?
You can't simultaneously think WikiLeaks and government transparency are good things and this is a bad thing. The data was already available, this app just puts a more accessible spin on it. Whether the data should be available or not, that we can talk about...
The fish thing has to do with iodine which most people get from iodized salt nowadays. Why should we ignore technological advances in favor of a "natural" diet? We obviously trust in technology for lots of other aspects of our lives, why is this one sacrosanct? We do all kinds of unnatural things. My point is not that people shouldn't eat meat, but that we should do whatever makes us happy and be honest with ourselves about it. If you truly have no problem eating animals, more power to you. I just think it is disingenuous when people put forth the idea that you cannot be healthy on a vegetarian diet so that they can assuage their personal guilt over eating animals. Many people (I am not talking about you, just some people I know from my experience) use this argument to mask the fact that they are too lazy or gluttonous to make the necessary diet changes. The same way obese people won't adjust their diet to save their own lives, people who otherwise would not eat meat cling to this false idea that it is impossible to be healthy without it.
Horses have incisors too and they are most definitely herbivores. We have lots of vestigial parts which do not serve a purpose any more.
That is my whole point! We shouldn't be looking to what is "natural"; we should do what makes us happy. I am not saying you shouldn't eat meat if that is what you want, but don't tell people that it is necessary to be healthy then deride them for their personal choices.
Okay, maybe we had clothes but the oldest writings we have are less than 5000 years old.
If salt wasn't iodized meat eaters would be deficient in that too. How is this any different?
How is that the moral? At a stretch, the moral is that 5000 years ago we had to kill animals to survive. We also walked around naked and had no written language. More aptly, the moral is that the vegetarian woman had no survival training and could not forage for food that would keep her alive. Nowadays we have modern agriculture and it is perfectly viable to live off plants. Nobody has scientifically proven that you need meat to be healthy, that would be big time news and we would all have heard about it. What you need is certain vitamins, minerals, proteins etc. which you absolutely can get from the right plants and (if you want to be lazy) supplements.
To counter your anecdote, I haven't eaten meat in many years and I feel better than ever. Have I just scientifically proven that you can't eat meat and be healthy? Of course not.
Yeah, I think if I was given some kind of ground up and flavored bug protein I would eat it no problem, but it is tough to get over the hurdle of a crunchy bug shaped thing in your mouth.
What evidence do you have for it being not natural? It is true that without some extra care you will probably have low levels of B12, but if they didn't fortify salt with iodine everybody would be deficient in that too. The "normal" diet is culturally based around meat, but that doesn't mean that you can't survive fine without it. Besides, lots of things we do and consider normal are unnatural. Wearing clothes, shaving, drinking the milk of other mammals, those are not natural things.
You can say that about any game or problem, given enough computation you can try every possible configuration until you win. Even chess is like this, albeit with much more work than sudoku. The fun is in not doing it that way, but trying to keep it all in your head and use your natural human reasoning and intuition to figure it out.
If everything goes right then Linux is great. I would say even easier to use than Windows if you are not a computer person. The problem is when things don't go right. In my opinion, major Linux distros have two big failings in terms of general adoption: support for new hardware and complex package management. If you buy a brand new laptop and try to put Linux on it you are likely to have many components not working right (from my experience, touchpad and video especially). This is not anybody's fault since maintainers are always playing catch up with new stuff, but it is a big problem. When I say package management is complex I mean it has lots of things that can go wrong. I currently have two laptops, one with Ubuntu and one with Fedora, and they are both stuck at old release versions because the update process failed with a cryptic package error. Fedora at least was nice enough to roll back and leave me with a usable system. Ubuntu now only boots to the command line. How would you expect a non-technical person to deal with that situation, especially considering there is no error to type into Google; it just drops you to a terminal?
What are you talking about? Any game that is ported to Linux will also be ported to Mac because they are basically the same. They also already have Steam for Macs.
Probably because you know how to at least narrow down the problem and then properly form a search query. If you don't know anything about Linux your question would be "my screen is black, what do I do?" You cannot expect average users to post log files, manually apply patches, recompile, etc. Don't get me wrong, I like Linux in principle because it allows you to do those things, but it is not ready for non-technical people.
Not that I agree with the GP, but from a cryptographic standpoint that is not really diversifying since all those schemes are based on the hardness of integer factorization or discrete logarithm (which are intimately related, algorithms for one usually imply similar algorithms for the other).
Factoring is not believed to be NP-complete so it would not have the kind of widespread implications you are talking about. Not that it wouldn't be an important discovery, but it would not prove P=NP or anything like that. It is one of a few candidates for the complexity class NP-intermediate. There were originally more of these that were eventually found to be in P, so I don't think it would be earth shattering (from a pure mathematics perspective) if factoring were also found to be in P.