Once a large majority of states have non-contradictory laws, all governing the same thing in nearly the same way, it is time for the federal government to provide the one missing piece: consistency.
Please read your constitution. It is exactly this kind of gross misunderstanding of the role of the federal government that is responsible for the intrusive nanny state the USA has become.
But in what might seem like a contradiction, I do feel this is a federal matter, not a state matter. It definitely fits within the interstate commerce clause. That means the states shouldn't have anything to do with this.
You see, the roles of state and federal government do not (in theory) overlap. The role of the federal government is clearly defined in the constitution. All other concerns are those of local governments. Unfortunately, that is not the way it has played out...
Where your argument falls apart: The bank - who is an expert in security...
The bank is an expert in risk management, not security. I believe this article just supports that fine distinction...
Couldn't Cuba just export no-label cigars to Mexico, and then people could be buying "Mexican" cigars? Seems like it would be difficult to determine the origin of a cigar if there were no identifiable markings on it.
That's exactly how it works...
[Canadian Duty-Free Shop]
Me: Hey, aren't these Cuban cigars illegal in the US?
Clerk: Not if that little paper band falls off between here and customs! (Please use the trash can on the left...)
DVD Backup products will have their licenses revoked.
Aside from Kaleidescape, I don't believe any DVD backup vendor had a license to begin with. So other than destroying Kaleidescape's jukebox product, the amendment has absolutely no effect whatsoever...
The one quote that sums up the difference between IBM and Microsoft...
"It's amazing how really, terminally, completely broken shit can run for a damn long time..."
I can see you were writing up your list there in parallel. And you have some concurrency issues, I guess, with your system to hand out labels.
I had a smart-a$$ joke as well, but it can't compete with yours. Well done!
That's true, but note that "Clone Products" in this contract are only with respect to the other party. So Linux implementing *NIX isn't an issue since *NIX isn't a Microsoft product.
I guess you never heard of Xenix?
The power of Slashdot!
I tried this technique and found a local vendor with an Excel file full of CC's and CCVs! I called the contact, and apparently another Slashdot reader beat me to it. I imagine she'll get a hundred calls today...
Reminds me of the crypto saying, "Anyone who says the brute force method doesn't always work obviously isn't using enough of it."
OK, don't take my word for it, take Bruce's...
http://www.schneier.com/blog/archives/2005/02/cry
"SHA-1 produces a 160-bit hash. That is, every message hashes down to a 160-bit number. Given that there are an infinite number of messages that hash to each possible value, there are an infinite number of possible collisions. But because the number of possible hashes is so large, the odds of finding one by chance is negligibly small (one in 2^80, to be exact). If you hashed 2^80 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value. "Breaking" the hash function means being able to find collisions faster than that. And that's what the Chinese did.
They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology. Two comparable massive computations illustrate that point.
In 1999, a group of cryptographers built a DES cracker. It was able to perform 2^56 DES operations in 56 hours. The machine cost $250K to build, although duplicates could be made in the $50K-$75K range. Extrapolating that machine using Moore's Law, a similar machine built today could perform 2^60 calculations in 56 hours, and 2^69 calculations in three and a quarter years. Or, a machine that cost $25M-$38M could do 2^69 calculations in the same 56 hours." 3.25 years (is less than) 5 years... (If the money's right.)
Yes, I know I'm missing a lot of detail. No, I don't want to beat this silly argument anymore. I'm just saying that using SHA1 to maintain data integrity for five years is a misuse of SHA1. I'm done.
It doesn't need to be impossible. It just needs to take longer than the expected lifetime of the universe.
And how long is that exactly?
Yes, it would take the expected lifetime of the universe, if technology and research stood still from this point forward!
Do SHA1 hashes have an even distribution? If so, a file with length (2^63)/256 could be altered, one bit at a time, to generate any hash you want. If you consider all files up to that length, you could get there much sooner.
(Yes, I understand such a file is ridiculously large... 32,768 TB... Imagine a Beowulf cluster of....:)
Let's rehash... (heehee!)
;)
How many spaces are in this post? How about tabs? Yes, the stricter the data spec, the harder it is to alter without discovery. The original context was "disk"; the data items I mentioned were certainly open to tampering. Now you want to redefine the data, that's fine. My observations still hold.
The main point was you could make it difficult but you couldn't make it impossible. The second point was that there was no way to define how difficult you could make it, only "more" or "less". (So how do you determine "enough"?)
It doesn't take much to alter data without being obvious. Heck, just correct the human errors already there! Would that be obvious to you? "ACK! My data looks too clean! It's obviously been tampered with!"
All hashes are broken by definition. You can't have a value, one in 2^63, represent any arbitrary file of arbitrary length. As large as 2^63 is, there are many more possible files. So it's not that a particular hash has more than one matching dataset. Every hash value has an infinite number of matching datasets. The value of the hash is entirely based on the difficulty in finding matching datasets, a job that gets progressively easier with each passing moment.
Short answer? Like all crypto, hashes buy you time, that's it. Unfortunately, the amount of time they buy you is constantly shrinking and isn't particularly obvious at any point.
As for finding a dataset that matches both an SHA1, an MD5, and whatever else you want to throw in (SHA1 of even bytes, whatever), while the job of finding such a dataset may be made more difficult, there are still an infinite number of correct answers.
It reminds me of discussions of infinity I vaguely remember. Can you have more or less infinity? If the entire real number set is infinity, would only positive reals be considered infinity/2? Of course not... But only positive reals is less than all reals, is it not?
However, what are the odds that the dataset you produce will make sense in the given context?
Very high, actually. Presuming I have the original data to provide context, I can fiddle with white space, unallocated disk blocks, executables (since they are not likely to be executed from backup nor examined closely), whatever. Without the original data, then all bets are off. You have to assume an attacker would have access to the data in question.
Cryptanalysis of SHA1 has already weakened it...
Put an ad in the NY-time with the SHA-sum of your hard-disc, and you've got pretty good proof 5 years from now that it's been unchanged ever since.
I don't know about that... Five years is a long time to find a hash collision. So what happens to your strategy when a weakness is announced? Do you tell your auditors that it was good enough five years ago?
Let's put it another way... You give me a SHA1 hash and five years. If the money's right, I'll give you back a dataset that matches that hash within that five years... (Point: a hash is a strong indication, but not a lock...)
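Added example, not part of the original comments: truncating SHA-1 to a few bits makes the two searches discussed in this thread measurable, namely finding any colliding pair (about 2^(n/2) hashes, the brute-force collision bound the quoted passage describes) versus finding a message that matches one given hash (about 2^n). The truncation, the function names and the sample messages are constructed for illustration.

```python
import hashlib
import itertools


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data), as an integer (toy-sized hash)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def messages(prefix: bytes):
    """Deterministic stream of distinct constructed messages."""
    for counter in itertools.count():
        yield prefix + counter.to_bytes(8, "big")


def find_collision(bits: int, prefix: bytes = b"collide-"):
    """Birthday search: ANY two distinct messages with the same hash."""
    seen = {}
    for tries, msg in enumerate(messages(prefix), start=1):
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def find_match_for(target: bytes, bits: int, prefix: bytes = b"forge-"):
    """Second-preimage search: a different message matching ONE given hash."""
    want = truncated_sha1(target, bits)
    for tries, msg in enumerate(messages(prefix), start=1):
        if msg != target and truncated_sha1(msg, bits) == want:
            return msg, tries


def average_work(bits: int, trials: int = 20):
    """Mean number of hash evaluations for each search over several runs."""
    coll = pre = 0
    target = b"constructed backup image"  # stands in for the published data
    for t in range(trials):
        salt = str(t).encode() + b"-"
        coll += find_collision(bits, b"c" + salt)[2]
        pre += find_match_for(target, bits, b"f" + salt)[1]
    return coll / trials, pre / trials


if __name__ == "__main__":
    for bits in (8, 12, 16):
        c, p = average_work(bits)
        print(f"{bits:2d}-bit hash: collision ~{c:7.0f} hashes "
              f"(2^{bits // 2} = {2 ** (bits // 2)}), "
              f"match a given hash ~{p:8.0f} hashes (2^{bits} = {2 ** bits})")
```

Scaling the same ratio to the full 160 bits gives the 2^80 brute-force collision figure in the quoted passage, while matching a previously published hash sits at 2^160 by brute force.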
I've read better FUD by microsoft,
Now that's not really a fair comparison, is it?
A better stat would be the prevalence of Vista on Redmond desktops. MS uses many desktops. And while Microsofties tend to use them in the "Microsoft way", they are a production-oriented crowd. Considering the driver issues and other Vista troubles being reported, folks in Redmond wouldn't stand for a PC that got in their way of actual work. That said, I wonder how they're doing with their own dogfood?
I also questioned the author's non-geek status. Especially when she closed the article with the words, " ... turning my Microsoft Windows partition into blank oxide.".
She is obviously a non-geek... A geek would reallocate the recovered space back to Linux...
Beautiful! Is there a matinee this weekend? I'd like to bring the kids...
Do we really want to make it easier to identify malware sites so evil-doers will have a ready-made list of sites to entrap the unsuspecting? At least going through Google, you get a "heads-up" first. With a direct link, you don't even get that...
While on the one hand it is nice to see this pressure to get rid of DRM for "purchased" tracks, it is pretty disappointing to see that the move will also come with an increase in price. They gave us something we didn't want in the first place, and now they're using the taking away of it to justify a higher price? WTF?
Because they are worth more (arguably...)
I'd say it's more of a problem of an idealistic viewpoint.
Dang, I coulda swore Bruce got over his idealistic viewpoint somewhere between Applied Cryptology and Secrets and Lies...
Show me one example of a record company holding a gun to a band member's head to make them sign a contract.
You could make an anti-trust argument... that the music publishers have an unfair advantage over musicians due to collusion and unfair business practices.
Otherwise, it's just taking advantage of the stupid, which I believe is still legal...
"If all the changes succeed, the application commits the transaction and the changes are applied, but at any time up to that point the application can roll back the transaction and the changes are then discarded."
What, was my credit card declined for my upgrade to Vista Ultimate Edition?
"staff worked overtime for several months to rescan everything at an additional cost of $200,000."
Sounds like the data was worth $200,000...
I often have trouble dealing with business leads that can't seem to determine the value of their data. I ask them "What would the Russian Mafia pay for it?"...