Re:Whirlpool paper: an eye opener.
on
SHA-1 Broken
·
· Score: 1
But think about it a bit more. The NSA has the best hardware on the planet. Therefore, what they want is a hash that is vulnerable to people with said hardware, but not vulnerable to those without. Which is exactly what a perfect hashing algorithm would be. Remember what they did with DES? They fixed it so that differential cryptanalysis wouldn't work, making it more perfect. And they shortened the key length so that they could crack it with their hardware, but no one else had enough to crack it. I think they'll be as disappointed by this as anyone.
Re:Unfortunately the SHA series seems to be suspec
on
SHA-1 Broken
·
· Score: 1
Yes, I am surprised. SHA-1 was designed from the ground up to be secure (iirc unlike MD5 which was only designed to stop random corruption, not malicious modification) and I thought it ought to be. The length will always need to be increased as computers get more powerful, but a hashing algorithm that always makes it a lot harder to create two docs with the same hash than compute the hash of a document should be doable.
Re:Now what do we use?
on
SHA-1 Broken
·
· Score: 1
My first response is RIPEMD
Re:Now what do we use?
on
SHA-1 Broken
·
· Score: 1
No, that's no more secure than the most secure of SHA-1 and MD5. i.e. not secure.
Re:Don't panic! 'Broken' is not Cracked
on
SHA-1 Broken
·
· Score: 1
What about RIPEMD (or one of the longer versions therof)? IIRC there aren't any known attacks like this on it.
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 1
Assuming you know one algorithm is more secure than the other, you're better off just using a double-length version of the more secure algorithm (SHA-256 in this case I think). MD5 and SHA-1 are related in that they have a common ancestor some way back, so having the two hashes does not fully square the difficulty of cracking it. Wheras doubling the length of the SHA hash ought to. However, if the two algorithms are unrelated and both believed to be reasonably secure (prior to this story I would have used RIPEMD and SHA as examples) then that is worth doing.
Forced labour would hardly be "rewarding" what he did. It's just punishing him in a way that gives more benefit to the rest of society.
And I think you're being excessively hard. If that's how things should work, why don't we just execute everyone, first time, for any crime? We believe people can be reformed, that they should go to prison or do community work or pay a fine, somehow pay their debt to society, and then be allowed to start over.
The fact that there are enough devoted kde programmers of sufficient quality to have written kde as it currently stands suggests there is a significant proportion of gurus as you put it who at the very least support kde. And anecdotal evidence is no evidence at all; unless you can point me to some representative survey or similar showing gurus use gnome, quite simply I don't believe you.
I think it is. All I'm advocating is you not being able to be subpoenaed for something you wrote in said blog. Which seems fair enough, because it leaves you no more protected than if you didn't write in the blog at all.
It's not practical, but it is possible. It's already done with the cds for some ridiculously expensive programs (although only a small part of the disc).
I can say there's no evidence, and no reason to believe it, and they likely got confused by my echlon-baiting habits. If they have evidence, I am either able to refute it or not, I don't need to know who said it to be able to refute it. If they don't have any evidence, why would anyone believe them?
Linux won't be "the best platform" as long as everything that runs on it is cross-platform stuff. Linux needs a native toolkit, one that wastes no time or effort on cross-platform features. Qt will always be hamstrung by Troll Tech's commercial interests in shipping a cross-platform toolkit.
Why? When I see a toolkit that looks better, or looks reasonably good and performs much better, then maybe I'll believe that the crossplatform nature is causing problems. GTK is not aiming to be crossplatform (the win32 port is an ugly unsupported hack and I don't think there even is a native OSX port) yet this doesn't give it any noticeable advantages over Qt.
But it wouldn't be. I have written lots of different software under lots of different licenses. A toolkit that forces me to make everything either GPL or proprietary is a non-starter.
Well, OK then. But under what circumstances do you need to make something that is nonproprietary but can't be GPL? Other than system programming for one of the BSDs (which is unlikely to need to be graphical) I can't think of anything
Remember Qt is not only C++ but actually pushes that to the extent that it needs a separate preprocessor.
Yes, that alone is a good reason not to use it.
How so? I see it as a sign that C++ isn't really powerful enough for Qt, use Python when I can, and carry on. Why is this a reason not to use it?
I only speak German. But I can usually get an idea of Danish that I hear. Not enough to have a conversation, but enough to know vaguely what they're talking about.
You're right, but the thing is that if you can run the program, you can reverse engineer it. That's how DeCSS was first cracked - they didn't actually "crack" the encryption, they got the key from iirc the Xing player, possibly just by strings|grep through the binary. The key is still there as a string in all the decoders I've seen. You used to be able to do some really nasty things to stop reverse engineering under dos (remap random bios interrupts around so that they are essential to your program) but even then programs were reverse engineered, and these days there's a limit to what you can do on a multitasking system without interfering with other programs, and all it takes is one software maker to not scramble their program properly. The best they can try is to make it hard enough not to be worth bothering, but people enjoy reverse engineering a real challenge and do it in their spare time, so I don't really think it's doable.
A bit OT, but with the newer DeCSS versions (effdt.c) tatoos and/or memorizing it looks distinctly possible. Anyone fancy becoming a circumvention device? Ought to make the point even more than the t-shirts, if the DMCA makes me illegal.
What about having a DVD which was actually a set of photodiodes and LEDs with a chip, which played like a normal DVD if it was played at 1X speed only, but then appeared blank if you tried to play it faster? Expensive, yes, but doable.
Fair use would automatically extend since there's nothing in the wording to say you can't. Since copyright itself specifically does *not* extend to digital media according to how it has been written, yet has still been enforced, not allowing fair use makes no sense. However, since fair use is actually only a defense, not a right, you don't automatically get an entitlement to crack copy protection, and the 2600/DeCSS case would suggest you don't have such a right.
Bit by bit reading is impossible with consumer, probably even with pro, equipment. The closest you'll get is an error-corrected sector - 2048 bytes (or bits, and this is for CDs but DVDs work pretty much the same) for which there are 2378 (IIRC) on the physical disc. But you get a bit more information, perhaps (without being able to remember the details) how many errors were corrected. So they could set it to have a particular number of errors in specific sectors, and since there are no consumer recorders which will let you put errors into the data (again, it's 2048 byte sector as the minimum write unit, and some drives won't even give you that), that gives them a way to tell originals from copies. Of course that wouldn't make the copies unplayable, quite the opposite in fact, so I'm sure they're doing something more sneaky. But it shows it can be done.
The DVDscost pretty much 0. Heck, you can buy them for what, $.50 compared to $17 for the movie (I don't keep up on movie prices any more). And that's as a consumer, with no economies of scale or anything. What you pay for the DVD is pretty much pure profit.
Please, please, implement alpha transparency for PNGs. That's all I ask. CSS2 would be nice, but it's ok if you don't have time or whatever. But just get proper transparency working. Please.
No, there's your hole, right there. I'm sick of all these exceptions to every right everyone has as soon as you mention the t-word. You either believe in sources anonymity or you don't.
But ultimately there will be more harm done by making it a dicey question like this than having it as a point of law. If that wasn't how things worked, there would be no need for laws at all. Personally I think that, like attorney-client, the anonymity of a journalist's source should be guaranteed. Absolute. I think that would result in less harm in the long term. But if not, then it should be clear when that privilidge exists and when it doesn't. Because uncertainty on this can only harm people.
Yes, they should be allowed to keep it secret who warned them. If we don't let them, next time someone in a terrorist organisation who is having second thoughts won't warn the public and save lives, they'll just keep it secret for fear of being prosecuted.
But think about it a bit more. The NSA has the best hardware on the planet. Therefore, what they want is a hash that is vulnerable to people with said hardware, but not vulnerable to those without. Which is exactly what a perfect hashing algorithm would be. Remember what they did with DES? They fixed it so that differential cryptanalysis wouldn't work, making it more perfect. And they shortened the key length so that they could crack it with their hardware, but no one else had enough to crack it. I think they'll be as disappointed by this as anyone.
Yes, I am surprised. SHA-1 was designed from the ground up to be secure (iirc unlike MD5 which was only designed to stop random corruption, not malicious modification) and I thought it ought to be. The length will always need to be increased as computers get more powerful, but a hashing algorithm that always makes it a lot harder to create two docs with the same hash than compute the hash of a document should be doable.
My first response is RIPEMD
No, that's no more secure than the most secure of SHA-1 and MD5. i.e. not secure.
What about RIPEMD (or one of the longer versions therof)? IIRC there aren't any known attacks like this on it.
Assuming you know one algorithm is more secure than the other, you're better off just using a double-length version of the more secure algorithm (SHA-256 in this case I think). MD5 and SHA-1 are related in that they have a common ancestor some way back, so having the two hashes does not fully square the difficulty of cracking it. Wheras doubling the length of the SHA hash ought to. However, if the two algorithms are unrelated and both believed to be reasonably secure (prior to this story I would have used RIPEMD and SHA as examples) then that is worth doing.
And I think you're being excessively hard. If that's how things should work, why don't we just execute everyone, first time, for any crime? We believe people can be reformed, that they should go to prison or do community work or pay a fine, somehow pay their debt to society, and then be allowed to start over.
The fact that there are enough devoted kde programmers of sufficient quality to have written kde as it currently stands suggests there is a significant proportion of gurus as you put it who at the very least support kde. And anecdotal evidence is no evidence at all; unless you can point me to some representative survey or similar showing gurus use gnome, quite simply I don't believe you.
I think it is. All I'm advocating is you not being able to be subpoenaed for something you wrote in said blog. Which seems fair enough, because it leaves you no more protected than if you didn't write in the blog at all.
It's not practical, but it is possible. It's already done with the cds for some ridiculously expensive programs (although only a small part of the disc).
I can say there's no evidence, and no reason to believe it, and they likely got confused by my echlon-baiting habits. If they have evidence, I am either able to refute it or not, I don't need to know who said it to be able to refute it. If they don't have any evidence, why would anyone believe them?
Why? When I see a toolkit that looks better, or looks reasonably good and performs much better, then maybe I'll believe that the crossplatform nature is causing problems. GTK is not aiming to be crossplatform (the win32 port is an ugly unsupported hack and I don't think there even is a native OSX port) yet this doesn't give it any noticeable advantages over Qt.
But it wouldn't be. I have written lots of different software under lots of different licenses. A toolkit that forces me to make everything either GPL or proprietary is a non-starter.
Well, OK then. But under what circumstances do you need to make something that is nonproprietary but can't be GPL? Other than system programming for one of the BSDs (which is unlikely to need to be graphical) I can't think of anything
Remember Qt is not only C++ but actually pushes that to the extent that it needs a separate preprocessor.
Yes, that alone is a good reason not to use it.
How so? I see it as a sign that C++ isn't really powerful enough for Qt, use Python when I can, and carry on. Why is this a reason not to use it?
I only speak German. But I can usually get an idea of Danish that I hear. Not enough to have a conversation, but enough to know vaguely what they're talking about.
You're right, but the thing is that if you can run the program, you can reverse engineer it. That's how DeCSS was first cracked - they didn't actually "crack" the encryption, they got the key from iirc the Xing player, possibly just by strings|grep through the binary. The key is still there as a string in all the decoders I've seen. You used to be able to do some really nasty things to stop reverse engineering under dos (remap random bios interrupts around so that they are essential to your program) but even then programs were reverse engineered, and these days there's a limit to what you can do on a multitasking system without interfering with other programs, and all it takes is one software maker to not scramble their program properly. The best they can try is to make it hard enough not to be worth bothering, but people enjoy reverse engineering a real challenge and do it in their spare time, so I don't really think it's doable.
A bit OT, but with the newer DeCSS versions (effdt.c) tatoos and/or memorizing it looks distinctly possible. Anyone fancy becoming a circumvention device? Ought to make the point even more than the t-shirts, if the DMCA makes me illegal.
What about having a DVD which was actually a set of photodiodes and LEDs with a chip, which played like a normal DVD if it was played at 1X speed only, but then appeared blank if you tried to play it faster? Expensive, yes, but doable.
Fair use would automatically extend since there's nothing in the wording to say you can't. Since copyright itself specifically does *not* extend to digital media according to how it has been written, yet has still been enforced, not allowing fair use makes no sense. However, since fair use is actually only a defense, not a right, you don't automatically get an entitlement to crack copy protection, and the 2600/DeCSS case would suggest you don't have such a right.
Bit by bit reading is impossible with consumer, probably even with pro, equipment. The closest you'll get is an error-corrected sector - 2048 bytes (or bits, and this is for CDs but DVDs work pretty much the same) for which there are 2378 (IIRC) on the physical disc. But you get a bit more information, perhaps (without being able to remember the details) how many errors were corrected. So they could set it to have a particular number of errors in specific sectors, and since there are no consumer recorders which will let you put errors into the data (again, it's 2048 byte sector as the minimum write unit, and some drives won't even give you that), that gives them a way to tell originals from copies. Of course that wouldn't make the copies unplayable, quite the opposite in fact, so I'm sure they're doing something more sneaky. But it shows it can be done.
The DVDscost pretty much 0. Heck, you can buy them for what, $.50 compared to $17 for the movie (I don't keep up on movie prices any more). And that's as a consumer, with no economies of scale or anything. What you pay for the DVD is pretty much pure profit.
Please, please, implement alpha transparency for PNGs. That's all I ask. CSS2 would be nice, but it's ok if you don't have time or whatever. But just get proper transparency working. Please.
Are you sure about the lawyer and psychiatrist examples? I've always been told (in the UK) that attorney-client is absolute.
Yes. Absolutely. If it's published so that it's available to everyone, it's journalism, and your journalistic privilidge should be absolute.
No, there's your hole, right there. I'm sick of all these exceptions to every right everyone has as soon as you mention the t-word. You either believe in sources anonymity or you don't.
But ultimately there will be more harm done by making it a dicey question like this than having it as a point of law. If that wasn't how things worked, there would be no need for laws at all. Personally I think that, like attorney-client, the anonymity of a journalist's source should be guaranteed. Absolute. I think that would result in less harm in the long term. But if not, then it should be clear when that privilidge exists and when it doesn't. Because uncertainty on this can only harm people.
Yes, they should be allowed to keep it secret who warned them. If we don't let them, next time someone in a terrorist organisation who is having second thoughts won't warn the public and save lives, they'll just keep it secret for fear of being prosecuted.