Slashdot Mirror


User: beaststwo

beaststwo's activity in the archive.

Stories: 0
Comments: 78

Comments · 78

  1. Re:So what's the big deal for the rest of us? on SHA-1 Broken · · Score: 1
    I agree with you, but even a birthday attack still only results in a reduction of the probability that using SHA-1 to validate any arbitrary message might yield a false result. How much of a reduction in probability? Probably not enough to break trust in the near future, considering that it was already at calculable risk by using fixed-length hashes.

    The question I have with newer hashes is the same. How much does moving to SHA-512 improve the probability of not having a false result and is the improvement meaningful? They will never be perfect, for a fixed length hash taken against a field of infinite input messages must mean that there is an infinite number of messages that can generate any particular hash; fortunately, almost all of the messages that can generate the same hash will be nonsense to any particular application.

    My big concern is that I've seen so many people panicking over this, thinking a sure thing is now broken. Few people realize that these hashes can never provide absolute certainty, just a level of confidence for content authenticity.

  2. Re:Broken, but not for everything... on SHA-1 Broken · · Score: 4, Insightful
    You never could trust it 100%! That was the idea! The algorithm gives you a very high probability of authenticity, not any kind of guarantee (unless the original message is shorter than the output of the hash and everyone who hashes it later absolutely knows the length of the original message).

    It's an assurance, that's all. The only guarantee is a one-time pad, and Bruce Schneier's website is full of info on why these aren't practical!

  3. So what's the big deal for the rest of us? on SHA-1 Broken · · Score: 5, Interesting
    I've been reading about hash collisions for the last few years and haven't figured out why this is a crisis problem.

    I'm not a cryptographer, just a nerdy engineer, but let me explain my rationale: a hash algorithm takes an arbitrary message and generates a fixed-length signature that has a high probability (10**50 or better for most modern algorithms) of being the original.

    Let's assume that your hash algorithm generates a 128-bit hash. Anyone who knows anything about probability can see that if the original message is greater than 128 bits, there MUST be more than one message that will generate the same hash. For long messages, there may be thousands or millions of messages out of a field of 10**50 (or better) that have the same hash, although many of them will be meaningless garbage.

    So SHA-1 has been broken by a group of cryptographers/mathematicians. Does this really mean that they can alter any message in a way that will generate the same hash as the original, thus fooling the math that we use to validate content? No Way! I read Bruce Schneier's Cryptogram every month and he often makes the same argument.

    So yes, this means that from a long-term systems security standpoint, we should all move to stronger hashes. Does it mean that SHA-1-based transactions are inherently secure right now?

    I think not!

  4. Re:That's what you get. on A House Divided: UWB's Double Standards · · Score: 2, Insightful
    Ditto for stuff like those Belkin "pre-standard" 802.11n access-points. Non-techie users will buy them now, not understanding that they may/may not be upgradable to the standard and if they're not upgradable, Belkin has no responsibility to the customer for having sold a now useless product.

    So we wind up paying, sometimes over and over, so companies can fight it out in the marketplace. The marketplace is indeed an efficient means of sorting out winning from losing ideas and marketing schemes, but it often makes losers out of consumers.

  5. Re:how is this new? on Toys For The Rich To Cultivate Product Popularity · · Score: 1
    I would suggest that most reviewers will give at least a minimally positive review to anything that's not blatantly offensive to their sensibilities. The reviewers may be rich, but they also live by those human dynamics that occur when people become part of an exclusive group.

    This reminds me of those "teen fashion boards" at local department stores, where the store lets popular and attractive high school girls join an exclusive club to recommend products to other girls. How many of these girls will actually say that the store's products really suck? Group dynamics will have them trying to say something positive about everything. Negative reviews will tend to result from groupthink and herding behaviors.

  6. Re:"innovation" on Custom Software vs. COTS Products · · Score: 3, Insightful
    A really good point. I started writing software again several years ago when I realized two problems with COTS software for specialized problems:

    1. The capabilities may not be available on the market at any price.
    2. The capabilities may have such limited mass market appeal that they exist only in the outskirts of COTS packages, and are badly done and/or not supported well (remember Willie Sutton's answer to why he robbed banks?).

    It's important to realize the difference between "unique, difficult to fill" requirements and "having things just the way you want them". The latter results in reinventing the wheel.

  7. Re:Damn... on Escape from the Universe · · Score: 1

    Just think how the immortality thing might work against you if you wound up in a universe consisting only of political talk shows...with no wormhole to jump out again!

  8. Re:Free File on Tax Time Again: Any Linux Solutions? · · Score: 1
    I live in Maryland and the state has offered free online filing of state tax returns for several years. It's quick, easy, free, and returns submitted from the e-file web site require no signature. I usually see a refund in my bank account within 4 days of submitting the return.

    It's a shame that the federal system can't do anything that makes this much sense. Between the stupid-assed tax code and all the corporations that make boatloads of bucks handling taxes, we're screwed!

  9. Blame Ourselves! on It's Not About The Technology · · Score: 2, Interesting
    We're the reason that bullshit sells. We're the ones that have to have the new toy, the new drug to try and satisfy our technology cravings.

    When I was a kid, industry pulled the same crap on housewives by putting the same detergent in packaging labeled "new and improved". Media outlets provide crap programming because that's what people will watch, which sells advertising. Marketers have found equally fertile ground in technology.

    If you want better products, quit buying the bullshit. Fewer dollars chasing the same products will weed out the bad. This is basic economics, people!

  10. Re:Men Avoid Marrying Strong Women on Mathematics and Sex · · Score: 1
    There's a big difference between finding an easy mate and launching into a true life-long adventure. I guess what I was really saying is that I married no shrinking violet. When we were dating we each realized that we were both full of crap and figured that such a level of honesty had to be the basis of a great partnership. That was 15 years ago...

    It's not for the faint of heart, but neither is much in life that's worthwhile!

  11. A better approach on What Interests High-School Students? · · Score: 3, Interesting
    Since the idea seems to be to stimulate interest and thought, I think a better approach is to present truly "off the wall" problems for the kids to deal with. I think back to the old British Junkyard wars where they had people do things like grind coffee using only wind power.

    Maybe "off the wall" projects might be like the following:

    • Create a machine to make waffles automatically, without human intervention
    • Create a system to predict a person's shoe size using seemingly unrelated measurements, such as head circumference, hand size, etc.
    • Create a machine to automatically spread a pile of dirt evenly about a room (the opposite of what a Roomba does).

    The ultimate point is to get them thinking outside the box. Employers can find lots of people who can tinker some and play with existing toys. Developing people who can take a rough concept and run with it to create a new way of looking at things is gold. That's the kind of talent that created this Internet thingy...

  12. Re:Men Avoid Marrying Strong Women on Mathematics and Sex · · Score: 1
    That's because they're idiots. I (an engineer) married a woman (another engineer) with a powerful personality, and we get along fine. It's a matter of whether you want real partnership (with all its hassles) or an employer/employee controlling relationship.

    The section on "Cautious investors" reminds me of a PBS show on sex and relationships. A scientist took a picture of a "manly man" and a very feminine looking man and set up a computer to morph between them. They set women in front of the screen watching the pictures morph back and forth and asked two questions:

    1. Click on the person you'd like to party/sleep with.
    2. Click on the person you'd like to marry and raise a family with.

    The women overwhelmingly chose just below the extreme of the "manly man" to party/sleep with and about halfway between the "manly man" and the effeminate man to marry and raise a family with.

    When asked about their choices, they tended to say that the "manly man" type would be exciting to hang with but would make a rotten life partner. They also said that the guy halfway in between would make a great life partner, but wouldn't be exciting.

    Made sense why those of us not of the biker/tough guy genre often feel ignored. I guess they're not ready for anything serious...

  13. A farce indeed on High Court Agrees to Hear File-Sharing Dispute · · Score: 1

    This is the same type of reasoning that the Bell System used to claim millions in losses in the 911 hacker case. The company used a complicated formula to compute losses on a document that they sold copies of for $14. The courts didn't buy it in the 80's and should buy it now...

  14. Last malware standing... on No Honor Among Malware Purveyors · · Score: 1

    The problem with this idea is after that last great malware battle is fought on your computer, the last malware creator left standing still has his wares on your machine, still spying on you, still working to steal your private info.

  15. Copyrights are the wrong legalese for names... on Apple Threatens iTunes.co.uk Owner · · Score: 1
    It seems to me that Internet namespace should be treated under Real Estate law, rather than trademark/copyright law. This changes the "Cybersquatting" argument to a "Land Speculation" argument. Domain namespace exhibits most all the scarceness attributes of land and few Copyright attributes.

    Under a Real Estate treatment, anyone could lawfully purchase an unregistered name, speculating that someone will come along later, decide that the name is useful for their purposes, and pay the going rate or walk. A name simply becomes an asset that can be sold and resold at a price the market will bear. The main difference would be that "a deal is a deal", meaning that when a registry sells a name, it's sold and not subject to litigation by others who missed the opportunity.

    What we have with copyrights and domain names seems (using a Real Estate metaphor) more like someone lawfully buys some land, then Wal-Mart comes along and sues the buyer for the land because they planned to build a store there in 5 years. It's only a form of squatting if someone occupies land (or a domain name) without purchasing it lawfully. The place this argument fails to equate to copyright law and names would be the implicit assumption that ONLY Wal-Mart could build a store on your land, limiting who could buy the land later (effectively creating a monopoly).

    The current system penalizes those who invest/speculate for the benefit of those who fail to exercise due diligence and can afford lawyers.

  16. Excellent Point! on The Illiteracy of Corporate American E-Mail · · Score: 1
    We all tend to write e-mails using the same wording and tone as if we were speaking to someone with whom we are familiar. We generally take a more formal and respectful approach we normally take when writing for an unfamiliar audience.

    If we took the more formal and respectful approach with our familiars, they'd either be insulted or think we were upset with them. So why should we expect to use a less stringent style for relatively unfamiliar audiences that don't have the benefit of seeing our facial expressions and body language?

    I think it's simply a lack of respect for those we work with, cloaked in a false sense of productivity.

    On the other hand, sounding intelligent seems seriously out of fashion these days...

  17. Lots of ways, not many that are efficient on Fuel Cell Powered Scooter · · Score: 2, Informative
    The Law of Conservation of Energy says that you have to put at least as much energy into creating your fuel as you will derive from it. Whether you directly apply that energy (electrolysis) or nature's done it for you (sodium borate), you can't break the law.

    There are lots of clean methods of creating power for electrolysis, but each has scalability problems. For example, I remember reading a while back that the global electricity load was around 64 Terawatts. To generate that load using alternative energy sources, here are the implications:

    -Biomass requires using 85% of the world's arable land to grow crops to burn (not to eat).
    -Solar, at current efficiencies requires covering almost all of the world's landmasses with solar panels (so much for growing crops).
    -There's not enough suitable land on the planet to generate this much power using Wind turbines.

    The list goes on and on. So until we can find more scalable clean energy, we'll just be living with oil, coal, and nuclear. Not pretty, but practical for the short term (which is all most humans care about anyway!).

  18. Just maybe... on Microsoft Replaces Your Pirated Windows, For Free · · Score: 1
    Instead of rewarding those who have pirated their OS, I'd like to think that M$ might choose to reward poor fools like me who have been 100% software legal for over 2 decades.

    No praise for the honorable! Another reason I like the Open Source unices. At least they don't bang you for bucks then gripe about their profit margins!

  19. Absolutely! on Unifying Linux Package Management · · Score: 1

    Real men compile, although I often turn "girlie man" and use packaged software.

  20. A real quandary! on P2P Through Firewalls · · Score: 1

    I think of P2P much like having a wireless LAN in your house...that it's essentially inviting people into your systems that you otherwise wouldn't let in your house.

    As a user, I can see that P2P could carry some bennies, but as an IT person, it makes little sense to secure your network, just to have someone using P2P letting outsiders in or bringing potentially tainted info in from the outside unattended.

    How do we achieve a balance here?

  21. Let's find out! on Author of Linux Patent Study Contradicts Ballmer · · Score: 1
    Wouldn't it be fun to grab these Microsoft and SCO guys, shoot them up with Sodium Pentothal and find out what they really think, versus what they say to protect their empires?

    Who knows? They could be true believers or closet Open Source types...

  22. Let's not have a Wild West private space race! on Private Spaceflight Law Revived · · Score: 2, Insightful
    With the exception of the last few years, I think the FCC has traditionally shown a reasonable regulatory model: Create a structure that industry can work within and stay out of the way! The FAA is more intrusive, and has some serious mission conflicts, but at least it's safe to fly.

    Recent forays into totally unregulated services include the cell phone industry, where the Government left it up to industry to determine the underlying technology and phones have to support at least 6 different standards to function on this continent, much less the rest of the world. Europeans have many more services available on their cell phones because governments used the standards process to set a single operating standard everywhere, creating a framework within which industry could build services.

    I'd prefer to have some minimal level of regulation up front to having space turn into what we see on our streets these days (imagine sitting in your spacecraft when the driver of the vehicle next to you breaks into "space rage"). Good or bad, the FAA model generally does keep idiots out of pilots' chairs and makes crashes a fairly rare occurrence.

  23. Should there be tech jobs to go around now? on What is the Tech Jobs Situation in Late 2004? · · Score: 1
    I hate to be a wet blanket, but I can't help thinking back to the 90's when tech was booming. Tech was hiring so fast that there was fear of inflation because there were more tech jobs than people. During that time, legions of people entered tech from all walks of life, because they were hiring like crazy and paying amazing salaries. Companies I dealt with were hiring anyone with a pulse, and few that were questionable on that account.

    Fast forward to the present. After the dot com bust, there are fewer tech companies to hire, but still legions of people who only entered the tech marketplace during the boom time. I can't help wondering if employers got less choosy during the 90's, creating an artificial view of the tech job marketplace. No longer in a boom time, employers may now be looking for the quality they used to expect before the dot com boom created a shortage.

    Granted, the dot com boom brought a lot of great people to the field, but also brought a lot of people with little talent, but lots of good intentions. But could this be a structural correction in the tech job marketplace, rather than just a slack period?

    I just don't see how we could have such a major structural job shift during the 90's boom time without it being followed by another structural shift after it ended.

  24. Precisely my concern! on IBM Sponsors Humanitarian Grid Computing Project · · Score: 1
    Many, if not most, of today's blockbuster drugs are a result of publicly-funded research. The taxpayers fund basic research so that drug companies can create patented drugs that nobody can afford. Look at all the AIDS drugs that are out of financial reach of 90+% of the world's HIV victims.

    If this is a problem with normal government-funded research, it will surely be an issue with products resulting from the spare CPU cycles of users.

    There should be a provision limiting Intellectual Property rights of any resulting products to assure that humanity, not just corporations, will benefit from the largess of computer owners.

  25. If it will make you blind... on Computers Linked to Glaucoma? · · Score: 0, Redundant

    At least it's an activity that won't grow hair on your palms!