
Comment Re:Weak attack (Score 3, Informative) 75

Unlike MD5, it is still impossible to get two different files that have the same standard SHA-1 checksum.

False. As long as there are potentially more bits in the input than there are in the output (read: the input can be longer than the resulting hash), any hashing algorithm will have collisions. It is the difficulty in generating these collisions that makes the algorithm strong or weak; and they are quite easy to generate for MD5.

Comment Re:what about git? (Score 1) 75

Interestingly, if you produce a language specification which permits fewer valid inputs than the number of possible hash outputs, it is in principle possible that no collisions will occur.

Yes, and knowing each possible valid input would allow you to build a rainbow table to decode each hash back to its original value (and not just to a value that will give you the same hash).

Indeed it would be a good exercise for a beginning cryptanalyst to try and construct a language such that valid inputs were guaranteed to get different md5sum outputs.

Only because they would, shortly thereafter, learn that hashes are, in fact, meant to not be reversible. Guaranteeing a 1-to-1 mapping (e.g. no collisions) makes them reversible, negating the point of the hash.
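The two hash comments above rest on the pigeonhole argument and on what happens when the set of valid inputs is smaller than the output space. The following Python sketch is an added example, not part of either comment. It assumes a SHA-1 digest truncated to 2 bytes and a constructed toy "language" of 4-digit PINs, both chosen so that every case can be enumerated in well under a second.

```python
import hashlib
from itertools import product

def truncated_sha1(data: bytes, nbytes: int = 2) -> bytes:
    """SHA-1 cut to nbytes, so the output space is small enough to exhaust."""
    return hashlib.sha1(data).digest()[:nbytes]

def md5_digest(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def first_collision(nbytes: int = 2):
    """Hash the strings "0", "1", "2", ... until two share a truncated digest.

    There are only 2**(8*nbytes) possible outputs, so a collision must
    appear within 2**(8*nbytes) + 1 inputs (pigeonhole principle).
    Returns (earlier_input, later_input, inputs_tried).
    """
    seen = {}
    i = 0
    while True:
        msg = str(i).encode()
        digest = truncated_sha1(msg, nbytes)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
        i += 1

def restricted_language():
    """Constructed toy language: every 4-digit PIN, 10,000 valid inputs."""
    return ["".join(p).encode() for p in product("0123456789", repeat=4)]

def build_lookup(inputs, hash_fn):
    """Hash every valid input; return (digest -> input table, collision_free)."""
    table = {}
    for msg in inputs:
        table.setdefault(hash_fn(msg), msg)
    return table, len(table) == len(inputs)

if __name__ == "__main__":
    a, b, tried = first_collision(2)
    print(f"16-bit SHA-1 collision after {tried} inputs: {a!r} vs {b!r}")
    table, ok = build_lookup(restricted_language(), md5_digest)
    print("MD5 collision-free over all PINs:", ok)
    print("digest of b'4821' maps back to:", table[md5_digest(b"4821")])
    _, ok_small = build_lookup(restricted_language(), lambda m: truncated_sha1(m, 1))
    print("8-bit digest collision-free over all PINs:", ok_small)
```

With 10,000 inputs and a 128-bit output the table has no collisions, so every digest maps back to its PIN by lookup alone; with an 8-bit output the same inputs cannot avoid colliding.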

Comment Re:Samsung != Apple (Score 1) 142

You can quit attempting to put words into my mouth,

Where have I done this?

I have no intention of falling for your strawmen.

What strawmen?

Android's abysmal adoption rate of new OS versions is well known.

I never argued this.

Marshmallow is and will be irrelevant for months until its adoption rates become significant

I don't care about anyone else's devices, only my own. The adoption rate for Marshmallow is 100% for the devices I am concerned about. That's as significant as it gets.

given how frequent new & different attacks have been released for android over the past few years I have little confidence that marshmallow will bring significant change because any new bug is still no more likely to be patched by upgrading to a fixed version than present versions of Android have been.

That's getting a little closer to what I've been trying to get out of you. Since it seems you have no concrete information regarding what I actually care about, I suppose time will tell.

That someone with the experience you claim would be so apparently clueless as to ignore these points and to keep bringing up "but how's marshmallow" like it makes any difference just shows that you still haven't understood the problem.

No, I understand the problem quite well. There are a number of known vulnerabilities in versions of Android that I don't use, which makes it not my problem. I am asking about the version I do use, because those vulnerabilities are my problem.

My children are adults now.

Then you must be old enough to have acquired the wisdom to discern when you and the person you are conversing with are talking about two different things, from two different perspectives. Please apply that wisdom here, as I've pointed this out several times by now.

During their childhood they were often complimented on how well behaved they were for their ages

As was I.

but I've seen what bad parenting does.

We all have. It often leads to discussions like this.

Your lack of self-control and justification of how that is supposed to be normal in particular for an adult does not speak well for how you were raised.

I don't lack self-control, I simply have no tolerance for people like you who try to get by in indirect insults as if that's any better than calling someone a dumbass. As for the words you claim I am putting in your mouth, I can only assume you are referring to me saying the following:

Most small kids would not have waited for you to call them by the wrong name, take an insulting tone with them, insinuate that they're in denial about something they've already openly acknowledged (head in the sand or up... where, exactly?), and refuse to address (acknowledge, hell, not even answer) their questions, before calling you a doo-doo head.

Well, I'm not sure how that's putting words in anyone's mouth. Here are the quotes detailing you doing each and every one of those things:

"by the wrong name": Androids are getting Powned left right & center due to their abysmal security & Bronsco thinks I'm talking about ad blockers?!?!

"take an insulting tone with them" and "insinuate that they're in denial about something they've already openly acknowledged" are covered by the next two:

"head in the sand": Just how deep in the "sand" do you have your head stuck in?

"or up... where, exactly?": Oh, do keep your head up where it's been hiding

And, to that, I'll reiterate: Where, exactly? I'm sure your mother would be proud. As for your refusal to address my questions, well, I'm not going to quote our entire conversation; you can go back and read it yourself.

Comment Re:Samsung != Apple (Score 1) 142

You're an android user

Thanks for highlighting that incorrect assumption. I didn't give you my full bio but, in addition to being a user, I am also a developer (apps and roms alike) and, in addition to Android, I also use iOS, Windows, several distros of Linux, a couple of BSDs, and my primary OS of choice is OSX. Hardly a fanboy.

Android bugs that in most cases will never be corrected until people replace their phones with new models so that their maker will be motivated enough to update them.

Are you implying that newer versions of Android aren't affected by the vulnerabilities you know of? That's what it sounds like; if that's the case, I don't know what we're arguing about. Older versions of iOS are vulnerable, too. Apple controls the upgrade path for iOS just like Google controls it for Nexus devices; if other manufacturers don't provide patches and OS updates, that's an other-manufacturer problem, not an Android problem.

To clarify my point, only Apple makes iOS devices, so we have no example of how 3rd party devices would receive updates. All that exists for this is conjecture. As a result, we can not legitimately compare the update process of iOS devices with the update process of non-Nexus Android devices and pin the results on Google. Likewise, we can not compare the security of iOS devices and non-Nexus Android devices and pin those results on Google, either.

And, as a user of a fully updated Nexus device (and several Apple devices including two iPads) that's, quite conveniently, all I care to discuss.

Again, I am not here to educate you & I have signed NDAs that prevent me from talking about them or just what problems they encountered in anything but the most general terms.

Then I guess it's good that I was asking a very general question, isn't it? I'll restate, in that context: By the way, how does Marshmallow hold up? That's pretty general; yes, it's about a specific version, but if your argument boils down to "all Android versions, combined, are less secure than the current version of iOS" I'm afraid my initial comment regarding the intelligence of your posterior appears to be correct.

It's a simple concept, really; when comparing a specific property of two or more things (in this case, security), you make those things as similar as possible, and you only compare those things. iOS: only distributed by Apple. Easy, only compare with Android on Nexus devices. Latest iOS? Only compare with latest Android. iOS in default configuration? Only compare with Android in default configuration. iOS fully locked down? Only compare with fully locked down Android.

Sure, this doesn't give you a broad picture of the landscape, for that you do have to compare all iOS versions and all Android versions currently in widespread use, in aggregate; that's not what we're talking about here, though. Here, we're talking about Nexus devices, which are updated by Google directly and, as a result, will mostly be running the latest version, much like iOS devices, so the comparison should be limited thusly.

I couldn't care less that you are unable to show more control than most small children.

You must not have kids (or friends with kids). Most small kids would not have waited for you to call them by the wrong name, take an insulting tone with them, insinuate that they're in denial about something they've already openly acknowledged (head in the sand or up... where, exactly?), and refuse to address (acknowledge, hell, not even answer) their questions, before calling you a doo-doo head. I could have displayed a bit more restraint, but the name would have come out in this post anyway.
