
Comment Re:"In the wild" - slight exaggeration (Score 1) 159

"not only weak, but broken" seems premature. The attack here involves manipulating two obtuse file formats to yield altered files with a shared hash, different to original unaltered hashes. Definitely weakened and yeah you are probably right this is the final toll for SHA-1 and from here things are likely to get worse quickly. I'll be mindful of this when I think about the various places where I use SHA-1 and start thinking about switching in other things. But I am failing to see how this right now translates into a practical vector for the various places where I encounter SHA-1. A more serious vector would be the capacity to create any desired hash with something significantly more efficient than a brute force compute, i.e. can anyone easily yield output the same as this without knowing the input?

echo -n 'mysecretpw+somesalt'|sha1sum
3cbb35f831b4e9241dd986f66c16e465e2db2a3a -

Comment Re:"In the wild" - slight exaggeration (Score 1) 159

Umm, that is an uncited claim in the summary. Nothing of the sort is stated in any of the links. The summary links to a paper that provides more details of the attack. Very heavy and technical, though a few initial takeaways from it are that implementations only take a few days to run on gear they have, so it does seem safe to assume that SHA-1 collisions are pretty much pwned.

Comment "In the wild" - slight exaggeration (Score 2) 159

Someone checked in PDFs that demonstrate the first engineered SHA-1 collision and this broke SVN. The PDFs in question took 6500+ CPU years + 110 GPU years to generate. "In the wild" is a bit panicky & excessive.

What does this actually mean in terms of integrity of repos and other things that rely on SHA-1? Does it merely break repos or does it facilitate injection attack vectors - how important is secure hashing in the guts of repos? What precisely is being secured? SHA-1 has been deprecated for SSL certs already so you shouldn't be using certs with SHA1 sigs anymore. Myself, I'll keep an eye on how this develops and start thinking about using SHA-2, but won't be replacing git or existing usage of SHA1 for password hashing anytime soon.
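As an added illustration of what a git repo actually hashes (this is example code, not from any commenter or from git itself): an object id is the SHA-1 of a "<type> <length>\0" header followed by the content, not the SHA-1 of the raw file, so verifying repo integrity means recomputing those ids. The sample content is constructed; the empty-blob and empty-tree ids are git's well-known constants.

```python
import hashlib


def raw_sha1(data: bytes) -> str:
    """SHA-1 of the bytes as stored on disk (what a plain `sha1sum` prints)."""
    return hashlib.sha1(data).hexdigest()


def git_object_id(data: bytes, kind: str = "blob") -> str:
    """Object id git assigns: SHA-1 over "<type> <byte length>\\0" + content."""
    if kind not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown git object type: {kind!r}")
    header = f"{kind} {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def verify_blob(expected_id: str, data: bytes) -> bool:
    """Integrity check: does this content still hash to the id the repo recorded?"""
    return git_object_id(data, "blob") == expected_id


def same_git_blob(a: bytes, b: bytes) -> bool:
    """True only when git would store both contents under the same object id.

    Two files that share a raw SHA-1 need not share a git id, because the
    header prepended by git changes the bytes that are hashed.
    """
    return git_object_id(a) == git_object_id(b)


if __name__ == "__main__":
    # Constructed sample content (not either of the published collision PDFs).
    content = b"hello world\n"
    print("raw sha1   :", raw_sha1(content))
    print("git blob id:", git_object_id(content))
    print("verifies   :", verify_blob(git_object_id(content), content))
```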

Comment Re: Malignant narcissist upset, news at 11. (Score 1) 760

It's definitely a weird thing to write. It looks like a fishing expedition / incitement to bully. It isn't evidence of fabricated threat. The tweets in the link I provided above strongly suggest a different motive. I see no smoking gun in all this, nothing compelling beyond odd behaviour. If this is considered the best critique of BW, seriously it isn't much of a critique.

Comment Re:Malignant narcissist upset, news at 11. (Score 4, Interesting) 760

The insinuation is that this was done in a clandestine fashion with intent to deceive and overstate the threat. The rebuttal I linked above says that intent is clearly sarcasm/exasperation. Nothing was hidden. The original argument that this was done with intent to deceive is weak as piss.

On a side note, I spent 15 mins flipping through the FBI file linked to the original slashdot story. Some seriously juvenile and puerile rubbish there. Although the death threats, the ones I read at least, were too over the top to be credible, what is definitely present is a visceral hatred and anger and a quite possibly genuine wish for harm. Appalling: I challenge anyone who thinks that they can endure that sort of abuse and remain unaffected by it.

Comment Re:Start the clock (Score 1) 267

They correspond to a global increase of temperatures of ~ 0.7c / 100years that is currently in a protracted period of significantly lower rate of growth compared to the 1970-2000 period (YMMV depending on what dataset you look at, but the graph you posted strongly hints at this).

Comment Re:Free market (Score 2) 396

Even if you are allowed to buy from overseas, you are not, strictly speaking, operating in a free market. You are relying on 'anti free-market' government measures and protections in the target jurisdiction. Carry the idea of the free market to its ultimate logical conclusion, and medicine from overseas will still be expensive if certain people had their way and this loophole would definitely be closed to you. Using Australia as an example, it is actually illegal to export government priced/subsidised medicines from Australia. It is supposed to be for Australian citizens only. Citizens leaving Australia need to demonstrate any medicine they are carrying is for their own personal use.

All this reveals one of the many faults and limitations of libertarianism / small government ideology. It assumes that in all transactions all parties have equal agency. Which is never ever the case when your life and health are part of that transaction. Sometimes people need to organise to help protect themselves from the ruthless practices of greedy arseholes. At least as far as medicine is concerned, the rest of the developed world gets it...
