/prog/ - Git is DEAD — Tinychan BBS

Name: Anonymous 2017-02-24 4:43

DEAD
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Name: Anonymous 2017-02-24 5:27

160 bit ciphers are dead

the SHAttered attack weakened SHA-1 by 17bits, one bit is lost to the birthday attack, and the other 142 bits were brute-forced

Name: Anonymous 2017-02-24 5:33

and the other 142 bits were brute-forced

Woah, so you can just brute-force md5 because it's 128 bit long, huh?

Name: Anonymous 2017-02-24 5:44

wait, i think the birthday attack eats half the bits, not just one

>>3
unless md5 is a lot slower to compute than sha-1, it's pretty much gone

Name: Anonymous 2017-02-24 5:59

The other question would be `how many cpu's does google/others have?'
google reportedly has over 1,000,000, the attack uses 6,500 cpu years, it could well be under the 1-day mark for a 60-bit brute-force

Name: Anonymous 2017-02-24 6:31

>>2
This quote does not seem to be correct, where did you take it from?
The paper says

In total the computational effort spent is equivalent to 2^63.1 SHA-1 compressions

Name: Anonymous 2017-02-24 8:09

>>1
but IIRC git doesn't use SHA1 for security, it's still resistant to accidental collisions

>>3
that's old news, MD5 hasn't been considered secure since someone collided M$ certs to issue malicious windows updates

Name: Anonymous 2017-02-24 10:39

>>7

but IIRC git doesn't use SHA1 for security

This is false, the -S command signs the SHA-1 of the commit, not to mention that if a collision happens it can mess your repo or even insert malicious code without warning.

Name: Anonymous 2017-02-24 11:31

>>8
you may be right, my knowledge of git is fairly basic

Name: Cudder !cXCudderUE 2017-02-24 12:12

>>3,4
MD5 collisions could be found in seconds on hardware 10 years ago:

https://www.win.tue.nl/hashclash/
http://lookit.typepad.com/lookit/2006/03/creating_collis.html

>>8
It's not really a problem until someone comes up with two colliding source files (i.e. ASCII text.)

Nevertheless, FUCK GOOGLE. I was hoping the Chinese would come up with it first, using actual brain power instead of CPU time like they did with MD5, but these fat pigs beat them to it.

Name: Anonymous 2017-02-24 12:47

>>10
I, for one, am happy to have a publicly disclosed exploit kill SHA1 instead of it being silently exploited by the spies paid by oppressive governments but I guess to each his own. it's like you keep saying: insecurity is freedom to get hacked by the Chinese.

also dubs

Name: Anonymous 2017-02-24 13:32

>>7,10
I was talking about brute-force specifically, not any other attacks.

It's not really a problem until someone comes up with two colliding source files (i.e. ASCII text.)

Many projects have some kind of binaries in their repos, not necessarily the compiled program, it might just be binary blobs.
Chromium, the linux kernel, openbsd, freebsd, etc do that.

Name: Anonymous 2017-02-24 13:43

check 'em

Name: dubzchecker 2017-02-24 16:38

>>13

initalizing dubzchecker ...
[#######......57%]
STOP
ERROR 07: dubs not found
exiting

Name: Anonymous 2017-02-24 19:06

meanwhile https://lists.gnupg.org/pipermail/gnutls-devel/2017-February/008309.html
Now we can't serve certs signed by multiple private keys, thanks for removing openpgp support, faggot.

Name: Cudder !cXCudderUE 2017-02-25 1:10

>>11

I, for one, am not happy to have a publicly disclosed exploit kill SHA1 instead of it being silently exploited by the ~~spies paid by oppressive governments~~jailbreaking, DRM-killing, freedom-fighting crackers who give us warez, pr0n, leaked datasheets, and other juicy 0day releases.

FTFY

Name: Anonymous 2017-02-25 2:40

>>6
yeah, i got my calculation wrong =)

Still pretty bad to see a 160 bit hash defeated by a 17 bit attack

Name: Anonymous 2017-02-25 2:50

>>10

using actual brain power instead of CPU time

Ugh... it's not simple brute force.

The SHAttered attack is 100,000 faster than the brute force attack that relies on the birthday paradox. The brute force attack would require 12,000,000 GPU years to complete, and it is therefore impractical.[0]

[0] https://shattered.it/

Name: Anonymous 2017-02-25 7:36

>>16
Crackers don't fight for freedom. If they wanted to fight for freedom, they'd be writing free software.

Name: Anonymous 2017-02-25 10:12

>>19
Crackers are food. How is food supposed to fight for freedom? Do chips and nachos fight for food in your universe?

Name: Anonymous 2017-02-25 11:28

>>20
Crackers are white people. I hate them because they took my freedoms.

Name: Anonymous 2017-02-25 11:38

>>21
You're delusional. You need to see a doctor.

Name: Anonymous 2017-02-25 12:24

>>21
The negroes' freedoms - i.e. jobs were taken by low-paid illegal immigrants. The only whites who benefitted from that are the rich elite in the corporation upper echelons. Mass immigration is your real enemy, not whites.

Name: Anonymous 2017-02-25 12:25

>>20
Crackers are people who crack safes and security devices.

Name: Anonymous 2017-02-25 12:28

>>24
Also people who write keygens and pills to make software free.

Name: Anonymous 2017-02-25 12:37

>>25
Those kinds of crackers don't actually liberate software. To be free software means getting access to the exact source code of a corresponding binary program. Crackers do not publish the source code of a binary program that they've cracked. To be free software means users are legally permitted to share the software. No copyright holder gives permission for any cracker to distribute the cracked program.

Name: Anonymous 2017-02-25 12:43

>>26

access to the exact source code

That's open-source software, not free as in beer, which is what I meant.

To be free software means users are legally permitted

To be free software means you ain't gotta pay for it.

Name: Anonymous 2017-02-25 13:23

>>27
Free beer is a myth.

Name: Cudder !cXCudderUE 2017-02-25 17:02

>>26
Source code? We don't need no stinkin' source code!

Name: Anonymous 2017-02-25 17:45

>>29
LOL.

Name: Anonymous 2017-02-26 13:46

age

Git is DEAD

1 Name: Anonymous 2017-02-24 4:43

2 Name: Anonymous 2017-02-24 5:27

3 Name: Anonymous 2017-02-24 5:33

4 Name: Anonymous 2017-02-24 5:44

5 Name: Anonymous 2017-02-24 5:59

6 Name: Anonymous 2017-02-24 6:31

7 Name: Anonymous 2017-02-24 8:09

8 Name: Anonymous 2017-02-24 10:39

9 Name: Anonymous 2017-02-24 11:31

10 Name: Cudder !cXCudderUE 2017-02-24 12:12

11 Name: Anonymous 2017-02-24 12:47

12 Name: Anonymous 2017-02-24 13:32

13 Name: Anonymous 2017-02-24 13:43

14 Name: dubzchecker 2017-02-24 16:38

15 Name: Anonymous 2017-02-24 19:06

16 Name: Cudder !cXCudderUE 2017-02-25 1:10

17 Name: Anonymous 2017-02-25 2:40

18 Name: Anonymous 2017-02-25 2:50

19 Name: Anonymous 2017-02-25 7:36

20 Name: Anonymous 2017-02-25 10:12

21 Name: Anonymous 2017-02-25 11:28

22 Name: Anonymous 2017-02-25 11:38

23 Name: Anonymous 2017-02-25 12:24

24 Name: Anonymous 2017-02-25 12:25

25 Name: Anonymous 2017-02-25 12:28

26 Name: Anonymous 2017-02-25 12:37

27 Name: Anonymous 2017-02-25 12:43

28 Name: Anonymous 2017-02-25 13:23

29 Name: Cudder !cXCudderUE 2017-02-25 17:02

30 Name: Anonymous 2017-02-25 17:45

31 Name: Anonymous 2017-02-26 13:46