The Post Your Thoughts of the Moment Thread 2

Started by Harvest, February 22, 2008, 12:40:22 PM

WaluigiTime64

Oh right, I hit a thousand a few posts ago.
My Arrangements (All Outdated)
My Compositions (All Outdated)
Quote from: WaluigiTime64
I strive for second place and I will fight for the position.

FireArrow

Quote from: NocturneOfShadow on February 24, 2017, 01:51:43 PM
Los Angeles first, then I was gonna head north

You should check out Stockton and Fresno
Quote from: Dudeman on January 23, 2017, 05:35:59 PM
straight from the department of redundancy department

mikey

Quote from: FireArrow on February 24, 2017, 05:24:30 PM
You should check out Stockton and Fresno
well, I'm not going any more.  Basically my mom asked me what I was gonna do and we got to the point where she threatened to kick me out.  I said ok I'm leaving and then she decided that she wouldn't be able to handle that
unmotivated

BlackDragonSlayer

1: Why does nobody sell 30/36 pants. Not jeans; they have those.
2: Why do I have to be the exact size nobody bothers to have. SERIOUSLY. They have 30/34s!
And the moral of the story: Quit while you're a head.

Fakemon Dex
NSM Sprite Thread
Compositions
Story Thread
The Dread Somber

Zunawe

You know you've been playing too much Dragon Quest when you're afraid your Hershey's Kisses are going to flee.

I program things

Zunawe

Double post:
This probably isn't super interesting to most of you, but the SHA-1 hashing function was officially feasibly broken a couple days ago. I realize that doesn't mean much, but basically a bunch of things on the Internet are now insecure. (Link)

More explain
A hashing function turns an arbitrary amount of data into a fixed amount of data. Say you wanted to give employees an employee id that appeared sorta random, and you want to base it on their name. You could pass their name through a hashing function and get, say, a 6-digit number from it, regardless of the length of their name and apparently unrelated to the characters in it.

The more important aspect of these hashing functions (in terms of security) is that they're not reversible. A very basic example:

Input:
   Any integer number
Output:
   0 if the input is even
   1 if the input is odd

Now, if I give you any input of any size, you can easily tell me the hash of it. But if I tell you what the hash is, you can't possibly tell me what I used as my input to get that hash.

The other major aspect of a secure hash function is a low probability of different inputs producing the same output. The above example is awful in that respect. The SHA-1 function can produce 2^160 distinct outputs (~1.5e48). Additionally, any minor change in the input should result in a vastly different output. When two inputs hash to the same output, that's called a collision. If you can practically produce a collision, the hash function is not secure.

On Feb 24th, Google announced that they had successfully and practically collided two different files. According to their math, careful use of time and resources could allow the creation of two pieces of data that collide for as little as $110,000. That sounds like a lot, but if we're talking about governments or well-organized malcontented groups, that's not very costly.

Implications
In short, this means that two distinct pieces of data can be created that SHA-1 believes are the same thing. Somebody could upload the harmless piece somewhere, and it would publicly look like nothing, and then when somebody tries to download it, they are given something malicious. Because their hashes are the same, no flags are raised and the malicious data goes unnoticed.

Git, in particular, uses SHA-1 to identify commits in repositories of code, and GitHub, the largest open-source host in the world, expects the hash of each commit to be unique. If two different files have the same hash, suddenly the unique identifier is trying to refer to two separate files. This has already corrupted WebKit repositories (possibly beyond repair).

To reel in the spook a bit, Google hasn't released the algorithm for colliding data. They have simply proven it can be done by publishing two PDFs with the same hash (that's what was uploaded to WebKit). They will, however, release their research in three months, meaning anything that relies on SHA-1 has that long to come up with a fix.

I like these computer science things. Feel free to ignore me when I do this, because I'm fully aware this is not the crowd to be running to with discussion on secure hashing functions. But I like to tell people about it anyway, just in case they think it's at all interesting.
You know you've been playing too much Dragon Quest when you're afraid your Hershey's Kisses are going to flee.

I program things
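
The properties described in the post above (fixed-size output, a large output change from a small input change, and collisions), as an added Python example that is not part of the original thread. It truncates SHA-1 to 24 bits, an assumption made only so that a collision turns up in moments; all input strings are constructed.

```python
import hashlib
from itertools import count

def parity_hash(n: int) -> int:
    """The toy hash from the post: 0 for even input, 1 for odd."""
    return n & 1

def sha1_int(data: bytes) -> int:
    """Full 160-bit SHA-1 digest as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sha1_bits(data: bytes, bits: int) -> int:
    """Only the first `bits` bits of SHA-1 (a deliberately weakened hash)."""
    return sha1_int(data) >> (160 - bits)

def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 160 output bits differ between two inputs."""
    return bin(sha1_int(a) ^ sha1_int(b)).count("1")

def birthday_collision(bits: int):
    """Hash constructed inputs until two share a truncated hash.

    Returns (first_input, second_input, number_of_inputs_hashed).
    Expected work is about 2^(bits/2), far less than 2^bits.
    """
    seen = {}
    for i in count():
        msg = b"constructed-input-%d" % i
        h = sha1_bits(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

if __name__ == "__main__":
    # Irreversible but useless for security: every even number collides.
    print("parity:", parity_hash(4), parity_hash(1_000_000))
    # Fixed-size output no matter the input length.
    for name in (b"Al", b"Alexandria Longlastname-Hyphenated"):
        print(len(hashlib.sha1(name).digest()), "bytes:", hashlib.sha1(name).hexdigest())
    # One-letter change flips roughly half of the 160 bits.
    print("bits changed:", differing_bits(b"Alice", b"Alicf"))
    # A 24-bit hash collides after a few thousand tries, not 2^24.
    a, b, tries = birthday_collision(24)
    print(f"{a!r} and {b!r} collide on 24 bits after {tries} inputs")
    # A wider hash still tells the two inputs apart.
    print("SHA-256 equal?", hashlib.sha256(a).digest() == hashlib.sha256(b).digest())
```
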

WaluigiTime64

Quote from: Zunawe on February 25, 2017, 01:03:24 AM
Google hasn't released the algorithm for colliding data. They have simply proven it can be done by publishing two PDFs with the same hash (that's what was uploaded to WebKit). They will, however, release their research in three months, meaning anything that relies on SHA-1 has that long to come up with a fix.
Wow, that's kinda mean. 3 months is a long time.
Also computer science is something I want to get into at some point, so this was a fun read.
My Arrangements (All Outdated)
My Compositions (All Outdated)
Quote from: WaluigiTime64
I strive for second place and I will fight for the position.

Zunawe

It's actually very responsible. Assuming you trust Google. They're saying

"We just built a math bomb that can destroy these types of structures. It was built to show that it can be built, and we've proven it works. While we feel it is a responsibility that we share how this bomb works, we will give you three months to evacuate the structures this bomb can destroy. After three months, those still using said structures will be doing so at their own risk, knowing we have shared with everyone how to make the bomb and why it works."

There's a fun little cryptography ethical dilemma related to why they do this, but that's a whole other discussion.

Three months is actually pretty quick. Something like Git that has relied on this tool for years only has three months to come up with a solution for fixing this problem before the entire program and all the repositories created with it become unsecured. In fact, that they release it at all says something about Google's view on public information.
You know you've been playing too much Dragon Quest when you're afraid your Hershey's Kisses are going to flee.

I program things

Latios212

Bahaha I can follow most of the CS stuff you post

Yeah I find it pretty surprising that it's going to be released so soon. Sounds like it might throw a lot of people/companies into a frenzy.
My arrangements and YouTube channel!

Quote from: Dudeman on February 22, 2016, 10:16:37 AM
who needs education when you can have WAIFUS!!!!!

Spoiler
[close]
turtle

Zunawe

Quote from: Latios212 on February 25, 2017, 08:42:11 AM
Bahaha I can follow most of the CS stuff you post
I didn't mean that as in I'm talking over your heads (I hope I don't). Just that I expect a lot of people to read a sentence or two, decide it's uninteresting, and move on. And I'm fine with that. I earnestly hope I don't sound like I'm trying to prove my intelligence or anything pretentious like that.

Quote from: Latios212 on February 25, 2017, 08:42:11 AM
Yeah I find it pretty surprising that it's going to be released so soon. Sounds like it might throw a lot of people/companies into a frenzy.
Firefox responded within the day I believe.
You know you've been playing too much Dragon Quest when you're afraid your Hershey's Kisses are going to flee.

I program things

WaluigiTime64

Quote from: Zunawe on February 25, 2017, 04:26:53 PM
Just that I expect a lot of people to read a sentence or two, decide it's uninteresting, and move on. And I'm fine with that.
I thought that was the majority of posts in the Off-Topic Board.
It definitely piqued my interest, even though I didn't have a full understanding of it.

Quote from: Zunawe on February 25, 2017, 04:26:53 PM
I earnestly hope I don't sound like I'm trying to prove my intelligence or anything pretentious like that.
It didn't sound like that at all! No need to worry.
That's subjective though, so maybe somebody did read it as such.

I'd love to see more of these computer science things actually. One day it might motivate me enough to self-study computer science (when I'm not busy with a thousand other things).
My Arrangements (All Outdated)
My Compositions (All Outdated)
Quote from: WaluigiTime64
I strive for second place and I will fight for the position.

mikey

stop using small fonts in every one of your posts
unmotivated

WaluigiTime64

My Arrangements (All Outdated)
My Compositions (All Outdated)
Quote from: WaluigiTime64
I strive for second place and I will fight for the position.

mikey

"Breaking: Maybe there exists more than two emotion, scientists say

Recent researches have shown that maybe there exists more than two emotion, according to top scientists.  This may be comes as a blow to many of us, who previously thinks as only two emotion.  According to new researches, scientists are discovered there may be is more than 2 emotion, at least three, and has discovers evidence for possibly up to 9, may be more.  What does this mean?  Well, we no more will dismiss something as not emotion, be cause it could be, emotion, we don't know about it.  As of now, we stick to two emotion that we know about for sure.  Researches over time will tell us more about other emotion.
unmotivated

Maelstrom

I just realized that we now have exactly 1,000 more sheets on the site since the new submission system was put in place back in October of 2014. Zeta is 8 posts away from being a Nintendo Nocturne. I'd call this a major success.