You are not logged in.

#26 2005-02-14 07:10:58

skoal
Member
From: Frequent Flyer Underworld
Registered: 2004-03-23
Posts: 612
Website

Re: md5's time has come and gone.

Well, at least you know what you're talking about on the matter.  In my case, "ignorance is bliss"...

Offline

#27 2005-02-16 03:54:44

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: md5's time has come and gone.

*cough* sha-1 has now been "theoretically" broken
http://www.schneier.com/blog/archives/2 … roken.html

Interesting read. I hope they release their paper results soon, so we can see exactly what they did...and I can attempt, likely in futility, to understand parts of it.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#28 2005-02-16 22:33:36

xerxes2
Member
From: Malmoe, Sweden
Registered: 2004-04-23
Posts: 1,249
Website

Re: md5's time has come and gone.

skoal wrote:

Well, at least you know what you're talking about on the matter.  In my case, "ignorance is bliss"...

it's not rocketscience skoal, here is a little overview of Arch' case,

as it is now a cracker can place his own version of a package on the mirror and noone will notice it until it's to late, next time you install that package you get the crackers version installed on your box,

but if the md5/sha sums were encrypted(RSA like) that's not possible to do, in that case the cracker must place a package as the same sum as the initial,


arch + gentoo + initng + python = enlisy

Offline

#29 2005-02-16 23:20:24

skoal
Member
From: Frequent Flyer Underworld
Registered: 2004-03-23
Posts: 612
Website

Re: md5's time has come and gone.

xerxes2 wrote:

[..]it's not rocketscience skoal, here is a little overview of Arch' case,[...]

Oh yeah, I get that part.  I've heard that concern expressed elsewhere along my Internet journeys too.  I just don't understand all the different hashing algorithms that everyone else here seems intimately knowledgeable about. 

So, for me, I've never had any problems with MD5 hashed downloads.  I can't recall any stories from any Linux distribution having one either.  And, unfortunately, that's all I have to offer on presenting an alternative.  My lack of knowledge is superceded by experience.  So, I generally trust what's worked for me in the past reliably.  I only deal with problems after they've already presented themself.  I gather that's the choice most distributed OSS is taking too.

Of course, you either prepare for the future, or suffer from the past.  I generally like to suffer...

Offline

#30 2005-02-16 23:35:59

xerxes2
Member
From: Malmoe, Sweden
Registered: 2004-04-23
Posts: 1,249
Website

Re: md5's time has come and gone.

skoal wrote:

Oh yeah, I get that part.  I've heard that concern expressed elsewhere along my Internet journeys too.  I just don't understand all the different hashing algorithms that everyone else here seems intimately knowledgeable about.

I don't know rats ass about md5/sha either more than that it's hashing algoritms,
as I said in the other post, the problem is that the sums isn't encrypted, if a cracker get access to Arch' ftp he would "own" our boxes,  you would be running his versions of various daemons instead of the real ones,


arch + gentoo + initng + python = enlisy

Offline

#31 2005-02-18 05:07:04

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: md5's time has come and gone.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

Board footer

Powered by FluxBB