Re: Open Source Developers Shun Micoshaft Corporation

 

["Followup-To:" header set to comp.os.linux.advocacy.]

 

On Sun, 30 Sep 2007 10:39:24 +0100, dennis@home

<dennis@killspam.kicks-ass.net> wrote:

> You can't even grasp the concept of changing an isos content to match

> a checksum using the source code of the checksum program to make the

> fake data needed.

 

Doing that is actually very difficult if the "checksum" is carefully

constructed.

 

The MD5 hash that is typically used for this is an example of such a

carefully constructed checksum. It was originally developed for doing

secure digital signatures. So even though the algorithm is well-known,

changing a file and keeping the MD5 sum the same is very, very,

difficult if not impossible.

 

Note that MD5 has been shown to be vulnerable to a "collision attack"

that allows the creation of two files with the same hash, but you can't

pick the hash in advance. So that attack is not helpful in the case

where the attacker controls only one of the checksums, as would be the

case where he is trying to substitute an "evil" ISO for a "good" one

made by someone else.

 

Basically, it is not as simple to fake MD5 sums as you appear to think

it is. See here for more info:

 

<http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html>

 

 

--

-| Bob Hauck

-| "Reality has a well-known liberal bias." -- Stephen Colbert

-| http://www.haucks.org/

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

> "Jim Richardson" wrote:

>>

>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>> process works.

>

> Having done a quick check.

> Its pretty obvious that few people here know how md5 works.

>

> quote for wiki for those that think they know

>

>(snip)

 

LOL

 

You should have quit while you were behind, moron.

> It looks like the algorithm gets less secure the larger the file to me

> but as I said I am not a mathematician.

 

No kidding! I'd be surprised if you could muster the brain power to

simultaneously type and breath.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Jim Richardson" <warlock@eskimo.com> wrote in message

news:rkd5t4-8vt.ln1@dragon.myth...

> -----BEGIN PGP SIGNED MESSAGE-----

> Hash: SHA1

>

> On Sun, 30 Sep 2007 10:39:24 +0100,

> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>

>> "owl" <owl@rooftop.invalid> wrote in message

>> news:pzeoiw0049.s94@rooftop.invalid...

>>

>> you are too stupid to argue with.

>> You can't even grasp the concept of changing an isos content to match a

>> checksum using the source code of the checksum program to make the fake

>> data

>> needed.

>

> It doesn't work that way.

> You are not using the checksum program from the LiveCD to check the

> checksum of the LiveCD.

 

Who said I was?

I said you modify the checksum program to generate data so that a real

checksum program gives the same checksum.

Then you can sustitute bits of the iso and still get the same checksum.

Its not hard to understand if you try.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Jim Richardson" <warlock@eskimo.com> wrote in message

news:a2e5t4-8vt.ln1@dragon.myth...

> -----BEGIN PGP SIGNED MESSAGE-----

> Hash: SHA1

>

> On Sun, 30 Sep 2007 10:52:19 +0100,

> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>

>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>> news:lgm3t4-5il.ln1@dragon.myth...

>>> -----BEGIN PGP SIGNED MESSAGE-----

>>> Hash: SHA1

>>>

>>> On Sun, 30 Sep 2007 00:22:23 +0100,

>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>

>>>> Also it is probably possible to engineer an iso to have the correct

>>>> checksum.

>>>> It shouldn't be too hard as you have the source code for the checksum

>>>> program so you can modify it to add padding to the iso somewhere to

>>>> make

>>>> the

>>>> checksum anything you like. Unless you have mathmatical proof this

>>>> can't

>>>> be

>>>> done

>>>

>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>> process works.

>>

>> So as I asked is there a mathematical proof that you can only end up with

>> one checksum for any set of data?

>> If there is then no you can't fake one, if there isn't then you probably

>> can.

>

> You are confused (again) The non-presence of a proof, does not mean that

> something is or is not possible. Basic logic.

 

You are confused.. this is security.. if you can't prove you are secure then

you aren't.

Stuff on the Internet suggests that with modern computers md5 is just not

secure and anything that uses md5 is a security risk.

This means anyone using md5 to check their isos is being daft.

>

>> I have not claimed to be a mathematician so I don't know.

>> Also it doesn't really matter as a social engineered hack doesn't need to

>> fool everyone so even if owl is wise enough to check the checksums not

>> everyone is.

>>

>

> not relevent to you original claims.

 

None of this junk you and others put in is relevant to the original claim so

why do you keep on?

>

>> There are an awful lot of people trying to put down perfectly good advice

>> for some reason.

>

> probably because it's not "perfectly good advice"

 

OK so you recommend people download binaries that someone advertises in

usenet.

 

Sounds like your advice is *much* better.. so much better I will ignore you.

Re: Open Source Developers Shun Micoshaft Corporation

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

On Mon, 1 Oct 2007 08:28:44 +0100,

dennis@home <dennis@killspam.kicks-ass.net> wrote:

>

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:rkd5t4-8vt.ln1@dragon.myth...

>> -----BEGIN PGP SIGNED MESSAGE-----

>> Hash: SHA1

>>

>> On Sun, 30 Sep 2007 10:39:24 +0100,

>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>

>>> "owl" <owl@rooftop.invalid> wrote in message

>>> news:pzeoiw0049.s94@rooftop.invalid...

>>>

>>> you are too stupid to argue with.

>>> You can't even grasp the concept of changing an isos content to match a

>>> checksum using the source code of the checksum program to make the fake

>>> data

>>> needed.

>>

>> It doesn't work that way.

>> You are not using the checksum program from the LiveCD to check the

>> checksum of the LiveCD.

>

> Who said I was?

> I said you modify the checksum program to generate data so that a real

> checksum program gives the same checksum.

> Then you can sustitute bits of the iso and still get the same checksum.

> Its not hard to understand if you try.

 

It doesn't work that way. That's the whole point.

 

You keep showing your complete and total ignorance on how the MD5SUM

process works.

 

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.6 (GNU/Linux)

 

iD8DBQFHAKZdd90bcYOAWPYRAvk0AKCKRNBGquk/fezLX69fKflfl1MQhACg1onJ

JmZg75xGXHh6maITW/OoJFc=

=/6kW

-----END PGP SIGNATURE-----

 

--

Jim Richardson http://www.eskimo.com/~warlock

"Even if you can deceive people about a product through misleading

statements, sooner or later the product will speak for itself."

- Hajime Karatsu

Re: Open Source Developers Shun Micoshaft Corporation

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

On Mon, 1 Oct 2007 08:33:53 +0100,

dennis@home <dennis@killspam.kicks-ass.net> wrote:

>

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:a2e5t4-8vt.ln1@dragon.myth...

>> -----BEGIN PGP SIGNED MESSAGE-----

>> Hash: SHA1

>>

>> On Sun, 30 Sep 2007 10:52:19 +0100,

>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>

>>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>>> news:lgm3t4-5il.ln1@dragon.myth...

>>>> -----BEGIN PGP SIGNED MESSAGE-----

>>>> Hash: SHA1

>>>>

>>>> On Sun, 30 Sep 2007 00:22:23 +0100,

>>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>>

>>>>> Also it is probably possible to engineer an iso to have the correct

>>>>> checksum.

>>>>> It shouldn't be too hard as you have the source code for the checksum

>>>>> program so you can modify it to add padding to the iso somewhere to

>>>>> make

>>>>> the

>>>>> checksum anything you like. Unless you have mathmatical proof this

>>>>> can't

>>>>> be

>>>>> done

>>>>

>>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>>> process works.

>>>

>>> So as I asked is there a mathematical proof that you can only end up with

>>> one checksum for any set of data?

>>> If there is then no you can't fake one, if there isn't then you probably

>>> can.

>>

>> You are confused (again) The non-presence of a proof, does not mean that

>> something is or is not possible. Basic logic.

>

> You are confused.. this is security.. if you can't prove you are secure then

> you aren't.

 

No, that's not true.

> Stuff on the Internet suggests that with modern computers md5 is just not

> secure and anything that uses md5 is a security risk.

> This means anyone using md5 to check their isos is being daft.

>

 

No, the collision risk with MD5SUM is very specific, and limited in

scope, It's not a problem with the iso files in the way you seem to

imply.

>>

>>> I have not claimed to be a mathematician so I don't know.

>>> Also it doesn't really matter as a social engineered hack doesn't need to

>>> fool everyone so even if owl is wise enough to check the checksums not

>>> everyone is.

>>>

>>

>> not relevent to you original claims.

>

> None of this junk you and others put in is relevant to the original claim so

> why do you keep on?

>

>>

>>> There are an awful lot of people trying to put down perfectly good advice

>>> for some reason.

>>

>> probably because it's not "perfectly good advice"

>

> OK so you recommend people download binaries that someone advertises in

> usenet.

 

No, I point out that your advice is far from "perfectly good"

>

> Sounds like your advice is *much* better.. so much better I will ignore you.

>

>

>

 

 

Feel free, you've been somewhat amusing for a while, but only somewhat.

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.6 (GNU/Linux)

 

iD8DBQFHAKbgd90bcYOAWPYRAsebAKCCwm1UujaJKKsTlotxsUAg+KLAHwCg5/V7

fznmUX+1HlmQrA+GHSsg96w=

=j9NI

-----END PGP SIGNATURE-----

 

--

Jim Richardson http://www.eskimo.com/~warlock

I've noticed that when a new policy mentions me by name,

it's never a good thing.

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:rkd5t4-8vt.ln1@dragon.myth...

>> -----BEGIN PGP SIGNED MESSAGE-----

>> Hash: SHA1

>>

>> On Sun, 30 Sep 2007 10:39:24 +0100,

>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>

>>> "owl" <owl@rooftop.invalid> wrote in message

>>> news:pzeoiw0049.s94@rooftop.invalid...

>>>

>>> you are too stupid to argue with.

>>> You can't even grasp the concept of changing an isos content to match a

>>> checksum using the source code of the checksum program to make the fake

>>> data

>>> needed.

>>

>> It doesn't work that way.

>> You are not using the checksum program from the LiveCD to check the

>> checksum of the LiveCD.

>

> Who said I was?

> I said you modify the checksum program to generate data so that a real

> checksum program gives the same checksum.

> Then you can sustitute bits of the iso and still get the same checksum.

> Its not hard to understand if you try.

 

You say a lot of things. None make any sense

 

Feel free to *prove* that you can generate data that way which is small

enough to fit *additionally* on an ISO to still generate the "valid" MD5

 

Please read some about how MD5 are generated, though. You are even more

clueless how it works than you are in general

 

Your "super plan" to modify MD5 is simply hilarious. Worthy a windows (and

Vista at that, to top the idocy a little more) using nimwit

--

Support your local Search and Rescue unit -- get lost.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Anonymous Remailer (austria)" <mixmaster@remailer.privacy.at> wrote in

message news:4526d20b0285c1b8f34874b3670e6501@remailer.privacy.at...

>

> You really are that stump stupid, aren't you? You actually believe

> this, don't you??

>

> There's actually a trivial attack against SSL that not only involves

> intercepting that traffic but modifying it.

 

Thats why they don't use ssl.

They don't use md5 either because its cr@p.

>

>> Then you have to crack the key using the small amout of data you have.

>> And it doesn't use md5 either as md5 has known faults that make it

>> easier to attack using brute force.

>

> Easier, yes. But still impractical, and therefor impossible in this

> scenario. It would take you far longer to "crack" and MD5 signature

> than the data you're "cracking" would be useful. By the time you

> managed to develop an evil copy of Fedora Core 7, Fedora would be up to

> Core 1,678,371,740.

 

You acn continue to believe that if you want.

As I said its not relevant to the original point.

I will not believe it as noone as even attepted to show any proof it is

secure.

You and several others saying oif course ists secure we use it doesn't carry

much weight especially as you introduced it in an attempt to deflect the

discussion away from the original point that you don't download binaries

recommened by users on usenet.

The reason you don't.. they may be a s stupid as you are and accept things

as true just because they have been that way for a few years.

There are plenty of examples of "secure" protocols being broken as computer

power gets better and I see no reason to trust your nonunderstanding of the

problem.

At least I admit I don't understand it but I am not prepared to take the

word of someone mouthing off like you.

I have had dealings with a so called cryptographer in the past trying to

sell technology to the company I work for on the basis that it would

revelotionise computer storage. He started exactly the same as you.. "you

woun't understand this because your too stupid" and needless to say he was a

con artist just like you.

>

>> And you forget its Iwouldn't be trying to decode any encryption I

>> would be trying to encode some data to make the same checksum. The

>

> Not checksum, hash. Two different things.

>

>> two tasks are by no means the same. All I have to do is end up with a

>

> In fact they are nearly identical because the best known attack for

> either is a brute force attack.

>

>> file the same size and same checksum while only changing a few files

>> that the user is unlikely to use, lets say the drivers for some

>> obscure hardware, probably a few tens of megabytes to play with.

>

> Can't be done. Not even against MD5.

>

>> > impact. You don't actually believe that someone can could put up a

>> > malicious LiveCD without *someone* noticing and it being announced

>> > all over the news right?

>>

>> Yes I do think it is quite possible.

>

> Yes, but you think Wikipeddia is a source of accurate and useful

> information too. <laugh>

>

>> When was the last time you checked the contents of a cd other than

>> the checksum?

>

> Today. About an hour ago.

>

>> > And honestly, who the hell would download a operating system from a

>> > P2P file sharing program? Anyone in their right mind that wants to

>> > download an OS is going to go to the OS' website, inform themselves

>> > about the OS and then download it if they want to from there.

>>

>> At least one person here that says it can't happen has said they do

>> so I guess you know at least one.

>

> There's nothign wrong with downloading your ISO's via bittorrent or the

> like. The hash/signature is verifiable regardless. The method of

> distribution is irrelevant.

>

>> > And if someone is an idiot enough to use some P2P software to

>> > download binaries and gets their system toasted as a result then

>> > they probably didn't deserve much better in the first place.

>>

>> Their system probably wouldn't be toasted.. it would sit there

>> controlling bots sending spam to you and I and they would be

>> oblivious.

>

> Like your average Wintard, then... :)

>

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "Bob Hauck" . wrote in message

> news:slrnfg0drm.3h1.postmaster@robin.haucks.org...

>> ["Followup-To:" header set to comp.os.linux.advocacy.]

>>

>> On Sun, 30 Sep 2007 10:39:24 +0100, dennis@home

>> <dennis@killspam.kicks-ass.net> wrote:

>>

>>> You can't even grasp the concept of changing an isos content to match

>>> a checksum using the source code of the checksum program to make the

>>> fake data needed.

>>

>> Doing that is actually very difficult if the "checksum" is carefully

>> constructed.

>>

>> The MD5 hash that is typically used for this is an example of such a

>> carefully constructed checksum. It was originally developed for doing

>> secure digital signatures. So even though the algorithm is well-known,

>> changing a file and keeping the MD5 sum the same is very, very,

>> difficult if not impossible.

>>

>> Note that MD5 has been shown to be vulnerable to a "collision attack"

>> that allows the creation of two files with the same hash, but you can't

>> pick the hash in advance. So that attack is not helpful in the case

>> where the attacker controls only one of the checksums, as would be the

>> case where he is trying to substitute an "evil" ISO for a "good" one

>> made by someone else.

>>

>> Basically, it is not as simple to fake MD5 sums as you appear to think

>> it is. See here for more info:

>>

>> <http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html>

>>

>

> At last someone that might know what he is talking about..

 

You have been told several times already that your "attack vector" does not

work. By different people.

For your "attack" to work you need a possible "pre-image attack". But MD5 is

vulnerable to "collision attacks", thus rendering your scenario totally

impractical

You can *not* fake a valid MD5 for a tampered ISO that way

 

So now you are faced with a situation where you

a) can not generate MD5 sums which could fool people

b) can not put a faked ISO on the net with a valid MD5

 

Your complete "scenario" (which was stupid FUD from the start) has broken

down to nothing

> I was beginning to think all Linux users were stupid like the rest of the

> posters here.

> I will go and have a look at that and see if I can understand it.

 

Don't bother. It contains several words longer than 1 syllable and even

language which is different from the grunts you use thus making it way too

difficult for you

 

 

--

Only two things are infinite,

the Universe and Stupidity.

And I'm not quite sure about the former.

- Albert Einstein

Re: Open Source Developers Shun Micoshaft Corporation

 

Jim Richardson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----

> Hash: SHA1

>

> On Mon, 1 Oct 2007 08:33:53 +0100,

> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>> On Sun, 30 Sep 2007 10:52:19 +0100,

>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>>

>>>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>>>> news:lgm3t4-5il.ln1@dragon.myth...

>>>>> On Sun, 30 Sep 2007 00:22:23 +0100,

>>>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>>>

>>>>>> Also it is probably possible to engineer an iso to have the correct

>>>>>> checksum.

>>>>>> It shouldn't be too hard as you have the source code for the checksum

>>>>>> program so you can modify it to add padding to the iso somewhere to

>>>>>> make

>>>>>> the

>>>>>> checksum anything you like. Unless you have mathmatical proof this

>>>>>> can't be done

>>>>>

>>>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>>>> process works.

>>>>

>>>> So as I asked is there a mathematical proof that you can only end up

>>>> with one checksum for any set of data?

>>>> If there is then no you can't fake one, if there isn't then you

>>>> probably can.

>>>

>>> You are confused (again) The non-presence of a proof, does not mean that

>>> something is or is not possible. Basic logic.

>>

>> You are confused.. this is security.. if you can't prove you are secure

>> then you aren't.

>

> No, that's not true.

 

Of course it's not true. The idiot just keeps digging a deeper hole.

>> Stuff on the Internet suggests that with modern computers md5 is just not

>> secure and anything that uses md5 is a security risk.

>> This means anyone using md5 to check their isos is being daft.

>>

>

> No, the collision risk with MD5SUM is very specific, and limited in

> scope, It's not a problem with the iso files in the way you seem to

> imply.

>

>>>

>>>> I have not claimed to be a mathematician so I don't know.

>>>> Also it doesn't really matter as a social engineered hack doesn't need

>>>> to fool everyone so even if owl is wise enough to check the checksums

>>>> not everyone is.

>>>>

>>>

>>> not relevent to you original claims.

>>

>> None of this junk you and others put in is relevant to the original claim

>> so why do you keep on?

>>

>>>

>>>> There are an awful lot of people trying to put down perfectly good

>>>> advice for some reason.

>>>

>>> probably because it's not "perfectly good advice"

>>

>> OK so you recommend people download binaries that someone advertises in

>> usenet.

>

> No, I point out that your advice is far from "perfectly good"

 

It's far from even 'good', never mind the 'perfectly' part.

>> Sounds like your advice is *much* better.. so much better I will ignore

>> you.

>>

> Feel free, you've been somewhat amusing for a while, but only somewhat.

 

You see what using windoze does for some people. The "M$ Mindset", pah.

 

They even have AV headers in their messages, when posting to a *newsgroup*.

They must be scared of passing something on to other windoze (l)users in

their groups.

X-Antivirus-Status: Clean

X-Antivirus: avast! (VPS 000777-4, 30/09/2007), Outbound message

 

Pitiful.

--

Operating systems:

FreeBSD 6.2, Debian 4.0

PCLinuxOS 2007, (K)Ubuntu 7.04

Ubuntu 7.10 "Gutsy" beta

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:rkd5t4-8vt.ln1@dragon.myth...

> > -----BEGIN PGP SIGNED MESSAGE-----

> > Hash: SHA1

> >

> > On Sun, 30 Sep 2007 10:39:24 +0100,

> > dennis@home <dennis@killspam.kicks-ass.net> wrote:

> >>

> >> "owl" <owl@rooftop.invalid> wrote in message

> >> news:pzeoiw0049.s94@rooftop.invalid...

> >>

> >> you are too stupid to argue with.

> >> You can't even grasp the concept of changing an isos content to

> >> match a checksum using the source code of the checksum program to

> >> make the fake data

> >> needed.

> >

> > It doesn't work that way.

> > You are not using the checksum program from the LiveCD to check the

> > checksum of the LiveCD.

>

> Who said I was?

> I said you modify the checksum program to generate data so that a

> real checksum program gives the same checksum.

 

What in the HELL are you babbling about? Do you not even understand

that "checksums" are calculated by the user, and matched against those

published by the distributors themselves? There IS no opportunity to

modify any program anywhere, that does whatever is you think you're

talking about.

> Then you can sustitute bits of the iso and still get the same

> checksum. Its not hard to understand if you try.

 

NO, you can't. If you do that it won't hash properly. The values will

be different any you will discard the corrupt/altered file.

 

Don't you think it's about time you came to grips with the fact that

you're wrong? That you really don't know anything about the subject?

 

Or are you so afraid of admitting you're wrong you'll continue to make

a mockery of yourself until you just burn out?

>

>

Re: Open Source Developers Shun Micoshaft Corporation

 

Anonymous wrote:

> dennis@home wrote:

>

>>

>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>> news:rkd5t4-8vt.ln1@dragon.myth...

>> > -----BEGIN PGP SIGNED MESSAGE-----

>> > Hash: SHA1

>> >

>> > On Sun, 30 Sep 2007 10:39:24 +0100,

>> > dennis@home <dennis@killspam.kicks-ass.net> wrote:

>> >>

>> >> "owl" <owl@rooftop.invalid> wrote in message

>> >> news:pzeoiw0049.s94@rooftop.invalid...

>> >>

>> >> you are too stupid to argue with.

>> >> You can't even grasp the concept of changing an isos content to

>> >> match a checksum using the source code of the checksum program to

>> >> make the fake data

>> >> needed.

>> >

>> > It doesn't work that way.

>> > You are not using the checksum program from the LiveCD to check the

>> > checksum of the LiveCD.

>>

>> Who said I was?

>> I said you modify the checksum program to generate data so that a

>> real checksum program gives the same checksum.

>

> What in the HELL are you babbling about? Do you not even understand

> that "checksums" are calculated by the user, and matched against those

> published by the distributors themselves? There IS no opportunity to

> modify any program anywhere, that does whatever is you think you're

> talking about.

 

It has been told repeatedly (by several different posters) to that stupid

nimwit that with an "collision attack" on MD5 you can't control the MD5

hash, thus rendering his scenario completely impossible

 

Instead of wising up and reading some material about how MD5 works, he still

babbles his idiocy about "modify the checksum program".

>> Then you can sustitute bits of the iso and still get the same

>> checksum. Its not hard to understand if you try.

>

> NO, you can't. If you do that it won't hash properly. The values will

> be different any you will discard the corrupt/altered file.

>

> Don't you think it's about time you came to grips with the fact that

> you're wrong? That you really don't know anything about the subject?

>

> Or are you so afraid of admitting you're wrong you'll continue to make

> a mockery of yourself until you just burn out?

>

 

He is a Vista user. What do you expect? It can't get any dumber than that.

You have to be "Oxford" from the Mac camp to be as stupid as those guys

--

This problem was sponsored by Microsoft

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "Peter Köhlmann" . wrote in message

> news:fdq9m6$9ad$02$2@news.t-online.com...

>

>> Feel free to *prove* that you can generate data that way which is small

>> enough to fit *additionally* on an ISO to still generate the "valid" MD5

>

> Why? That isn't what I said you do.

>

> As you fail to understand what the mechanism I suggested despite me having

> repeated it I don't have much faith in anything you say.

 

Good. Then tell us the difference between "collision attack" and "pre-image

attack". Explain in detail how they relate to your proposed "solution"

 

 

MD5 is vulnerable to the first (collision), not the second (pre-image)

 

And you need a "pre-image attack" to generate the MD5Sum you need, as you

don't have control over the MD5 hash with collision attacks

 

See why everyone thinks you are a cretinous imbecile? Because that is

exactly what you are. A totally clueless, extremely stupid Vista luser.

Comparing your IQ to bread is an insult. To the bread

--

Only two things are infinite,

the Universe and Stupidity.

And I'm not quite sure about the former.

- Albert Einstein

Re: Open Source Developers Shun Micoshaft Corporation

 

"Peter Köhlmann" . wrote in message

news:fdqe57$s5j$01$1@news.t-online.com...

> You have been told several times already that your "attack vector" does

> not

> work. By different people.

> For your "attack" to work you need a possible "pre-image attack". But MD5

> is

> vulnerable to "collision attacks", thus rendering your scenario totally

> impractical

> You can *not* fake a valid MD5 for a tampered ISO that way

 

Now lets discuss what it says in that pdf.

They take a data set

Then they create a new data set with the first half the same.

Then they generate a new data set with different data in the second half but

with the same checksum.

 

Now that sounds like they are doing what I said I would need to do.

For those that still haven't read the thread properly what I proposed is

that someone makes minor changes to some of the files (the hack) and then

modify other files (like obsolete drivers as there are megabytes to play

with) to give the same checksum.

It *can* be done with the size of data sets used in the pdf.

Where is the proof it can't be done with bigger files.

Now are going to say the pdf is a lie too?

 

What I don't know and what you certainly don't know is how difficult it is

with iso sized images.

 

If you can prove the documented attack in the pdf is false let me know as it

will prove you were right after all.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Peter Köhlmann" . wrote in message

news:fdqfss$knj$02$1@news.t-online.com...

> /quote

> Q: What is a collision attack and a preimage attack?

> A: A preimage attack would enable someone to find an input message that

> causes a hash function to produce a particular output. In contrast, a

> collision attack finds two messages with the same hash, but the attacker

> can't pick what the hash will be. The attacks announced at CRYPTO 2004 are

> collision attacks, not preimage attacks.

> /unquote

>

 

So they cretae a file and get an md5 sum for that file.

Then they create a new file with defined data in part of it and then change

the other half to give the same checksum.

How is this different from what I want to do other than which bits of the

file are changed and which are left alone?

I may be being thick but in principle it does what I would need to do

AFAICS.

 

 

All your other stuff is just a smoke screen IMO.

>

> See that part about "a hash function to produce a particular output",

> dennis? That is a preimage attack. You don't have that with MD5

>

> But that is what you would need to get data which matches a valid MD5Sum

>

> MD5 is vulnerable to "collision attacks", but then you can't pick the

> hash.

> In short, you can't control the output, thus making it impossible for you

> to generate a ISO with matching MD5. In short, MD5 is just fine to protect

> an ISO image against tampering

 

From reading the pdf I just don't see where it says that is true.

It states they take a file (data set) and changesome of it and generate the

rest to get the same checksum.

In principle they have hacked the file just as I would need to hack the iso.

>

> *That* has been told to you gazillion times, and you still blubbered

> your "hacked MD5 generator to produce data" idiocy

 

The bit of evidence presented so far does not support your claims.

>

> You are really a worthy windows user. Stupid beyond imagination. Your

> fellow

> Vista lusers will be proud of you

 

Present some evidence that what you say is true rather than evidence that

says it isn't.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Adam Albright" <AA@ABC.net> wrote in message

news:e802g3dltg0ae7p1b9hsnenonqp7gddevu@4ax.com...

 

Hi crazy.

Any new events in your imagination?

Re: Open Source Developers Shun Micoshaft Corporation

 

On Mon, 1 Oct 2007 20:18:33 +0100, "dennis@home"

<dennis@killspam.kicks-ass.net> wrote:

>

>"Adam Albright" <AA@ABC.net> wrote in message

>news:e802g3dltg0ae7p1b9hsnenonqp7gddevu@4ax.com...

>

>Hi crazy.

>Any new events in your imagination?

 

Get a clue. As long as there are pompous blowhards needing to puff out

their chests and strut around pretending they know everything like you

always do I have plenty of ammunition to show the world what clowns

those like you truly are.

 

Any questions?

Re: Open Source Developers Shun Micoshaft Corporation

 

On Mon, 1 Oct 2007 20:00:50 +0100, dennis@home

<dennis@killspam.kicks-ass.net> wrote:

 

To simplify things (I don't want to repeat what was already written, here is

what Bob Hauck just wrote (but did not crosspost to your cretins group):

> It is a collison attack to change bits of an iso to make it contain

> malicious code.

 

Um, no, that's wrong.  The collision attack requires that the attacker

generate both files.  You can't choose the hash value, you can only

get the same value for two different files.  The attack relies on being

able to manipulate the data in both files.  Hence it is not possible to

match an existing MD5 generated by someone else in this way.

 

The example on the web site has the attacker generating both messages

and then signing them both himself.  Since he can force both messages to

have the same MD5 then they both appear legit.  

 

OTOH, if Fred has generated a message, it is not possible for Charlie to

create a new message with the same (already generated) MD5.

 

See the difference?  It is subtle but very important.  Someone could

make both "good" and "bad" ISO's with the same MD5, but it isn't clear

what utility that would have as an attack vector since only someone who

has legitimate access to the download site could do it.

 

 

< snip more utter idiocy from the Vista luser dennis >

 

This has been explained to you at least half a dozen times by now, from

different people.

 

You are obviously too stupid (well, you do run Vista. That alone explains

most of it) to understand this stuff even when it is explained to you in

simple language

--

Support your local Search and Rescue unit -- get lost.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Adam Albright" <AA@ABC.net> wrote in message

news:jii2g35srkm3v9j64h72n6on465sqv0ouo@4ax.com...

> On Mon, 1 Oct 2007 20:18:33 +0100, "dennis@home"

> <dennis@killspam.kicks-ass.net> wrote:

>

>>

>>"Adam Albright" <AA@ABC.net> wrote in message

>>news:e802g3dltg0ae7p1b9hsnenonqp7gddevu@4ax.com...

>>

>>Hi crazy.

>>Any new events in your imagination?

>

> Get a clue. As long as there are pompous blowhards needing to puff out

> their chests and strut around pretending they know everything like you

> always do I have plenty of ammunition to show the world what clowns

> those like you truly are.

>

> Any questions?

>

 

Why are you so stupid?

Do you even bother to read anything in your fantasy world or do you just

post anyway?

You can imagine everyone else to be an expert if you like, I tend to read

what they post first then you pickup little hints like "I am not a

mathematician" you know the sort of things that contradict your view.

I still think you are crazy.

Re: Open Source Developers Shun Micoshaft Corporation

 

On Tue, 2 Oct 2007 07:50:18 +0100, "dennis@home"

<dennis@killspam.kicks-ass.net> wrote:

>

>"Adam Albright" <AA@ABC.net> wrote in message

>news:jii2g35srkm3v9j64h72n6on465sqv0ouo@4ax.com...

>> On Mon, 1 Oct 2007 20:18:33 +0100, "dennis@home"

>> <dennis@killspam.kicks-ass.net> wrote:

>>

>>>

>>>"Adam Albright" <AA@ABC.net> wrote in message

>>>news:e802g3dltg0ae7p1b9hsnenonqp7gddevu@4ax.com...

>>>

>>>Hi crazy.

>>>Any new events in your imagination?

>>

>> Get a clue. As long as there are pompous blowhards needing to puff out

>> their chests and strut around pretending they know everything like you

>> always do I have plenty of ammunition to show the world what clowns

>> those like you truly are.

>>

>> Any questions?

>>

>

>Why are you so stupid?

>Do you even bother to read anything in your fantasy world or do you just

>post anyway?

>You can imagine everyone else to be an expert if you like, I tend to read

>what they post first then you pickup little hints like "I am not a

>mathematician" you know the sort of things that contradict your view.

>I still think you are crazy.

 

What you need to work on is not coming off as pompous jerk.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Adam Albright" <AA@ABC.net> wrote in message

news:4ah4g352mi6p83f3n6mcnkemogjleqfrkq@4ax.com...

 

>

> What you need to work on is not coming off as pompous jerk.

>

 

You need to work on being sane.

Re: Open Source Developers Shun Micoshaft Corporation

 

On Tue, 2 Oct 2007 20:58:52 +0100, "dennis@home"

<dennis@killspam.kicks-ass.net> wrote:

>

>"Adam Albright" <AA@ABC.net> wrote in message

>news:4ah4g352mi6p83f3n6mcnkemogjleqfrkq@4ax.com...

>

>

>>

>> What you need to work on is not coming off as pompous jerk.

>>

>

>You need to work on being sane.

 

 

Pointing out the INSANITY of things others posters claim IS being

sane, rational and fully awake. You should try it sometime.

Re: Open Source Developers Shun Micoshaft Corporation

 

Adam Albright wrote:

>

>

> Pointing out the INSANITY of things others posters claim IS being

> sane, rational and fully awake. You should try it sometime.

>

 

 

 

hehehe...how the fukk would a demented as*hole mental case like you know?

Is that what you talked about in your group meeting this week?

Frank

Re: Open Source Developers Shun Micoshaft Corporation

 

"Adam Albright" <AA@ABC.net> wrote in message

news:j1c5g39rmfmtbk783r9b9lh402mnn7epoi@4ax.com...

> On Tue, 2 Oct 2007 20:58:52 +0100, "dennis@home"

> <dennis@killspam.kicks-ass.net> wrote:

>

>>

>>"Adam Albright" <AA@ABC.net> wrote in message

>>news:4ah4g352mi6p83f3n6mcnkemogjleqfrkq@4ax.com...

>>

>>

>>>

>>> What you need to work on is not coming off as pompous jerk.

>>>

>>

>>You need to work on being sane.

>

>

> Pointing out the INSANITY of things others posters claim IS being

> sane, rational and fully awake. You should try it sometime.

 

What do you think I have been doing with your posts?

>

Re: Open Source Developers Shun Micoshaft Corporation

 

In comp.os.linux.advocacy, dennis@home

<dennis@killspam.kicks-ass.net>

wrote

on Wed, 3 Oct 2007 20:13:10 +0100

<fe0pki$vla$1@news.datemas.de>:

>

> "Adam Albright" <AA@ABC.net> wrote in message

> news:j1c5g39rmfmtbk783r9b9lh402mnn7epoi@4ax.com...

>> On Tue, 2 Oct 2007 20:58:52 +0100, "dennis@home"

>> <dennis@killspam.kicks-ass.net> wrote:

>>

>>>

>>>"Adam Albright" <AA@ABC.net> wrote in message

>>>news:4ah4g352mi6p83f3n6mcnkemogjleqfrkq@4ax.com...

>>>

>>>

>>>>

>>>> What you need to work on is not coming off as pompous jerk.

>>>>

>>>

>>>You need to work on being sane.

>>

>>

>> Pointing out the INSANITY of things others posters claim IS being

>> sane, rational and fully awake. You should try it sometime.

>

> What do you think I have been doing with your posts?

 

Not understanding them? :-)

 

--

#191, ewill3@earthlink.net

Useless C++ Programming Idea #8830129:

std::set<...> v for(..:iterator i = v.begin() i != v.end() i++)

if(*i == thing) {...}

 

--

Posted via a free Usenet account from http://www.teranews.com