>LINUX FOUNDER Linus Torvalds was warned in 2005 that the use of the SHA-1 hash to sign code in Linux and Git was insecure and urged to shift to something better protected, but rejected the advice outright.
>Free software evangelist John Gilmore warned Torvalds ten years ago that "SHA1 has been broken; it's possible to generate two different blobs that hash to the same SHA1 hash".
>Torvalds point of view hasn't changed, and in an email sent over the weekend he reiterated his lack of concern.
>"Quite frankly, it's not worth worrying about. It's a hell of a lot easier to just break a source archive with other means (ie, pay a developer ten million dollars to just insert the back door you want inserted)," he concluded.
>Linus Torvald is this retarded
holy shit
Ethan Myers
brb switching to Mercurial
Christopher Jones
Read about it already. I'm with Linus.
Jack Ross
>pay a developer ten million dollars to just insert the back door you want inserted) How does this compare to the cost of creating and deploying malicious collisions? Btw, this affects SVN too.
Jace Robinson
They're working to replace SHA1 they're just not too worried at the moment because to make a collision you have to append garbage data to the files and it's hard as fuck to do that discretely on source files that are viewed in text editors.
Isaiah Wood
TempleOS is the ONLY secure OS now.
Zachary Perez
Sounds like me and Linux have a lot in common!!
Michael Watson
Why is there no threads regarding Vault 7 leaks, this is technology board afterall.. or is it applel vs android vs nvidiots vs amdrones board now ?
Andrew Fisher
you know what's insecure? your mom's asshole
Aiden Myers
Good post
Eli Jenkins
>Why isn't there already a thread about something I want to discuss? > Lets make my own thread > Naw, lets just shit up another thread, that'll make things better
Dylan Thomas
This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes.
Mason Ward
Because this thread is shit
Jose Ward
lurk moar, retard
Michael Smith
What a tard. It's over, Torvalds is finnish.
Liam Brown
everything that has ever been connected to the internet is unsafe, mongoloid, gnu/linux is just safer overall and the OS is not voluntarily spying on you and gathering your data, unlike apple and microsoft. Also it still is much better OS than win or mac
Oliver Cruz
Only webkit devs are enough idiot to merge two binary file.
Leo Jenkins
Why not just use SHA512? Is it hard or something?
Chase Baker
dem good trap. >OP IS INSECURE ACCORDING TO HIS BULLSHIT
Wyatt Thompson
user@cottenpicker~$ sh /this/isnt/new/knowledge/faggot.sh
Parker Hall
Underrated post.
Isaiah Williams
why are we not talking about the fact that that hot chick is a man baby
Samuel Taylor
Not gonna lie, former Linus supporter here. It's been hilarious watching this guy crash and burn. But in all seriousness, we can't let him control the kernel development any longer.
Jace Bennett
t. SJW psyops
Hunter Young
You are not ever going to make a meaningful attack against a source repo via a hash collision.
Adam Reed
it costs less than 10 million to crack SHA1 and either way using money in any security related arguments is pretty dumb since money doesnt matter when state actors are involved.
Noah Perez
Its not about "cracking" it. It's about covertly replacing one file in a git repo with another file that has that same hash. Git won't know they're different. the problem is how do you make a file with the same hash that actually contains something you want it to. Protip, you can't, and this is why Linus doesn't care.
Justin Reyes
Linus isn't a security expert; he's an engineer. he just wants to get shit working for him. A blessing and a curse for the rest of us.
Nolan Myers
It's being used as a glorified checksum, is it not? You still can't push changes without having them approved. SHA1 is worthless for encryption purposes. This much is true.
Wyatt Allen
>I haven't seen the attack yet, but git doesn't actually just hash the data, it does prepend a type/length field to it. That usually tends to make collision attacks much harder, because you either have to make the resulting size the same too, or you have to be able to also edit the size field in the header.
>pdf's don't have that issue, they have a fixed header and you can fairly arbitrarily add silent data to the middle that just doesn't get shown.
>So pdf's make for a much better attack vector, exactly because they are a fairly opaque data format. Git has opaque data in some places (we hide things in commit objects intentionally, for example, but by definition that opaque data is fairly secondary.
>Put another way: I doubt the sky is falling for git as a source control management tool. Do we want to migrate to another hash? Yes. Is it "game over" for SHA1 like people want to say? Probably not.
there is absolute no mention of TempleOS in the vault7 leaks
Henry Parker
Only FBI could care about him.
Use DOS.
Samuel Johnson
>You take the red pill - you stay in Wonderland and I show you a sea of nigger cattle in the rabbit-hole.
James Phillips
who is that shitskin in the background
Brody Wright
Random faggot.
William Cox
whoah
Carter Gomez
what if they're really married? wew
science has gone too ___
James Garcia
Hands off, she belongs to Pajeet
Wyatt Hernandez
>science has gone too ___
boneriffic
Wyatt Young
No anymore.
Joshua Foster
>she
Austin Torres
i donno mane, i'd be pretty afraid of putting my dick into a mutilated ballsack
but everything else is OK
why? did they break up?
Adam Reyes
He's bullshitting
Eli Miller
is that a pajeet or an abu hajaar
Josiah Martin
Indian programmer
John Clark
how do you know
Sebastian Campbell
It's on her site. Her boipucci is now free.
Noah Long
Well, yeah.
Ryan Robinson
ctrl-f no wikileaks the article is about git and source code
Carson Barnes
It's related to the Wikileaks releases
Colton Bell
BAM
Grayson Jackson
wtf i hate linux now
i am now a #WindowsWarrior
Cooper Reed
Is there any logical reason why you would fucking say that post is underrated? Has anybody expressed any kind of dissatisfaction or criticism at all against it? Are you delusional? Are you reading replies that are nonexistant? Maybe you come from communities with voting systems, but there is literally no way that you could know what other people think of that post you just replied to here. Maybe it's psychological. Maybe it's your own post you're replying to, like a 12 year old fucktard liking his own facebook posts thinking his swelling autism is going unnoticed. Maybe your self esteem depends on you tricking yourself into thinking someone out there thinks your post is worth something. Or maybe you are just a retard, the worst kind of retard, the one who thinks he's smart, the one who thinks he's the only one to have gotten the joke, to have understood the post. Well, guess what, faggot, that post is under no definition underrated so why don't you do the world a favor and go check out what the bottom of your toilet smells like?
Angel Scott
#windowsinsider
Connor Cook
It means you need to git the fuck out now.
Owen Reyes
Pajeets are natures rejects so it makes sense.
Thomas Anderson
Welcome to the team!
Lincoln Rogers
sha1 collision was recent, op is a fag and a systemd user.
I know as *he's my boy pussy.
Benjamin Flores
This. Also checked.
>she >her
William Russell
Pajeets are actually natures sweetest nectar.
Liam Sullivan
10 Rupees have been deposited in your account Hijab. Keep up the good work.
Nathan Rivera
Look at bitcoin, it's been subverted by bribing developers. And so what you might get a collision but what are the chances you can change a whole release, you would have to have back end access to the git repo. And that's assuming people aren't going to see it when they download and build from source.
Joseph Turner
>sha-1 and linux are literally the same thing
fuck of shill
Levi Gonzalez
>Underrated can only mean it doesn't have any critisism. Maybe the guy thinks it deserves more positive feedback.
Zachary Martinez
Because the attack is close hash attack there are layers of possible defense.
First of all the garbage must be inserted before an actual timely swapping of the file, and this garbage must be signed off on (since it must be a legit change) to produce the bad (close pack) hash.
The close hash areas are known. They can be simply denied by a checker in the program. So CIA would try to insert the garbage and all these big red warnings would come up pointing to the garbage and how it created a close hash.
This is even before the substitution operation that would allow for an actual code insertion, where altered code with the same bad hash number is inserted.
This is one of those "OH NOES so bad security look what I found" when really its nothing just poor Linuxtard developer crying for attention.
Josiah Jenkins
>tfw import more third world sub 60IQ Somalian Muslims.
Jackson Taylor
>Protip, you can't, and this is why Linus doesn't care the flame virus used an md5 collision attack to be detected as a whitelisted program by virus scanners.
I'm not sure about SHA1, but it's probably possible with it too.
Dominic Young
He's not retarded, he's just a shill.
Zachary Morgan
>pretending it's hopeless These leaks reveal that some platforms are more secure than others, for example there were tons of Windows attacks but relatively few Unix attacks.
Ryder Cruz
>pay a developer ten million dollars to just insert the back door you want inserted)," he concluded.
WHAT IF THEY GOT TO HIM!?
Colton Rodriguez
That's md5 which is a much weaker hash, and there's plenty of room to hide garbage for hash collisions inside an executable file. Git inserts metadata that affects the hash, which makes collisions much much harder. And the SHA-1 collision published by Google made two identical .pdf files, which are files that have a LOT of room to put garbage data to cause collisions in. Making say, two C source files with the same hash, without one being very obviously corrupted, is a much different story.
William Phillips
That virus was apparently fuckhuge though. They probably just kept appending data to it until they found something that worked. That wouldn't really work here when the source code of the files is in plain view. The devs would also notice if one file suddenly grew like 1000% with one commit
Christian Garcia
Costs $2500 to perform a collision. $2000 is a fixed cost and $500 is the average cost per collision.
Sebastian Sanders
That's inaccurate. The point is not to get a backdoor accepted, it's to get a user to download the malicious code without being able to notice that it is actually a compromised version, as they wouldn't run git diff HEAD~2 HEAD~1 or whatever. Note also that the payload can be inserted anywhere in the history which makes it even harder to find out. This type of attack would be deployed not against devs but rather against automated build systems.
Hudson Harris
yes
Ian Sanchez
>Making say, two C source files with the same hash, without one being very obviously corrupted, is a much different story couldn't you just stick an enourmous comment in the middle of the C file?
I suppose the things that would have to occur to sneak something like that into a git repo would be near impossible though.
Jace Bailey
>pulling numbers out of your ass
Wyatt Allen
Suffice is to say that those were not pulled out of my ass.
Nathan Ward
...
Jeremiah Hall
Did you read SHAttered? It's hard to do in any context where length is a known quantity. PDF is an ugly format which doesn't have that encoded early so you can fuck with shit. Perhaps NSA have developed it further, we have to assume so, but come on now... it's git... "security journalists" are bottom barrel scum who love to mislead, kill em all.
Sebastian Rogers
So does this "Ally" still have the penis or not? I need to know.
Juan Perry
This kills the erection
Brayden Campbell
>shilling free software what
Kayden Ross
>Why not just use SHA512?
I don't understand this either.
My 6 year old CPU can run sha512sum at 272MB/s. It can run sha1sum at 502MB/s. That's 3.7s and 2s for a 1GB file. The tar I have containing the source code for linux is 90MB.
Why use sha1? Hell why even use sha256? Sure 256 hasn't been broken yet but why not go with it? How is the 120ms saved an issue?
Also I have no idea why but sha256sum runs slower than 512 on my computer. What's gonig on there? I'm running it on 1GB of random data in a ramfs mount.
Jeremiah Diaz
> >Is there any logical reason why you would fucking say that post is underrated? Has anybody expressed any kind of dissatisfaction or criticism at all against it? Are you delusional? Are you reading replies that are nonexistant? Maybe you come from communities with voting systems, but there is literally no way that you could know what other people think of that post you just replied to here. Maybe it's psychological. Maybe it's your own post you're replying to, like a 12 year old fucktard liking his own facebook posts thinking his swelling autism is going unnoticed. Maybe your self esteem depends on you tricking yourself into thinking someone out there thinks your post is worth something. Or maybe you are just a retard, the worst kind of retard, the one who thinks he's smart, the one who thinks he's the only one to have gotten the joke, to have understood the post. Well, guess what, faggot, that post is under no definition underrated so why don't you do the world a favor and go check out what the bottom of your toilet smells like? Is this a new pasta
John White
Aight. It was good knowing y'all.
dd if=/dev/zero of=/dev/hda bs=666
Josiah Howard
>Also I have no idea why but sha256sum runs slower than 512 on my computer I don't know the details of each algorithm, but speed is not proportional to hash size
Lincoln King
>2017 >/dev/hda
Gabriel Morris
>Also I have no idea why but sha256sum runs slower than 512 on my computer. What's gonig on there? I don't know but it sounds like it's worth investigating.
Benjamin Hill
saved to my pasta folder
John Reyes
>that post is under no definition underrated what did the faggot mean by this?
John Mitchell
anything connected to external networks is insecure