LINUX IS INSECURE ACCORDING TO WIKILEAKS

Good post

>Why isn't there already a thread about something I want to discuss?
> Lets make my own thread
> Naw, lets just shit up another thread, that'll make things better

This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes.

Because this thread is shit

lurk moar, retard

What a tard.
It's over, Torvalds is finnish.

everything that has ever been connected to the internet is unsafe, mongoloid, gnu/linux is just safer overall and the OS is not voluntarily spying on you and gathering your data, unlike apple and microsoft. Also it still is much better OS than win or mac

Only webkit devs are enough idiot to merge two binary file.

Why not just use SHA512? Is it hard or something?

dem good trap.
>OP IS INSECURE ACCORDING TO HIS BULLSHIT

user@cottenpicker~$ sh /this/isnt/new/knowledge/faggot.sh

Underrated post.

why are we not talking about the fact that that hot chick is a man baby

Not gonna lie, former Linus supporter here. It's been hilarious watching this guy crash and burn. But in all seriousness, we can't let him control the kernel development any longer.

t. SJW psyops

You are not ever going to make a meaningful attack against a source repo via a hash collision.

it costs less than 10 million to crack SHA1 and either way using money in any security related arguments is pretty dumb since money doesnt matter when state actors are involved.

Its not about "cracking" it. It's about covertly replacing one file in a git repo with another file that has that same hash. Git won't know they're different. the problem is how do you make a file with the same hash that actually contains something you want it to. Protip, you can't, and this is why Linus doesn't care.

Linus isn't a security expert; he's an engineer. he just wants to get shit working for him. A blessing and a curse for the rest of us.

It's being used as a glorified checksum, is it not? You still can't push changes without having them approved. SHA1 is worthless for encryption purposes. This much is true.

>I haven't seen the attack yet, but git doesn't actually just hash the
data, it does prepend a type/length field to it. That usually tends to
make collision attacks much harder, because you either have to make
the resulting size the same too, or you have to be able to also edit
the size field in the header.

>pdf's don't have that issue, they have a fixed header and you can
fairly arbitrarily add silent data to the middle that just doesn't get
shown.

>So pdf's make for a much better attack vector, exactly because they
are a fairly opaque data format. Git has opaque data in some places
(we hide things in commit objects intentionally, for example, but by
definition that opaque data is fairly secondary.

>Put another way: I doubt the sky is falling for git as a source
control management tool. Do we want to migrate to another hash? Yes.
Is it "game over" for SHA1 like people want to say? Probably not.

marc.info/?l=git&m=148787047422954&w=2

you guys are too much.

wtf that's really a tranny damn

Can you explain what your pic means?

>ring-0

>no network stack
Fuck off CIA nigger.

this

there is absolute no mention of TempleOS in the vault7 leaks

Only FBI could care about him.

Use DOS.

>You take the red pill - you stay in Wonderland and I show you a sea of nigger cattle in the rabbit-hole.

who is that shitskin in the background

Random faggot.

whoah

what if they're really married? wew

science has gone too ___

Hands off, she belongs to Pajeet

>science has gone too ___

boneriffic

No anymore.

>she

i donno mane, i'd be pretty afraid of putting my dick into a mutilated ballsack

but everything else is OK

why? did they break up?

He's bullshitting

is that a pajeet or an abu hajaar

Indian programmer

how do you know

It's on her site. Her boipucci is now free.

Well, yeah.

ctrl-f
no wikileaks
the article is about git and source code

It's related to the Wikileaks releases

BAM

wtf i hate linux now

i am now a #WindowsWarrior

Is there any logical reason why you would fucking say that post is underrated? Has anybody expressed any kind of dissatisfaction or criticism at all against it? Are you delusional? Are you reading replies that are nonexistant? Maybe you come from communities with voting systems, but there is literally no way that you could know what other people think of that post you just replied to here. Maybe it's psychological. Maybe it's your own post you're replying to, like a 12 year old fucktard liking his own facebook posts thinking his swelling autism is going unnoticed. Maybe your self esteem depends on you tricking yourself into thinking someone out there thinks your post is worth something. Or maybe you are just a retard, the worst kind of retard, the one who thinks he's smart, the one who thinks he's the only one to have gotten the joke, to have understood the post. Well, guess what, faggot, that post is under no definition underrated so why don't you do the world a favor and go check out what the bottom of your toilet smells like?

#windowsinsider

It means you need to git the fuck out now.

Pajeets are natures rejects so it makes sense.

Welcome to the team!

sha1 collision was recent, op is a fag and a systemd user.

I know as *he's my boy pussy.

This. Also checked.

>she
>her

Pajeets are actually natures sweetest nectar.

10 Rupees have been deposited in your account Hijab. Keep up the good work.

Look at bitcoin, it's been subverted by bribing developers. And so what you might get a collision but what are the chances you can change a whole release, you would have to have back end access to the git repo. And that's assuming people aren't going to see it when they download and build from source.

>sha-1 and linux are literally the same thing

fuck of shill

>Underrated can only mean it doesn't have any critisism.
Maybe the guy thinks it deserves more positive feedback.

Because the attack is close hash attack there are layers of possible defense.

First of all the garbage must be inserted before an actual timely swapping of the file, and this garbage must be signed off on (since it must be a legit change) to produce the bad (close pack) hash.

The close hash areas are known. They can be simply denied by a checker in the program. So CIA would try to insert the garbage and all these big red warnings would come up pointing to the garbage and how it created a close hash.

This is even before the substitution operation that would allow for an actual code insertion, where altered code with the same bad hash number is inserted.

This is one of those "OH NOES so bad security look what I found" when really its nothing just poor Linuxtard developer crying for attention.

>tfw import more third world sub 60IQ Somalian Muslims.

>Protip, you can't, and this is why Linus doesn't care
the flame virus used an md5 collision attack to be detected as a whitelisted program by virus scanners.

I'm not sure about SHA1, but it's probably possible with it too.

He's not retarded, he's just a shill.

>pretending it's hopeless
These leaks reveal that some platforms are more secure than others, for example there were tons of Windows attacks but relatively few Unix attacks.

>pay a developer ten million dollars to just insert the back door you want inserted)," he concluded.

WHAT IF THEY GOT TO HIM!?

That's md5 which is a much weaker hash, and there's plenty of room to hide garbage for hash collisions inside an executable file. Git inserts metadata that affects the hash, which makes collisions much much harder. And the SHA-1 collision published by Google made two identical .pdf files, which are files that have a LOT of room to put garbage data to cause collisions in. Making say, two C source files with the same hash, without one being very obviously corrupted, is a much different story.

That virus was apparently fuckhuge though. They probably just kept appending data to it until they found something that worked. That wouldn't really work here when the source code of the files is in plain view. The devs would also notice if one file suddenly grew like 1000% with one commit

Costs $2500 to perform a collision. $2000 is a fixed cost and $500 is the average cost per collision.

That's inaccurate. The point is not to get a backdoor accepted, it's to get a user to download the malicious code without being able to notice that it is actually a compromised version, as they wouldn't run git diff HEAD~2 HEAD~1 or whatever. Note also that the payload can be inserted anywhere in the history which makes it even harder to find out. This type of attack would be deployed not against devs but rather against automated build systems.

yes

>Making say, two C source files with the same hash, without one being very obviously corrupted, is a much different story
couldn't you just stick an enourmous comment in the middle of the C file?

I suppose the things that would have to occur to sneak something like that into a git repo would be near impossible though.

>pulling numbers out of your ass

Suffice is to say that those were not pulled out of my ass.

...

Did you read SHAttered? It's hard to do in any context where length is a known quantity. PDF is an ugly format which doesn't have that encoded early so you can fuck with shit.
Perhaps NSA have developed it further, we have to assume so, but come on now... it's git... "security journalists" are bottom barrel scum who love to mislead, kill em all.

So does this "Ally" still have the penis or not? I need to know.

This kills the erection

>shilling free software
what

>Why not just use SHA512?

I don't understand this either.

My 6 year old CPU can run sha512sum at 272MB/s. It can run sha1sum at 502MB/s. That's 3.7s and 2s for a 1GB file. The tar I have containing the source code for linux is 90MB.

Why use sha1? Hell why even use sha256? Sure 256 hasn't been broken yet but why not go with it? How is the 120ms saved an issue?

Also I have no idea why but sha256sum runs slower than 512 on my computer. What's gonig on there? I'm running it on 1GB of random data in a ramfs mount.

>
>Is there any logical reason why you would fucking say that post is underrated? Has anybody expressed any kind of dissatisfaction or criticism at all against it? Are you delusional? Are you reading replies that are nonexistant? Maybe you come from communities with voting systems, but there is literally no way that you could know what other people think of that post you just replied to here. Maybe it's psychological. Maybe it's your own post you're replying to, like a 12 year old fucktard liking his own facebook posts thinking his swelling autism is going unnoticed. Maybe your self esteem depends on you tricking yourself into thinking someone out there thinks your post is worth something. Or maybe you are just a retard, the worst kind of retard, the one who thinks he's smart, the one who thinks he's the only one to have gotten the joke, to have understood the post. Well, guess what, faggot, that post is under no definition underrated so why don't you do the world a favor and go check out what the bottom of your toilet smells like?
Is this a new pasta

Aight. It was good knowing y'all.

dd if=/dev/zero of=/dev/hda bs=666

>Also I have no idea why but sha256sum runs slower than 512 on my computer
I don't know the details of each algorithm, but speed is not proportional to hash size

>2017
>/dev/hda

>Also I have no idea why but sha256sum runs slower than 512 on my computer. What's gonig on there?
I don't know but it sounds like it's worth investigating.

saved to my pasta folder

>that post is under no definition underrated
what did the faggot mean by this?

anything connected to external networks is insecure

It's not sufficient for you to merely say it.

this