espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN | For those wondering "Why Playstation 3s?"
There's a nice overview here: »people.csail.mit.edu/tromer/slid···rump.pdf |
|
TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON | Yeah I've coded an MD5 algo myself for the PS3 and it does 80 million hashes per second.
This may not look like a lot, but its just about as much as a very expensive Xeon server so your bang for the buck is quite real. |
|
MxxCon
join:1999-11-19
Brooklyn, NY
clubs:  
1 edit |  KARL, YOU ARE WRONG.
how can you post a story without even reading it?!
THEY NEVER SAID THEY "have found a method of hacking any website".
what they did say was that they "found a way to forge certain digital certificates"
THAT'S A HUGE DIFFERENCE.
your own link to our forum says »SSL security flaw with MD5 certificates announces today that's nothing even close to "hacking any website"
KARL, STOP SPREADING FUD! --
Check out my awesome city of MxxTopia »mxxtopia.myminicity.com/ind or »mxxtopia.myminicity.com (the more people visit, the bigger it is) |
|
Cheese
Premium
join:2003-10-26
Naples, FL
clubs:
| said by MxxCon  :how can you post a story without even reading it?! THEY NEVER SAID THEY "have found a method of hacking any website".what they did say was that they "found a way to forge certain digital certificates"THAT'S A HUGE DIFFERENCE. your own link to our forum says » SSL security flaw with MD5 certificates announces today that's nothing even close to "hacking any website" KARL, STOP SPREADING FUD! And the article says CLAIM, not they they DID, can YOU read? |
|
MxxCon
join:1999-11-19
Brooklyn, NY
clubs: | they never CLAIMED to have found a method of hacking any website either. |
|
rdmiller
join:2005-09-23
Richmond, VA | Not news
The flaw is in the process of issuing new MD5 certificates. If no one is issuing new MD5s, this is not a problem. |
|
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| reply to TSI Gabe
Re: For those wondering "Why Playstation 3s?"
said by TSI Gabe :Yeah I've coded an MD5 algo myself for the PS3 and it does 80 million hashes per second. What ever happened to 30 billion hashes per second?
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
beaups
join:2003-08-11
Hilliard, OH | lol I was just wondering the same thing |
|
TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON | reply to Steve
That was the C compiler optimizing my code into doing nothing quite literally. Sometimes those C optimizations don't really help... |
|
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| said by TSI Gabe :That was the C compiler optimizing my code into doing nothing quite literally. Sometimes those C optimizations don't really help... It's far more likely that your optimizer found a bug in your code than you found a bug in the optimizer.
The problem with compilers is that they do exactly what you ask them too bad women and children won't follow that example 
Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
k1ll3rdr4g0n
join:2005-03-19
Homer Glen, IL
| reply to MxxCon
Re: KARL, YOU ARE WRONG.
said by MxxCon :how can you post a story without even reading it?! THEY NEVER SAID THEY "have found a method of hacking any website".what they did say was that they "found a way to forge certain digital certificates"THAT'S A HUGE DIFFERENCE. your own link to our forum says » SSL security flaw with MD5 certificates announces today that's nothing even close to "hacking any website" KARL, STOP SPREADING FUD! I have to agree with you. Though they claim its just a "proof-of-concept" aka POC or Piece o' cr4p. I love how people always go "omgz its a new exploitz, lets all freak out" - and never actually demonstrates that it works. I mean what the hell people, so if I sat there and said that I found a "POC" exploit for Linux servers would you all jump out of your chair and go "I'm switching to Windows Server". I hope not (assuming I could explain exactly how it worked).
And actually this is partly the browsers fault, and the HTTPS scheme as a whole. I mean I just find the whole idea of *paying* for security a little unsecure. CA's don't maintain SSL, so why should we shell out $$$ to them? But, whatever, back to the point at hand. So lets point out the browser: its stupid. It wont tell you *what* CA verified (unless you manually look) the cert, just that its good; wait...so a cert from ABC company is as valid of a cert from verisign? Uhhh...I see something wrong with that myself but regardless.
I actually did see that a long time ago that 2 (chinese?) people claimed to have "broken" the MD5 algorithm (they claimed they were able to determine collisions or something like that...). They never posted any evidence, just that they broke it. Here it is, what a couple years later, I haven't seen a story on how MD5 is really broken, have you? What makes that even more of a laugh is that MD5 isn't an encryption, its just a hash algorithm. What makes THIS story a laugh too is that MD6 was talked about a long time and seems to be available for your greedy downloading hands.
My question I propose to you:
If MD6 is available, why not use THAT in certificates instead of MD5? After all, don't we trust in CA's to keep our sites and data secure and encrypted? I know I sure don't for my own sites/services (you might be like "wtf?", but I am coming with a solution to that).
In my conclusion, its merely just a response to increase of technology. Its like saying you can find the prime numbers to a 20 digit (I don't know, some obscene number) composite number in a matter of seconds on a quad core, with 64bit os with 4GBs of RAM. Yeah, its defiantly going to make that large number look like nothing on modern technology, but when the number was put out there - the technology at the time couldn't handle it. So - there's nothing to see here, move along. |
|
R4M0N
Brazilian Soccer Ownz Joo
join:2000-10-04
Glen Allen, VA | Congratulations
This is the first site I regularly frequent where this topic did not turn into a fanboy bash-fest about the virtues/flaws of the PS3.
There's still hope for geek humanity.  |
|
TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON | reply to Steve
Re: For those wondering "Why Playstation 3s?"
No Actually removing a printf simply displaying the value being calculated completely removed the md5 function from the code. |
|
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| said by TSI Gabe :No Actually removing a printf simply displaying the value being calculated completely removed the md5 function from the code. The compiler did what it was supposed to do: if you were calling a function that had no side effects, it knew that it could eliminate the call without having any effect on correct operation. It was right.
Benchmarking is a known science; calling your operation in a way that insists on a side effect (as I'm sure you found) lets you get the effect you want.
Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
KeysCapt
Premium,Mod
join:2001-07-11
Keys Exile
clubs:
Host:
Time Warner Cable ..
Weather
Ham Radio
Sports Chat
| Not Karl's Fault
That isn't Karl's fault ... if there are any inaccuracies, I'm the one who provided the info from the Wired.com article. It states, "A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of in international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s." Their original blog pointer to the story, now gone, included the "we can hack anything" suggestion. |
|
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
 ·Optimum Online
| reply to k1ll3rdr4g0n
Re: KARL, YOU ARE WRONG.
said by k1ll3rdr4g0n :[ If MD6 is available, why not use THAT in certificates instead of MD5? Hell, why not just turn it all the way up to MD11??? |
|
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online
| Anyone get a replacement cert?
I emailed RapidSSL support about this the day it was published and heard nothing. Now I see official press releases indicating that they will re-issue MD5-signed certs, but no mention of this on the RapidSSL site and no response from support.
Anyone found any more info on getting a reissue?
--
with every mistake we must surely be learning |
|
Kearnstd
Elf Wizard
Premium
join:2002-01-22
Mullica Hill, NJ | reply to espaeth
Re: For those wondering "Why Playstation 3s?"
PS3s really are being used in ways that Sony never intended lol. how long till DARPA builds a supercomputer of 5000 PS3 CPUs lol.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports |
|
