From owner-freebsd-security@FreeBSD.ORG Tue Sep 28 20:09:37 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9731216A4CE for ; Tue, 28 Sep 2004 20:09:37 +0000 (GMT) Received: from dfmm.org (walter.dfmm.org [66.180.195.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6562543D46 for ; Tue, 28 Sep 2004 20:09:37 +0000 (GMT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 72571 invoked by uid 1000); 28 Sep 2004 20:09:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Sep 2004 20:09:37 -0000 Date: Tue, 28 Sep 2004 13:09:35 -0700 (PDT) From: Jason Stone X-X-Sender: jason@walter To: freebsd-security@FreeBSD.ORG In-Reply-To: <20040928161359.GA22274@VARK.MIT.EDU> Message-ID: <20040928125056.C79820@walter> References: <20040925140242.GB78219@gothmog.gr> <20040927091710.GC914@orion.daedalusnetworks.priv> <20040928161359.GA22274@VARK.MIT.EDU> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: compare-by-hash (was Re: sharing /etc/passwd) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Sep 2004 20:09:37 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > One thing to keep in mind is that the collision-resistance of SHA-1 is > an unproven conjecture. sure, I was going to mention that - indeed, md4 is the algorithm used in rsync, and it _has_ been shown to be less collision-resistant than the full 128-bits would imply. which means that instead of finding only one collision in the entire lifetime of the universe, you'll find four. it doesn't change the fact that the probability of your computer catching fire and killing you, in an absolutely real and literal sense, is many millions of times higher, and that the time you spend worrying about this would be much, much better spent backing up your data offsite and wearing kevlar pants. also, excellent point someone made about passwords already using md5 in freebsd - this means that there are already an infinite number of passwords that will let someone into your box as root, right now, this very instant. so using rsync, you're hardly worse off.... -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQFBWcUBswXMWWtptckRAi3rAJ4tyujyV0XyT7nC2VpdntVA5KjIbwCdHkpZ OSGmWnJPtrb4DLrwNz0HaEA= =UZOZ -----END PGP SIGNATURE-----