Melvin Carvalho [ARCHIVE] on Nostr: 📅 Original date posted:2013-04-01 📝 Original message:On 1 April 2013 20:28, ...
📅 Original date posted:2013-04-01
📝 Original message:On 1 April 2013 20:28, Petr Praus <petr at praus.net> wrote:
> An attacker would have to find a collision between two specific pieces of
> code - his malicious code and a useful innoculous code that would be
> accepted as pull request. This is the second, much harder case in the
> birthday problem. When people talk about SHA-1 being broken they actually
> mean the first case in the birthday problem - find any two arbitrary values
> that hash to the same value. So, no I don't think it's a feasible attack
> vector any time soon.
>
> Besides, with that kind of hashing power, it might be more feasible to
> cause problems in the chain by e.g. constantly splitting it.
>
OK, maybe im being *way* too paranoid here ... but what if someone had
access to github, could they replace one file with one they had prepared at
some point?
>
>
> On 1 April 2013 03:26, Melvin Carvalho <melvincarvalho at gmail.com> wrote:
>
>> I was just looking at:
>>
>> https://bitcointalk.org/index.php?topic=4571.0
>>
>> I'm just curious if there is a possible attack vector here based on the
>> fact that git uses the relatively week SHA1
>>
>> Could a seemingly innocuous pull request generate another file with a
>> backdoor/nonce combination that slips under the radar?
>>
>> Apologies if this has come up before ...
>>
>>
>> ------------------------------------------------------------------------------
>> Own the Future-Intel® Level Up Game Demo Contest 2013
>> Rise to greatness in Intel's independent game demo contest.
>> Compete for recognition, cash, and the chance to get your game
>> on Steam. $5K grand prize plus 10 genre and skill prizes.
>> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130401/073ada84/attachment.html>
📝 Original message:On 1 April 2013 20:28, Petr Praus <petr at praus.net> wrote:
> An attacker would have to find a collision between two specific pieces of
> code - his malicious code and a useful innoculous code that would be
> accepted as pull request. This is the second, much harder case in the
> birthday problem. When people talk about SHA-1 being broken they actually
> mean the first case in the birthday problem - find any two arbitrary values
> that hash to the same value. So, no I don't think it's a feasible attack
> vector any time soon.
>
> Besides, with that kind of hashing power, it might be more feasible to
> cause problems in the chain by e.g. constantly splitting it.
>
OK, maybe im being *way* too paranoid here ... but what if someone had
access to github, could they replace one file with one they had prepared at
some point?
>
>
> On 1 April 2013 03:26, Melvin Carvalho <melvincarvalho at gmail.com> wrote:
>
>> I was just looking at:
>>
>> https://bitcointalk.org/index.php?topic=4571.0
>>
>> I'm just curious if there is a possible attack vector here based on the
>> fact that git uses the relatively week SHA1
>>
>> Could a seemingly innocuous pull request generate another file with a
>> backdoor/nonce combination that slips under the radar?
>>
>> Apologies if this has come up before ...
>>
>>
>> ------------------------------------------------------------------------------
>> Own the Future-Intel® Level Up Game Demo Contest 2013
>> Rise to greatness in Intel's independent game demo contest.
>> Compete for recognition, cash, and the chance to get your game
>> on Steam. $5K grand prize plus 10 genre and skill prizes.
>> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130401/073ada84/attachment.html>