Re: Month of Random Hashes: DAY THREE

["Month of Random Hashes" <morh () hush ai>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mayhem,

Your loss to Frank Trigg was a horrible embarrassment.  You are
further embarrassing yourself by offering criticism on something
you clearly do not understand.  Please be patient, full-disclosure
is not a place for flames.  If you are confused as to what the
purpose of this list is, the community urges you to read the list
charter, which is available at:

http://lists.grok.org.uk/full-disclosure-charter.html

If you have further questions to the purpose of the list, then
please ask and many of us from the community will be glad to help
you.

We are still working on the FAQ for the Month of Random Hashes
Project.  Please bear with us until we have had time to complete it.

Thank you for your kind understanding.


On Fri, 15 Jun 2007 17:49:12 -0400 Jason Miller
<jammer128 () gmail com> wrote:
> I still think this is useless. What am I going to do with hashes?
> This
> whole Month of * BS is making me want to unsubscribe from the
> listing.
>
> On 6/15/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu>
> wrote:
> > On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> > > but only one string can produce that md5 hash signature,
> > > that sha1 hash signature, fucking that sha256 hash signature,
> fucking that
> > > <any_other> hash signature, etc...
> >
> > Nope.  There's an infinite number of strings that would produce
> the same
> > MD5/sha1/sha256/whatever hash.  The interesting point about such
> hashes is
> > that although given a particular string A, we can *easily*
> compute the hash H.
> > However, knowing H, we don't have a good way to recover A, nor
> do we have any
> > easy way to compute a *second* string B that hashes to H.
> >
> > So, given a hash H, we know one of 3 things is true:
> >
> > 1) The person we got H from has A, and easily computed H.
> > 2) The person doesn't have A, but does have either a way to use
> several million
> > CPU-years or a crypto breakthrough to compute some string B that
> also hashes to H
> > 3) The person just pulled a pseudo-random string of bits out of
> their ass,
> > called it H, and has as little clue about A and B as we do.
> >
> > At the current time, (2) is believed to be impractical, and (3)
> fails the
> > instant the person actually has to produce A itself.  As a
> result, we can
> > usually presume that if they have a hash H, they've got the A it
> hashed from.
> > This becomes interesting if you want to prove that you have a
> prior claim on
> > something, without revealing the something (for instance, an
> advisory or PoC
> > for something while you're still working with a vendor about
> fixing it) - you
> > can (for instance) post the hash of it on May 1, release the
> announcement on
> > July 1, and when others dispute your claim you knew about it on
> May 1, you can
> > point to the hash from May 1, and show it's the same as the hash
> of your July 1
> > announcement, and thus prove you knew about it back on that
> date.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkZzSDIACgkQU0oRLIlju1HmbgP+OV6RMkaxssTbhZP6MtKlxn+xk/Dg
CnRiSUsbyd0pdm+kS8h6QD5otAtjQF71RG0ii4/5wc2PPS/IeJMTzTnzAk5WBSqwq7Vy
ervqT/oYZ2juSqRyWa6snVePA+HcFDbcFIc6+FD5YFPhSbUUlmUyFD0NEZJioOMH4lZX
0W+00vo=
=ZRf1
-----END PGP SIGNATURE-----

--
Click here for free information on nursing jobs, up to $150/hour
http://tagline.hushmail.com/fc/CAaCXv1Rz1p1cxPJbMS6W9Po8lqIfuyG/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/