SHA1 cracked .... What are the chances this will be addressed in LC?

SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
Hi everyone,

Read this article today. I use SHA1 in my software, so

https://www.recode.net/2017/2/23/14715570/google-researchers-crack-internet-security-tool-sha1-encryption

What do you all think? Should I bother reporting this? or is it fair to say
they know about it?  What are the chances that there will be extra effort
placed on adding another sha digest function? sha256?

Thanks

Tom
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
I think everybody is overplaying this.

It will only matter if the amount of money or other advantages is worth at
least $110,000.

The algorithm executed in Amazon's cloud at the cheapest rate would cost
that much in processing to get 1 key.

The only people that will waste YOUR money to do this are governments and
they have the equipment.
If you really have something they want so much they will come through your
door.

Depending on what you are doing why not do 2 SHA1 or even a Blowfish
encrypt first.

Better yet - you could write your own in a few hours based on other code
 - it doesn't have to be particularly clever since they don't know the
algorithm how will they break it unless it's just a simple transposition?

Read between the lines Google doesn't use it so obviously people will start
using Google's which with 100% certainty will have a backdoor in it
looking as to how they removed 140,000 indexed pages of www.naturalnews.com
after the owner didn't give in to blackmail - "Don't be evil" my arse.

http://www.newstarget.com/2017-02-23-breaking-mike-adams-and-alex-jones-taken-down-by-google-cia-prior-to-big-event-trump-needs-to-beware.html

 A bit of history of backdoors and homegrown encryption algorithm
http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.php#axzz4Zb6ctE4v

I'm certainly not going to lose sleep over this.


Lagi

On 24 February 2017 at 01:25, Tom Glod via use-livecode <
[hidden email]> wrote:

> Hi everyone,
>
> Read this article today. I use SHA1 in my software, so
>
> https://www.recode.net/2017/2/23/14715570/google-researchers-crack-internet-security-tool-sha1-encryption
>
> What do you all think? Should I bother reporting this? or is it fair to say
> they know about it?  What are the chances that there will be extra effort
> placed on adding another sha digest function? sha256?
>
> Thanks
>
> Tom

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
Thanks for sharing your thoughts on this Lagi, you make some good points.

On Fri, Feb 24, 2017 at 5:44 AM, Lagi Pittas via use-livecode <
[hidden email]> wrote:

> I think everybody is overplaying this.
>
> It will only matter if the amount of money or other advantages is worth at
> least $110,000.
>
> The algorithm executed in Amazon's cloud at the cheapest rate would cost
> that much in processing to get 1 key.
>
> The only people that will waste YOUR money to do this are governments and
> they have the equipment.
> If you really have something they want so much they will come through your
> door.
>
> Depending on what you are doing why not do 2 SHA1 or even a Blowfish
> encrypt first.
>
> Better yet - you could write your own in a few hours based on other code
>  - it doesn't have to be particularly clever since they don't know the
> algorithm how will they break it unless it's just a simple transposition?
>
> Read between the lines Google doesn't use it so obviously people will start
> using Google's which with 100% certainty will have a backdoor in it
> looking as to how they removed 140,000 indexed pages of www.naturalnews.com
> after the owner didn't give in to blackmail - "Don't be evil" my arse.
>
> http://www.newstarget.com/2017-02-23-breaking-mike-adams-and-alex-jones-taken-down-by-google-cia-prior-to-big-event-trump-needs-to-beware.html
>
>  A bit of history of backdoors and homegrown encryption algorithm
> http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.php#axzz4Zb6ctE4v
>
> I'm certainly not going to lose sleep over this.
>
>
> Lagi



--
*Tom Glod*

CEO @ *MakeShyft R.D.A* - www.makeshyft.com



Developer of *U.M.P* - www.IamUMP.com

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
In reply to this post by J. Landman Gay via use-livecode
It may cost $110,000 today but the computational cost of executing this
exploit will decrease year on year until it is trivial to perform. I would
think it much better to address this issue immediately so that applications
being made now are future proofed.

There is also the PR element to consider - Does Livecode really want to be
advertising a demonstrably insecure hash algorithm as a feature...

On Fri, Feb 24, 2017 at 10:44 AM, Lagi Pittas via use-livecode <
[hidden email]> wrote:

> I think everybody is overplaying this.
>
> It will only matter if the amount of money or other advantages is worth at
> least $110,000.
>
> The algorithm executed in Amazon's cloud at the cheapest rate would cost
> that much in processing to get 1 key.
>
> The only people that will waste YOUR money to do this are governments and
> they have the equipment.
> If you really have something they want so much they will come through your
> door.
>
> Depending on what you are doing why not do 2 SHA1 or even a Blowfish
> encrypt first.
>
> Better yet - you could write your own in a few hours based on other code
>  - it doesn't have to be particularly clever since they don't know the
> algorithm how will they break it unless it's just a simple transposition?
>
> Read between the lines Google doesn't use it so obviously people will start
> using Google's which with 100% certainty will have a backdoor in it
> looking as to how they removed 140,000 indexed pages of www.naturalnews.com
> after the owner didn't give in to blackmail - "Don't be evil" my arse.
>
> http://www.newstarget.com/2017-02-23-breaking-mike-adams-and-alex-jones-taken-down-by-google-cia-prior-to-big-event-trump-needs-to-beware.html
>
>  A bit of history of backdoors and homegrown encryption algorithm
> http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.php#axzz4Zb6ctE4v
>
> I'm certainly not going to lose sleep over this.
>
>
> Lagi

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
Hi

I didn't say they shouldn't do it I said I won't lose any sleep over it.
I don't think it needs to be built in either - just a library will do and
everybody can tweak it a little bit so that NOBODY knows which one it is -
that'll piss TPTB off.

Lagi

On 24 February 2017 at 13:58, Dan Brown via use-livecode <
[hidden email]> wrote:

> It may cost $110,000 today but the computational cost of executing this
> exploit will decrease year on year until it is trivial to perform. I would
> think it much better to address this issue immediately so that applications
> being made now are future proofed.
>
> There is also the PR element to consider - Does Livecode really want to be
> advertising a demonstrably insecure hash algorithm as a feature...

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
In reply to this post by J. Landman Gay via use-livecode
As much as I enjoy chatting with other users, a while back I had hoped
to make this more actionable by submitting an enhancement request for
sha256:

http://quality.livecode.com/show_bug.cgi?id=14223

The challenge with satisfying that request is twofold:

- sha2 is not a single algo, but a family of algos, and requires new
syntax forms that have to be thought out in addition to the more complex
engineering work to support that new set of language design patterns.

- This chart shows that sha2 already has minor weaknesses, which will
likely become more significant over time, suggesting we might already
start looking at extending the afore-mentioned framework even further to
include sha3 (and I suppose even be prepared for the inevitable sha4).
http://valerieaurora.org/hash.html

All that said, in light of the visibility of the issue after the recent
Google research, I discussed this with a member of the core dev team
yesterday, who will be evaluating the merit of this more comprehensive
framework vs perhaps a simpler implementation of merely the most
commonly-used sha2 flavor for now.

After that analysis is done I trust we'll get an update on that soon.

For now, just rest assured that they read the same security bulletins we
do (Peter tends to read more than me, so I always pick up a trick or two
talking with him about security), and are actively exploring options for us.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for Desktop, Mobile, and Web
  ____________________________________________________________
  [hidden email]        http://www.FourthWorld.com


Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
It's good to hear it's being looked at by the core team. I trust the most
obvious correct decision will be made eventually.

On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode <
[hidden email]> wrote:

> As much as I enjoy chatting with other users, a while back I had hoped to
> make this more actionable by submitting an enhancement request for sha256:
>
> http://quality.livecode.com/show_bug.cgi?id=14223
>
> The challenge with satisfying that request is twofold:
>
> - sha2 is not a single algo, but a family of algos, and requires new
> syntax forms that have to be thought out in addition to the more complex
> engineering work to support that new set of language design patterns.
>
> - This chart shows that sha2 already has minor weaknesses, which will
> likely become more significant over time, suggesting we might already start
> looking at extending the afore-mentioned framework even further to include
> sha3 (and I suppose even be prepared for the inevitable sha4).
> http://valerieaurora.org/hash.html
>
> All that said, in light of the visibility of the issue after the recent
> Google research, I discussed this with a member of the core dev team
> yesterday, who will be evaluating the merit of this more comprehensive
> framework vs perhaps a simpler implementation of merely the most
> commonly-used sha2 flavor for now.
>
> After that analysis is done I trust we'll get an update on that soon.
>
> For now, just rest assured that they read the same security bulletins we
> do (Peter tends to read more than me, so I always pick up a trick or two
> talking with him about security), and are actively exploring options for us.
>
> --
>  Richard Gaskin
>  Fourth World Systems
>  Software Design and Development for Desktop, Mobile, and Web
>  ____________________________________________________________
>  [hidden email]        http://www.FourthWorld.com



--
*Tom Glod*

CEO @ *MakeShyft R.D.A* - www.makeshyft.com



Developer of *U.M.P* - www.IamUMP.com

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
Why does it need to be a part of the language and not a widget or a library
stack which we can all fiddle with for our projects , which would make it
more difficult for the bad boys to decrypt?


Lagi

On 24 February 2017 at 17:15, Tom Glod via use-livecode <
[hidden email]> wrote:

> It's good to hear it's being looked at by the core team. I trust the most
> obvious correct decision will be made eventually.

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode


On 24/02/2017 17:18, Lagi Pittas via use-livecode wrote:
> Why does it need to be a part of the language and not a widget or a library
> stack which we can all fiddle with for our projects , which would make it
> more difficult for the bad boys to decrypt?

Cryptographic hash implementations have a lot of fairly strict
requirements that make them extremely difficult to implement in a
language like LiveCode.  For example, they have to run in _exactly_ the
same amount of time for the same number of bytes of input, no matter
what those bytes are.

It would be good to have an external that provides a nice variety of
cryptographic hashes, though.

                                         Peter

--
Dr Peter Brett <[hidden email]>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode


Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
In reply to this post by J. Landman Gay via use-livecode
Lagi Pittas wrote:

 > Why does it need to be a part of the language and not a widget
 > or a library stack which we can all fiddle with for our projects,
 > which would make it more difficult for the bad boys to decrypt?

Peter covered why it should be done in C, but if you really need sha256
today Mark Smith's libSHA includes a scripted version:

http://marksmith.on-rev.com/revstuff/

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for Desktop, Mobile, and Web
  ____________________________________________________________
  [hidden email]        http://www.FourthWorld.com


Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
I dl'd and also sent him some money.

Bob S


> On Feb 24, 2017, at 09:56 , Richard Gaskin via use-livecode <[hidden email]> wrote:
>
> Peter covered why it should be done in C, but if you really need sha256 today Mark Smith's libSHA includes a scripted version:
>
> http://marksmith.on-rev.com/revstuff/
>
> --
> Richard Gaskin



Re: SHA1 cracked .... What are the chances this will be addressed in LC?

axwald
In reply to this post by J. Landman Gay via use-livecode
Hi,

few days ago I read about PHP incorporating a modern crypto lib now:
> https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library

Not a specialist regarding this, but wouldn't it be possible to interface such?
> https://github.com/jedisct1/libsodium

@Lagi: The first customer already called to ask if I'd use "this security risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny plausibly :)
Even if I agree with you about the real risk, it would be very bad idea not to update any commercial software now. It might even have juristic consequences, knowingly using broken crypto?

Anyway. Have fun!
• Livecode programming until the cat hits the fan •

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
In reply to this post by J. Landman Gay via use-livecode
An aside response...

> Read between the lines Google doesn't use it so obviously people will start
> using Google's which with 100% certainty will have a backdoor in it
> looking as to how they removed 140,000 indexed pages of www.naturalnews.com
> after the owner didn't give in to blackmail - "Don't be evil" my arse.

While Google may include a backdoor (something I consider unlikely but I realise that's no less conjecture than '100% certainty'), the Natural News issue isn't what the site owners paint it to be. This https://www.google.co.uk/amp/s/www.seroundtable.com/amp/google-natural-news-deindex-23463.html is a good place to start for reference.

k

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode <
[hidden email]> wrote:

> While Google may include a backdoor (something I consider unlikely but I
> realise that's no less conjecture than '100% certainty'), the Natural News
> issue isn't what the site owners paint it to be. This
> https://www.google.co.uk/amp/s/www.seroundtable.com/amp/google-natural-news-deindex-23463.html
> is a good place to start for reference.
>

Just reading a couple of paragraphs of that site was enough to tell me that
the connection with reality was, well, tenable.   Black helicopters, the
trilateral commission, VWRC, and Yeti conversations would have fit in . . .


--
Dr. Richard E. Hawkins, Esq.
(702) 508-8462

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
For those interested there is a SHA-1 collider here to have a play with
https://alf.nu/SHA1

On 25 Feb 2017 3:18 p.m., "Dr. Hawkins via use-livecode" <
[hidden email]> wrote:

> On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode <
> [hidden email]> wrote:
>
> > While Google may include a backdoor (something I consider unlikely but I
> > realise that's no less conjecture than '100% certainty'), the Natural News
> > issue isn't what the site owners paint it to be. This
> > https://www.google.co.uk/amp/s/www.seroundtable.com/amp/google-natural-news-deindex-23463.html
> > is a good place to start for reference.
> >
>
> Just reading a couple of paragraphs of that site was enough to tell me that
> the connection with reality was, well, tenable.   Black helicopters, the
> trilateral commission, VWRC, and Yeti conversations would have fit in . . .
>
>
> --
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
In reply to this post by axwald
On 24/02/2017 18:47, axwald via use-livecode wrote:

> few days ago I read about PHP incorporating a modern crypto lib now:
>> https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library
>
> Not a specialist regarding this, but wouldn't it be possible to interface
> such?
>> https://github.com/jedisct1/libsodium
>
> @Lagi: The first customer already called to ask if I'd use "this security
> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
> plausibly :)
> Even if I agree with you about the real risk, it would be very bad idea not
> to update any commercial software now. It might even have juristic
> consequences, knowingly using broken crypto?

If you're using SHA-1 to implement an HMAC, you should already be using
the recommended formulation:

     hmac := hash(key | hash(key | message))

Or, in LiveCode:

     function HmacSha1(pKey, pData)
         return sha1digest(pKey & sha1digest(pKey & pData))
     end HmacSha1

If you are doing this, then the current attack on SHA-1 does not affect
the security of your system at all [1].

                                         Peter

[1] I am not a cryptographer but this is my understanding of the situation.

--
Dr Peter Brett <[hidden email]>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode


Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
Thanks for that Peter! I've been thinking about a way to encrypt data for storage in database systems for things like passwords and server credentials. Now to figure out how to decrypt it...

Bob S


> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode <[hidden email]> wrote:
>
>    function HmacSha1(pKey, pData)
>        return sha1digest(pKey & sha1digest(pKey & pData))
>    end HmacSha1



Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
In reply to this post by J. Landman Gay via use-livecode
err... This does not work. I cannot find a function called sha1digest in the LC library.

Bob S


> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode <[hidden email]> wrote:
>
> Or, in LiveCode:
>
>    function HmacSha1(pKey, pData)
>        return sha1digest(pKey & sha1digest(pKey & pData))
>    end HmacSha1
>
> If you are doing this, then the current attack on SHA-1 does not affect the security of your system at all [1].
>



Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
Bob Sneidar wrote:

 > I cannot find a function called sha1digest in the LC library.

It's sha-ONE-digest, and it's been around for a while so it should be there.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com


Re: SHA1 cracked .... What are the chances this will be addressed in LC?

J. Landman Gay via use-livecode
I search for SHA in the dictionary, nada. I type sha1digest into a script, right click it, nada. I type shaONEdigest in a script, right click it, nada.

Bob S


> On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode <[hidden email]> wrote:
>
> Bob Sneidar wrote:
>
> > I cannot find a function called sha1digest in the LC library.
>
> It's sha-ONE-digest, and it's been around for a while so it should be there.
>
> --
> Richard Gaskin

