
The PDFs have the same size, but they do not have a header in the file that states their overall size. If PDF had a header at the beginning of the file that states the file size, then it could be harder to find a collision. From what I understand, the attack works by inserting garbage data after a fixed file prefix and before a fixed file suffix (anyone please correct me if I'm wrong).


> If PDF had a header at the beginning of the file that states the file size, then it could be harder to find a collision.

No. It doesn't change anything if the size is in the PDF header. The size of both PDFs is the same, and the header of both PDF files is the same in both "shattered" files now.

What Linus says is that if you tried to put these two PDF files in git, it would not see them as the same, as git calculates the sha1 differently. But Google would be able to produce two PDF files that would, as git sees them, appear to be the same just as easily as these that were produced.

P.S. (answer to your answer to this message) Note, you wrote one level above

> If PDF had a header at the beginning of the file that states the file size, then it could be harder to find a collision.

And I argued that it isn't harder, but irrelevant.

From your answer:

> But to generate a collision with a different prefix q one would have to do the expensive computation all over again

Yes. Now read what your claim was again. It's not harder. Exactly as easy as the first time.


> But Google would be able to produce two PDF files that would, as git sees them, appear to be the same just as easily as these that were produced.

Right, but they would have to re-do their enormous calculation. ("This attack required over 9,223,372,036,854,775,808 SHA1 computations.")

Google started with a common prefix p (the PDF header), then computed blocks M11, M12, M21 and M22, such that (p || M11 || M21 || S) and (p || M12 || M22 || S) collide for any suffix S. Given p, M11, M12, M21 and M22, anyone can make colliding PDFs that show different contents quickly. But to generate a collision with a different prefix q, e.g. one including the file size, one would have to do the expensive computation all over again, I think.

Note: I'm not trying to argue that SHA-1 can be made secure with padding. I was just trying to say that the statement "The PDFs have the same size" misses the point.
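
Added example, not part of any comment in this thread: a toy Merkle-Damgård hash with a 32-bit chaining value (so a collision search takes well under a second) that reproduces the structure discussed above. A collision found after prefix p survives any common suffix, disappears when a git-style `blob <size>\0` header changes the prefix, and can be found again for the new prefix at the same cost. All names, the 8-byte block size and the sample prefix and suffix are constructed for illustration.

```python
import hashlib
from itertools import count

BLOCK, STATE = 8, 4  # toy sizes: 8-byte blocks, 32-bit chaining value

def compress(state, block):
    # Stand-in compression function: truncated SHA-256 of state || block.
    return hashlib.sha256(state + block).digest()[:STATE]

def absorb(data, state=b"\x00" * STATE):
    # Run the compression function over block-aligned data, without padding.
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg):
    # Merkle-Damgard with length padding, the style of construction SHA-1 uses.
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK) + len(msg).to_bytes(BLOCK, "big")
    return absorb(padded)

def git_style(content):
    # git hashes "blob <size>\0" followed by the content, so the prefix differs.
    return toy_hash(b"blob %d\x00" % len(content) + content)

def find_collision(prefix):
    # Birthday search for two distinct blocks with equal chaining value after prefix.
    start, seen = absorb(prefix), {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        out = compress(start, block)
        if out in seen:
            return seen[out], block
        seen[out] = block

def demo():
    p, s = b"%PDF-1.3", b"trailer!"      # constructed 8-byte prefix and suffix
    m1, m2 = find_collision(p)           # the one-time expensive step, for prefix p
    a, b = p + m1 + s, p + m2 + s        # same length, different middle block
    q = b"blob %d\x00" % len(a) + p      # new prefix; the size is known in advance
    n1, n2 = find_collision(q)           # same cost again, for prefix q
    c, d = p + n1 + s, p + n2 + s
    return {
        "plain_collide": a != b and toy_hash(a) == toy_hash(b),
        "any_suffix": toy_hash(a + b"more") == toy_hash(b + b"more"),
        "git_sees_same": git_style(a) == git_style(b),
        "redone_for_git": c != d and git_style(c) == git_style(d),
    }

if __name__ == "__main__":
    print(demo())
```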


Why would that make the attack harder? Both PDFs are the same length.


Leipzig was rebuilt with essentially the same layout as before the war. If anything, additional space was used for larger roads.

Here is a video comparing a tram ride through Leipzig in 1992 with one in 1931:

https://www.youtube.com/watch?v=YX4wGWzWqBk


> I thought Hacker News was above Nazi-comparisons

> [makes Nazi-comparison]

Edit: Parent changed

> Downvoted without response? I guess I shouldn't be surprised, groups that resort to tactics like those at Berkeley are hardly above trying to silence discussion here with downvotes.

into

> (But I'd rather we avoid Nazi comparisons altogether. They can be an effective way for an author to get attention but they can be used by both sides and they rarely lead to useful discussion.)

The latter I can agree with.


I'm willing to engage in discussion at any level the community prefers.

I'd rather not have it at this level but c'est la vie.

Response to update:

> The latter I can agree with.

Are we still flagging political posts here?

Perhaps we could agree to flag Nazi-comparisons, at least.

In that spirit, it's fair to downvote my Nazi-comparison, but only if you also flag the main post.


I'm currently reading Neuromancer again. Still doesn't feel dated.


Feels the opposite to me. It shows it's been written in the 80's. Would "The sky above the port was the color of television, tuned to a dead channel." make sense to young people nowadays?


Or the "3 megabytes of hot ram" :)

Still a good story though.


As a keen cyclist, I often find myself thinking "I should lose 2kg." This amount of weight does make a difference for getting up mountains fast. I'm quite thin already, but it would clearly be possible to lose that much fat. But I've also found that losing these last kilos is quite hard.


Looks like they're using parts of Yi. They seem to have switched to using the rope data type from Yi for the representation of text:

commit: "Add BufRefs and switch to YiString for all internal representations" (23 hours ago)

https://github.com/ChrisPenner/rasa/commit/bb95a3263fc40120e...


The choice of desktop environment is quite a personal matter. I would recommend Gnome 3, which is especially polished on Fedora.

The early transition years from Gnome 2 to Gnome 3 were rough, and I switched to KDE for this time. KDE was fine, but Gnome 3 has been polished a lot in the last few years. So I switched back to Gnome 3 and never looked back :).


> The choice of desktop environment is quite a personal matter.

Absolutely.


This all reminds me of the situation in Eastern Germany just before the German unification. In the election campaigns in Eastern Germany just after the fall of the Iron Curtain, politicians were lobbying for reunification with rather overblown promises for the future of Eastern Germany after the reunification. It should have been clear that these promises weren't realistic, and this was in fact pointed out at the time. But people dismissed these warnings, as they came from the (now free) Eastern German media. It seems that many people now thought that everything the old media said was a lie and dismissed as false everything they were saying. This feels quite similar to the attitudes about the "lying press" that are currently circulating.


> But people dismissed these warnings, as they came from the (now free) Eastern German media

As an East German who participated in the demonstrations (17 at the time), your version is completely and utterly wrong in the main part. Yes, the reunion was painted in a way too nice light. No, we East Germans did NOT vote for it because we were misled - the vast majority of East Germans would have voted for it in any case! There was no alternative.

The vision of being stuck with a useless currency without any value, in the middle of crumbling infrastructure (and whatever problems US infrastructure may have - and I lived in the US for a decade - it's not even close to East Germany, and yes, we had plenty of lead pipes too, in my own house for example), incapable of traveling anywhere (no money), a dead-end society. Our environment was a huge disaster!!

Without reunification everybody who could would have moved West. You may argue that has happened anyway, but I would say not nearly as much as what would have happened if the GDR had remained.

As far as "cost" - this is a somewhat silly argument on the level of an economy. For me, yes, I have to look at my costs, same as for a business. But in an economy somebody's cost is somebody else's income! The US does a lot of "socialism" and planned economy via military spending. Germany did the reunification. I think the German money was well spent in comparison. Okay sorry, that wasn't supposed to be an argument about US military spending, I have no idea about its overall effects, but I know about the effects of the German reunification.

The environmental cleanup alone was HUGE, you have no idea (it seems to me). I lived next to a very large chemical fiber factory (where I learned too), such filth, huge mountains(!) of ash nearby from the (horribly dirty) power plant, the river that ran by without much life and you didn't want to touch the water. Today: The water is near perfect, the ash-mountains gone (there is a big new modern factory), the power plant modernized, everything is clean. Yes there are a lot less people in the area, but overall I consider it a huge plus.

The depopulation problem is not actually alone that people moved out of East Germany: Quite a few larger cities there are gaining. A big part of it is people moving to cities. Same reason why some areas in the US (Bay Area, where I lived) are gaining, or Munich or Berlin in Germany, or Moscow and St. Petersburg in Russia, while villages suffer. East Germany had been the less populated and more rural part of Germany before too!

So no, overall what they promised about the reunification was not all that oversold. Some individuals may disagree, the majority though most definitely does not regret voting the way they did.

However, your misrepresentation of what happened does remind me of what is going on now. Trump is the work of Russian hackers! People are misled! As someone who feels actually pretty left (at least socially very much so, and when it comes to risks and rewards distribution in society), I am disgusted by what I have to read from "my" camp. Zero reflection, zero analysis. Trump brought out the worst, that is true! I see a lot of it in many of those arguing against him though.


I also was at the demonstrations and I also think that there was no realistic alternative to a reunification.

But at the time people were discussing different ways of performing the reunification. The SPD under Lafontaine proposed a slower approach rather than an immediate reunification. He made the point that because of the crumbling infrastructure and desolate state of the economy, a unification wouldn't be easy, resulting in unemployment etc.

These warnings turned out to be true, and people should have known. But people didn't listen and voted for CDU in great numbers, because they promised it all. And I think one reason for this is that the warnings also came from the old media, so many people thought "They've been lying for so long, this must be false."


> proposed a slower approach rather than an immediate reunification

And that was out of the question. I too would have left the GDR immediately if that would have happened, and pretty much everybody I know too.

It's not true, that's all. We voted for reunification because we wanted it, that's all. A clean fast cut was the right way to go instead of continuing to muddle through. It was impossible to do a "smoother" transition - not unless the BRD would have disallowed people to move there and would have forced us to remain!


> And that was out of the question. I too would have left the GDR immediately if that would have happened, and pretty much everybody I know too.

So what? Depopulation happened anyway due to unemployment. I'm not convinced that substantially more people would have left if reunification had been planned for 1995, for example.


There would have been no difference in outcome if it had been "planned" for 1995 - so no reason not to do it right away. Do you really believe anything would have been better for the East German industry? It was nothing but junk, yes even what was supposed to be the best factories.

Except for a minority in East Germany there was no reason for a delay. The difficult and hard adaptation was inevitable! The GDR was a complete wreck.


The author (Fefe) is a well-known member of the Chaos Computer Club (CCC). He has a well-known blog (in German) about hacker news that is widely read.

https://en.wikipedia.org/wiki/Felix_von_Leitner

https://de.wikipedia.org/wiki/Fefes_Blog


The CCC however hosts many productive, far less hostile members and positions!

Not that you implied different, but I think that this text isn't a great example for the many cool things the CCC does.

https://www.ccc.de/en/


Yes, I agree. Also, this text is quite old and isn't all that representative of his blog either. The blog takes controversial positions, but is entertaining at the same time. It's sort of like a yellow-press newspaper for CCC hackers, if that makes sense.


Looks like it's a concurrency bug that is only triggered non-deterministically under certain circumstances. It is probably hard to reproduce reliably in a test, if this is possible at all.

