[HN Gopher] The image in this post displays its own MD5 hash
___________________________________________________________________
The image in this post displays its own MD5 hash
Author : kstrauser
Score : 212 points
Date : 2022-09-23 20:58 UTC (2 hours ago)
(HTM) web link (retr0.id)
(TXT) w3m dump (retr0.id)
| kstrauser wrote:
| From the discussion:
|
| > This was particularly tricky to make work because the image
| data in a PNG needs to have a valid adler32 checksum, _and_ a
| valid crc32 checksum.
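
Added example (not part of the thread or of the linked post): the two checksum layers named in the quote above, checked independently in Python. Each PNG chunk carries a CRC-32 over its type and data, and the zlib stream inside IDAT ends with an Adler-32 of the uncompressed bytes. The 1x1 sample image and the names `chunk`, `build_sample_png` and `check_png` are constructed for this illustration.

```python
import struct
import zlib

SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    # Chunk layout: 4-byte length, type, data, CRC-32 over type + data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(zstream=None):
    # Constructed sample: 1x1 8-bit grayscale image with one IDAT chunk.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    if zstream is None:
        zstream = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zstream) + chunk(b"IEND", b"")

def check_png(blob):
    # Returns chunk types with a bad CRC-32 and whether the Adler-32 matches.
    if blob[:8] != SIG:
        raise ValueError("not a PNG")
    pos, bad_crc, idat = 8, [], b""
    while pos + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError("truncated chunk")
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:end]
        (stored,) = struct.unpack_from(">I", blob, end)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored:
            bad_crc.append(ctype.decode("latin-1"))
        if ctype == b"IDAT":
            idat += data  # the zlib stream may span several IDAT chunks
        pos = end + 4
    # zlib stream: 2-byte header, raw deflate data, big-endian Adler-32 of
    # the uncompressed bytes. Inflate raw so the trailer is compared by hand.
    inflater = zlib.decompressobj(-15)
    try:
        raw = inflater.decompress(idat[2:])
    except zlib.error:
        return {"bad_crc": bad_crc, "adler32_ok": False}
    trailer = inflater.unused_data[:4]
    ok = len(trailer) == 4 and zlib.adler32(raw) & 0xFFFFFFFF == int.from_bytes(trailer, "big")
    return {"bad_crc": bad_crc, "adler32_ok": ok}
```

A byte changed inside IDAT fails the CRC-32 first; recomputing the CRC-32 alone still leaves the Adler-32 mismatch, which is why both have to hold at once.
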
| Retr0id wrote:
| In hindsight, I really regret not including the adler32 and
| crc32 in the image itself too, since I knew them ahead of time.
| If you inspect them with a hex editor, you'll find they have
| non-random values :)
| airstrike wrote:
| But to make up for it you started and ended with 1337 so all
| is forgiven
| zeven7 wrote:
| Is there an MD5 hash string that hashes to itself?
| AustinDev wrote:
| Probably not, but would love to be proven wrong. To get this
| stuff to work you have to add a ton of garbage data to the end
| of the file from what I understand which you can't really do
| with a string.
| rileymat2 wrote:
| It is interesting that the OP used "hash string" instead of
| MD5 value. I'd wager that if you dove into string encodings
| that you would find some.
| kadoban wrote:
| There's not _that_ many encodings that feel natural enough.
| Maybe: bytes, ascii/utf-8/latin1/etc. (all equiv.), utf-16,
| utf-32, maybe ebcdic.
|
| I guess it should be pretty likely to exist if you try them
| all, but the search is likely very computationally
| difficult unless I'm forgetting some particular weakness in
| md5 (quite possible).
| manimino wrote:
| Neat question. The best answer seems to be an HN thread from 13
| years ago (!) which posits that the chance of one existing is
| ~63%:
|
| https://news.ycombinator.com/item?id=614079
|
| However, it appears no one has actually discovered it yet, if
| it exists.
|
| A more tractable question might be to find a cycle in the MD5
| hash space, like a->b->c->d->a. So one might ask, what is the
| shortest MD5 cycle found so far?
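
Added example (not from the thread): under the usual heuristic that a hash behaves like a random function on N values, the chance of at least one fixed point is 1 - (1 - 1/N)^N, which tends to 1 - 1/e, about 63%. The Python below checks this empirically on MD5 truncated to a few bits, over many keyed variants, and finds a cycle on one of them with Floyd's algorithm. The truncation, the key prefixes and all function names are assumptions made to keep the search small, and none of it bears on whether full 128-bit MD5 has a fixed point.

```python
import hashlib

def truncated_md5(key, x, bits):
    # Toy hash on `bits`-bit integers: top bits of MD5(key || x).
    digest = hashlib.md5(key + x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)

def has_fixed_point(key, bits):
    # Exhaustive search, feasible only because the domain is tiny.
    return any(truncated_md5(key, x, bits) == x for x in range(1 << bits))

def fixed_point_rate(bits=10, trials=400):
    # Each key prefix gives a different function on the same domain.
    hits = sum(has_fixed_point(b"trial-%d:" % i, bits) for i in range(trials))
    return hits / trials

def expected_rate(n):
    # P(at least one fixed point) for a random function on n values.
    return 1 - (1 - 1 / n) ** n

def find_cycle(key, bits, start=0):
    # Floyd's tortoise and hare: returns (a point on the cycle, cycle length).
    f = lambda v: truncated_md5(key, v, bits)
    slow, fast = f(start), f(f(start))
    while slow != fast:
        slow, fast = f(slow), f(f(fast))
    length, probe = 1, f(slow)
    while probe != slow:
        probe, length = f(probe), length + 1
    return slow, length

if __name__ == "__main__":
    print("measured :", fixed_point_rate())
    print("expected :", round(expected_rate(1 << 10), 4))
    print("cycle    :", find_cycle(b"demo:", 16))
```

A cycle of length 1 is exactly a fixed point, so the cycle question in the comment above generalises the fixed-point one.
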
| Retr0id wrote:
| Funny timing, I was joking about this percentage mere days
| ago - https://retr0.id/notice/ANnYouw6w2di8XvcNE
| XCSme wrote:
| This looks impressive.
|
| Is an MD5 hash still "safe" if you use a salt? Can an attacker
| generate a collision having the MD5 hash without knowing the
| salt?
| Retr0id wrote:
| > Can an attacker generate a collision having the MD5 hash
| without knowing the salt?
|
| Depending on how the salt is applied, yes.
| kadoban wrote:
| Trying to make md5 safe is annoying enough, and has few enough
| benefits, that it's basically a waste of time.
|
| I _think_ that would do it though, if your salt is private and
| secure enough and you apply it the right way. I easily could be
| missing an attack though, so take with a large grain of salt
| (heh).
| londons_explore wrote:
| There are no known attacks against MD5 as long as the data you
| hash is not controllable by the attacker.
|
| You should still use a different hash algorithm though.
| akprasad wrote:
| Related, from earlier today: "MD5 Collision with CRC32 Preimage"
| https://news.ycombinator.com/item?id=32956235
| inasio wrote:
| Related: Inverting hash functions using SAT and SMT solvers [0]
|
| [0] https://blog.lse.epita.fr/2012/07/31/using-sat-and-smt-to-
| de...
| Retr0id wrote:
| Hi everyone - I go into slightly more detail on my Twitter thread
| on the same topic:
| https://twitter.com/David3141593/status/1573218394358386688 (Yes,
| the PNG also survives being uploaded to Twitter)
|
| The Pleroma instance linked in the OP is hosted on a very tiny
| VPS with no CDN, I fear it may fall over - if it does, consider
| swapping to the Twitter URL.
|
| Direct links to the image itself:
|
| https://retr0.id/media/a13f403f-fff5-4f40-b9a2-13cce355f61b/...
|
| https://pbs.twimg.com/media/FdUxWg-XkAE5FBx?format=png&name=...
| TheSpiceIsLife wrote:
| Was the 1337 at either end of the hash intentional?
| Retr0id wrote:
| Yes
| [deleted]
| kstrauser wrote:
| Sorry if I overwhelmed your VPS! But seriously, this was super
| impressive. Well done!
| Retr0id wrote:
| It's still alive, just barely!
|
| CPU[*****************************************************************************100.0%]
| Tasks: 49, 30 thr; 1 running
| Mem[||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||****641M/768M]
| Load average: 2.51 2.12 2.01
| Swp[|||||||||||||||||||||||| 215M/768M]
| Uptime: 166 days(!), 19:40:07
| kstrauser wrote:
| My Mastodon instance cries in how little RAM you're able to
| run that on. I'm envious.
| tacker2000 wrote:
| Impressive! This is the true "hacking" spirit!
| thrdbndndn wrote:
| All the reply links other than #2 don't work. Any idea?
| Retr0id wrote:
| I disabled replies to save server resources; it would probably
| be down right now otherwise. If you have access to another
| fediverse instance, you should be able to view them that way.
___________________________________________________________________
(page generated 2022-09-23 23:00 UTC)