[HN Gopher] The image in this post displays its own MD5 hash ___________________________________________________________________ The image in this post displays its own MD5 hash Author : kstrauser Score : 212 points Date : 2022-09-23 20:58 UTC (2 hours ago) (HTM) web link (retr0.id) (TXT) w3m dump (retr0.id) | kstrauser wrote: | From the discussion: | | > This was particularly tricky to make work because the image | data in a PNG needs to have a valid adler32 checksum, _and_ a | valid crc32 checksum. | Retr0id wrote: | In hindsight, I really regret not including the adler32 and | crc32 in the image itself too, since I knew them ahead of time. | If you inspect them with hexeditor, you'll find they have non- | random values :) | airstrike wrote: | But to make up for it you started and ended with 1337 so all | is forgiven | zeven7 wrote: | Is there an MD5 hash string that hashes to itself? | AustinDev wrote: | Probably not but, would love to be proven wrong. To get this | stuff to work you have to add a ton of garbage data to the end | of the file from what I understand which you can't really do | with a string. | rileymat2 wrote: | It is interesting that the OP used "hash string" instead of | MD5 value. I'd wager that if you dove into string encodings | that you would find some. | kadoban wrote: | There's not _that_ many encodings that feel natural enough. | Maybe: bytes, ascii/utf-8/latin1/etc. (all equiv.), utf-16, | utf-32, maybe ebcdic. | | I guess it should be pretty likely to exist if you try them | all, but the search is likely very computationally | difficult unless I'm forgetting some particular weakness in | md5 (quite possible). | manimino wrote: | Neat question. The best answer seems to be an HN thread from 13 | years ago (!) which posits that the chance of one existing is | ~63%: | | https://news.ycombinator.com/item?id=614079 | | However, it appears no one has actually discovered it yet, if | it exists. | | A more tractable question might be to find a cycle in the MD5 | hash space, like a->b->c->d->a. So one might ask, what is the | shortest MD5 cycle found so far? | Retr0id wrote: | Funny timing, I was joking about this percentage mere days | ago - https://retr0.id/notice/ANnYouw6w2di8XvcNE | XCSme wrote: | This looks impressive. | | Is an MD5 hash still "safe" if you use a salt? Can an attacker | generate a collision having the MD5 hash without knowing the | salt? | Retr0id wrote: | > Can an attacker generate a collision having the MD5 hash | without knowing the salt? | | Depending on how the salt is applied, yes. | kadoban wrote: | Trying to make md5 safe is annoying enough, and has few enough | benefits, that it's basically a waste of time. | | I _think_ that would do it though, if your salt is private and | secure enough and you apply it the right way. I easily could be | missing an attack though, so take with a large grain of salt | (heh). | londons_explore wrote: | There are no known attacks against MD5 as long as the data you | hash is not controllable by the attacker. | | You should still use a different hash algorithm though. | akprasad wrote: | Related, from earlier today: "MD5 Collision with CRC32 Preimage" | https://news.ycombinator.com/item?id=32956235 | inasio wrote: | Related: Inverting hash functions using SAT and SMT solvers [0] | | [0] https://blog.lse.epita.fr/2012/07/31/using-sat-and-smt-to- | de... | Retr0id wrote: | Hi everyone - I go into slightly more detail on my twitter thread | on the same topic: | https://twitter.com/David3141593/status/1573218394358386688 (Yes, | the PNG also survives being uploaded to twitter) | | The pleroma instance linked in the OP is hosted on a very tiny | VPS with no CDN, I fear it may fall over - if it does, consider | swapping to the twitter URL. | | Direct links to the image itself: | | https://retr0.id/media/a13f403f-fff5-4f40-b9a2-13cce355f61b/... | | https://pbs.twimg.com/media/FdUxWg-XkAE5FBx?format=png&name=... | TheSpiceIsLife wrote: | Was the 1337 at either end of the hash intentional? | Retr0id wrote: | Yes | [deleted] | kstrauser wrote: | Sorry if I overwhelmed your VPS! But seriously, this was super | impressive. Well done! | Retr0id wrote: | It's still alive, just barely! CPU[********** | ************************************************************* | ******100.0%] Tasks: 49, 30 thr; 1 running Mem[|||||| | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| | |||****641M/768M] Load average: 2.51 2.12 2.01 | Swp[|||||||||||||||||||||||| | 215M/768M] Uptime: 166 days(!), 19:40:07 | kstrauser wrote: | My Mastodon instance cries in how little RAM you're able to | run that on. I'm envious. | tacker2000 wrote: | Impressive! This is the true "hacking" spirit! | thrdbndndn wrote: | All the reply links other than #2 don't work. Any idea? | Retr0id wrote: | I disabled replies to save server resources, it would probably | be down right now, otherwise. If you have access to another | fediverse instance, you should be able to view them that way. ___________________________________________________________________ (page generated 2022-09-23 23:00 UTC)