Microsoft Vista and MD5SUMs

[d38dm8nw81k1ng]

From what I can squeeze out of Wikipedia (note that this may or may not be correct):

Essentially, assuming that a function has a finite number of outputs and an infinite number of inputs, as more outputs are calculated, it becomes increasingly likely that the same output will be used more than once.

So for example, I don't know the specifics of MD5, but if we take modular arithmetic:

f(a) = a % 5

f(a) has an infinite number of inputs, but can only produce 5 different outputs. Wikipedia reports that MD5 makes uses of modular addition, and so this example may not be as bad as I thought .

Anyway, the birthday paradox is that in a group of 23 people, there is greater than a 50% probability that two of those people will share a birthdate. There are 253 possible pairs that can be made with those 23 people, and with 365 birthdays (ignoring leap years), and assuming an equal distribution (not quite true), it is no longer so difficult to imagine that a birthday is shared.

Anyway, the birthday attack involves taking the true version, and obtaining its hashsum. We then take a fraudulent file and change it around, but without changing its purpose. For instance, one might use a section of memory one higher, or (if source code, for instance), change every instance of 'a' to 'b' in variable names (and other such things that change the file makeup but not its final result). Eventually, one will obtain a file with the same hashsum as the true version.

So in the end, you have a 'good' file and a 'bad' file with the same hash values. The latter can then be distributed in place of the former, with the claim that the data is identical.


EDIT:

And now I discover that there's a second page, where this was already explained .

i asked my maths teacher about this birthday paradox and he confirmed it for me. despite the protests that it wasn't possible for 23 people to have more than 50% chance of having the same birthday he proved it by pulling up a register of all the A2 maths students (25 in total). 22 and 23 had the same birthday (30/0.

[daacosta]

A fellow who makes his living selling software that will not function correctly without constant vigilence to keep out malicious software (including viruses) insults another OS because he considers the licensing scheme "viral". Irony.

What can I say? Linux rox Windoze sux?

Maybe I am not versed in the legal details but in my uninformed opinion BSD's license is perhaps better than GPL's because it allows the user more freedom with his/her creations.

Not to deviate from the topic though, I believe that even if not perfect MD5SUM is a great tool for detecting corrupted downloads. I absolutely like it and see no reason for other OSes for not adopting it...

[easuter]

Maybe I am not versed in the legal details but in my uninformed opinion BSD's license is perhaps better than GPL's because it allows the user more freedom with his/her creations.

hm...has Microsoft ever given the BSD community any form of compensation (monitary or not) for using BSD's TCP/IP stack?

[techieMoe]

Maybe I am not versed in the legal details but in my uninformed opinion BSD's license is perhaps better than GPL's because it allows the user more freedom with his/her creations.

The BSD license does grant more freedom than the GPL, on the surface. However unlike the GPL (which is designed to retain all rights of the original creator) the BSD license grants the freedom to everyone else, which allows other people to come in, modify someone else's code and use it in a piece of proprietary software without ever revealing their changes.

While this is nice from a closed-source company standpoint (such as Microsoft using the TCP/IP stack rather than making their own) it's not nice from the original programmer's standpoint because essentially they've hijacked his work and passed it off as their own. Sure, they still have to mention the original author's name, but they aren't obligated to share the profits with him/her or even let him/her know what, if anything, they changed.

Say for instance I write a piece of code that draws widgets really well. I release that code under a BSD license and it gets used by Microsoft to draw widgets in their new operating system. The BSD license (to the best of my knowledge) says the only thing they owe me for my work is a credit buried somewhere deep in the documentation. What if someone else comes along and improves upon my program and then sells a product with it? Neither they nor Microsoft must do anything but say "Oh, by the way, this is based on code by Mr. X here."

Conversely, if I release my widget drawing program under the GPL and someone improves upon it, they are compelled by the GPL to release those changes back into the wild so that anyone, including myself, can incorporate them, thereby improving the program for everyone. They can still profit off of a product using that code and they still must acknowledge that I wrote it, but the main difference is my code can never be hidden behind closed doors.

[daacosta]

hmmmm... I see your point now... It is true: BSD's license allows anybody to profit from code just by acknowledging the author (e.g., MoeWidget 0.7 (c) by M. Techie is part of Widgigator 1.0 (c) by S. Crew which is proprietary)

I am familiar with the TCP/IP stack and also with OS X but then again, money aside. Which license grants more freedom? BSD's... Why would then someone license a program under BSD's license? * No flame bait intended! If some developer has used this license I'd like to know why give all your work away? *

[techieMoe]

I am familiar with the TCP/IP stack and also with OS X but then again, money aside. Which license grants more freedom? BSD's... Why would then someone license a program under BSD's license? * No flame bait intended! If some developer has used this license I'd like to know why give all your work away? *

Well, to play devil's advocate here: if I wanted the widest possible exposure of my program to the world, the BSD license would allow that. I wouldn't get royalties or anything else for that matter. It would mostly be a matter of pride.

[Javasnob]

Getting back to the security issue for a second, I think Microsoft shouldn't worry so much about MD5SUM and keep an eye on internal security:

http://youtube.com/watch?v=KMU0tzLwhbE

[antidrugue]

Perhaps I missed something in this thread, but md5sums are avalaible on Microsoft site from Windows Vista RC1 and Windows Vista RC2.

RC1 :
http://download.windowsvista.com/pre...n/download.htm

RC2 :
http://download.windowsvista.com/pre...n/download.htm

[techieMoe]

Perhaps I missed something in this thread, but md5sums are avalaible on Microsoft site from Windows Vista RC1 and Windows Vista RC2.

RC1 :
http://download.windowsvista.com/pre...n/download.htm

RC2 :
http://download.windowsvista.com/pre...n/download.htm

Thanks. I could have sworn those weren't available when I downloaded Beta 2 a month ago.

[techieMoe]

I'm re-re-downloading RC2 and this time I'm going to verify the checksum first, thanks to the helpful heads up from antidrugue.