Blog/February 2017/Feb 24th

February 24th

Well, my wife and I have been battling colds off and on. She started it, and passed it on to me. My resistance to her is very low (in all regards), so I took up where she left off. It started with a very painful sore throat, which passed in a few days. I thought it was over, but no; my entire mucus production system has gone into overdrive, and now I sound like a gravel-eating frog.

At least there’s Sudafed.

Speaking of medical issues, I took Esther to have a routine colonoscopy this week. I wouldn’t normally publicly divulge that sort of information about her, but she suggested that perhaps it might spur others to do the same. And given my family history of waiting too long to be checked-out, I agreed with her. So. Everything was fine, B”H; though they did take a couple polyps for further examination. She’ll revisit the doctor after pesaḥ to hear if there’s any reason to make her visits more frequent.

A few minutes of discomfort can save your life.

There was a very significant development in the crypto-world this week. Researchers at Google and the CWI Institute in Amsterdam created an SHA-1 hash collision in a “practical” manner. It’s been known for years that SHA-1 has theoretical weaknesses, but this is the first publicly known intentional hash-collision. I say “practical” in quotes, because the computation required 6,500 years-worth of CPU time and 110 years of GPU time. That’s a lot of computing power, but clearly if Google could pull it off, the NSA and the Chinese could also do it. Perhaps large criminal enterprises could also manage it.

What does it mean for you? Not too much in the near-term. However, in practical terms it means that it is now possible (if not truly feasible) for someone to create a fake electronic document which is “identical with” some other document — “identical” as far as its SHA-1 hash is concerned. This matters because quite a few software products rely on using SHA-1 to determine the authenticity of a document. For example, the git software-control system as well as fossil, which hundreds of thousands of developers use to store their code, use SHA-1 hashes to validate that code has or hasn’t been modified. A determined attacker could possibly create virus-laden code which produces the same SHA-1 hash as “good” code, and thereby subvert the source-code of some product used by millions. For instance: the Linux kernel. That’s not a good thing.

Update: 6500 years of CPU is 56,940,000 hours. The Amazon EC2 service offers CPUs for rent at a current price of $1.591 per hour for a 36-CPU machine (or $ 0.04419 per CPU-hour). Thus, one could purchase the computing power needed for a mere $2,516,178 in current US dollars. Round to $5 million to include overhead costs such as software development and personnel. Forget what I said about governments; you could fund it with a Kickstarter campaign…

Jew Haiku:

Hashes collide now
Nothing done
We own your code base

Daniela and Jeremy returned to the USA from their trip to England. Sarah’s got plans for a short European trip (more on that next week). And Esther and I hope, some day, to be able to vacation in Dimona. I hear it’s nice there, this time of year.

I’ve been juggling two contracts as well as 8th development and a cold. And catching-up with laundry. It’s been a tiring week, and I’m really and truly ready for shabbat and so are Esther and Sarah!

This shabbat it’s just the three of us. We’ll have:
homemade ḥalla, red lentil soup, spice-rubbed baked chicken, veggie chow-mein, roasted cauliflower, roasted potatoes, veggie cholent, various salatim, fruit, and blackcurrant muffins.

Until next time,
shabbat shalom!