Open Source and information security mailing list archives
 
Message-ID: <200504081853.j38IrVUD006762@turing-police.cc.vt.edu>
Date: Fri Apr  8 19:53:43 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: Case ID 51560370 - Notice of ClaimedInfringement

On Fri, 08 Apr 2005 13:45:51 EDT, Jason said:

> I get the point just fine. Injecting files C and D results in a 
> situation that cannot be resolved without downloading both files.
> 
> Song A = mp3 format file with valid license to BSA
> Song B = mp3 format file without valid license to BSA
> Song C = zip of Song A plus pad to generate MD5
> Song D = zip of Song B plus pad to generate same MD5
> 
> It is now impossible to distinguish between C and D without downloading 
> both. The content inside is still fully usable and valid but a violation 
> cannot be confirmed without yourself violating the law.

On the other hand, note the following:

1) The copyright nazis aren't going to be looking for C *or* D, because they're
only looking for files that have the same hash as A.  They'd have to actually
download C and D and *listen* to it, and identify it (quick - how do you tell
the difference between the audio content of the original Beatles "Come Together"
and the Aerosmith cover of the same song?)

2) It's of course simple to create an arms race where the copyright nazis need to
expend more effort because they can't just go after the MD5 sum.  However, it cuts
both ways - if you see 15 copies of a file available with the same MD5 sum, you can
have *some* trust it's not corrupted.  If you see 15 copies with 15 different hashes,
which one do you trust?

3) If you change the size, date, and MD5 hash and rename it to "Frozzle-bar.doc",
you're not likely to get a note from Metallica's representative about the
pirated copy of their album.  But it's probably not going to be accessed very
much unless you re-rename it to Frozzle-bar-really-metallica-master-of-puppets.doc.
Of course, at that point, you *may* get a note from their representative.. :)
