Re: Debian Project Leader Election 2003 Results
>> On Mon, 31 Mar 2003 19:28:57 +0100,
>> Matthew Wilcox <email@example.com> said:
> On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
>> Sam Hartman <firstname.lastname@example.org>, in
>> <email@example.com> (which seems to have gone
>> only to the list).
> Well, that was fucking stupid.
>> True, though I think even finding collisions on that timescale
>> would be an accomplishment.
> Let's try using some numbers. An md5sum is 16 bytes -- 128
> bits. On average, you need 2^64 samples to find a collision. So
> you need around 600 million samples per second to find one
> collision in a year (assuming you're going for a brute-force attack
> and you're not exploiting some of the weaknesses of md5). Let's
> assume your 3GHz processor takes 1000 cycles to calculate an md5sum
> (I don't know what it really is.. a real number wouldn't hurt at
> this point..), so it can do 3 million samples/s. 200 of them will
> do it.
> It's an accomplishment, but it's affordable. Voters supplying a
> salt makes it non-doable.
Right. And now make that collision be the login id of another
Debian developer who has voted the same way as the first developer.
Frankly, there are more important things to be done on devotee
than protecting against such astronomical odds.
Many changes of mind and mood; do not hesitate too long.
Manoj Srivastava <firstname.lastname@example.org> <http://www.golden-gryphon.com/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
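The two costs being compared in this thread, as an added example that is not part of the original messages or of devotee's code: finding any two inputs with the same digest (the birthday estimate quoted above) versus producing an input whose digest matches one of a fixed set of existing values (the case raised in the reply). MD5 is truncated to 16 bits so the experiment runs in seconds; the login names and the input format are constructed for illustration.

```python
import hashlib
import math
from itertools import count

def trunc_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data); a small `bits` keeps the demo fast."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def samples_until_collision(bits: int, seed: int) -> int:
    """Birthday case: hash distinct inputs until ANY two digests match."""
    seen = set()
    for i in count():
        h = trunc_md5(f"{seed}:{i}".encode(), bits)
        if h in seen:
            return i + 1
        seen.add(h)

def samples_until_target_hit(bits: int, targets: list, seed: int) -> int:
    """Targeted case: hash inputs until one matches a digest in a FIXED set."""
    if not targets:
        raise ValueError("need at least one target")
    wanted = {trunc_md5(t.encode(), bits) for t in targets}
    for i in count():
        if trunc_md5(f"{seed}:{i}".encode(), bits) in wanted:
            return i + 1

def birthday_expected(bits: int) -> float:
    """Expected samples for any collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def target_expected(bits: int, n_targets: int) -> float:
    """Expected samples to hit one of n_targets fixed digests: 2^bits / n."""
    return 2 ** bits / n_targets

def mean_over_seeds(fn, trials: int) -> float:
    """Average fn(seed) over seeds 0..trials-1."""
    return sum(fn(seed) for seed in range(trials)) / trials

if __name__ == "__main__":
    BITS = 16                                   # toy digest size (assumption)
    LOGINS = ["alice", "bob", "carol", "dave"]  # constructed sample logins
    b = mean_over_seeds(lambda s: samples_until_collision(BITS, s), 200)
    t = mean_over_seeds(lambda s: samples_until_target_hit(BITS, LOGINS, s), 40)
    print(f"any collision : measured {b:8.0f}, predicted {birthday_expected(BITS):8.0f}")
    print(f"fixed targets : measured {t:8.0f}, predicted {target_expected(BITS, len(LOGINS)):8.0f}")
    print(f"at 128 bits   : {birthday_expected(128):.2e} vs {target_expected(128, len(LOGINS)):.2e}")
```

The last line extrapolates both formulas to the full 128-bit digest, where the gap between the two cases is the difference between roughly 2^64 and roughly 2^126 samples.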