Episode 74
Impractical Attack Vector
Show notes
In this episode, Mike and Steve delve into a mix of playful banter and serious science. They explore the game 'Hiding People' and share the exciting news of NASA's discovery of seven Earth-like planets, while also touching on the importance of scepticism in data analysis.
Topics
- 'Hiding People' game with Mike's daughter
- NASA's discovery of Earth-like planets in the TRAPPIST-1 system
- The importance of scepticism and identifying 'bullshit' in statistical data
- The CloudBleed security issue and its implications
- SHA-1 collision discovery and its impact on systems that rely on SHA-1 hashes
- A course on spotting 'bullshit' at the University of Washington
- Robert De Niro and Robert Kennedy Jr.'s controversial vaccine stance
- The importance of vaccination and its global impact
- Quantum computing in encryption
- Light-hearted discussion on space travel and warp technology
Show transcript
Hey guys, it's time for another episode of Space Welders. Episode 74, recorded Friday, 24th of February, 2017. Impractical Attack Vector. With your hosts, Mike Wise and Steve Rogers.
Stop coming at me like that, Steve, with that strange, strange vector. That was my TIE Fighter impersonation, that was probably quite shit. That's like one of my games this week I've played with my daughter, is Hiding People. I'll put it in the links.
Is it? Do you go out into the woods? What are we going to play today, Daddy? Well, darling, we're going to play a little game of Hiding People.
Hiding People. And the object of the game is that they don't get found, and we're not going to tell anyone where we've hidden them, are we, darling? No, Daddy! Oh God, that was just immediate bait for you.
So it's kind of like a super duper version. And if the men in the blue hats and guns come, what do we do? We run away! That's right.
A super duper version of Where's Wally? And it's on Apple TV, and if you've got a decently sized television, it's enormous and scary because it's like Where's Wally times ten, and it's in black and white, or reverse. So you ain't finding anything, and it's all moving. And it's such a great game.
It's on iPad, I think, iPhone, I don't know if it's on Android, but it just reminded me because all the sound... No one uses Android, though. They were so bored with going and getting actual sound effects, they just put their own in. So you just hear them go bzzz.
They've done it like the draw for the Jackbox Party Pack thing. It reminded me of SimCity, you know, when you put the electric lines in and it goes bzzz, bzzz. In the original, like, SimCity 2000 SimCity. Yeah, when they couldn't afford actual foley work.
So a great week this week, particularly in science, and yesterday NASA had announced something very special. And it has been going on for quite some time and had received some poo-poo from most cosmologists and astronomers out there, but finding Earth-like planets in the Goldilocks zone now paid off in some fashion. And just yesterday, NASA had put a YouTube video up of the actual scientists behind this particular find. But anyway, they found seven Earth-like planets orbiting a nearby star, and it's not that far away.
Yes, the best part is seven Earth-like planets, three of which could be in a habitable zone. It's reasonably close and there's room for all of us so we can finally get off this planet and away from Donald Trump. Yes, so there is now a practical reason to go. So in the presentation yesterday, you can download an app that they've developed so that you can kind of visualise or see or compare how these planets appear on Earth.
I mean, the visualisations are just total artist impressions though, aren't they? There's no way they know, they don't know the atmospheric composition of these planets yet. Not yet, but the science will come within the next five years or so. It's close enough that they can use spectroscopy, they can use a few different methods to actually determine the atmosphere.
What's really interesting is the actual size of this solar system is really small. It's teeny tiny. So there's seven planets. This was discovered by the ESO, which is the European Space Observatory's Transiting Planets and Planetesimals Small Telescope or TRAPPIST.
Wonder if they have that. That's planetesimal. It's definitely a backronym, like they came up with the name first. I was talking about this with someone the other day of space missions where they have an awesome acronym and then they've got to work out what it means.
So they have to do it backwards. So having like planets and planetesimals small telescope. It found its first star, hence it's called TRAPPIST-1, and seven planets labelled B through H. Not quite sure why they don't start with A.
I guess TRAPPIST-1A is the star. I'm having a guess where TRAPPIST comes from. I think because it's from Belgium, right? They produce a particular beer there, which is Westmalle Trappist, with umlaut Malle.
And I've actually been there. I did a gig. Hence the backronym rather than getting it from the other way. Because you can go down in the middle of the city in Brussels, there's a couple of places to go for drinking, of course.
But there's one which is the longest bar in the world. Beer in Brussels? No. No.
And so Westmalle Trappist is there. We can get in Australia. It's extremely alcoholic. It'll put you down very quickly.
Excellent. But it's my... It's of beer. I don't really like beer that much, but that is a beer that I do enjoy.
You like your fancy Belgian beers. I like my fancy Belgian beers. So these planets, they range from just under, so about 75% of the Earth's radius. To just over one and a little bit.
So they're very, very kind of Mars, Venus, Earth size in that range. But what is especially interesting is the kind of the maximum expanse of the solar system in this system is about the same as the Jovian moon system. So obviously Jupiter's moons. The distance that the furthest planet in this new system is, is about as far as the furthest moon is from Jupiter.
It's kind of like Jupiter just got a bit fiery. Yeah. And the star itself... And then the moon melted.
The star itself is about the size of Jupiter. It's only a little bit bigger. It's obviously much more massive in terms of its mass. So it's denser, hence it's a star.
It's a red dwarf star. So it's cold outside. There's no kind of atmosphere. No, not even a giggle.
It's a red dwarf. And so Neil deGrasse Tyson has suggested that the seven planets are named after the seven dwarfs? No. He doesn't get the name.
That's it. He's done his deed. I think we just call them B through H. That's fine.
His country voted in a complete lunatic. No. He doesn't get a chance. So because these planets are so close to their star, the orbital period, so their year, is really short.
So the closest one, TRAPPIST-1b, has an orbital period of 1.5 Earth days. So it goes around the entire distance around its star in one and a half days. It's like the fashion industry would be stuffed. They would be like, and now...
Oh, it's a fall catalogue! Quick! Winter catalogue! Quick!
Summer! So one of the things I really loved about yesterday's presentation, they did it on YouTube, and it was quite awkward because it was just, you know, introverts talking about their stuff. And fascinating in that self. But the thing that they were most excited with, apart from all of the science, is that they had a travel poster.
And it was true. They did it... Was it one of those like... It was scientifically correct.
So if you were standing on... Seeing the stars... Well no, it was... Yeah, it's kind of like that, but if you were standing on the shore, what would you see at night?
You'd probably see the line of the planets, and it's much like seeing the moon, but you've got all these other planets to look at. Well, you would be able to see these planets very clearly from the surface of any of the other planets. It would be such a cool system to live in, because you'd be on different planets. You're not going to different parts of countries, you're just going to different planets.
The thing is, there's a lot of planets, and they're all reasonably sized, or roughly earth-sized as we said. They're all very close to each other. They range in terms of the distance from the star from 0.01 AU, which is astronomical units, which is distance that the Earth is to the Sun, through to 0.06 AU. So they're all within 0.05 astronomical units from their star.
Even the furthest one out that we've discovered so far, anyway, TRAPPIST-1H, their orbital period is 20 days. For comparison, Mercury is 87 days. Venus is 224, Earth 365, obviously, Mars is 686. So these are booking it around their star incredibly quickly, considering it's a star, and very, very close.
Being a red dwarf means it's much cooler than our main sequence Sun, so that's why they can be close in the Goldilocks zone. It's the middle three, I believe, E and F, or E, F, and G, are the ones that are actually in the Goldilocks zone for the star. The closer ones and the further ones are kind of just outside, even though they're Earth-sized. Steve, I'm calling it.
E's mine. There we go. No one else has actually said that. Okay, I'll have F.
Right, you can have F. Yep. If you have a robot army of size that can fend off, you know, the Earthlings, yeah, you can have F all you like. Well, you've heard it, folks.
We called it. Yeah, we called it in Spaceworld Designer. Yeah. Too bad.
That's it. Legally ours. There's been a few people who've tried to do that, but it's not... Well, no, this is it.
This is ours now. If you have any objections, just let us know, info at spaceworlders.com. Sure, you'll say. So, this is a very interesting system.
Red dwarf stars are the most common and the longest living stars in the galaxy. They're probably the most common because they are the longest living star. So TRAPPIST-1 will live for about 10 trillion years, which is 700 times longer than the history of the universe so far. So it's probably going to be around for a little while, this system.
So we've got time to get there and set up our lands. Yeah, but they were saying in the last sort of 20 years of looking for these things, since the 90s, they've found well over 5,000 of these types of planets and obviously there's going to be millions more of these. What the interesting bit is, is that they're always forming around, like they've got the binary red dwarfs for Gliese and those range of planets, which was around red dwarfs and binary red dwarfs indeed. So is it a thing?
Is our sun unusual? Well, we've always, the problem with cosmology is, I don't know if you know this Mike, but space is big. And Steve's saying that with his hand on his hip. It is really, really big.
The problem with cosmology. You may think it's a long way to the shops, but that's peanuts compared to space. And because of that, we have to make certain assumptions when we look at the galaxy or when we make observations and predictions. And one of those assumptions is that the universe is homogeneous, meaning it's the same generally everywhere.
So we look at our local area and our local area, we have a yellow main sequence star roughly halfway through its life or a little bit less. We have a few rocky planets. We have one of which can support life that we know about or main, you know, multicellular life at least. We have a few gas giants out further and there's a lot of asteroids around.
So we make an assumption that this is probably what everywhere is going to be like. So that's what we need to look for. So we need to look for a large-ish star, but not too big. We need to look for smaller rocky planets that orbit it and the planets generally get bigger as we go out.
Maybe gas giants further out, they're easy to spot because they eclipse more of the star. And then we find planets orbiting binary systems. It's like the three-body problem. We find planets orbiting red dwarf stars, incredibly close.
We find hot Jupiters, gas giants that are closer to their star than Mercury is to our Sun. But they're gas giants. So they're the size or even two or three times the size of Jupiter. So discoveries like this just make us realize that, yeah, the universe really isn't...
It's not... It's not what it seems. It's not what it seems. We can't make assumptions necessarily based on what we see right in front of us.
I mean, this is pretty close. This is 40 light years away, which is incredibly close in the scheme of things. So the more observations we get and different things mean we know more of what's out there and we can better improve our predictive capabilities, which means we can hone in on some of these things a lot easier. So some of the things that the scientists were discussing in the presentation was about well, what's the next steps?
This is just new data that's coming on in and they're not able to yet determine the composition of the atmospheres. So is there water on there? They don't know just yet. They want to use Hubble to have a bit of a better look.
Spitzer. Yeah, Spitzer. They can do... James Webb is going to be the big change.
Yeah. That's a game changer. They can use spectroscopy and they can do interferometry, which means they can use multiple telescopes in different locations but combine the results and you end up with a telescope which has an effective mirror size the size of how far apart the two telescopes are, which is so you can have a telescope with an effective size of the planet if you have two telescopes either side. So they know what to do.
We've done this before. We've looked at the atmosphere of exoplanets and other planets in the solar system and stars and things like that. So it will be definitely interesting to see if there are organic molecules, carbon, oxygen, hydrogen, things like that on some of these planets at least. The team were very excited and one of the things that they were dreaming about was the kinds of chemistry on these planets, if it's obviously there and supporting life, of course.
Nature's just going to prove us right or prove us wrong or prove us that it's not the way we thought it was. If we're going to find oxygen or some kind of life, this is the best one we've had so far. Is it more likely that it's also in our own solar system within reach? Like look at the Galilean moon.
Well, it's equally as likely as anything really, but again, we don't know. We look at our own solar system, there's one planet. Is that normal? Is that abnormal?
No. We just don't have the data. There's not enough data for a sufficient answer. Drake's equation, which is a probabilistic argument used to estimate the number of active communicative extraterrestrials out there.
So one of the things that happened... Three. The answer's three. ...was folks got on and said, there's aliens, NASA's going to announce, aliens, we've found them somewhere.
And so it's probably microbial life somewhere and also consider the time that the light's reached us. It could either be dead by the time that we've seen it. Well, this is 40 light years away, so it's only 40 years old, the light, so it's pretty close. Pretty close.
It's avatar distance. This is close enough that you could potentially, if there are people there, you could send them a signal and get a response in a human lifetime. Yeah, but that's also a key point. The researchers said it's not in their lifetime that this research will be...
I mean my lifetime, obviously. Our lifetimes. It's the... No, I mean it's in my lifetime.
Children's will be researching and continue to study this. It's not like it's a star that's a thousand light years away that we don't have a hope of getting it back. No, but we've got something. We can get a response back in, you know, 80 to 100 years, possibly.
But we've got something. We've got something that's another... I mean, if we send a signal to them, like an actual informative signal, rather than just receiving data and receiving light, you could, you know, it means you can get one back, you know, in a reasonable time, which is cool. Yeah, I'm hoping they're not listening to the sort of political machinations going on.
If you are listening, inhabitants of the TRAPPIST-1 system, although I suspect you have your own name for it, let us know. Info at spacewilders.com, follow us on Twitter, it's twitter.com slash spacewilders. Give us a tweet. If you want to come on the show, we'll fire up the Universal Translator and we'll get you on.
Steve, it's probably because they're good at detecting bullshit, so they're probably looking at us going, what a heap of shit. We just want some apes scrabbling in the mud. We just want some peace and quiet, and from these crazy other alien races around us. We've got our planets, we're swirling around, we've got the most amazing fashion scene ever.
Because the thing is, because it's only 40 light years away, they will be receiving our radio transmissions, because it's been more than 40 years since we started broadcasting radio and television signals into space. So they will actually be tuning in for whatever was on TV. What happened to Roseanne? What was on TV 40 years ago, in 1977?
Star Wars! They might be getting Star Wars right now. Maybe they think Star Wars is a documentary, and they'll come and attack us like the ending of Hitchhiker's Guide. Yeah, so they've planned a space highway through us.
Wasn't it I Love Lucy was the first thing broadcast into space, or something like that? Yeah, they'll definitely be receiving our broadcast, so it's within reason. So they'll be looking back, calling bullshit. It turns out, the University of Washington have decided they're going to offer a course.
Offer a course, a very course, Spring Quarter 2017. You can get on it. It's one credit. It's Wednesday.
Turn up from 3.30 to 4.20. They've got an enrolment for 160 students. I think it's legal in Washington, isn't it? Yeah.
Hashtag blaze it. Let's talk about what gets discussed. So there's the introduction to bullshit and spotting it. There's the ecology of the bullshit system, causality, statistical traps, visualisation, big data.
So there is some data analysis stuff in there, publication-wise. This is a Bachelor of Scepticism, right? It is a Bachelor of Scepticism. It's how to spot bullshit.
It's tools people use to propagate bullshit, statistical issues, p-hacking, hiding things in statistics when you don't look into the actual data and they just draw conclusions from it, massaging the data to get the result that you want, you know, cherry-picking bits, you know, writing headlines to do it. It says, at the end of the course, students should be able to provide your crystals and homeopathy aunt or casually racist uncle an accessible and persuasive explanation of why a claim is bullshit. Oh dear.
Amazing. Amazing. But they do have a lot of statistical analysis in here, like Simpson's Paradox. So this is a statistical anomaly.
Is it Simpson's Paradox why it's got so shit lately? Yeah. Or is this a different one? It's got Barney in it.
Think unsexy thoughts. So the simple thing, like, if you're looking at a set of data and you've got, like, kind of, if you look at something in isolation and then you look at something grouped together, but the results turn out the opposite to what you expect. And there's some classic examples, like famous baseball league stars, where they kind of appear like outliers and seem to have amazing batting averages. But when you put them together with a group, obviously the opposite may happen because they will average out and flip the result.
And so there's ways in which you can study statistical analysis and provide better what they call casual observation. And so most people would kind of observe this behavior differently without understanding the inherent behaviors behind how that came to be. And so a part of that is kind of the critical thinking pathway. But they do a session in their week six, you'll do data visualization and display of quantitative information, which most, you know, this is almost like an informatics style course with some statistics in there.
It's almost a big data course, but it has refuting bullshit as week 12. Week 11 is fake news. Fake news. Wow.
You know, how to spot it. And it's basically reading the New York Times. It's just news that doesn't agree with your point of view, isn't it? It's probably.
That's what our commander-in-chief says. Yeah. So I think this is kind of amazing. Like, other things that you look at, various readings and studies put out by folks.
So it covers, it's a term, semester, what's the semester these days? What's that? Four weeks? No.
No. Like 10 weeks. 10 weeks. 10 to 12 weeks.
Yeah. So you get a credit for that. You're just hanging out. Half a year.
Half an academic year. Half an academic year. You get to hang out with Carl. I don't know if it's the same in the US, mate.
Well, because you usually have a summer semester, which people don't do generally, but that's shorter. Yeah. So I think that's really interesting. It seems like it's complementary.
Well, it's definitely, they might have to change the name to make it a bit more PC. Let's be honest. But it is essentially scepticism, the university course, which is only a good thing. Well, is scepticism inherent to statistical analysis and stochastic...
Yeah, for sure. Not necessarily the analysis, but the conclusions you draw from it. You need to be careful that you're not letting your biases... I'm looking at a pie chart, and that pie chart is a Pac-Man of...
Yeah. So any kind of analysis of any kind of data, whether that data is statistics, whether that data is a newspaper article, you need to make sure that your inherent biases don't muddy the conclusions that you draw. Because if you go into something expecting a conclusion, like you said, you're going to look for data that supports your already drawn conclusion, whereas you should be reading the data and then coming to a conclusion based on that. I'll include a link in the description notes for the episode.
Simpson's Paradox is really good because California Berkeley was sued for sexual discrimination around that point, and until they had understood how this paradox worked, you could arrive at sexual discrimination in a different way. So if you're looking outwardly and you didn't have the data points to back it up, but if you didn't understand pooling, if you didn't... That's kind of what Andrew Wakefield did, who was the original arsehole who determined that vaccines cause autism, which obviously they don't, but he cherry-picked the source that he was using. He was using children that already had signs of autism and was asking if they had vaccines.
He came at it from the opposite direction. But then if you combine his data with everyone's data, the effect would disappear. So that's basically exactly what it is. It means if you're picking the data or picking the sample size or the demographics of the people or the thing that you're sampling, you have to be careful that you're getting a representative sample of everything, not exactly what you are looking for.
Whether you like it or not. The other thing, did you see this week, see as in you, you're in the cubicle or on the train or in the car listening to us, and you may have not saw, you may have read, there was $100,000 put out by a US Senator and an actor. Yeah, not just an actor, Mike, but the inimitable De Niro. It's so funny because he was teaming up and basically, is he in this camp?
Why would he put out $100,000? Why doesn't he put his entire life savings down? I'm pretty sure De Niro's got more than $100,000. If he's so confident of the outcome.
But it wasn't all, it was, so just to clarify, it was Robert De Niro and Robert Kennedy Jr. And we spoke about Rob a couple of weeks ago. They've joined forces to push vaccine nonsense, according to Vox. Yeah, it doesn't even, it doesn't even deserve talking about.
Bill Gates came back with a YouTube presentation on the Bill and Melinda channel on YouTube, and he stood there and said, this is the investment we've made. Here's the data. Let's have a look. The thing is, you will never be able to give any kind of evidence to them to get this $100,000.
Because they'll always, they'll do the what about. What about this? Oh, what about that? So you've been on your freshly minted calling bullshit course.
You go up to these guys and you want your $100,000. What would you put in front of them to convince them? You can't. That's the problem with these anti-vax people.
There's no amount of evidence that will convince them. Because they're utterly convinced that vaccines are still using thimerosal, when they haven't used thimerosal since 2001. They read down the list of ingredients and they go, oh, it's got antifreeze in it. Ignoring that, no, it doesn't have antifreeze.
It's got one of the parts of antifreeze which is used as a preservative so the vaccine doesn't go off. It's, they don't, there isn't a, talking about, you know, detecting bullshit. There isn't a fundamental scientific basis for their argument so therefore you can't refute it. Because they won't accept any amount of evidence that they're wrong.
They'll put their fingers in their ears and blah, blah, blah, blah, blah. So this is a complete, you know, they'll never pay out this $100,000 to anyone. Guaranteed. I'm urging Bill Gates on the Gates notes.
He put out, or Bill Gates, if you're listening. Bill Gates, if you're listening. Come on the show. No, he stood there and spoke about positive outliers and, you know, how investment in these countries works around vaccinations.
And you can actually see amazing deviation and statistical, genuine statistical, not anomalies and not something that you could argue against. It's just plain and simple. Like it does actually change and impact a population like in a third world country's incidence, for example. You're always going to have outliers.
You're always going to have side effects with any kind of medicine. But the fact remains that there is a clear downward trend in vaccine preventable diseases like measles, like rubella, mumps, all of those things worldwide. Except for the areas that are like, yeah, the vaccines are bad. And then you see a little uptick recently.
But there's no legitimate argument here. It's vaccines are fine. Get your kids vaccinated. There is no, there is absolutely no legitimate reason not to at all.
But the 122 million number of children's lives saved since 1990. So that's far in excess of like. The thing is, there's one argument it's got to come down to. Would you prefer your child to be autistic or dead?
Yeah. And that's it. Number of deaths under five year olds. Even if it did cause autism, would you prefer your child to be autistic but alive or dead?
Those are essentially what they're advocating here. They would prefer their children to be dead than autistic, which is ridiculous. Right around the world right now, his statistics are saying that there's an 86% of children worldwide who receive basic vaccines, highest in history right now. It still seems quite low.
It does actually. There's a lot of third world countries that wouldn't have the vaccine programs that we would have. But looking at, say, diphtheria, tetanus and, you know, DTP3 vaccines and income levels across the countries, and you look at the data that's being provided by UNICEF, it's staggering. There's been an 80% change, a 96% change in life expectancy.
And so his argument is basically saying for every dollar spent on childhood immunizations, you get a $44 economic benefit, full stop. So where's your $100,000 up against that? So you're up against E, and you can't have a constant against E, because that's a rate of change you cannot deny. And so I just think those guys should just fuck off and die.
Stick to acting, and I don't know, what does Robert Kennedy do these days? Oh, he's part of the Trump administration. Is he? Yeah.
Keep doing that. Well, it doesn't matter. We're off to TRAPPIST, Steve. Yep.
We're warping there. I asked you this week, if, let's say it took, so for, it's 40. 40 light years. 40 light years.
Or 39, I think. Let's say you could do a light year in a day, so it's like a month away, a couple of months away. So you go for, let's go a month that way. Yep.
And then have the most amazing pool party, like, ever. I don't know, does Trappist-1F have Wi-Fi? Don't need it. Mike, did you just say you don't need Wi-Fi?
No, we don't. How am I supposed to Facebook to let everyone know I'm there? If I can't check in on Facebook in Trappist-1F... Maybe like 40 years later, everyone else would know.
But there's no point in going. No, you said, yeah, but there's no point in going if I can't check in on Facebook. But it's like in Star Trek. It's like when you go to the gym, you gotta check in on Facebook, otherwise it doesn't count.
I'm gymming right now. I'm running. And as soon as you check in, you can leave. That's true, because obviously Star Trek never really actually goes in, or retcons the actual performance of warp drive.
So if you had, what warp technology would you need to get to Trappist? Is my question. And so we're thinking maybe warp 8? Well, it's never...
I don't think it... The Star Trek warp is never really properly defined. It's always exactly how fast you need to go to get to where you need to be, either just on time or just too late, depending on the dramatic constraints of the story that you're telling. Three days away, or we're either close enough or not far away.
Yeah, and it's a logarithmic scale, so warp 8 is probably going to be a couple of days or maybe a week. You could warp 8 there and it'd be a week. Yeah, let's say that. Let's go with that.
Let's go with that. That's what I'm going with. So CloudFront, who went with something, their whole idea is trying to... They protect you from DDoS attacks on the internet.
So just recently, a few security advisors have put out an alert saying that there's a bleed, that there's some error going on with their software and as a part of a bug that's turned up. I'm really confused about where this is occurring because it's actually leaking passwords. It was leaked memory that was cached by search engines, which included different systems, including 1Password and Uber and places like that, that use CloudFlare as their DDoS protection. CloudFlare's had issues in the past.
Whenever you have any kind of system that's trying to protect your data, it can be bad. So the idea is that they front your servers and so web requests will be filing through them, through to you, etc. So they're kind of like the DDoS mafia in front. You pay them mafia money and they hold off the DDoS attacks and someone give you Google reports about that.
This has been documented before, specifically with Apache had a bug in SSL and it had an open piece of memory and when someone else came through... This is why people are calling it CloudBleed because they're comparing it to Heartbleed which is the SSL bug from last year or the year before. To me this reads like it's similar to the Heartbleed one, which is an easy-to-solve problem specifically, but it seems to be beaten up everywhere. Everyone's kind of got a story to go with this one.
Yeah, so they posted a post mortem on their blog or on their website, kind of downplaying as you would to an extent. We said it affected customers like Uber, 1Password, Fitbit and OKCupid, said no sensitive data was exposed because it was encrypted in transit. Well, who knows if that's to be properly believed or not. The fact remains is that they were dumping out memory into request streams that could be read.
So it depends how you define sensitive data, I guess. Yeah, well, generally a bot comes along, they'll read your robots text on your site or otherwise. The main issue was that this was out there and being cached by search engines, so that means it remains available. Yeah, so it's coming along to your site and then hitting cache and then it's storing it for itself and so that's then searchable elsewhere and someone else has stored that piece of information.
They're suggesting that that text is encrypted in some way, shape or form. I just sort of, I'm hearing foo, but how that actually comes together. Something that's also interesting is the SHA-1 hash algorithm, like it's quite old and you need to get off it. You're probably on AES-256 or SHA-256 these days, but there is, and this is not new news, there's like 2015 and much earlier when SHA has come around, they've had collisions with that particular hashing algorithm before, but they're saying there's a PDF style attack.
So someone has, researchers working at the CWI Institute in Amsterdam have found a practical technique for generating an SHA-1 collision. So while there may have been maybe accidental collisions in the past, this is an actual method that you can use to create a collision and this is bad because things like Git and other systems use SHA-1 hashing to generate what should be a unique key. So there was an attack in 2005 that was able to find collisions in 2 to the power of 69 calculations, which is a large number, but not hugely so. This new method is 100,000 times faster than that and is being dubbed the first practical technique to compromise the SHA-1 hashing.
But most people would be using an AES, I say Rijndael, someone's got to correct me. You would hope for actual security circumstances, you would be using much higher hashing numbers, but you would still use SHA-1 and these kind of, because the thing is with these smaller and quicker hashing, okay, it may not be as secure as 256 or 512 people using these days, but it's quicker, it's easy to use, and so if you're just generating a hash for an identifier, so Git, for example, uses hashing to identify commits, that's all you need it for. It doesn't need to be secure in and of itself, it just needs to be unique. So like think MD5, obviously do not use MD5 to hash your passwords because MD5 is broken, but if you just need to use MD5 to hash something to see if it's the same as something else, then it's probably okay because it's quick and it's easy.
Generally used for file checking, you know, like a CRC. I think SHA-1 is the same. You shouldn't use it for secure programs for, say, hashing a password, but if for hashing... But even if you're hashing, you should be salting it either way.
But again, if you're just hashing a Git commit, it doesn't matter, it doesn't need to be secure, but if there's a collisionable, if there's a way to create a collision, then you're then making that it's not even useful for that. It's not even useful for uniquely identifying things that don't need to be secure, but just need to be unique. So people would have to move on to more secure, but slower and more difficult to use alternatives, like 256. Yeah, what Steve's talking about is obfuscation of the content.
It's not like a GUID where you've got, you know, a quad tuplet of numbers that come together, which also include letters, to create a unique identifier. That's a bit different. It's taking that content and then applying a hash algorithm to it to come out with some other character string. And what's being discussed here is that there's a specific hashing algorithm called SHA-1, and that can cause collisions.
That means you can come out with the same hash again, it's the same. So what they've used it for is to obtain a SHA-1 signature on one PDF file and use it as a valid signature on a second file. So you could make a system think that a second file is the same as the first file, even though it's not. So it could contain malicious code, it could contain anything, really.
It may not even be a PDF file. So I'm sure there's systems out there that are using SHA-1 for passwords, without a doubt. Like, I'm sure there's systems out there that are using MD5 for passwords, without a doubt. The group has said they're going to wait 90 days before releasing the code, which is very nice of them, I thought.
You know, you're white hat hackers, as opposed to people that would use it for nefarious reasons. That's what you want. They were working with Google. They're working with a team from Google Research, so this is like legitimate attack research.
This isn't a group of hackers, you know, in a dimly lit basement with beanies on and tapping at their keyboard. This is like... What's your favourite? Neckbeard and Unix developers.
Neckbeard, Unix. Neckbeard and Unix developers. Yeah. Don't hurt me.
But AES is probably my favourite. Everyone in your lifetime as a coder, you will write a Rijndael equivalent, 256, 512... I just store my passwords as plain text. It's really easy.
You should try it. Yeah. Because it means if someone loses their password, you can just email it to them. If they phone you up and don't know how to log in, you can just read the password for them.
If they're having technical issues, you can log in for them. You should try it, Mike. It's really easy. And then you go and...
Just make sure there's a good password on your database. It's all you need. You store your salt next to the thing. No!
Who needs that? When do you store your salt somewhere else? That's so, like, 2010 security, Mike. We've gone beyond that.
Systems are secure these days. You don't need to do that. No. So, if you've ever written a password system, you'll know about it.
Plain text all the way. Yeah. So, yeah. Rijndael was developed by some researchers, oh, it was, what, 2001?
Sometime around there. Oh, yeah. During the... Well, they were trying to get the Advanced Encryption Standard together and beyond the DES encryption standard, which is called the Data Encryption Standard, oddly called DES.
And they're all symmetric algorithms, meaning you've got repeating so you can get them encrypting and decrypting your data. So there's plenty of publications out there. You will absolutely, at some stage in your life, will write some kind of encryption, if at all. Tell you what's very, very, very sexy right now is quantum computing for encryption.
There's a lot of research going on inside of that. The only premise there is in terms of it's not a sequential sort of execution to get your numbers. In quantum, you can go parallel, so you can have a probabilistic way of arriving at the same answer at the same time. You can hack the password before it's even created.
That's right. You can guess the password before it's happened. But the problem is that when you look at the password, when you look at it, then it will be determined at that point. So it kind of collapses.
So anyway, encryption is fun. So Steve, if you want to be cryptic and send the Space Wilders some kind of cryptic love message, where would you send it? You can send it to www.spacewilders.com and we'll try and hack it. Send us love messages encrypted with SHA-1.
Please make it MD5. We're busy. Yeah. No, no.
Open plain text. Just get it open that way. Yeah. Just leave us a comment.
You can also find the show notes there for this episode and all the other episodes. I've encrypted them. We've encrypted them. First one to unencrypt them gets a prize.
Sorry, Doug. I was late this week. I was busy. You can subscribe to the show on iTunes, Stitcher and SoundCloud.
I don't know if they encrypt. No, they don't. No? They probably should, hey?
It's a thing. Make sure you subscribe, though, and leave a comment and a rating and a share. Leave a share. Don't share it with your friends.
Just leave a share. No, you need a private key. You need to exchange the private key at the bar. Yep.
If you meet a girl. PGP that share. Yeah. If you meet a girl and it's serious, you give her your private key.
Yep. Just make sure you wrap that private key. Dating advice from cryptologists. Yep.
You can follow us on Twitter, twitter.com slash space folders, facebook.com slash space folders. It's encrypted. That is. Mike's on Twitter, twitter.com slash michael underscore wise.
Encrypted you need glasses to see it. So am I, twitter.com slash the skeptical dev. Maybe encrypted. Maybe.
I'm just open to anyone. Yeah. It's, it's, it's got, it's a, it works in smell a vision. Hmm.
I've, I've seen it. It's quite horrific. Yeah. Make sure you check out our store.
That's on the website. Not encrypted. Maybe it is. It probably should be.
If you want to put in your credit card. Has, has a planets swirling around it. Yep. Lots of them.
Make sure you vote for us at Castaway Awards. That's castawayawards.com slash vote for the popular vote. Make sure you, uh, uh, validate your email address when you do that to make sure, make your vote count. Possibly.
Yeah. I'm sure some of the other people while you're there. Not very secure. And if you have any questions, comments or feedback, don't handshake, email us, don't exchange keys.
Info at spacewilders.com. Sweet. So guys, uh, thanks so much for listening to us. And it's a very close to our 75th episode.
And I think we've almost been doing this for a year and a bit weekly somehow, some kind of way. So we'll continue to impress upon you our amazing knowledge of the universe and IT things. And hopefully we challenge you to find someone with better knowledge and bullshittery ability than us. Yeah.
Or, or not. And so the Castaway Awards, best of luck to all those. It's coming up soon. And of course ABI Days is on and I want to put a big shout out to a mate who got in.
Joseph Cooney, best of luck for your presentation at the Sydney Convention Centre. Please impress everyone there. I'm sure you'll be a fantastic. And if you're interested, go to Joseph's presentation.
It will be a cracker. It'll be fun. I think, hopefully. And it won't be encrypted, so you'll be able to understand everything that's going on in there.
But make it happen. That'd be good, wouldn't it? An encrypted presentation. An encrypted presentation.
Maybe. No, no, no, no. It's just binary. Just forget it.
Yep. It'll start with 1011110. There's a lot of other people going to that. There's a lot of speakers.
Yeah. So Joseph's there. Congratulations, Joseph. And knock them out.
Break a leg. All those good things. So it's Mike out. Steve out.