[Dailydave] Some Sums

Thomas Ptacek tqbf at matasano.com
Wed Feb 7 08:54:10 EST 2007


For those playing along with Joanna at home, use:

    d86ded8e6f086cbc86bb07d854e58e1d60680958

Which is SHA-1, untruncated, of the same file and a different nonce.

The point of posting the hash is so that I can say we did something
("devised a battery of checks that detect hardware virtualization")
and not have people think we simply made it up.

On 2/5/07, Joanna Rutkowska <joanna at invisiblethings.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Halvar Flake wrote:
> > I admit that strictly speaking I have abused DD with the last mail.
> > What about a general, publicly archived mailing list where
> > people can post hashes of results to follow up later? Anyone who
> > has read the matasano blog recently (Ptacek/Rutkowska debate) would
> > tend to agree that we need something like this.
> >
>
> And what would that change, really, if I posted today a hash of our
> (because now, there's also Alex and Edgar working on Blue Pill) recent
> achievements in Blue Pill development (e.g. generic ways to resist
> direct timing analysis using trusted external clocks)?
>
> Ok, true, we're planning to give a presentation later this year on this
> subject and that would be cool if nobody else gave something similar
> before us, but does that mean we should "buy an insurance" today for
> "being the first"?
>
> Sure, it's cool to be the first person who publicly presents something.
> And all the press spotlight is cool too. But at some point, we can
> easily get into absurdity, I think...
>
> If somebody else gave a similar presentation before me, I could only
> use it as an argument to support my thesis (in this very example, that
> CPU vendors should provide a documented way to detect the presence of
> h/w hypervisors).
>
> I'm not judging Halvar, who I consider to be a great researcher, but
> it's almost a new trend now - Tom Ptacek published some mysterious hash
> in order to convince mankind that it should not be worried about hardware
> virtualization malware, now Halvar, who's next? And what's the real
> goal? To show off that "I'm better than others"? Or am I missing something?
>
> BTW, as both MD5 and SHA1 are considered broken these days, I wonder how
> difficult it would be to prepare some other file matching Halvar's or
> Tom's signatures? How about we start a little contest? I will buy
> dinner for the first person (at a conference that we both attend) who
> creates a document matching Tom Ptacek's hash, which is here:
>
> http://www.matasano.com/log/680/detecting-virtualized-rootkits/
>
> (the way of creating a matching file should be documented)
>
> I assume it would be easier to break Tom's hash as he only posted SHA1,
> while Halvar, apparently anticipating something, published both SHA1 and
> MD5.
>
> joanna.
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQFFx4kDORdkotfEW84RAjuEAKDgwvMP6yRxelMQFW01VnGp5NiRJgCg5j8F
> 8SnNprRjcx9XuDNROHwyQOc=
> =/HEp
> -----END PGP SIGNATURE-----
>
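
The commitment described at the top of this message (SHA-1 of the same file with a different nonce), as an added example that is not part of the original thread. The thread does not say how the nonce is combined with the file, so the 16-byte prepended nonce, the function names and the sample document are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # assumption: fixed-length random nonce, prepended to the file


def commit(document: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex SHA-1 digest, nonce). Publish the digest, keep the rest."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly NONCE_LEN bytes")
    return hashlib.sha1(nonce + document).hexdigest(), nonce


def verify(published_hex: str, nonce: bytes, document: bytes) -> int:
    """Check a revealed (nonce, document) pair against a published digest.

    The published value may be a truncated hex prefix. Returns the number of
    digest bits actually matched, or 0 on mismatch, so the caller can see how
    much weaker a truncated commitment is than the full 160 bits.
    """
    published_hex = published_hex.strip().lower()
    if not published_hex or len(published_hex) > 40 or len(nonce) != NONCE_LEN:
        return 0
    full = hashlib.sha1(nonce + document).hexdigest()
    candidate = full[: len(published_hex)]
    if hmac.compare_digest(candidate.encode(), published_hex.encode()):
        return 4 * len(published_hex)
    return 0


# Constructed sample input, not the file discussed in the thread.
DOC = b"constructed sample: list of virtualization checks\n"
first_digest, first_nonce = commit(DOC)
second_digest, second_nonce = commit(DOC)  # same file, different nonce

if __name__ == "__main__":
    # Full digest binds 160 bits; a 16-hex-character prefix binds only 64.
    print(first_digest, verify(first_digest, first_nonce, DOC))
    print(second_digest[:16], verify(second_digest[:16], second_nonce, DOC))
```

Because the nonce is random, the two published digests of the same file are unrelated, and neither can be confirmed by hashing a guessed document until the nonce is revealed.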

