
My goal is to see the actual proof of concept that whatever the person I replied to said is feasible. Not the daily BS from security wannabes that start with "In certain scenarios it is possible to X and Y" and then never show proof.

"In certain scenarios I could be a ninja": it means absolutely nothing without proving that I actually have the skills and I could actually use them.

It is not pointless, but if you claim something, show the proof.



The math is the proof of concept when an attack costs that much money to pull off. Or the various papers that show successful attacks on reduced-round versions of the hash.

Do you not accept those? What would you accept as a proof of concept?


I expected a proof of concept for this statement:

_That is enough to distribute malicious code though, at least in certain scenarios. Someone might create a setup where reviewers check/sign one version of the source code, and what gets distributed is another version with the same hash._


Well, the proof of concept without actually having two colliding files is really simple, so I thought it was generally understood.

Here's the easiest-to-explain way: Upload the malicious version of the file to GitHub. Send an innocuous patch to the kernel devs that creates a file with the same hash. It gets accepted, and anyone that downloads the kernel from GitHub gets the malicious version. Done. That's a small fraction of Linux downloaders, but this is just the proof of concept.


A proof of concept became much easier with C11 Unicode identifiers, and email patch review. You can trivially hide Cyrillic chars, e.g. between whitespace changes or other trivial "optimizations". Even without collisions.

And with the current surge of GPUs, even collisions are realistic now. The H100s are not doing much when not in training.
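
A reviewer-side check for the mixed-script identifiers mentioned in the comment above, as an added example that is not part of the thread: it scans the added lines of a unified diff for identifier-shaped tokens containing non-Latin letters. The names `scan_patch` and `scripts` and the sample patch are constructed for illustration; non-English comments or strings in added lines will also be reported, so treat hits as prompts for a closer look.

```python
import re
import unicodedata

IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware, identifier-shaped tokens
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

def scripts(token):
    """Scripts used by the letters of a token (first word of the Unicode name)."""
    found = set()
    for ch in token:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            found.add("LATIN" if ch.isascii() else name.split()[0])
    return found

def scan_patch(patch_text):
    """Return (file, new_line_no, token, scripts) for tokens with non-Latin letters."""
    findings, path, new_no = [], None, 0
    for line in patch_text.splitlines():
        if line.startswith("+++ "):            # file header, not an added line
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            m = HUNK.match(line)
            new_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):             # added line: inspect its tokens
            new_no += 1
            for tok in IDENT.findall(line[1:]):
                used = scripts(tok)
                if used - {"LATIN"}:
                    findings.append((path, new_no, tok, sorted(used)))
        elif line.startswith(" "):             # context line: only advances numbering
            new_no += 1
    return findings

# Constructed sample: the 'a' in is_admin on the added line is U+0430 (Cyrillic).
SAMPLE_PATCH = (
    "--- a/auth.c\n"
    "+++ b/auth.c\n"
    "@@ -10,3 +10,4 @@ int check(struct user *u)\n"
    " {\n"
    "-    if (u->is_admin)\n"
    "+    if (u->is_\u0430dmin)\n"
    "+        return 1;\n"
    "     return 0;\n"
)

if __name__ == "__main__":
    for path, line_no, tok, used in scan_patch(SAMPLE_PATCH):
        print(f"{path}:{line_no}: {tok!r} uses scripts {used}")
```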



