• (disco)

    Ok, flipping a coin to switch between security algorithms is a horrible idea in its own right, but didn't anybody notice that there was only one password? Nobody wondered if they could change it?

  • (disco)

    For fuck's sake. This makes me want to claw my eyes out.

  • (disco)

    7e843964cca0fe3c3adc1d3f8605554b

    http://md5cracker.org/decrypted-md5-hash/7e843964cca0fe3c3adc1d3f8605554b

    OCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /md5/get.php was not found on this server.</p> <hr> <address>Apache/2.2.22 (Debian) Server at i337.net Port 80<

    Couldn't (quickly) find the SHA1 one.

  • (disco) in reply to PJH

    That would be an actual error, as that hashes to 4435369471ce5ceb55f52fd1bb459df2.

  • (disco) in reply to rc4

    binary or text mode hash?

  • (disco) in reply to accalia

    Probably text, but that's irrelevant; i337.net is one of the sites that hosts the md5 rainbow tables that the site is using to crack stuff.

  • (disco) in reply to rc4
    rc4:
    That would be an actual error, as that hashes to 4435369471ce5ceb55f52fd1bb459df2.

    uh... no it doesn't

    accalia@personal:~$ echo -n 'OCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /md5/get.php was not found on this server.</p> <hr> <address>Apache/2.2.22 (Debian) Server at i337.net Port 80<'|md5sum                                                                                          
767647fbabffe60b7003a1c8114d451d  -
accalia@personal:~$ echo 'OCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /md5/get.php was not found on this server.</p> <hr> <address>Apache/2.2.22 (Debian) Server at i337.net Port 80<'|md5sum
10196488d6e936f0890753f0b0e21854  -
  • (disco) in reply to accalia

    What about with a leading D?

  • (disco) in reply to LB_
    LB_:
    What about with a leading `D`?

    I'm taking a pure guess, because I'm certain I know the answer and CBA to test, but I think the md5 will be different in both cases..

  • (disco) in reply to LB_
    LB_:
    What about with a leading D?

    missing on the md5cracker.org that @PJH posted as well.... but since you asked:

    accalia_de_elementia@personal:~/workspace $ echo 'DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /md5/get.php was not found on this server.</p> <hr> <address>Apache/2.2.22 (Debian) Server at i337.net Port 80<'|md5sum                                                                                            
b54adfe9d192583fb0e9df7418ccce23  -
accalia_de_elementia@personal:~/workspace $ echo -n 'DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /md5/get.php was not found on this server.</p> <hr> <address>Apache/2.2.22 (Debian) Server at i337.net Port 80<'|md5sum                                                                                         
f9a82bfc0c6d0a5ab8d3ffcfe553aa1e  -
  • (disco) in reply to PJH

    https://en.wikipedia.org/wiki/Avalanche_effect

  • (disco) in reply to accalia

    Either way, it's an error. And I hashed it to that. Who knows what fuckery happened with line breaks/unicode/what-have-you changing the result. It still doesn't hash back to the hash in the article. You're arguing a moot point.

  • (disco) in reply to rc4
    rc4:
    You're arguing a moot point.

    moo point?

    [image]
  • (disco) in reply to accalia

    :mask:

  • (disco) in reply to accalia

    Gah.

    What the fuck.

  • (disco) in reply to blakeyrat
    blakeyrat:
    What the fuck.

    E_PARSE_ERROR: NOT_A_QUESTION

  • (disco) in reply to accalia

    She's cute.

  • (disco) in reply to accalia

    Interesting adaptation on the nails. Too many rings though, 'less she was sold quite a few times and the new owners never removed the rings? Kinda weird, but then the Social Engine says it may be intentional?

    Regarding the article: I suppose it might be an interesting security-through-obscurity practice to randomly choose between multiple very-strong cipher suites to begin a challenge-response conversation, but this is definitely not that....

    Filed under: Okay browser, tell me, did the password match what I sent you?

  • (disco)

    I suspect the developer may have been experimenting with the technology and left some of his toy code in place by accident. It's not something one is generally proud of having done, but I've seen it a few times.

    Or it was: "Oh, I'll clean that up when it gets nearer go-live, at the moment I'm not worried about authentication, I just need to be able to get into the app without typing in a damn username and password."

  • (disco) in reply to accalia 
    if(isset($_POST["pass"])){
	$r=rand(0,1);
	
	if( ($r==0 && md5($_POST["pass"])=="43421de3c82310246d2d7c546163bafe") || ($r==1 && sha1($_POST["pass"])=="82c8b616894ba1f60ff6e1915699591dfb8dd83f") ){
		//render successful login content, set cookie
	}else{
		//render login error
	}
}else{
	//render "no password" error
}

    Here's the fixed code. The plaintext is a substring of http://thedailywtf.com/43421de3c82310246d2d7c546163bafe and http://thedailywtf.com/82c8b616894ba1f60ff6e1915699591dfb8dd83f, respectively.

  • (disco) in reply to accalia

    What happened to the udder? :giggity:

  • (disco)
    It’s bad enough that he’s passing passwords in the clear

    Ehm, how else would you pass them? I mean you would of course use https, but we don't know from the code snippet if it is or not.

  • (disco) in reply to Matt_Westwood

    This is why you always put print("PENISPENISPENIS") in the code you intend to delete.

  • (disco)
  • (disco) in reply to sloosecannon
    sloosecannon:
    img src="/uploads/default/original/3X/b/e/be7a46dac5dfefcabdd846b4025310107292ea22.png" width="275" height="183">

    img src="/uploads/default/original/3X/e/3/e34e96600f01f5ff3453c008a44737134114426f.png" width="266" height="190">

    img src="/uploads/default/original/3X/3/3/33cdbfcc835c683dbc2b2118f2e1ed824ba570fd.png" width="194" height="259">

    img src="/uploads/default/original/3X/a/0/a008919bbd6c5ef7fa5dbc9630ff4c291b5a401e.png" width="207" height="244">

    img src="/uploads/default/original/3X/e/9/e999838d7c0f240167cf2119c196fdb88f3f12de.png" width="264" height="191">

    img src="/uploads/default/original/3X/4/7/47d0d395fe1ddbc6c29bea5b885caca51ce0f2b8.png" width="225" height="225">

    img src="/uploads/default/original/3X/e/c/eca77a53a15ec491c4439089e92cc731a28585e6.png" width="133" height="200">

    img src="/uploads/default/original/3X/0/d/0dddf19291e9f4bc19c07c866b3ad29d9f1ba50a.png" width="194" height="259">

    well... i didn't think i had to put a 'NSWF' label on that link.... i rather thought ti would be obvious from context.

    whoopsies?

  • (disco) in reply to accalia
    accalia:
    i rather thought ti would be obvious from context.

    It was. That, and looking at the URL the link goes to. I am not one of the 6 (so far) people that clicked the link.

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    It was. That, and looking at the URL the link goes to. I am not one of the 6 (so far) people that clicked the link.

    still.... that was a bit overreaction was it not?

  • (disco) in reply to accalia

    Given the URL, I'm guessing that the things it leads to are not your vanilla NSFW material, and thus may warrant a reaction of that level. I would probably have a similar reaction either way, but that's due to my particular interests.

  • (disco) in reply to accalia
    accalia:
    that was a bit overreaction was it not?

    Maybe. Since I didn't look at the search results, I can't say with certainty just how disturbing the results are. (Plus, of course, the results depend on your search history. Maybe @sloosecannon's search history caused Google to return results warranting that reaction. :trolleybus:)

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    Plus, of course, the results depend on your search history. Maybe @sloosecannon's search history caused Google to return results warranting that reaction. :trolleybus:

    It occurs to me that my own search history may have a similar effect. o.o

  • (disco) in reply to Fox
    Fox:
    vanilla NSFW material,
    [image]

    :fa_question_circle:

    HardwareGeek:
    Since I didn't look at the search results, I can't say with certainty just how disturbing the results are.
    ah. the rare quantul superposition of search results.... :-D
  • (disco) in reply to accalia

    OMG, spoiler that, you perv! What the fuck is wrong with you, posting not only vanilla NSFW material, but whatever weird position that is, on top of it?! Are you trying to turn this into some fucking pervy Kamanilla Sutra?

  • (disco) in reply to Fox
    Fox:
    What the fuck is wrong with you,

    it's a shorter list what isn't wrong with me.

    ;-)

  • (disco) in reply to accalia

    I'm just doing my part to warn the denizens of the forum...

  • (disco) in reply to accalia

    Now that's sexy!

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    I am not one of the 6 (so far) people that clicked the link.

    I don't know. Does right-clicking still update the click-track? I did that to see what was being googled, because (at that exact point in time) it didn't occur to me that we would be looking for peoplehumans sporting that particular anatomy feature (whether emulated or not).

  • (disco) in reply to Fox
    Fox:
    posting not only vanilla NSFW material, but whatever weird position that is, on top of it?!

    Not to mention that it is some weird inter-species stuff going on there. That appears to be a Cymbidium flower; it's definitely not a V. planifolia.

Leave a comment on “Confession: The Coin-Flip Hash”

Log In or post as a guest

Replying to comment #:

Log Out

« Return to Article