SHA1 collisions proven possisble

James DeVincentis james.d at
Thu Mar 2 00:38:25 UTC 2017

Keep in mind botnets that large are comprised largely of IoT devices which have very little processing power compared to the massive multi-core, high frequency, high memory bandwidth (this is especially important for cryptographic operations) CPUs in data centers. It doesn’t take much processing power to launch DDoS attacks so that’s why IoT is perfect for botnets. Those botnets which have desktop grade systems are also comprised of typically older machines that go unpatched and do not have high end server CPUs or GPUs. A botnet is also not going to get you the high end GPUs you need for phase 2. Generally the people with hardcore GPUs are gamers and workstation users that push those GPUs. They're going to notice the GPUs being utilized abnormally. 

On top of that, the calculations they did were for a stupidly simple document modification in a type of document where hiding extraneous data is easy. This will get exponentially computationally more expensive the more data you want to mask. It took nine quintillion computations in order to mask a background color change in a PDF.

And again, the main counter-point is being missed. Both the good and bad documents have to be brute forced which largely defeats the purpose. Tthose numbers of computing hours are a brute force. It may be a simplified brute force, but still a brute force. 

The hype being generated is causing management at many places to cry exactly what Google wanted, “Wolf! Wolf!”.

> On Mar 1, 2017, at 6:22 PM, valdis.kletnieks at wrote:
> On Wed, 01 Mar 2017 15:28:23 -0600, "james.d--- via NANOG" said:
>> Those statistics are nowhere near real world for ROI. You'd have to invest
>> at least 7 figures (USD) in resources. So the return must be millions of
>> dollars before anyone can detect the attack. Except, it's already
>> detectable.
> *Somebody* has to invest 7 figures in resources.  Doesn't have to be you.
> Remember that if you have access to a 1M node botnet, you could have 56,940,000
> hours of CPU time racked racked up in... under 60 hours.

More information about the NANOG mailing list