

Argonne National Laboratory's broken implementation of SHA1 - drewr
http://blog.n01se.net/?p=40

======
adammarkey
Link bait title. I had my hopes up for something juicy only to find out
something I already knew... government employees build crappy software.

~~~
timf
> government employees build crappy software

That is quite the generalization. Out of the same national lab comes MPICH, for
example, which is installed on nearly every large supercomputer that needs a
message passing library. It's very robust, portable, performant, and popular.

<http://www.mcs.anl.gov/research/projects/mpich2/>

National labs are far more like normal companies than you might imagine. The
software efforts are done by small teams that vary in their aims, funding,
talent, competitional pressure, and enthusiasm. Pretty much like any other
software environment...

Take a look at the error rates discussed in this story about NASA and I don't
know how you could generalize that "government employees build crappy
software": <http://www.fastcompany.com/node/28121/print>

------
th0ma5
ummm... so this means they broke their implementation of the encryption, not
that they have found a way to break the encryption in order to find the
unencrypted source?

~~~
pavel_lishin
Correct.

~~~
ableal
From the article, it seems that what is really broken is the I/O in the web
interface - input is (wrongly) 'sanitized', output printing is misformatted.

Trite lesson we (do not) learn from this: beware trivial tasks that don't seem
worth the trouble of testing.
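
Added example, not part of the thread or of the linked article: a known-answer check in Python for the two failure classes named in the comment above (input altered before hashing, digest printed wrongly). The two buggy wrappers, `sanitizing` and `misformatting`, are hypothetical stand-ins, since the thread does not say what the web interface actually did.

```python
import hashlib

# Known-answer vectors: the digests of b"" and b"abc" are the standard published
# SHA-1 test values. The whitespace-bearing input is constructed for this
# example and its expected digest is taken from hashlib as the reference.
VECTORS = {
    b"": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    b"abc": "a9993e364706816aba3e25717850c26c9cd0d89d",
    b" abc\r\n": hashlib.sha1(b" abc\r\n").hexdigest(),
}


def reference(data: bytes) -> str:
    """Correct wrapper: hash the bytes exactly as received."""
    return hashlib.sha1(data).hexdigest()


def sanitizing(data: bytes) -> str:
    """Hypothetical bug: the front end 'cleans' the input before hashing."""
    return hashlib.sha1(data.strip()).hexdigest()


def misformatting(data: bytes) -> str:
    """Hypothetical bug: bytes printed with %x, so leading zeros are lost."""
    return "".join("%x" % b for b in hashlib.sha1(data).digest())


def check(candidate) -> list:
    """Run every vector through candidate; return (input, problem) pairs."""
    failures = []
    for data, expected in VECTORS.items():
        got = candidate(data)
        if len(got) != 40:
            # SHA-1 is 160 bits, so a hex digest is always 40 characters.
            failures.append((data, "bad length %d" % len(got)))
        elif got != expected:
            failures.append((data, "digest mismatch"))
    return failures


if __name__ == "__main__":
    for impl in (reference, sanitizing, misformatting):
        print(impl.__name__, check(impl) or "all vectors pass")
```

The whitespace vector is what exposes the input-side bug; the length check catches the output-side one even on inputs whose digest is otherwise computed correctly.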

------
neilc
Who cares? Government agency has buggy web-accessible implementation of SHA1.
Not notable, and a link-bait title to boot.

------
drewr
You're right; the title was horrible. Thanks to whoever changed it.

No bait intended. Thought it might spur some discussion. I learn a great deal
from anything crypto-related on HN.

