14 points by furtheranalysis on Sept 10, 2019 | 24 comments

Everything points to fake news:

1) The copy is not great, and is not of the standard you would expect from a supposedly American company: "In accordance with its disclosure policy, Treadwell Stanton DuPont won't be saying exactly how they did it — because once the proof-of-concept is out, anyone with enough computing power will be able to produce a SHA-256 collision, rendering the algorithm both insecure and obsolete."

2) The phone number listed is 917, which usually (not always) is for mobile phones in NYC. (Which finance firm can't afford a nice 212/800 central number from Verizon?)

3) Their About Us page doesn't actually list any real names of executives and directors: https://www.treadwell-stanton.com/about-us

4) Their email is hosted by GoDaddy:

    host -t mx treadwell-stanton.com
    treadwell-stanton.com mail is handled by 10 mailstore1.europe.secureserver.net.
    treadwell-stanton.com mail is handled by 0 smtp.europe.secureserver.net.

FINRA, SEC, etc. would probably not be pleased with GoDaddy email.

This is not a quick fake site. Too much went into it. Also, their social media profiles go back to Oct. 2017. If it's a fake company (and that seems likely), they are playing the long con.

Their "address," 30 Wall Street, is for a virtual office business center, Capstone Executive Offices. https://liquidspace.com/US/NY/new-york/your-wall-street-offi...

In any case, this announcement seems to be a vaporware pump-and-dump scheme for a bitcoin accelerator: https://www.facebook.com/TreadwellStanton

The timing of their first Facebook post is within 6 months of when they supposedly broke SHA256, so that definitely says long con.

AND they are associated with a lotto computer scam: https://neural-lotto.net/index.php/en/kga6

0) they provide no evidence whatsoever (e.g. they could just provide a SHA256 collision and be credible) and have not contacted or involved anyone in the security and/or cryptography fields, just went straight for the marketing copy.

The entire site looks like a scam. They deserve "credit" for spending more effort on the basic template and bullshit spiel than most scammers.

The name of the "firm" reminds me of Stratton Oakmont.

Probability that they broke SHA-256 - 0%. 0.00000%.

And if you Google for "Treadwell Stanton" the results are almost all about this announcement and fizzle out after three or four pages with nothing dating back further than a few months. Their Twitter page is mostly noise too.

By some unknown blockchain miners with no proof that want to sell you one of 25 units instead of operating them using something something quantum? No, it wasn't. Come on.

While not saying how they did it, shouldn't they be able to prove it? By showing some colliding hashes or so?

It's not just that, they're claiming a computationally feasible preimage attack, something which AFAIK has not been feasibly achieved in SHA1 (SHAttered is a collision attack).

A preimage attack still isn't feasible for MD5. What an absolutely ridiculous claim they made.

To play devil's advocate, the hashes might imply details of how it was done.

Unlikely, but regardless if they have a preimage attack they could simply release a collision.

That is a much lower standard than a preimage (and trivial if you do have the computational ability to preimage), and was sufficient to declare SHA1 broken (SHAttered is a public collision, AFAIK there still is no preimage against a "full strength" SHA1).

There's no feasible preimage against even md5 still.

Looks like an attempt to manipulate Bitcoin value? Pathetic.

From the article "it is not our intention to bring down Bitcoin, break SSL/TLS security or crack any financial sector security whatsoever."

That's exactly what one would say when he had the intention to do that.

They’re pretty upfront about intending to profit from this:

> The announcement aims to secure financial and technological platform superiority to its clients and investors worldwide.

Did they pinky promise too?

So the Iraqi Information Minister finally found a new job!

Here's the Outline link, if anyone is having trouble visiting the original site like I was.


OK, we've now found something even worse than the stupid "best logo competition" for vulnerabilities.

Has been /.-ed to death already. Anyone have a snapshot?

