Code - 5

Just arirved at the 22th chaos communication congress. Together with Lars I took the Nachtzug from Augsburg.

We are in a very nice hostel called Generator Hostel, which is very nice for a quite moderate price. Although we arrived at 8 o'clock in the morning, we already could enter our rooms and get a breakfast on arrival day. Very recommendable.

Pictures will follow from time to time.

Yesterday del.icio.us, the well known social bookmark service, has been bought by Yahoo. This brings me to share some thoughts I had recently about the thing that everyone calls »Web 2.0«.
Although probably nobody can provide an exact definition on what Web 2.0 is, it's mostly surrounding »social software«, i. e. web-software that is not organized as top-down-communication, but as communication between the users.
The most common example for social software are probably wikis and blogs. What I always saw very critical is that centralized services like flickr and del.icio.us are so popular in the blogosphere and the internet community. They are often called »Web 2.0« as well, although they work completely different. My vision of a free net is a different one.

Now with yahoo buying del.icio.us, the two probably most popular »Web 2.0«-services belong to the same company. The problems with this are obvious: You don't know what Yahoo does with your data (Data Mining), you never know if they're gonna change their terms of use from one day to the other (e. g. limit the number of pictures/links, take money for services that were free before) or even shut down a service because it doesn't match the »shareholder value« (Remember GiMiX? That was social software as well).

In my opinion there is a big discrepance between the ideals of »social software« and letting it depend on one centralized service. I have no problem with hosters that provide free/ad-financed blogs. As long as I can trackback them with my self-hosted blog-software, as long as they can link me and as long as I don't need an account at some companies service to comment them. With flickr, this is different. I cannot add pictures on someone else's flickr-group from my own web-gallery. All the »social« aspect of flickr are completely based on everyone having an account at yahoo. Same goes with del.icio.us.

If we really want »Web 2.0« to be something that has to do with more freedom, more control from us / the users / the single person on the net, we should provide alternatives to centralized services. Alternatives that are not based on »just another web-service«, but on decentralized open standards and (at least as a possibility) free software. A fine example how this works is jabber (as an alternative to the IM-chaos of ICQ/AIM/MSN).
An alternative to del.icio.us could work like the PGP-keyservers. An alternative to flickr would be interoperability-standards to the various web-galleries (coppermine, menalto gallery), maybe some function similar to trackbacks for collective albums. If that's the direction »Web 2.0« goes, I'm really looking foward to »Web 3.0«. If »Web 2.0« means monopolies of Yahoo, Google and Microsoft, then it's not »MyWeb 2.0«.

From the ffmpeg-list:
>>> Java is rumored to be platform-independent.
>> Highly overhyped rumor, it actually runs on all platforms... that have a JVM.
> Right, both of them. :) Funny essay on the matter:
> http://web.ivy.net/~carton/academia/java_languageoftomorrow.html

And congratulations to the marketing guys of sun who managed to promote their product for years with something that just isn't true.

As the article some days ago about SHA1 got a lot of interest, I thought I'll write some more background info about this, especially for people thinking that collisions aren't a big problem.

Cryptographic hash functions are functions where you can put a string of any length and get a fixed-size result. E. g. with SHA1, you get 160 bit, with MD5 128 bit. The hash-function has to fulfill some requirements:
- It should be hard to get two strings with the same hash (collision-resistant).
- It should be hard to get a string to a given hash (one-way-function).
To be more precise: In an optimal case, hard means that it shouldn't be possible with all hardware on earth in the timeframe that your cryptography needs to be secure. Some examples where cryptographic hashes are used are shadown-passwords, digital signatures or verification of file downloads.

Xiaoyun Wang, chinese cryptographer and well known for her analysis of the SHA1 function, was not allowed to travel to the US to attend the Crypto conference starting today (via Bruce Schneier).

Too bad, because she discovered some new results on the attacks on SHA1, which reduce it to a complexity of 2^63 to generate a collission. Adi Shamir, well known cryptographer and one of the RSA-inventors, presented these results.
These news are important, because 2^63 is a complexity that can be broken with todays hardware if you invest enough money and time. This would be an interesting project for distributed computing, although I don't know if the attack can be implemented on common hardware (maybe someone with cryptographic experiences wants to comment if this is possible).

Too bad that most software devs have not noticed the recent results on hash-functions. Most of them still use MD5 (which has been broken about a year ago), SHA-1 is widely used. The GNU Coreutils don't have any tools for modern hash-functions, same goes with most programming languages (PHP, Python), while they implement some sort of md5sum or sha1sum, no sha256sum or whirlpoolsum at all.