ajgMD5

Questions about NeoBook PlugIns

Moderator: Neosoft Support

Postby Gaev » Thu Nov 10, 2005 5:41 pm

eric:
If correct, there may be some vulnerabilities in MD5 and the other cryptography methods mentioned in the article should be considered instead.
Thanks for the reference ... I read it ... and looks like the vulnerabilities are more to do with how the digest is used ... vs. the actual algorithm ... if you use a 16/32 byte digest ...

- on a 3 byte string, a brute force method will give you a match with just 999 tries
- on a multi-giga byte file, it is true that more than one combination of giga bytes will resolve to the same digest ... but the probability of someone making a malicious change to a file ... and hitting upon the same digest ... is astronomically rare !

Note that php sites commonly use logic of the form ...

If "MD5(Entered UserName/Password)" "=" "qjrth5676mfghhj"

... to validate users ... since php scripts can be easily read by others in shared environments, the actual authorized names/passwords can not be inline coded ... and I haven't heard of any cases of people reverse-engineering the digest strings ... so I feel pretty comfortable with the historical record.

Having said that, I think SHA-1 would be just as good as MD5 ... as long as it is a digest commonly deployable in the other platforms, there should be no problem.
Well, with all due respect to Al, I disagree. ...

Neosoftware is a known source that we trust. I would prefer that Neosoftware provide something like this. Yes, similar arguments can be made for other plugins, but with encryption that will clearly be used for this level of security the provider needs to be held to a higher standard.
... I couldn't have said it any better.

I too appreciate Aaron's contribution ... and in some situations, some developers will be comfortable deploying it ... but Alberto, you need to understand that "actions have consequences" ... as a group, the actions of "plug-in suppliers have been disappointing to say the least" ... they say "once bitten, twice shy" ... to which I add "twice bitten, be very very shy" ... especially when it comes to mission critical functionality ... and what could be more dear to a developer's heart than piracy prevention ?

There are a few other vendors of "application development products" ... and some of them cost a lot less than NeoBook ... but serious developers stick with NeoSoft because of its "exemplary track record of reliability, responsiveness and longevity" ... I have said this before ... once you include other components in your application, it is as weak as the weakest component ... and the track record of component suppliers is "no better than those of the other vendors".

Sure, some developers may be willing to take risks with their products ... but don't assume all will ... there is definitely a need to have critical solutions from NeoSoft ... without them, the value of NeoBook is diluted.

Also, further to my concerns about NOT implementing such functionality as a plug-in, here is a functional description of one of many spying/detecting utilities on the market that can report on activities between a program and its dll (and a plug-in is nothing but a dll) ...
Detailed API Information - For each API call made by an application, the following information is displayed:
- Process ID: A process identifier uniquely identifies the process throughout the system. The Process ID is valid until the process terminates.
- Process Name: Name of the process that made the API call
- API Called: API that was called
- Parameters: This includes a complete list of parameters that were passed to the API. The parameter list now includes the name of the parameter.
- Return Value: The return value of the API
- Status: Status is used to indicate whether the API call passed or failed
- GetLastError Code: If the Status of the API is FAILED, then this is the value of the calling thread's last-error code value
... armed with one of these utilities, your dll call is exposed ... including the secret stuff whose digest you were requesting ... using a dll call in this instance is like a homeowner putting up a "Monitored by XXX Tag" in his front door ... and then providing a blueprint of where all the sensors are located.

david:

Thanks for the clarity ... I agree ... and anything deployed in asp, php or perl scripts should be "kosher with the US government" ... as these are deployed across the planet ... and I have not seen any "notices of restriction".
It seems that this kind of implementation could be done by another developer who would stand behind his work. Either it conforms to the standard or it doesn't. If an implementation was done incorrectly, the developer could fix it.
... until we get to NeoBook v6 or Windows Next etc. ... anyone recall "ActiveX to Plug-In" ?
I don't think this is needed as part of the core of NB.
... see my comments about insecurity of deploying functionality via dll calls ... if something is important enough to be secured from prying eyes, it should IMO be part of NeoBook ... and from NeoSoft.
Gaev
 
Posts: 3717
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada
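
The point in the post above that the weakness lies in how the digest is used, as an added example that is not part of the original thread: a hard-coded unsalted MD5 comparison of the kind described, next to a salted, iterated check. The 3-digit secret, the function names and the iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import string
from itertools import product


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample: digest of a 3-digit secret, stored in the script the
# way the post describes (readable by anyone who can read the script).
STORED_MD5 = md5_hex("417")


def weak_check(entered: str) -> bool:
    """Unsalted, single-pass MD5 compare: the pattern from the post."""
    return md5_hex(entered) == STORED_MD5


def guesses_to_exhaust(stored_hex: str, alphabet: str = string.digits,
                       max_len: int = 3):
    """Audit helper: how many guesses does a stored digest withstand when
    the input space is small? Returns (recovered_input, tries)."""
    tries = 0
    for length in range(1, max_len + 1):
        for combo in product(alphabet, repeat=length):
            tries += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == stored_hex:
                return candidate, tries
    return None, tries


def make_record(secret: str, iterations: int = 200_000):
    """Hardened storage: random per-record salt plus an iterated KDF.
    The salt defeats precomputed tables; the iterations raise the cost of
    every guess. Neither adds entropy to a short secret."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return salt, iterations, derived


def hardened_check(entered: str, record) -> bool:
    salt, iterations, derived = record
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    print("weak_check('417'):", weak_check("417"))
    print("short input recovered:", guesses_to_exhaust(STORED_MD5))
    record = make_record("417")
    print("hardened_check('417'):", hardened_check("417", record))
```

The digest algorithm is not what fails in the weak form: the input space is 1,110 strings, so any fast unsalted hash falls the same way.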

Postby Neosoft Support » Fri Nov 11, 2005 12:25 pm

There are two different issues going on here.


Gaev, which of these are you interested in - detecting if downloaded files have been tampered with, encryption or both?

...as a group, the actions of "plug-in suppliers have been disappointing to say the least"...


I don't think it's fair to paint all plug-in developers, past, present and future, with the same broad brush. Many plug-in developers have donated their time and effort to the NeoBook community and ask nothing in return. Others ask for only a small fee in return for their work. Certainly, NeoBook is a better product because of plug-ins.

To say that I'm only going to use NeoSoft-created plug-ins sort of defeats the purpose of plug-ins in the first place. If your project is that critical, then you can easily avoid future disappointment by purchasing the source code! Then if you get in a jam, you can hire a programmer to fix the problem.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5593
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby rcohen » Fri Nov 11, 2005 12:43 pm

And may I point out please, that the actions of "plug-in suppliers" have mostly been brought on by disappointment. I'm not sure just how many realize this, but the support of plugin developers to date (that I've been able to see) has been left to a few dozen NB users. And while I fully understand WHY, it doesn't change the fact.

The real problem is this catch 22. Perhaps we should try to figure out how to solve this catch 22, rather than continuing to beat a dead horse?

Just my two cents.

rcohen
rcohen
 
Posts: 279
Joined: Sun Apr 03, 2005 7:29 pm
Location: The Smokey Mountains, Tn

Postby Gaev » Fri Nov 11, 2005 5:41 pm

Dave:
Gaev, which of these are you interested in - detecting if downloaded files have been tampered with, encryption or both?
A wise man (Confucius ?) once said that "a developer never asks a user if he wants A or B" because the answer will always be "Both !" :-)

I started this post talking about the (MD5) digest feature ... take a string, return its digest ... for deployment in applications that interact with data on the web ... so digests of names/passwords entered by users on NeoBook applications can be passed to scripts on a server ... without exposing the original values during transmission or by someone snooping at the script on the server.

Aaron introduced the plug-in in response ... and included the additional capability to obtain the digest of the contents of a file on the local disk ... to which someone enquired about its applicability ... and I responded about uses I had seen of such a feature.

Somewhere along the line, digest and encryption got intertwined ... and David Payer pointed out the differences.

The digest serves just one purpose ... to tell if the entered text is correct or not ... never tells you what the correct entered text should be !

Encryption/Decryption transform/reverse transform text based on a given key ... so you can get back to the original data ... but so can others ... because the code for such actions exists !

To answer your question ... I (personally) have no interest in functionality that determines if a file has been tampered with ... but deploying the digest of a Text String is very desirable ... and combining it with the ability to encrypt/decrypt Text Strings would help build a stronger defense mechanism ... and I would hope to see both available within NeoBook one day ... but limitations on resources being what they are, either one in the near future and the other in the not too distant future would be appreciated ... will find a way to work without "whatever is not-yet-available".
I don't think it's fair to paint all plug-in developers, past, present and future, with the same broad brush. Many plug-in developers have donated their time and effort to the NeoBook community and ask nothing in return. Others ask for only a small fee in return for their work. Certainly, NeoBook is a better product because of plug-ins.
Perhaps I should have been more pointed in my remarks.

I applaud all Freeware plug-in developers ... no matter what their level of performance ... and when you pay out $0, there is nothing to be disappointed about ... but if NeoSoft declines to offer functionality that competes with one of these plug-ins, it puts developers between a rock and a hard place.

And I apologise to the new crop of Plug-in developers who released products in the last year or so ... I have not tried your products and so my comments were not directed at you ... sorry, but after spending countless days trying to help make other plug-in products more appealing/successful, and then seeing them go AWOL time and again just becomes much too draining after a while.

My comment was directed primarily at Alberto ... I am frustrated to see that he fails to see things from the point of his clients ... projects started 18 months ago are still not as promised ... while other "products du jour" get announced ... sure, part of his (second) hiatus was health related ... but things weren't that different before/after this unfortunate event.

But he was not alone ... there were other disappointments ... unkept promises to fix/enhance products, discontinuing all further product development without notifying client base, lack of documentation, disappearing immediately after product release, failure to ever respond to product enquiries ... are other disappointments experienced to date.

To say that I'm only going to use NeoSoft-created plug-ins sort of defeats the purpose of plug-ins in the first place. If your project is that critical, then you can easily avoid future disappointment by purchasing the source code! Then if you get in a jam, you can hire a programmer to fix the problem.
1) assuming the source IS available in the first place
2) it would have to be of the "final" (promised) version of the plug-in ... need I say that some products are in that "promised" state for over a year or more ?
3) if the total cost of NeoBook plus plug-ins plus source plus additional cost of hiring a programmer ... no longer makes it the platform of choice, then we all lose.

And I am not saying that no one should use third party plug-ins ... each developer makes a decision on a project by project basis ... in fact, I am revisiting two of Hans-Peter's plug-ins for a (free) utility I am developing for another product.

But there are a few "mission critical" areas where there is no room for the additional risk introduced by using 3rd parties that have chosen to support the NeoBook platform ... sure VB and others have plug-in developers too ... but the critical mass of their user base has attracted the kind of developers that are able to make a profitable living from their offerings ... and are less likely to close shop and disappear due to disappointing sales ... there is safety in numbers.
Gaev
 
Posts: 3717
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada

Postby beno » Fri Nov 11, 2005 7:32 pm

Hi Gaev,

Your contributions to this forum always are a super source to the NeoBook community. And, somehow this is another type of plugin - knowledge and experience.

But I feel you are pushing a little bit far things on plugin developers.

Some ideas to share with you:

I applaud all Freeware plug-in developers ... no matter what their level of performance ... and when you pay out $0, there is nothing to be disappointed about ...


Come on, I'm surprised a serious and smart guy like you states this. A developer uses NeoBook and plugins if it meets the functionality he needs for his project. If these are free or real expensive this is out of main point when deploying projects.

From my own experience NeoBook has turned into a "free" development tool, calm down, "free" because it allows me to express my personal software projects and to offer powerful solutions to my clients. And "free" because if I do the calculations of the income I have made with it for the last years (5?, 7?, do not remember, I made an income with it since the DOS days), then the license cost is absolutely negligible, goes to zero NO kidding.

But going back to your message, as it has been stated in other threads the NB plugin market is in a real difficult situation, where no one is making profits, and my feeling that keep on pushing on these nice guys is too much.

A wise man (Confucius ?) once said that "a developer never asks a user if he wants A or B" because the answer will always be "Both !"


Mmmh, I guess Confucius never wrote his wisdom in VB or Delphi or Java, but you as a smart programmer can move freely in these environments and code your projects, some of them with the aid of plugins or libraries, and fulfill your project needs. In other words, my guess is that with NeoBook you will never have A and B at the same time, this is a MM authoring tool that we use to produce great software projects, but we as developers will never dream that ALL of our ideas and projects will be done with this tool exclusively. You do not play a guitar using only 1 string, even though you can fiddle and have a lot of fun with it.

You are free to express all your personal feelings on Alberto, we all know his projects went into a big delay and he also had a health problem. But come on, Alberto is a nice guy, who knows when he is going to complete all his projects and dreams. I have a lot of projects and dreams too, but I will find a way to make them happen and not keep blaming on this guy as the cause that these never happened. My guitar has 6 strings and there are other musical instruments to play with too.

I invite all the NeoFriends to support the 3rd party plugin development. For me it makes no big difference in my budget if I can buy a plugin and support a nice developer who is trying to share with us his freedom in creating software and at the same time making an income to enjoy life with his family or spend some hours playing his/her guitar (piano, mandolin, sax, citar, whistle, ...) .. I have acquired LOTS of plugins and I'm happy about this.

My cent

beno
beno
 
Posts: 678
Joined: Fri Apr 01, 2005 9:03 am
Location: México

Postby Gaev » Fri Nov 11, 2005 8:49 pm

beno:
A developer uses NeoBook and plugins if it meets the functionality he needs for his project. If these are free or real expensive this is out of main point when deploying projects.
You are right that the price of the plug-in is not important when deciding whether to deploy it in a project ... but we might have a different definition of "meets the functionality he needs for his project" ... you may not consider it as a requirement, but there are (business) applications where the most important "requirement" is "ongoing support" ... in turn, this means that the same is required from suppliers of ALL the components that make up this application.

Perhaps you mis-understood my comment ... which was in response to Dave ... where I was clarifying that "my disappointment with plug-in developers" was NOT at those that offer "free" plug-ins ... I applaud their contributions ... which benefit many developers ... and my point was that when people get something for nothing, they should not be disappointed with what they DO NOT get.

But no developer should be placed in a situation where this is the only choice ... and my point is that "a policy that NeoSoft does not compete with plug-ins of a similar nature" is fundamentally flawed ... and in the long run, detrimental to the growth of NeoBook's developer/user base.
the NB plugin market is in a real difficult situation, where no one is making profits, and my feeling that keep on pushing on these nice guys is too much.
I am not pushing any 3rd party supplier to do anything ... I am just requesting that NeoBook provide some core functionality in a package that encompasses "their usual high standard" ... and if Alberto (or others) just don't get the subtle hints that people are disappointed, then it's time to be blunt.
VB or Delphi or Java, but you as a smart programmer can move freely in these environments and code your projects, some of them with the aid of plugins or libraries, and fulfill your project needs.
There are tons of development platforms today ... one does not choose/change a platform lightly ... but one can not also stick with a platform that fails to meet some core requirements ... patience is not an endless commodity.
But come on, Alberto is a nice guy, who knows when he is going to complete all his projects and dreams. I have a lot of projects and dreams too, but I will find a way to make them happen and not keep blaming on this guy as the cause that these never happened.
As I mentioned in my earlier post, my disappointment is not limited to Alberto ... but he seems to be the only one who keeps interjecting about his plug-ins ... the other disappointees are "conspicuous by their absence".
I have acquired LOTS of plugins and I'm happy about this.
Good for you ... just don't limit my choices when it comes to core functionality.
Gaev
 
Posts: 3717
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada

Postby beno » Fri Nov 11, 2005 9:46 pm

Hi Gaev,

I'm respectful about your ideas and really appreciate them. But obviously we have different points of view.

And this last idea is the one I like to emphasize on.

Software development is a creative activity and in order to be successful it requires freedom and diversity, as other human activities.

NeoBook, as other software tools, must keep growing as powerful development environment option (which actually is) spiced/enhanced by the creativity and wisdom of other plugin/visioners/developers. This diversity, if encouraged, will guarantee a longevous permanence.

In other words, let's say Dave experiments a "M$ style nightmare" and tomorrow he decides that all the possible actions will be added to NB by NeoSoft ... this will take NB into a narrow perspective and narrow will be the future too. ... (Sorry Dave, I'm just neuronstorming and surely do not want to disturb your dreams...:) ). My idea is that nature has shown us that diversity is great and its a viable way to success.

Finally, my intention is not to argue. We have different points of view and this is the interesting point.

Saludos,

beno
beno
 
Posts: 678
Joined: Fri Apr 01, 2005 9:03 am
Location: México

Postby reynoldlariza » Fri Nov 11, 2005 10:28 pm

Gaev wrote: while other "products du jour" get announced ... sure, part of his (second) hiatus was health related ...

ouch!, is that me? :oops: just curious :wink:
reynoldlariza
 
Posts: 70
Joined: Sat Apr 02, 2005 10:47 am
Location: Bacoor, Cavite Philippines 4102

Postby Gaev » Sat Nov 12, 2005 6:06 am

reynoldlariza:
ouch!, is that me? just curious
... No ... definitely not ...

a) I applaud you for your (free) contributions to the community ... I have not had reason to deploy any of your plug-ins but I am sure others will find it beneficial.

b) In my eyes, you are one of the victims of "the actions of your peers before you" ... by the time you came on the scene, I had had my share of disappointments with some of your peers ... so unlike before, I did not contact you with offers of help of any kind.

At the risk of repeating myself ... all I am asking is for some core/critical functionality to be offered by NeoSoft ... irrespective of whether a 3rd party solution exists or has been promised to exist some time in the future.


beno:
I'm respectful about your ideas and really appreciate them. But obviously we have different points of view.
The respect is mutual ... but from your responses, I don't believe you have understood my position ... I am not against 3rd party plug-ins per se ... and even for core/critical functions, 3rd parties are free (even encouraged) to offer solutions ... competition is a good thing ... just don't limit MY choice to 3rd party solutions.
Software development is a creative activity and in order to be successful it requires freedom and diversity, as other human activities.

NeoBook, as other software tools, must keep growing as powerful development environment option (which actually is) spiced/enhanced by the creativity and wisdom of other plugin/visioners/developers. This diversity, if encouraged, will guarantee a longevous permanence.
No argument there ... but diversity should also extend to degree of integration, continued compatibility and level of support for the functionality.
In other words, let's say Dave experiments a "M$ style nightmare" and tomorrow he decides that all the possible actions will be added to NB by NeoSoft
Doesn't look like you have read my previous posts ... I truly believe in the plug-in model ... I used to like early versions of Delphi and VB ... until they became multi megabyte bloated pieces of software ... database, grid, image manipulation, interfaces with other languages/software, functions of interest to a minority of users are all excellent candidates for plug-ins ... when it comes to security related issues, it is definitely not a good idea ... as the plug-in (dll) model is less secure (from snoopers) than embedded commands.
Finally, my intention is not to argue. We have different points of view and this is the interesting point.
Nor mine ... just to set the record straight on where I stand.
Gaev
 
Posts: 3717
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada

Postby beno » Sat Nov 12, 2005 5:22 pm

Hi Gaev,

... just don't limit MY choice to 3rd party solutions.


Ok, understood.

Let's wait and see what Dave and NeoSoft plans to offer ... hopefully they surprise us... who knows....

saludos,

beno
beno
 
Posts: 678
Joined: Fri Apr 01, 2005 9:03 am
Location: México

MD5 broken in 45 minutes

Postby edunaway » Tue Nov 15, 2005 2:42 pm

I saw this today. Providing merely as an FYI...

IT: MD5 Collision Source Code Released
November 15, @04:16PM
http://it.slashdot.org/it/05/11/15/2037 ... 93&tid=228
The crypto world was shaken to its roots last year with the announcement of a new algorithm to find collisions in the still widely-used MD5 hash algorithm. Despite considerable work and commentary since then, no source code for finding such collisions has been published. Until today! Patrick Stach has announced the availability of his source code for finding MD5 collisions and MD4 collisions (Coral cache links provided to prevent slashdotting). MD4 collisions can be found in a few seconds (but nobody uses that any more), while MD5 collisions (still being used!) take 45 minutes on a 1.6 GHz P4. At last we will be able to implement various attacks which have been purely hypothetical until now. This more than anything should be the final stake in the heart of MD5, now that anyone can generate collisions whenever they want."
edunaway
 
Posts: 88
Joined: Wed May 04, 2005 9:17 am

Postby Gaev » Tue Nov 15, 2005 6:22 pm

eric:

In the same f.y.i. spirit ... I did some googling and came up with this informative web page ...
http://www.cryptography.com/cnews/hash.html ... which explains a lot of the jargon ... and in particular the implications of the announcement of a new algorithm to find collisions in the still widely-used MD5 hash algorithm.

To put it in layman's terms ...

a) it was never a secret that if you take a multi-megabyte sized text (as in the contents of a file) and come up with a 16/32 byte value, more than one different text string will hash to the same digest string.

After all, using a purely numeric string as an example, if you had a 6 digit string (i.e. one million different possibilities) hashed to a 2 digit digest (100 different possibilities), you are bound to have multiple original strings hash to the same digest.

In crypto jargon, this is known as collisions.

b) so far, the key question has been "what are the two or more strings that hash to the same digest" ? ... armed with the recent algorithms ... after about 50 hours of computing loops ... one can come up with pairs of such "colliding strings".

But they do NOT enable one to take a "digest" and "reverse-hash" it to obtain the original string(s) ... they do not even enable one to determine, from a given original string and its corresponding hash, what other "matching string" will hash to the same "digest".

c) so, in the context of its intended use (i.e. compare the digest derived from some user entered text to a pre-coded value), this algorithm does NOT make them any more vulnerable.

I am not familiar with the exact manner of use of digests in Digital Signatures, Certificates, SSL etc. ... but the document above points to some vulnerabilities in the use of digests in such contexts.

To quote from the referenced web page ...
A preimage attack would enable someone to find an input message that causes a hash function to produce a particular output. In contrast, a collision attack finds two messages with the same hash, but the attacker can't pick what the hash will be. The attacks announced at CRYPTO 2004 are collision attacks, not preimage attacks.
... And no one has come up with an algorithm to mount a successful preimage attack ... yet !

Having said that, being able to deploy either MD5 or SHA-1 digests in NeoBook would be just as fine ... as both appear to be widely deployed in other platforms.
Gaev
 
Posts: 3717
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada
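
The difference between a collision and a second preimage described in the post above, as an added example that is not part of the original thread. MD5 is truncated to a constructed 16-bit toy digest so that both generic searches finish in seconds; the message names and the sample string are assumptions, and this is plain exhaustive search, not the CRYPTO 2004 technique.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption for the demo; real MD5 is 128 bits)


def toy_digest(msg: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(msg) as an integer."""
    full = int.from_bytes(hashlib.md5(msg).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int = BITS):
    """Collision: ANY two distinct messages with the same digest.
    The searcher does not get to choose what that digest is.
    Pigeonhole guarantees success within 2**bits + 1 distinct messages;
    the birthday effect makes it far sooner in practice."""
    seen = {}
    for tries in count(1):
        msg = b"msg-%d" % tries
        d = toy_digest(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg


def find_second_preimage(original: bytes, bits: int = BITS,
                         limit: int = 5_000_000):
    """Second preimage: a different message matching ONE GIVEN digest.
    Each guess succeeds with probability 2**-bits, so the expected work
    is about 2**bits guesses rather than about 2**(bits/2)."""
    target = toy_digest(original, bits)
    for tries in range(1, limit + 1):
        msg = b"try-%d" % tries
        if msg != original and toy_digest(msg, bits) == target:
            return msg, tries
    return None, limit


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print("collision after", n_coll, "messages:", a, b)
    original = b"entered-user-text"  # constructed sample input
    m, n_pre = find_second_preimage(original)
    print("second preimage after", n_pre, "guesses:", m)
    print("generic cost at 128 bits: about 2**64 vs 2**128 guesses")
```

Shrinking the digest makes both searches feasible, but the gap between them stays: the collision search scales with the square root of the digest space, the search against a fixed digest with the whole space.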

Postby Aaron » Tue Sep 05, 2006 5:59 pm

Here is the source code of this plugin:

http://es.geocities.com/neobook05/ajgMD ... ceCode.zip

It uses a Delphi component called MD5. I added that component in the ZIP.
Aaron
 
Posts: 13
Joined: Fri Apr 01, 2005 7:16 am
Location: Spain

Postby smartmedia » Tue Jun 29, 2010 11:52 am

Hi..

I am trying to find this plugin. Does anyone have it..???
Thanks
smartmedia
 
Posts: 889
Joined: Fri Apr 01, 2005 6:50 am
Location: Hellas

Postby Neosoft Support » Wed Jun 30, 2010 10:21 am

This is a very old plug-in. You could try emailing the author - maybe his email still works.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5593
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA
