undefined | Better HN

0 pointsspangry9y ago0 comments

Using md5 is only a problem here if someone has actually gained access to your files and then gone to the trouble of secretly adding new files and calculating/brute-forcing the correct 'chosen-prefixes' to ensure a clash. It would be a pretty weird attack to mount, that's for sure.

md5 is fine for deduplicating. It's extremely improbable you'd 'organically' get a md5 hash clash for two different files.

0 comments

kardos9y ago

If you had a copy of the two image files from my second link, this 'dupe detector' would erroneously flag one as a dupe.

Also, what of truncating the hashes?

I don't get why people try to justify using severely weakened things when using the non-broken (ie, secure) version is a /trivial/ drop in replacement...

spangryOP9y ago

I'm not trying to justify anything. I'm just trying to suggest you're labouring under a misapprehension. And this has nothing to do with security. I'm guessing you've heard the (good) advice that md5 is not a secure hashing function for, say, storing passwords, and then promptly joined the 'md5 is bad for all the things' cargo cult.

So while you're correct about the two images on that blog, the only reason why you'd get a clash is because the author of that blog post spent ~15 hours on an AWS GPU instance to generate the correct prefixes which, when appended to those files, results in a clash.

So, I guess if you are in the habit of grabbing random files from your hdd, loading them on to an AWS GPU instance for 15 hours (per file) and generating hash collisions, then yeah, don't use fdupes.

kardos9y ago

fdupes is not a problem assuming wikipedia's description [1] is correct: "It first compares file sizes, partial MD5 signatures, full MD5 signatures, and then performs a byte-by-byte comparison for verification."

I was unimpressed by the md5 used in the shell script at the original link, which is using a truncated md5...

[1] https://en.wikipedia.org/wiki/Fdupes

1 more reply

j / k navigate · click thread line to collapse

0 pointsspangry9y ago0 comments

md5 is fine for deduplicating. It's extremely improbable you'd 'organically' get a md5 hash clash for two different files.

0 comments

kardos9y ago

If you had a copy of the two image files from my second link, this 'dupe detector' would erroneously flag one as a dupe.

Also, what of truncating the hashes?

I don't get why people try to justify using severely weakened things when using the non-broken (ie, secure) version is a /trivial/ drop in replacement...

spangryOP9y ago

So, I guess if you are in the habit of grabbing random files from your hdd, loading them on to an AWS GPU instance for 15 hours (per file) and generating hash collisions, then yeah, don't use fdupes.

kardos9y ago

I was unimpressed by the md5 used in the shell script at the original link, which is using a truncated md5...

[1] https://en.wikipedia.org/wiki/Fdupes

1 more reply

j / k navigate · click thread line to collapse