> Why would anybody invest 110K into a collision? What is the practical use of it?
Suppose you are on the verge of completing a major sale to some large, nervous purchaser -- perhaps a major world military. This is a decent-sized but not huge sale: $2 billion, with profits of around $200 million. The other major competitor for this contract is built around Linux and your offering relies on a custom operating system.
Your head of sales thinks that the the purchasing agent seems particularly concerned about security issues with the operating system -- keeps asking questions like "So, can you document that your system is less vulnerable than some 'open source' system?". The head of sales makes a rough guess that a news story about vulnerabilities in Linux might sway the chance of winning the contract by around 5%.
So: that's $10 million in value to your company that might created by generating publicity about the vulnerability of Git so long as that publicity is generated at the right moment in time. What's the chance that 1% of that can be "found" to make it happen?
The thing is: $110,000 is actually a very SMALL amount of money, relative to the amounts of money that many influential people manage on a daily basis. The use doesn't have to be very practical for it to be well worth it.
Pathes in Linux are reviewed by multiple people before merging. Even if you create a collision and submit patch you cannot really do much without write access to repo. It is even more difficult because person merging path will not fast forward in most cases.
This attack still do not allow for inserting a arbitrary data in arbitrary places to make attack on Linux possible. Finally SHA1 in git also take size into consideration and make this attack even more expensive[2].
People should really chill out. There are cheaper attack vectors that collisions.
Notice that the attack I described does not require actually merging in the patch, it only requires that news stories be written about how there might be such a vulnerability.
I am NOT implying that it might not be hypothetical. I have absolutely no reason to believe that anything like this has been attempted. I'm just trying to point out that for many out there, $100K is chump change.
Suppose you are on the verge of completing a major sale to some large, nervous purchaser -- perhaps a major world military. This is a decent-sized but not huge sale: $2 billion, with profits of around $200 million. The other major competitor for this contract is built around Linux and your offering relies on a custom operating system.
Your head of sales thinks that the the purchasing agent seems particularly concerned about security issues with the operating system -- keeps asking questions like "So, can you document that your system is less vulnerable than some 'open source' system?". The head of sales makes a rough guess that a news story about vulnerabilities in Linux might sway the chance of winning the contract by around 5%.
So: that's $10 million in value to your company that might created by generating publicity about the vulnerability of Git so long as that publicity is generated at the right moment in time. What's the chance that 1% of that can be "found" to make it happen?
The thing is: $110,000 is actually a very SMALL amount of money, relative to the amounts of money that many influential people manage on a daily basis. The use doesn't have to be very practical for it to be well worth it.