Dr. Dobb's Journal November, 2004
A trio of grants have been established in support of open-source tools and projects:
Researchers have identified weaknesses in commonly used hash algorithms, including MD5, SHA-0, and potentially SHA-1. These algorithms take messages of any length (up to a large set boundary) and return hash values of a fixed size. The security of the hash lies in its one-way property (the original message must not be retrievable from the hash value) and its uniqueness: Each hash value must correspond to one and only one message. Cryptographers refer to a situation where two different messages hash to the same value as a "collision."
Eli Biham and Rafi Chen, of the Israel Institute of Technology, have found two near-collisions of the full compression function of SHA-0 (see http://www.cs.technion.ac.il/~biham/publications.html). Also, Antoine Joux of France's DCSSI Crypto Lab has extended Biham and Chen's technique to find an exact collision in SHA-0.
The SHA-0 algorithm, introduced by the NSA in 1993, is known to be insecure; in 1995 the NSA published SHA-1, citing a weakness in SHA-0, which it did not disclose. However, Biham and Chen have indicated that "Our new improvements also allowed us to analyze reduced variants of SHA-1...[although] at the current state of research, our attacks are not expected to break the full SHA-1." SHA-1 is widely used in encryption programs such as PGP, and is also used in the SSL protocol.
The MD5 algorithm has taken a beating as well, with researchers from Shandong University, Shanghai Jiaotong University, and the Chinese Academy of Sciences announcing they have developed a technique for rapidly finding "many real collisions" in MD5. MD5 was designed by Ron Rivest in 1992, and is used to guarantee data integrity by the Apache web server, Sun's Solaris Fingerprint Database, and EMC's Centera content-addressed storage system. For more information, see http://www.iacr.org/conferences/crypto2004/.
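The definition of a collision given above can be seen directly on a deliberately shortened hash. This is an added example, not code from the article or from the researchers it cites: it keeps only the top 16, 24, or 32 bits of SHA-1 and runs a generic birthday search over constructed messages, which finds two different inputs with the same value after roughly 2^(bits/2) tries. The function names and the message prefix are assumptions made for the illustration.

```python
import hashlib
from itertools import count


def truncated_sha1(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(message), as an integer (a toy short hash)."""
    digest = hashlib.sha1(message).digest()      # always 20 bytes (160 bits)
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-message-"):
    """Birthday search over distinct constructed messages.

    Returns (msg_a, msg_b, shared_value, attempts) where msg_a != msg_b
    but both have the same truncated hash.
    """
    seen = {}                                    # truncated hash -> first message
    for i in count():
        msg = prefix + str(i).encode()
        value = truncated_sha1(msg, bits)
        if value in seen:
            return seen[value], msg, value, i + 1
        seen[value] = msg


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, value, attempts = find_collision(bits)
        print(f"{bits}-bit hash: {a!r} and {b!r} -> {value:#x} "
              f"after {attempts} messages (2^{bits // 2} = {2 ** (bits // 2)})")
        # The full 160-bit digests still differ:
        assert hashlib.sha1(a).digest() != hashlib.sha1(b).digest()
```

Because inputs are unbounded and the output is a fixed size, collisions always exist; a hash is considered sound only while finding one costs about as much as this generic search does at the full output length.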
The warrior king of the Scandinavian epic Beowulf ruled his people for 50 years; the open-source clustering technology that shares his name hasn't endured quite so long, but it's 10 years old this summer. Donald Becker and Thomas Sterling began working on the idea of powerful clusters built from off-the-shelf hardware in late 1993; the next year, under the auspices of NASA's High Performance Computing & Communications for Earth & Space Sciences (HPCC/ESS) project, they began to build the first Beowulf cluster. As Becker was at the time working on some of the first network code for Linux, the developers chose to make the clustering software an open-source project.
The first Beowulf prototype, costing about $40,000, was built of 16 66-MHz 486 DX4 processors connected by 10-Mbps channel-bonded Ethernet. It was dedicated to Earth & Space Sciences problems with large datasets. By 1996, both NASA and the Department of Energy had built Beowulf clusters capable of a gigaflop/sec performance for less than $100,000 each. Now clustered systems are the most common architecture in high-performance computing: 291 of the top 500 supercomputers in the world are clusters. For a history of the Beowulf project, see http://www.beowulf.org/overview/history.html.
Winners of the 17th annual International Obfuscated C Code Contest have been announced. They include the following: Best of Show goes to Gavin Barraclough for his Mini-OS; Best One-Liner goes to Eryk Kopczynski for OCR of 8, 9, 10, and 11; Best Utility goes to Don Yang for his CRC inserter; Best Non-Use of Curses goes to Mark Schnitzius for his Editor animation; Best X11 Game and Best Abuse of CPP goes to Daniel Vik for his X Windows car racing game and his "Calculates prime numbers using only CPP," respectively; Best Calculated Risk goes to Brent Burley for a Poker game; Best use of Vision goes to Nick Johnson for his Curses maze displayer/navigator with only line-of-sight visibility; Best Font Engine goes to Jeff Newbern; Most Functional Output goes to Jonathan Hoyle for his Curses-based polynomial graphing with auto-scale; Best use of Light and Spheres goes to Anders Gavare for a ray tracer; Best Abuse of Indentation goes to Stephen Sykes for Space/tab/linefeed steganography; Best Abuse of the Guidelines goes to Anthony Howe for a CGI-capable HTTP server; and Best Abuse of the Periodic Table goes to John Dalbec for his Conway's look'n'say sequence split into elements. For more information, including source code, see http://www0.us.ioccc.org/whowon.html.