If you don't know, then you aren't the target audience.

But there are two applications: the first is breaking in to a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.

> If you don't know, then you aren't the target audience.

If you do know, then you also know md5 being broken is really really old news.

Seriously. Cryptographers have been warning that md5 seems weak since 1996. There are probably people reading this thread who weren't even alive yet. (It got totally broken in 2004 but the warning signs were way earlier).

Someone with more karma motivation could post this as a top level story, but Plex offers to validate their Debian public key via MD5: https://support.plex.tv/articles/235974187-enable-repository...

Such security! Much wow!

While this is a bad idea, as far as i know its secure since nobody has broken md5 second preimage.

> system under some very obscure set of circumstances that you are very unlikely to encounter in the real world.

Is there any way to use HN karma? Like, can I sell my account on some shady exchange like people sell big twitter accounts? And if I can, what's the going rate for internet points these days? Asking for an unscrupulous friend.

> Is there any way to use HN karma?

Nothing other than vanity AFAIK.

It's actually a bit of a scam because karma accumulates and never expires. I've been on the leaderboard for a long time, not because I'm making particularly valuable contributions (I only post a few times a week) but just because I've been on HN since it launched.

After, sometimes, the initial scanning, the security and AV industry deals with file hashes, not actual files. This means that if you wrote a legitimate, harmful program, and a malicious version with the same hash, you would be able to troll the security rolls in many cases. Basically, those two files would look the same to the security program.

The thing that makes this blog post not realistic is:

* Such tricks would make much more sense with normal programs, where you're trying to trick an user to download and execute it. Webshells are downloaded by the attacker knowingly.

* Md5 is not used anymore (although I know security vendors who used it for embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.

But it's still a fun PoC.

Because there's unlikely to be a use case

The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

Your source described wp_hash_password(), not wp_hash().

As the OP article/PoC is about hashing uploaded files, not passwords btw, I think you should read it again.

Because as I pointed out, wp_hash() is used to check against uploaded files.

Oh, and source: https://developer.wordpress.org/reference/functions/wp_hash/

And as I cannot resist quoting you for trying to smartass while literally not having read the source code the PoC was about:

> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

This is not related to password hashing.,.

Literally in this "article"

>Can use it bypass some cached webshell detections.

> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone.

The amount of sweet, sweet irony displayed here will make me diabetic. Did you read the article at all? Salting? What are you on about?

Honestly, it feels that some HN commenters are LLMs instructed to defend a given entity.