MD5 is far from dangerous when combined with a file size check and compression.
Sure, you may be able to create a colliding file with a few weeks' computation. But is that colliding file going to be a valid zip/gzip/bzip2 file? And with the exact same size to the byte?
It's the ZIP that makes it trivial and negates the size checks. Ever heard of rarjpegs? That works for zip files too. You can place any kind of garbage in the beginning of the file and it will still be a valid zipfile. If your malicious payload is 1Mb size, you get the rest of the gigabyte for you to fill with hash-colliding garbage. That's 99% of the file. A hash collision attack is trivial in such conditions.
Excellent point, hadn't thought of that. While both gzip and bzip2 permit such data, they make it detectable; xz doesn't permit it, zip not only permits it but says nothing. So this is a valid hole for zips.
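A defender-side check for the ZIP point raised in the posts above, as an added example that is not part of the original thread: it measures how many bytes sit in front of the first local file header, which is exactly the space a ZIP reader ignores. The function names `leading_slack` and `still_opens` are made up for this example, the sample archive is constructed inline, and the parser assumes a single-disk, non-ZIP64 archive.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header

def leading_slack(data: bytes) -> int:
    """Bytes in front of the first local file header (0 = archive starts at byte 0)."""
    # The EOCD record is 22 bytes plus an optional comment of up to 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    # Readers find the central directory relative to the EOCD; any difference
    # from the recorded offset is data that was prepended to the archive.
    shift = (eocd - cd_size) - cd_offset
    if shift < 0:
        raise ValueError("inconsistent central directory offset")
    pos, first = eocd - cd_size, None
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory entry")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        first = local_off if first is None else min(first, local_off)
        pos += 46 + name_len + extra_len + comment_len
    if first is None:
        raise ValueError("archive has no entries")
    # Also covers archives whose offsets were rewritten to account for the prefix.
    return shift + first

def make_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample content\n")
    return buf.getvalue()

def still_opens(data: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip() is None

CLEAN = make_zip()                # constructed sample archive
PADDED = b"\x00" * 4096 + CLEAN   # constructed stand-in for filler in front of the archive

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("padded", PADDED)):
        print(name, "slack:", leading_slack(blob), "opens:", still_opens(blob))
```

A download verifier that rejects any archive with nonzero slack removes the free space the post describes, independent of which hash is used.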
There actually is a good demos pack but it's not very demanding and I can't figure out how to do a timedemo, there doesn't seem to be a way to do it without altering the code. There's no documented timedemo, only a GUI...
If anybody is willing to help change that, it's probably best to start off by posting to http://www.ogre3d.org/forums
I've checked out vegastrike and it looks ancient. I don't think anybody gives a damn how it performs nowadays. No timedemo support, of course.
a) it is just under livid development.
b) if you checked it out - how much time did you spend on playing it?
c) timedemo is just a mission to script :P
but hey, a bunch of 'benchmarks' all running basically the same engine (*quake) are really saying sooo much.
Besides, why is ut2004 never included? Yes, it is old. But it doesn't look half as bad as most of the *quake descendants used. And it would give a much more rounded picture.
What about the Unigine benchmarks? Why aren't they run?