by ElFitz 1774 days ago
Quite funnily and disturbingly, one of the databases of "known CSAM" hashes also apparently includes a picture of a clothed man holding a monkey[1].

[1]: https://www.hackerfactor.com/blog/index.php?/archives/929-On...

That was just an MD5 collision - an image that has the same MD5 hash as some other image (in this case some CP). This is an uncommon yet possible thing - see this example[0].

[0] https://natmchugh.blogspot.com/2014/11/three-way-md5-collisi...

I think a flawed process where the monkey image ended up in the database is more likely than a random unintentional hash collision.

Not really. MD5 is thoroughly and completely broken, and has been for years. You can modify an image to be an MD5 collision for another image.

No you cannot. A collision requires the attacker to create both images.

What you are describing is a second preimage attack-- creating a second input with the same hash as a target.

There is no currently known tractable way to create second preimages for MD5.

Yeah, vaguely talking about MD5 as "broken" is common and misleading. There are very particular known attacks.

Obviously nobody should be using MD5, but it can be useful to understand there are circumstances where it's basically reliable unless you have an extremely sophisticated attacker.

That would be an intentional collision. An unintentional collision remains unlikely for a cryptographic hash.

Not just unlikely but astronomically unlikely.

Yes, hash collisions definitely occur. There is no such thing as collision-free hashes, and MD5 is definitely broken.

Even though the author says they were 3 million MD5 hashes the second time, the first time he calls them SHA1 and MD5 hashes (even though SHA1 is considered weak too).

I wonder what kind of hashes Apple is planning to use. Will it be whatever is made available to them or will they only accept (what is now considered) secure standards?
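
An added example (not code from any commenter or from the linked posts) for the two distinctions argued in this thread: collision versus second preimage, and intentional versus accidental collision. It uses MD5 truncated to a few bits as a toy hash so that generic brute force finishes quickly; it shows only the generic cost gap between the two searches, not the structural MD5 collision attacks the linked post relies on. The function names and sample inputs are constructed for illustration, and the 3 million figure is the database size mentioned in the thread.

```python
import hashlib
import itertools
import math

def toy_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of MD5: a deliberately weakened stand-in hash."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)

def find_collision(bits: int):
    """Birthday search: the searcher picks BOTH inputs (~2^(bits/2) tries)."""
    seen = {}
    for i in itertools.count():
        msg = b"free-choice-%d" % i
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def find_second_preimage(target: bytes, bits: int):
    """Match the hash of a FIXED input chosen by someone else (~2^bits tries)."""
    wanted = toy_hash(target, bits)
    for i in itertools.count():
        msg = b"candidate-%d" % i
        if toy_hash(msg, bits) == wanted:
            return msg, i + 1

def accidental_collision_probability(n_items: int, bits: int) -> float:
    """Birthday approximation: 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-n_items * (n_items - 1) / 2 ** (bits + 1))

if __name__ == "__main__":
    bits = 20  # toy size; the real digest is 128 bits
    a, b, tries = find_collision(bits)
    print(f"collision after {tries} hashes: {a!r} / {b!r}")
    m, tries = find_second_preimage(b"constructed target bytes", bits)
    print(f"second preimage after {tries} hashes: {m!r}")
    p = accidental_collision_probability(3_000_000, 128)
    print(f"3,000,000 random 128-bit hashes: P(any collision) ~ {p:.2e}")
```
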