How Film-Based Cameras Work, Explained

We’ve become reliant on digital cameras since they are so easy to use. But have you ever wondered how film-based photography works? Read on to increase your photographic knowledge—or to develop a new appreciation for your point and click camera.
Film-based cameras, to some, are a relic of the past. Simply an old technology made obsolete by the new and improved. But to many, film is an artisan’s material, and a photographic experience no digital system could hope to ever recreate. While many photographers, professional and amateur, will swear by the quality of either film-based or digital cameras—the fact remains that film is still a valid way to take great photographs, and a fascinating way to learn more about how photography works.


Photography Recap: Light, Lenses, and The Elements of Exposure

We’ve covered the basics (and then some) on how cameras work before, but for readers starting here (or those readers wanting a refresher), we’ll start with a tour of the basics. Cameras are, in theory, fairly simple. Modern cameras and lenses have had so many years of improvements in technology that it may seem ridiculous to call them simple, even if they use photographic film instead of incredibly advanced modern light sensors. However, despite all of these advances, all cameras have one reasonably simple goal: gathering, focusing, and limiting the amount of light that reaches some sort of light sensitive material.

Cameras are all about capturing and recording an instant of time by creating some sort of chemical or electric reaction with the photons (light particles) beaming down or bouncing around in any given photographic moment. These instants of captured light are called exposures, and are controlled by three major variables known as the elements of exposure: aperture, length of exposure, and light sensitivity. Aperture refers to the amount of light blocked or allowed in by a mechanical diaphragm inside the camera’s lens. The larger the number on an aperture setting, the smaller the fraction of light allowed to reach the sensor. Length of exposure is calculated in seconds or fractions of a second; usually this is called shutter speed, and controls how long light sensitive materials are exposed to the light.

Light sensitivity, like it sounds, is how sensitive to light the photo sensitive material inside the camera actually is. Does it take a little bit of light, or a lot to create the perfect exposure? This is sometimes referred to as the “speed” of the film used. “Faster” films can capture images with less light, therefore creating proper exposures in much smaller fractions of a second. “Slower” film requires more light, and therefore longer exposure settings. Light sensitivity, often referred to as ISO, is a significant starting point, because it’s one of the first things a film photographer has to consider, while it is often an afterthought for digital photographers.

Film Sensitivity versus Light Sensors Sensitivity

Digital cameras have settings for light sensitivity. These settings, often known as ISO, are numerical settings occurring in full stop values of 50, 100, 200, 400, 800, etc. Lower numbers are less sensitive to light, but allow for better detail without a lot of grain appearing in the shot.

Film cameras have an ISO standard that is very similar to the digital camera ISO settings—in fact digital cameras use a standard based on the film sensitivity standards. Film photographers would have to plan in advance the sort of light environment they were planning on working in, and choose a reel of film sensitized to work for various ISO standard light conditions. A high ISO film setting of 800 or 1600 would be good for photographing in lower light environments, or fast-moving objects using fast shutter speeds. Lower ISO films were those usually used in bright, sunlit environments. Photographers would have to work in whole reels of the stuff; there was no adjusting ISO on the fly if light conditions changed. If you couldn’t achieve a shot by changing your other elements of exposure, you’d likely not get the shot. Changing ISO meant changing a whole reel of 35mm film, as opposed to today, where it simply means pushing a few buttons.

Latent Exposures and Light Sensitivity

So, yes, we have established that there are various films with various levels of sensitivity to light. But why and how are these films sensitive to light in the first place? The film, in and of itself, is pretty basic. It can be thought of as a transparent carrier for light sensitive chemistry, which is applied in microscopically thin sheets over this carrier spaced out over long rolls, or various other film media. (35mm is far from the only photographic format, although they are all very similar.)
In both color and black and white film, layers of chemistry (often silver halides) that react to light are exposed to create a “latent image.” These latent images can be thought of as pictures that have already been chemically activated, although if you looked at them, there would be no visible evidence that the exposures have been created. Latent images, once exposed, are brought to life through a developing process that takes place in the darkroom.

Darkrooms: Creating Images with Chemistry

Because film cameras can only create these latent images, films that have been exposed go through a process called “developing.” Developing film, for most, meant dropping off rolls of 35mm film, and getting back prints and negatives. However, there are two whole developing steps between the film drop off stage and the print stage. Let’s briefly take a look at how film is developed.
Photo films, even after being exposed, are still in a state of light sensitivity. Taking bare film out into an environment with any light in it will ruin any and all exposures, as well as making the film completely unusable. To work around this, films are developed in what is known as a “darkroom.” Darkrooms, unlike what you might expect, are usually not completely dark, but are lit with filtered light that films aren’t as sensitive to, allowing developers to see. A lot of films, black and white in particular, are not as sensitive to yellow, red or orange lights, so darkrooms will have colored light bulbs or simple translucent filters that fill otherwise dark rooms with tinted colored light.
Edit: Films are actually developed in complete darkness in film tanks, as they are sensitive to the whole spectrum of light. Photo papers are usually less sensitive to certain parts of the spectrum and are developed in the darkroom.

Color and black and white films use different chemistry and methods, but they employ basically the same principles. Exposed films (both color and black and white) are put in baths of chemistry that chemically change the microscopic bits of treated film (“grains” of photosensitive silver halide, etc). With black and white film, those areas exposed to the most light harden so that they do not wash away, while the darkest areas exposed to the least light wash away to transparent film. This creates the signature “negative” look, with light colors swapped to black and dark areas swapped to clear transparency. Once the film is developed in this first bath, it is quickly rinsed in a “stop bath,” usually just water. The third bath is a chemical “fixer” that arrests the developing process, deactivating the chemistry on the films, freezing the developed film at its current state. Unfixed film can continue to develop without being stopped fully with a bath of chemical fixer, changing the image over time. Chemical fixer is a fairly hazardous chemical, and usually negatives are washed in another basic bath of water after fixing and dried.
Color films undergo a similar developing process. In order to create full color images, negatives have to be created that produce the three primary colors of light: red, green and blue. Negatives of these colors are created using another set of familiar primary colors: cyan, magenta, and yellow. Blue light is exposed on a yellow layer, while red is exposed to a cyan layer, and green to a magenta. Each layer is tuned to be sensitive primarily to photons of specific wavelengths (colors). Once exposed, latent images are developed, stopped, washed, fixed, and washed again in much the same way black and white film is developed.

Back to the Darkroom: Printing with Film Negatives

We’re not out of the dark yet; in order to turn a film negative into a print, more photo sensitive materials have to be bought, this time for printing. Unlike modern digital photography which is handled by digital printers, film-based printing is more or less repeating the same photographic process over again to create a true color image from a photo negative. Let’s take a quick look at what it takes to create a single film-based photographic print.
Film-based prints are all done on special sensitized, chemically treated papers that are sort of similar to photographic film. At a glance, they look and feel a lot like inkjet photo paper. One obvious difference in the two is that inkjet photo paper can be taken into the light—photo sensitive paper for film prints has to be worked with in the darkroom.

Prints can be made either by placing strips of film directly onto photo sensitive paper (ever heard the term contact sheet?) or by using an enlarger, which is basically a sort of projector that can cast light through negatives to create enlarged images. Either way, the photo paper is exposed to light, with the film blocking parts of the light and exposing others, and, in the case of color film, changing the wavelength (color) of the white light of the exposure.

From there, the photo paper has its own latent image, and is developed in more or less the same manner as films, as the chemistry is somewhat similar. The only difference is that black and white/colored tones appear from the exposure when they are developed, while films are washed away to transparency when the exposed parts are developed. This is the major difference between images in photo paper and on films—photo paper gives you your finalized, naturalistic image.

Creating Rich Images with Film Based Processes

Having had years to develop techniques, new chemistry, and technology, photographers have gotten very skilled at creating dynamic and rich imagery with these processes—most of which may seem almost needlessly complicated to modern point-and-shoot style photographers. These image making techniques, in the hands of skilled printers and developers, could create rich, amazing images, as well as compensating for loads of problems encountered while shooting. Did you overexpose your shots? Try underexposing your film. Is the detail in your highlights washed out and thin? Make like Ansel Adams, and dodge and burn to create better highlights and shadows.
Film photographers may have a complex, challenging method compared to shooting with digital cameras and printing from Photoshop. However, there are some artists that will likely never give up film, or perhaps those that will never work exclusively in digital. Film, with all its challenges, still offers artists all the tools and methods they need to create great, high-quality photographic work. Film also provides photographers the tools to resolve more detail than all but the most advanced, high resolution digital cameras. So, for the moment, film still lingers on as a valid, rich medium for photography.

Image Credits: Film Camera by e20ci, available under Creative Commons. New DSLR by Marcel030NL, available under Creative Commons. Film Cans By Rubin 110, available under Creative Commons. Kodak Kodachrome 64 by Whiskeygonebad, available under Creative Commons. Bathroom Darkroom By Jukka Vuokko, available under Creative Commons.  Darkroom BW by JanneM, available under Creative Commons. DIY Darkroom By Matt Kowal, available under Creative Commons. Contact Sheet One by GIRLintheCAFE, available under Creative Commons. Darkroom Prints By Jim O’Connell, available under Creative Commons.

Android Nougat’s “Seamless Updates”, Explained

In all generations of Android devices—up to and including Marshmallow—operating system updates have essentially worked the same way: the update is downloaded, the phone reboots, and the update is applied. During this time, the phone is rendered useless, at least until the update has been fully installed. With Nougat’s new “Seamless Updates,” this model is a thing of the past.


How Updates Have Changed in Android 7.0 Nougat

Google has taken a page from their own Chrome OS for the new update method. Chromebooks have effectively always worked like this: the update downloads in the background, then prompts the user that a reboot is needed to finish the installation process. One quick reboot later, and the update is complete—no waiting for the update to install, no “optimizing,” or any of that other stuff that seems to take ages. It’s quick, easy, and most of all, doesn’t have an unreasonable amount of downtime.
Starting with Android 7.0, this is the direction Android updates are going. It’s worth mentioning here that this will not apply to devices updated to Nougat, only those that ship with the software. The reason for this is perfectly logical: this new update method will require two system partitions in order to work, and pretty much all current Android phones only have one. Re-partitioning the device on the fly could be potentially catastrophic (and likely would be in many scenarios), so Google’s decision to leave it alone on current generation phones is respectable, albeit a bummer.
It works a little something like this: there’s an active system partition and a dormant partition, which are mirror images of each other. When an OTA update becomes available, the active partition downloads it, and then updates the dormant partition. One reboot later, the dormant partition becomes active, and the formerly-active partition becomes dormant, thus applying the updated software.
Not only does this make the entire update process immeasurably faster, but it also serves as a sort of backup system. Should something go awry with the update, the system can detect that there’s an error while booting, and simply flip back to the unaffected system partition. Upon reboot, it can then ping the download servers once more, re-apply the update, and reboot again to complete the process. Compared to how catastrophic update failures are handled in the current system—which requires a lot of user interaction, Android development tools, and familiarity with the command line—the dual-partition method is simply better.
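
The active/dormant flip and the fall-back on a failed boot, as an added example that is not part of the original article and is not Android's own code: a small Python model of a two-slot device. The class and field names, the three-attempt retry budget, and the version strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Slot:
    name: str
    version: str
    bootable: bool = True
    tries_remaining: int = 0  # boot attempts left for a not-yet-verified slot


class ABDevice:
    MAX_TRIES = 3  # assumed retry budget, chosen for this example

    def __init__(self, version: str) -> None:
        # Both system partitions start out as mirror images of each other.
        self.slots: Dict[str, Slot] = {n: Slot(n, version) for n in ("a", "b")}
        self.active = "a"
        self.pending: Optional[str] = None

    @property
    def dormant(self) -> str:
        return "b" if self.active == "a" else "a"

    def apply_update(self, new_version: str) -> None:
        """Write the update to the dormant slot; the active slot keeps running."""
        target = self.slots[self.dormant]
        target.version = new_version
        target.bootable = True
        target.tries_remaining = self.MAX_TRIES
        self.pending = target.name

    def reboot(self, boots_ok: Callable[[Slot], bool]) -> str:
        """Reboot and return the version that ends up running.

        boots_ok stands in for the real boot process: it returns True
        if the given slot comes up cleanly.
        """
        if self.pending is not None:
            candidate = self.slots[self.pending]
            self.pending = None
            while candidate.tries_remaining > 0:
                candidate.tries_remaining -= 1
                if boots_ok(candidate):
                    # Update verified: the dormant slot becomes the active one.
                    self.active = candidate.name
                    candidate.tries_remaining = 0
                    return candidate.version
            # Every attempt failed: mark the slot bad and fall back.
            candidate.bootable = False
        return self.slots[self.active].version


if __name__ == "__main__":
    device = ABDevice("7.0")                      # constructed version strings
    device.apply_update("7.0-update1")
    print(device.reboot(lambda slot: True))       # good update: slot b takes over
    device.apply_update("7.0-update2")
    print(device.reboot(lambda slot: False))      # bad update: device stays on slot b
```

After the first reboot the formerly active slot still holds the old version, which is the open question the article raises later about what happens to the new dormant partition.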

We Haven’t Seen This In Action Yet, So There Are Still a Lot of Questions

Of course, it comes with its own set of questions and concerns. While we understand how this system works in theory, we have yet to see how it actually performs in practice, since Nougat hasn’t had an update yet, and no devices have shipped with 7.0. Anything is speculation, but I’d imagine that when an update is being applied, for example, there will likely be a pretty hard hit to system performance.
In addition, if you’re anything like me, you read the above section and thought: “how much space will having two system partitions take?” One might automatically assume that it will take twice the amount of space, which isn’t completely incorrect, but you also have to remember that these are system partitions, which doesn’t mean it will require two copies of every app installed. Still, that means current systems that take one gigabyte—a not uncommon size for an Android OS—could essentially now require two gigabytes (or more).
That said, Google has moved to a new file system called SquashFS, which is a highly-compressed, read-only file system originally designed for embedded systems in low-memory situations. This should definitely help offset some of the space issues that will inevitably go along with having a two-system-partition setup. Still, we may start seeing devices ship with a minimum of 32GB moving forward. Time will tell.
It’s also unclear what happens to the new dormant partition after the update. There’s a possibility that it could then get updated in the background and then wait for another new OTA to arrive, but there’s no technical documentation to support this theory—just me thinking out loud. Still, it seems to make sense to me, because otherwise this new system would apparently seem like a once-and-done sort of update scenario, which is exactly the opposite direction that Google is trying to go here.
Unfortunately, since there isn’t yet a device that supports the new Seamless Update system, some of these questions will just have to go unanswered. Once the new generations of phones start to roll out, we’ll have a much better understanding of how all this will work in the real world. But for now: It sounds like a very good thing.

Windows 10 Without the Cruft: Windows 10 LTSB (Long Term Servicing Branch), Explained

Did you know there’s a version of Windows 10 that doesn’t get big feature updates, and doesn’t even have the Windows Store or Microsoft Edge browser? It’s called Windows 10 LTSB, short for Long Term Servicing Branch.


LTSB Is the Slowest Moving Branch of Windows 10

There are several “branches” of Windows 10. The most unstable branch is the Insider Preview version of Windows 10. Most Windows PCs are on the “Current Branch”, which is considered the stable branch. Windows 10 Professional users have the option to “Defer Upgrades”, which puts them on the “Current Branch for Business”. This branch will only get new builds of Windows 10, like the Anniversary Preview, a few months after they’ve been tested on the “Current Branch”. It’s like the stable, consumer branch–but slower moving.
But businesses don’t want all their PCs to constantly get big updates, even if they are delayed a few months. Critical infrastructure like ATMs, medical equipment, and PCs that control machines on a factory floor don’t need whizbang features, they need long term stability and few updates that will potentially break things. A PC operating medical equipment in a hospital room doesn’t need new Cortana updates. That’s what Windows 10 LTSB–the “Long Term Servicing Branch”–is for, and it’s only available for the Enterprise edition of Windows 10.
While this is a branch of Windows 10, you can only get it by installing Windows from Windows 10 LTSB installation media. You can get other branches of Windows simply by changing an option within Windows 10 itself, but that isn’t the case here.

LTSB Gets Security Updates for 10 Years, Without Feature Updates

Because the LTSB version is designed for stability, it’s updated very differently from other builds of Windows 10. Microsoft will never publish a feature update like the Anniversary Update or November Update for Windows 10 LTSB. These machines will get security and bugfix updates through Windows Update, but that’s it. Even when Microsoft releases a new version of Windows 10 LTSB with new features, you’ll have to download new Windows 10 LTSB installation media and install or upgrade from the media. Windows 10 LTSB will never be automatically updated with new features.
According to official documentation, Microsoft will typically release a new major version of Windows 10 LTSB every two to three years. That’s what the documentation says, anyway–the current version of Windows 10 LTSB seems based on the Anniversary Update, so Microsoft is seemingly still changing its plans. You can also choose to skip releases–every version of Windows 10 LTSB will be supported with security and stability updates for ten years, according to Microsoft.
In other words, as Microsoft’s documentation words it, “The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date.”

LTSB Doesn’t Include the Store, Cortana, Edge, and Other Apps

Windows 10 LTSB omits a lot of the new stuff in Windows 10. It doesn’t come with the Windows Store, Cortana, or Microsoft Edge browser. It also omits other Microsoft apps like Calendar, Camera, Clock, Mail, Money, Music, News, OneNote, Sports, and Weather.
In fact, the default Start menu on Windows 10 LTSB doesn’t even include a single tile. You won’t find any of those new Windows 10 apps installed, aside from the Settings app.

Microsoft Doesn’t Want You Using Windows 10 LTSB

Microsoft doesn’t want people using Windows 10 LTSB on general purpose PCs, though. As Microsoft puts it, “LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the [Current Branch] or [Current Branch for Business] servicing branch.”
LTSB is only for rare mission-critical devices. “It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes,” explains the documentation. You might want your desktop PC to stay as stable and secure as possible without user interface changes, but Microsoft doesn’t want to give the average Windows 10 user this option. Microsoft wants your PC constantly updated with new features.

It’s Windows 10 Enterprise, and That Gives You More Control

Because Windows 10 LTSB is only available for the Enterprise edition of Windows 10, you also get all the Enterprise-only features you can’t get on the Home and Professional editions of Windows 10.
The Enterprise edition gives you more control over telemetry data sent to Microsoft and when Windows Update installs updates. It also lets you change some special group policy settings, allowing you to disable the lock screen. Beyond configuration, you’ll find other useful features like Windows To Go, which allows you to install Windows 10 on a USB drive and take it with you so you can boot your own Windows installation on any PC you come across.

How Can I Get It?

Sounds pretty good, right? Unfortunately, as we said earlier, Windows 10 LTSB is only available as part of Windows 10 Enterprise. And Windows 10 Enterprise is only available to an organization with a volume licensing agreement, or through a new $7 per month subscription program.
Officially, if you’re part of an organization with a volume licensing program, you’re free to install Windows 10 Enterprise LTSB instead of Windows 10 Enterprise on your PCs.
Unofficially, any Windows user can get Windows 10 LTSB if they want. Microsoft offers ISO images with Windows 10 Enterprise LTSB as part of its 90-day Enterprise evaluation program. You can download the ISO file–be sure to select “Windows 10 LTSB” instead of “Windows 10” when downloading–and install it on your own PC. It’ll function normally for 90 days, after which it’ll begin nagging you to activate Windows. But Windows 10 is perfectly functional even without activation, so you should be able to use it as long as you like without entering a product key. You’ll just have to put up with nag screens.

Windows 10 LTSB sounds exactly like what many Windows 10 users are asking for. Unfortunately, there’s no legitimate way for the average Windows user to get it. That’s no surprise–Microsoft doesn’t even want businesses using Windows 10 LTSB for most of their PCs. But feel free to try it out if you’re curious how Windows 10 would look without these features.

Android’s Confusing “Do Not Disturb” Settings, Explained

Android’s “Do Not Disturb” seems like a simple, self-explanatory setting. But when Google dramatically overhauled Android’s phone silencing with Do Not Disturb in Lollipop, then re-designed it again in Marshmallow, things got a little confusing. But it’s all good—we’re here to make sense of it for you.


Do Not Disturb: A History Lesson

Travel back in time with me, if you will, to a time before Lollipop. Let’s go back to KitKat (and older!), because that’s sort of where this story starts. Back in those days, silencing your phone was pretty easy: you could just turn the volume all the way down to access vibrate-only and silent modes. It was a simple time, when moms would make homemade ice cream and kids would play down by the creek until well past dark. We didn’t have to think about things like “how long will I need my phone to be silent?,” because everything was confined to that one simple volume slider.
When Lollipop was released, Google changed things. When you turned the volume down all the way, it stopped at “vibrate only”–there was no “silent” setting. But! A new set of options appeared just below the volume slider: “None,” “Priority,” and “All.” Those were the new Do Not Disturb settings, and what a stir they caused.
Tapping either the “Priority” or “None” options would then present the already-confused user with even more options: “Indefinitely” and “For X amount of time.” Depending on which setting was chosen, this would either ignore all notifications—calls, texts, calendar events, etc.—for the allotted amount of time, or it would allow user-defined priority notifications to come through. To be honest, it was a convoluted mess. Because in order to define what “priority” means to you, you needed to take a trip to the Settings menu (more on this in the next section).
On top of all that, it was really unclear what any of this meant—what did “none” actually do? That’s why in Marshmallow, Google changed the way Do Not Disturb works…again. Basically, the volume button was kind of back to normal. If you turn it down all the way, it goes into “vibrate only” mode. If you press volume down again, it goes into full-on Do Not Disturb–aka silent–mode.
However, you can also enable Do Not Disturb from the Quick Settings menu with more options. You’ll have options for “Total Silence,” “Alarms Only,” and “Priority Only,” and you can set time limits for how long you want Do Not Disturb to last.

How to Customize Do Not Disturb and Set Priority Notifications

While the basics of Do Not Disturb make sense, some of the more advanced stuff isn’t immediately clear. While “Total Silence” makes sense, “Priority Mode” won’t mean much to you unless you’ve visited those settings. So let’s take a little trip there.
Basically, Android defines notifications a few different ways: Alarms, Reminders, Events, Messages, and Calls. If you head to Settings > Sounds > Do Not Disturb, you can toggle which types of notifications are “Priority”. Messages offer even more granular controls, letting you set certain contacts as priority, so the most important people in your life can reach you even when Do Not Disturb is activated.
Calls are basically the same way, with one addition: Repeat Callers. This means that if the same person calls two times within a 15-minute period, it will be allowed through the DND setting. Another brilliant feature in my opinion.

After tweaking these settings, you can put Do Not Disturb in “Total Silence” mode, in which no notifications get through–or “Priority Only” mode, where the notifications you set as priority will get through.
And if you just want your phone to be quiet, just turn the volume all the way down. Easy enough, right?

What Is SHAttered? SHA-1 Collision Attacks, Explained

On the first day of 2016, Mozilla terminated support for a weakening security technology called SHA-1 in the Firefox web browser. Almost immediately, they reversed their decision, as it would cut access to some older websites. But in February 2017, their fears finally came true: researchers broke SHA-1 by creating the first real-world collision attack. Here’s what all that means.


What Is SHA-1?

The SHA in SHA-1 stands for Secure Hash Algorithm, and, simply put, you can think of it as a kind of math problem or method that scrambles the data that is put into it. Developed by the United States NSA, it’s a core component of many technologies used to encrypt important transmissions on the internet. Common encryption methods SSL and TLS, which you might have heard of, can use a hash function like SHA-1 to create the signed certificates you see in your browser toolbar.

We won’t go deep into the math and computer science of any of the SHA functions, but here’s the basic idea. A “hash” is a unique code based on the input of any data. Even a small, random string of letters input into a hash function like SHA-1 will return a long, set number of characters, making it (potentially) impossible to revert the string of characters back to the original data. This is how password storage usually works. When you create a password, your password input is hashed and stored by the server. Upon your return, when you type in your password, it is hashed again. If it matches the original hash, the input can be assumed to be the same, and you’ll be granted access to your data.

Hash functions are useful primarily because they make it easy to tell if the input, for instance, a file or a password, has changed. When the input data is secret, like a password, the hash is nearly impossible to reverse and recover the original data (also known as the “key”). This is a bit different from “encryption”, whose purpose is scrambling data for the purpose of descrambling it later, using ciphers and secret keys. Hashes are simply meant to ensure data integrity–to make sure that everything is the same. Git, the version control and distribution software for open source code, uses SHA-1 hashes for this very reason.
That’s a lot of technical information, but to put it simply: a hash is not the same thing as encryption, since it is used to identify if a file has changed.

How Does This Technology Affect Me?

Let’s say you need to visit a website privately. Your bank, your email, even your Facebook account–all use encryption to keep the data you send them private. A professional website will provide encryption by obtaining a certificate from a trusted authority–a third party, trusted to ensure that the encryption is on the level, private between the website and user, and not being spied on by any other party. This relationship with the third party, called Certificate Authorities, or CA, is crucial, since any user can create a “self-signed” certificate–you can even do it yourself on a machine running Linux with OpenSSL. Symantec and Digicert are two widely-known CA companies, for example.

Let’s run through a theoretical scenario: How-To Geek wants to keep logged in users’ sessions private with encryption, so it petitions a CA like Symantec with a Certificate Signing Request, or CSR. They create a public key and private key for encrypting and decrypting data sent over the internet. The CSR request sends the public key to Symantec along with information about the website. Symantec checks the key against its record to verify that the data is unchanged by all parties, because any small change in the data makes the hash radically different.

Those public keys and digital certificates are signed by hash functions, because the output of these functions is easy to see. A public key and certificate with a verified hash from Symantec (in our example), an authority, assures a user of How-To Geek that the key is unchanged, and not sent from someone malicious.

Because the hash is easy to monitor and impossible (some would say “difficult”) to reverse, the correct, verified hash signature means that the certificate and the connection can be trusted, and data can be agreed to be sent encrypted from end to end. But what if the hash wasn’t actually unique?

What Is a Collision Attack, and Is It Possible in the Real World?

You might have heard of the “Birthday Problem” in mathematics, although you might not have known what it was called. The basic idea is that if you gather a large enough group of people, chances are pretty high that two or more people will have the same birthday. Higher than you’d expect, in fact–enough that it seems like a weird coincidence. In a group as small as 23 people, there’s a 50% chance that two will share a birthday.

This is the inherent weakness in all hashes, including SHA-1. Theoretically, the SHA function should create a unique hash for any data that is put into it, but as the number of hashes grows, it becomes more likely that different pairs of data can create the same hash. So one could create an untrusted certificate with an identical hash to a trusted certificate. If they got you to install that untrusted certificate, it could masquerade as trusted, and distribute malicious data.
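The birthday arithmetic above can be checked directly. The following is an added example, not part of the original article: it computes the 23-person figure, then goes beyond the text by applying the same math to hash lengths and finding a real collision on SHA-1 cut down to 24 bits. The function names, the 24-bit truncation and the message strings are assumptions made for the demonstration.

```python
import hashlib
import math

def birthday_probability(people, days=365):
    """Exact chance that at least two of `people` share one of `days` values."""
    p_all_different = 1.0
    for i in range(people):
        p_all_different *= (days - i) / days
    return 1.0 - p_all_different

def tries_for_half(bits):
    """Approximate number of random inputs for a 50% chance of two equal `bits`-bit hashes."""
    return math.sqrt(2 * math.log(2) * 2.0 ** bits)

def truncated_sha1(data, bits):
    """Keep only the first `bits` bits of SHA-1, standing in for a short hash."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)

def find_truncated_collision(bits=24):
    """Hash constructed messages until two of them share a truncated digest."""
    seen = {}
    counter = 0
    while True:
        message = b"constructed-message-%d" % counter
        short_hash = truncated_sha1(message, bits)
        if short_hash in seen:
            return seen[short_hash], message, counter + 1
        seen[short_hash] = message
        counter += 1

if __name__ == "__main__":
    print("23 people: %.1f%% chance of a shared birthday" % (100 * birthday_probability(23)))
    first, second, tries = find_truncated_collision(24)
    # 2^24 possible values, yet a match shows up after a few thousand tries
    print("24-bit collision after %d tries (estimate: %.0f)" % (tries, tries_for_half(24)))
    print(first, second)
    # The same formula for the full 160-bit SHA-1 output: roughly 2^80 tries
    print("160-bit estimate: 2^%.1f tries" % math.log2(tries_for_half(160)))
```

The two messages differ and their full SHA-1 digests differ; only the shortened hash matches. That is why output length matters: every extra two bits of hash doubles the brute-force work needed to find a collision.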

Finding matching hashes within two files is called a collision attack. At least one large scale collision attack is known to have already happened for MD5 hashes. But on Feb. 27th, 2017, Google announced SHAttered, the first-ever crafted collision for SHA-1. Google was able to create a PDF file that had the same SHA-1 hash as another PDF file, despite having different content.
SHAttered was performed on a PDF file. PDFs are a relatively loose file format; lots of tiny, bit-level changes can be made without preventing readers from opening it or causing any visible differences. PDFs are also often used to deliver malware. While SHAttered could work on other types of files, like ISOs, certificates are rigidly specified, making such an attack unlikely.
So how easy is this attack to perform? SHAttered was based on a method discovered by Marc Stevens in 2012 which required over 2^60.3 (9.223 quintillion) SHA-1 operations—a staggering number. However, this method still requires 100,000 times fewer operations than would be required to achieve the same result with brute force. Google found that with 110 high-end graphics cards working in parallel, it would take approximately one year to produce a collision. Renting this compute time from Amazon AWS would cost about $110,000. Keep in mind that as prices drop for computer parts and you can get more power for less, attacks like SHAttered become easier to pull off.
$110,000 may seem like a lot, but it’s within the realm of affordability for some organizations—which means real life cybervillains could forge digital document signatures, interfere with backup and version control systems like Git and SVN, or make a malicious Linux ISO appear legitimate.
Fortunately, there are mitigating factors preventing such attacks. SHA-1 is rarely used for digital signatures anymore. Certificate Authorities no longer provide certificates signed with SHA-1, and both Chrome and Firefox have dropped support for them. Linux distributions typically release more frequently than once per year, making it impractical for an attacker to create a malicious version and then generate one padded to have the same SHA-1 hash.
On the other hand, some attacks based on SHAttered are already happening in the real world. The SVN version control system uses SHA-1 to differentiate files. Uploading the two PDFs with identical SHA-1 hashes to an SVN repository will cause it to become corrupted.

How Can I Protect Myself from SHA-1 Attacks?

There’s not a lot for the typical user to do. If you’re using checksums to compare files, you should use SHA-2 (SHA-256) or SHA-3 rather than SHA-1 or MD5. Likewise, if you’re a developer, be sure to use more modern hashing algorithms like SHA-2, SHA-3, or bcrypt. If you’re worried that SHAttered has been used to give two distinct files the same hash, Google has released a tool on the SHAttered site that can check for you.
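One way to apply the checksum advice above, as an added example that is not from the original article: a verifier for a checksum list in the `<hex digest>  <file name>` layout that `sha256sum` prints. It accepts only SHA-256 digests and refuses entries whose length matches MD5 or SHA-1. The function names, file names and file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

WEAK_HEX_LENGTHS = {32: "MD5", 40: "SHA-1"}  # hex digest lengths of the hashes to avoid

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large download (an ISO) never sits fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest_text, directory):
    """Check each '<hex digest>  <file name>' line and return {name: status}."""
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        expected, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with '*'
        expected = expected.lower()
        if len(expected) in WEAK_HEX_LENGTHS:
            results[name] = "rejected: " + WEAK_HEX_LENGTHS[len(expected)] + "-length digest"
        elif len(expected) != 64 or set(expected) - set("0123456789abcdef"):
            results[name] = "rejected: not a SHA-256 hex digest"
        elif not name or os.path.basename(name) != name:
            results[name] = "rejected: file name must not contain a path"
        else:
            actual = sha256_file(os.path.join(directory, name))
            results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results

def demo():
    """Constructed sample: a matching file, a changed file, and a SHA-1 entry."""
    files = {"a.iso": b"constructed image A\n", "b.iso": b"constructed image B\n",
             "c.iso": b"constructed image C\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            hashlib.sha256(files["a.iso"]).hexdigest() + "  a.iso",
            hashlib.sha256(b"what the publisher shipped\n").hexdigest() + "  b.iso",
            hashlib.sha1(files["c.iso"]).hexdigest() + "  c.iso",
        ])
        return verify_manifest(manifest, d)

if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

A checksum only proves the file matches the list, so the list itself should come from the publisher over HTTPS or carry a signature.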

All of Amazon’s Different Music Services, Explained

Amazon offers free music streaming with Prime, a paid music service for an additional monthly fee, direct MP3 sales, a way to get MP3s when you purchase audio CDs, and a music locker you can upload your own songs to. That’s a lot to keep track of! Here are all of Amazon’s confusing music services, explained.


Prime Music: Free Streaming With Amazon Prime

If you have an Amazon Prime subscription, you have access to Prime Music for no additional fee. Prime Music offers over two million songs you can stream without any advertisements. It’s a bit like Spotify, Apple Music, Google Play Music All Access, and similar services. It’s just less expensive and has a much smaller catalog.
You can play this music from Amazon Music in your web browser, on the Amazon Music app for iPhone, Android, Fire devices, or the desktop, or by telling Alexa to play it on an Amazon Echo. You’ll be able to search the free selections of songs and listen to radio stations from here.
(Your Amazon Prime subscription also provides you with free access to “original audio series” via Audible Channels. The rest of Audible is a separate audiobook store owned by Amazon.)

Amazon Music Unlimited: A Larger Streaming Library for a Monthly Fee

Amazon Music Unlimited is Amazon’s real competitor to services like Spotify, Apple Music, and Google Play Music All Access. You get a much larger catalog of unlimited, ad-free streaming music than the one included with Prime Music. Amazon claims the catalog has tens of millions of songs, and it should be similar to other music streaming services.
To get this additional music, you have to pay an additional fee. Multiple plans are available:

  • Echo Plan: Access to Amazon Music Unlimited via Alexa on a single Amazon Echo, Dot, or Tap will cost you $3.99 a month.
  • Individual Plan: A Prime member can pay either $7.99 a month or $79 per year to gain access to Amazon Music Unlimited. This enables access on all your devices, including web browsers and smartphones. You’d have to pay $9.99 per month if you’re not a Prime Member.
  • Family Plan: Amazon also sells a family plan for $14.99 a month or $149 per year. Up to six family members will gain access to Amazon Music Unlimited on all their devices.

There’s also a free 30-day trial, so you can try it out without paying anything.
To subscribe or see more information, head to Amazon’s Music Unlimited website. You’ll then be able to access much more music on the Amazon Music website and in the associated app.

Amazon Digital Music Store: Buy MP3s for Your Local Collection

You don’t have to use Amazon’s unlimited music streaming services. You can choose to buy your music the old-fashioned way—or at least the old-fashioned online way—by buying individual MP3s or albums of MP3s from the Amazon Store. Some music is only available for purchase and isn’t offered as part of their streaming services. That choice is up to the music artist or their label.
Search Amazon’s digital music store and find MP3s you want to buy. It will often be cheaper to buy an entire album at once than MP3s of all the songs in it one by one, but you can also choose to buy individual songs from an album.
Those MP3s will also appear in your Amazon streaming library, if you’re a subscriber. If you ever want to re-download them, just head to the Purchased Music section of your Amazon Music library.

Auto-Rip: Buy Physical CDs and Get the MP3s, Too

If you only buy digital music, you may not have seen Amazon’s “Auto-Rip” feature. But if you buy physical CDs from Amazon, they’ll often throw in a free digital MP3 copy.
If a physical audio CD advertises the “Auto-Rip” feature on its store page, you’ll get both the physical disc and digital MP3 copies from Amazon.
For example, Amazon is currently selling the MP3 version of Taylor Swift’s 1989 for $11.49. The physical copy is $12.29, but includes Amazon Auto-Rip. That means that, for an additional 80 cents, you can immediately get the MP3s and have Amazon mail you the physical CD for your collection.
The MP3s will be stored in the Purchased Music section of your Amazon Music library online. You can access them from anywhere and re-download them in the future.
Not every album offers Auto-Rip, so be sure to check the store page for the album before purchasing it. Auto-Rip is included with vinyl copies of some albums, too.

Amazon Cloud Music Library: Upload and Stream Up to 250 Songs

You don’t have to purchase new music to get it into your Amazon Music library. Amazon allows you to upload up to 250 songs to your Cloud Music library, so you can stream them anywhere. Songs you purchase from Amazon don’t count toward that limit, though, which is nice—and makes sense, since Amazon would rather you purchase music.
To use this feature, visit the Amazon Music website, click the “Upload music to your cloud library” link in the sidebar, and download the Amazon Music application for your PC or Mac. Install the application and sign in with your Amazon account. Click the “My Music” category in the heading and select “Uploaded” in the sidebar. You can either drag and drop music onto the window from here or click the “Upload” action at the right side of the window and select music you want to upload.
Any songs you upload will appear in your Amazon Music Library alongside any purchased songs.