Live
Breaking
3h ago Gaming DuckStation Setup: 512KB BIOS in 12 Steps [2026] 7h ago Gaming ROG Xbox Ally vs Ally X: $599 vs $999, 47% Faster [2026] 11h ago Gaming PS6 Cost Leak Hits $960 as Sony Delays to 2028 [2026] 15h ago Gaming Subnautica 2 Hits 5M Sales as $250M Bonus Suit Ends [2026] 23h ago Gaming ROG Ally vs ROG Ally X: $450 vs $799, 2x the Battery [2026] 1d ago Gaming PPSSPP Setup: No BIOS Required, 12 Steps [2026] 1d ago Gaming Steam Frame vs Quest 3: 16GB RAM, 2x the GPU [2026] 2d ago Gaming RPCS3 Setup: 74% PS3 Compatibility in 12 Steps [2026] 2d ago Gaming PSVR2 vs Quest 3: $399 vs $599, OLED vs LCD [2026] 2d ago Gaming PSN Hacked via 2FA Bypass for 6 Months [2026] 2d ago Gaming Cemu Setup: Wii U Games in 4K, 12 Steps, 30 Min [2026] 3d ago Gaming 7 Days to Die Dedicated Server: 13 Steps, 30 Min [2026] 3d ago Gaming PS5 Pro vs Xbox Series X: $899 vs $649, 37% Faster [2026] 3d ago Gaming Loot Boxes Get PEGI 16 as EU Probes $23B Market [2026] 3h ago Gaming DuckStation Setup: 512KB BIOS in 12 Steps [2026] 7h ago Gaming ROG Xbox Ally vs Ally X: $599 vs $999, 47% Faster [2026] 11h ago Gaming PS6 Cost Leak Hits $960 as Sony Delays to 2028 [2026] 15h ago Gaming Subnautica 2 Hits 5M Sales as $250M Bonus Suit Ends [2026] 23h ago Gaming ROG Ally vs ROG Ally X: $450 vs $799, 2x the Battery [2026] 1d ago Gaming PPSSPP Setup: No BIOS Required, 12 Steps [2026] 1d ago Gaming Steam Frame vs Quest 3: 16GB RAM, 2x the GPU [2026] 2d ago Gaming RPCS3 Setup: 74% PS3 Compatibility in 12 Steps [2026] 2d ago Gaming PSVR2 vs Quest 3: $399 vs $599, OLED vs LCD [2026] 2d ago Gaming PSN Hacked via 2FA Bypass for 6 Months [2026] 2d ago Gaming Cemu Setup: Wii U Games in 4K, 12 Steps, 30 Min [2026] 3d ago Gaming 7 Days to Die Dedicated Server: 13 Steps, 30 Min [2026] 3d ago Gaming PS5 Pro vs Xbox Series X: $899 vs $649, 37% Faster [2026] 3d ago Gaming Loot Boxes Get PEGI 16 as EU Probes $23B Market [2026]
NewsroomLive
Today5 new
Archive136 stories
Last filed3h ago
Languages10
UTC19:26:30
Top Story Gaming

DuckStation Setup: 512KB BIOS in 12 Steps [2026]

DuckStation is a free PlayStation 1 emulator built almost single-handedly by a developer known as stenzek, and it has become the default recommendation for PS1 emulation on PC largely because it just works – accurate timing,…

3h ago  ·  Jul 14, 2026 Read the brief

The Desks

// editorial departments

Latest

// fresh from the editors

More from the desks

// keep digging
// about

About Shattered.io

This domain has been home to the SHAttered SHA-1 collision project since 2017, and is now a hub for cryptography, security and privacy reporting. The full origin story of the project, the two proof PDFs and the research credits live below.

The SHAttered project — origin, proof files and research credits

On 23 February 2017, researchers at CWI Amsterdam and Google showed the world the first real collision for the SHA-1 hash function. The project was called SHAttered, and this domain has been its home ever since. The two files that prove the break are still here to download.

What a collision actually is

A cryptographic hash takes any file and returns a short fixed-length fingerprint. The promise is simple: change a single bit of the file and the fingerprint changes too, and no two different files should ever share one. A collision breaks that promise. It is a pair of distinct inputs that produce the exact same hash. For a function used to sign software, certificates and documents, a collision is not a curiosity. It is a crack in the foundation.

What SHAttered produced

The team did not just argue that SHA-1 was weak on paper. They built the evidence. Two PDF files, visibly different and carrying different content, share one identical SHA-1 value: 38762cf7f55934b34d179ae6a4c80cadccbb7f0a. Run either file through SHA-1 and the answer matches. Run them through SHA-256 and the answer differs, which is how anyone can confirm they are genuinely two separate files.

What the attack cost

The break was expensive, and that was part of the point. Producing the collision took roughly nine quintillion SHA-1 computations, the work of about 6,500 CPU-years and 110 GPU-years run in parallel. That scale kept the attack out of reach for a casual attacker in 2017, yet it ran thousands of times faster than trying every possibility by brute force. The direction of travel was clear: the cost would only fall.

Why SHA-1 had to retire

Once a working collision exists, trust in a hash erodes quickly. Within months the result pushed browsers, certificate authorities and version-control systems to drop SHA-1 for anything security-sensitive. Git added collision detection. TLS certificates signed with SHA-1 were phased out. The lesson reached far past one algorithm: a function can look safe for years and still fall the moment the maths and the hardware line up.

The research and the people behind it

SHAttered was the work of Marc Stevens and Pierre Karpman at CWI Amsterdam, together with Elie Bursztein, Ange Albertini and Yarik Markov at Google. It built on years of earlier cryptanalysis of the SHA-1 design. The full technical paper that documents the method is preserved here.

Beyond the collision

The same questions that drove SHAttered run through everything we cover here: how hashing works, where it is used, and how systems prove they have not cheated. These guides pick up where the research leaves off.

What you'll find on shattered.io today

Beyond the original SHA-1 collision proof, the site now publishes ongoing coverage across cryptography, cybersecurity, privacy, cryptocurrency and provably-fair systems. Every article is editorial, lightly-opinionated and built on primary sources where possible.