One of the biggest fear scenarios from a hash collision is that two programs, one legitimate and one malicious, could end up with the same hash output value (i.e. the bogus program could be substituted for the legitimate one with no one the wiser). But in the real world, it would be non-trivial for an attacker to find a legitimate target program and then set about making a malicious clone that would produce precisely the same hash value. Making a second program with the same hash is hard enough, but making a second malicious program that mimics the legitimate program well enough that people run it while it performs malicious instructions the attacker wants instead is orders of magnitude harder to pull off. Even I, a crypto-hobbyist, not a crypto expert, felt like the theoretical collisions of MD5 and SHA-1 were more of a mathematical issue and not a real problem.
Maybe there's more to this...
Then come along a few demonstrations that make me realize that I'm just a crypto hobbyist and I should really just stay out of making cryptographic pronouncements. One site that reminded of this is http://www.win.tue.nl/hashclash/Nostradamus. I've seen the demonstration before, but this site is the most recent one I've come across and it explains the involved issues pretty well, and does so with humor.
Essentially, the site contains 12 different PDF documents, each with different information, but with each having the same MD5 hash. This demo makes the topic of hash collisions more relevant by "predicting" which Democratic or Republican candidate will win the Presidency of the United States in 2008. To do so, they created 12 different documents, each one with a different candidate's name. Each of the 12 documents has the same hash result, along with the same file size and checksum, of course. You can check their results with any MD5 hash checker, although one of my favorite Windows programs is DigestIT 2004 because it makes generating hashes a right-click action on any file.
The hash collisions can be created because of a combination of MD5 hash weakness and the way certain document types construct and hide content. Part of the weakness is in the hash algorithm, which doesn't consider all content bits when constructing a particular output.
Of course, in this demonstration the content is just different names. No harm, no foul. But it is a ready example of how hash collisions can be performed with forethought and end up creating content that is different than the original. There have been many other demonstrations, including ones done with asymmetric keys and executables.
The next time you hear someone say that theoretical hash collisions aren't a big deal, send them to a web site that shows the practical realities -- and then ask them who's going to win the next election.