SoylentNews is people
posted by janrinok on Saturday August 10 2019, @05:09PM
from the I-love-the-smell-of-burning-trolls-in-the-morning dept.

Things finally came to a head on slashdot last night, and now anonymous posts are banned. No more anonymous nazi ASCII art, no anonymous racism, and no APK. More in this journal entry [Ed's Comment: And lots of interesting comments too ...].

It's one way to combat anonymous hate speech and forum spam.

[Editor (JR) We've looked at the site but we cannot find an announcement that anonymous posts are actually banned; it might simply be a case that the software is not working correctly, although it would seem to be an unlikely cause. Does anyone in our community have any additional information to categorically prove or disprove that anonymous comments are disabled?

Furthermore, as there are many more comments in the journal entry than there are here, I would recommend making any new comments on BarbaraHudson's journal entry rather than splitting the discussion into two.]


  • (Score: 2) by The Mighty Buzzard on Saturday August 10 2019, @10:08PM (12 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday August 10 2019, @10:08PM (#878492) Homepage Journal

    Technically possible, practically impossible.

    --
    My rights don't end where your fear begins.
  • (Score: 3, Interesting) by qzm on Saturday August 10 2019, @10:20PM (11 children)

    by qzm (3260) on Saturday August 10 2019, @10:20PM (#878503)

    MD5 hashes can be calculated in a single FPGA at a rate of 4Gbps+, so around 125 million hashes/second.
    There are around 3.5 billion IP addresses to use (or a bit over 4 if you want to search all, including reserved ones)
    So, it wouldn't take many FPGAs to be able to search the ENTIRE space in a second, or around half a minute for one FPGA....

    Not saying single MD5 is enough, but double hashing, etc scale without too much trouble.

    Not really impossible it seems..

    • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @11:33PM

      by Anonymous Coward on Saturday August 10 2019, @11:33PM (#878548)

      4G of addresses x 1024 bit hashes plus 15 bytes for readable ip. Makes a single table only 80 byte rows so 320GB per table, so 3 tables is a 1TB. Just saw some of 1TB SSD for $90.

      No need to dump the pictures.

      Cost here is time creating the tables to reverse the hashes.

      Tech has changed over the years; still remember 12kB memory and 5MB removable player.

    • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @11:36PM (2 children)

      by Anonymous Coward on Saturday August 10 2019, @11:36PM (#878551)

      You are assuming you know everything they are doing. They may include salt or some other extra text that adds to the complexity. You'd have to look at the public code repository.

      • (Score: 3, Informative) by The Mighty Buzzard on Sunday August 11 2019, @12:35AM (1 child)

        Us admins have access to the salt, so not really relevant. Mind you, we also have access to the servers so we could just turn logging on and match up the timestamps of posts to the access log. Using a hashed IP address was supposed to make it a nontrivial thing to find a person's IP address rather than seeing it at a glance. That and to annoy law enforcement. There really is no way to keep a determined admin from knowing anything they want to that's going on with their servers.

        --
        My rights don't end where your fear begins.
        • (Score: 2) by jmorris on Sunday August 11 2019, @07:34AM

          by jmorris (4844) on Sunday August 11 2019, @07:34AM (#878747)

          Wouldn't annoy law enforcement long. If you can regenerate the hash to know the IP is the same it means you have the salting data. Four billion tries gets the IP, worst case. Brute forcing a 32bit value isn't hard now. But if Officer Friendly has a warrant they will get in anyway, best they get what they want and go instead of setting up camp and rooting around.

    • (Score: 2) by The Mighty Buzzard on Sunday August 11 2019, @12:26AM (6 children)

      I don't have even a single FPGA, but your point is valid. I hadn't even thought of brute forcing them every single time you wanted to find one out. It really annoys me when something so inelegant turns out to be the best way to do a thing. Guess I'll be switching us over to scrypt or bcrypt or some such for the next update. Sigh.

      --
      My rights don't end where your fear begins.
      • (Score: 3, Informative) by el_oscuro on Sunday August 11 2019, @01:36AM (1 child)

        by el_oscuro (1711) on Sunday August 11 2019, @01:36AM (#878622)

        I wouldn't do that unless you want your server to melt. Bcrypt/scrypt are password hashes and are explicitly designed to be computationally expensive. The only time you want to use them is to validate a login and generate a session token.

        Another idea: Just replace the last octet of the IP with '.X' or something and hash that.

        --
        SoylentNews is Bacon! [nueskes.com]
      • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @02:05AM

        by Anonymous Coward on Sunday August 11 2019, @02:05AM (#878633)

        Coming up with a security solution is useless without knowing your threat model. What data do you want to protect with this? Who do you want to protect it from? For how long do you want that protection to last? What cost are you willing to pay for said protection? Etc. Seems like you want to protect the IP addresses from being bruted, but from whom and for how long? What server resource hit are you willing to make per post for that protection?

      • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @06:40PM (2 children)

        by Anonymous Coward on Sunday August 11 2019, @06:40PM (#878930)

        Also only use 1 hash routine with one salt. Once you have 2, no matter what they are, you have cut the effectiveness by at least 1/2, more like 1/4. For every 1 new hash method used, you add the effectiveness of hiding the IP goes down by 1/2^(n-1) to 1/2^(n). So the next question is how effective is the hash method. Like 4 IP all map the same hash. It is why then just 2 different hash methods cause the complete loss of anonymity (mathematically).

        • (Score: 2) by The Mighty Buzzard on Monday August 12 2019, @02:38PM (1 child)

          No, if both hash routines are known it is mathematically the same as one hash routine to brute force (additive for time though), assuming they use the same input (an IPv4 address).

          --
          My rights don't end where your fear begins.
          • (Score: 0) by Anonymous Coward on Tuesday August 13 2019, @05:47AM

            by Anonymous Coward on Tuesday August 13 2019, @05:47AM (#879508)

            *and* iff they have the same output space (for high-entropy output, bitcount describes it well enough)
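
An added example, not part of any comment above and not SoylentNews's own code: it works through the thread's keyspace argument (a salted hash of an IPv4 address has at most 2^32 inputs) on a constructed /16, and compares it with the truncate-the-last-octet idea. The salt value, the `MD5(salt || dotted-quad)` layout, the sample address and all function names are assumptions made for illustration.

```python
import hashlib
import ipaddress

SALT = b"constructed-site-salt"  # assumption: one site-wide salt the admin can read


def ip_id(ip: str, salt: bytes = SALT) -> str:
    """Pseudonymous ID as MD5(salt || dotted-quad); the layout is an assumption."""
    return hashlib.md5(salt + ip.encode()).hexdigest()


def truncated_ip_id(ip: str, salt: bytes = SALT) -> str:
    """Variant from the thread: replace the last octet with 'X' before hashing."""
    prefix = ip.rsplit(".", 1)[0]
    return hashlib.md5(salt + (prefix + ".X").encode()).hexdigest()


def candidates(target: str, network: str, id_fn) -> list:
    """Every address in `network` whose ID equals `target` (exhaustive check)."""
    return [str(a) for a in ipaddress.ip_network(network) if id_fn(str(a)) == target]


def full_space_seconds(hashes_per_sec: float, space: int = 2**32) -> float:
    """Time to evaluate the hash once for every possible IPv4 address."""
    return space / hashes_per_sec


if __name__ == "__main__":
    sample = "198.18.37.204"       # constructed address in the benchmarking range
    net = "198.18.0.0/16"          # constructed search space, 65,536 addresses

    exact = candidates(ip_id(sample), net, ip_id)
    bucket = candidates(truncated_ip_id(sample), net, truncated_ip_id)
    print("full-address hash narrows to:", exact)              # one address
    print("truncated hash narrows to   :", len(bucket), "addresses")

    # Rate quoted in the thread for one FPGA, then a deliberately slow hash.
    print("2^32 at 125M hashes/s: %.0f s" % full_space_seconds(125e6))
    years = full_space_seconds(10) / (365 * 86400)
    print("2^32 at 10 hashes/s  : %.1f years (and 0.1 s of CPU per post)" % years)
```

With the salt known, the full-address ID identifies exactly one address regardless of which fast hash is used, while the truncated ID never narrows below the 256 addresses that share a /24.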