Things finally came to a head on Slashdot last night, and now anonymous posts are banned. No more anonymous nazi ASCII art, no anonymous racism, and no APK. More in this journal entry [Ed's Comment: And lots of interesting comments too ...].
It's one way to combat anonymous hate speech and forum spam.
[Editor (JR) We've looked at the site but we cannot find an announcement that anonymous posts are actually banned; it might simply be a case that the software is not working correctly, although it would seem to be an unlikely cause. Does anyone in our community have any additional information to categorically prove or disprove that anonymous comments are disabled?
Furthermore, as there are many more comments in the journal entry than there are here, I would recommend making any new comments on BarbaraHudson's journal entry rather than splitting the discussion into two.]
(Score: 2) by The Mighty Buzzard on Sunday August 11 2019, @12:26AM (6 children)
I don't have even a single FPGA, but your point is valid. I hadn't even thought of brute forcing them every single time you wanted to find one out. It really annoys me when something so inelegant turns out to be the best way to do a thing. Guess I'll be switching us over to scrypt or bcrypt or some such for the next update. Sigh.
My rights don't end where your fear begins.
(Score: 3, Informative) by el_oscuro on Sunday August 11 2019, @01:36AM (1 child)
I wouldn't do that unless you want your server to melt. Bcrypt/scrypt are password hashes and are explicitly designed to be computationally expensive. The only time you want to use them is to validate a login and generate a session token.
Another idea: Just replace the last octet of the IP with '.X' or something and hash that.
SoylentNews is Bacon! [nueskes.com]
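The exchange above (a fast salted hash of an IPv4 address being trivially brute-forceable because the input space is only 2^32, and el_oscuro's idea of dropping the last octet before hashing) as an added worked example. This is not code from SoylentNews or from anyone in the thread; the salt, secret key and address values are constructed for the demo, the enumeration is run over a single /24 so it finishes instantly (the method is identical for all of 2^32), and the keyed-HMAC variant at the end is an approach nobody in the thread proposed, included only to show what changes when the attacker does not hold the salt.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed values for the demo (not from the thread). A salt is assumed
# to be recoverable by an attacker (config file, source, leaked DB); the
# secret key is assumed to live only on the server.
PUBLIC_SALT = b"constructed-public-salt"
SERVER_SECRET_KEY = b"constructed-server-secret-key"


def salted_hash(ip: str, salt: bytes = PUBLIC_SALT) -> str:
    """Fast salted hash of a dotted-quad IPv4 address: sha256(salt || ip)."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()


def brute_force_ip(target_hex: str, network: str, salt: bytes = PUBLIC_SALT):
    """Recover the address behind a salted hash by enumerating a network.

    ip_network iteration yields every address in the block (network and
    broadcast included), which is the whole candidate space for that block.
    Returns the matching address, or None if no candidate hashes to target.
    """
    for addr in ipaddress.ip_network(network):
        if salted_hash(str(addr), salt) == target_hex:
            return str(addr)
    return None


def truncated_hash(ip: str, salt: bytes = PUBLIC_SALT) -> str:
    """el_oscuro's suggestion: replace the last octet with 'X' before hashing.

    Every address in the same /24 now collides, so a recovered hash names a
    256-address block rather than one host.
    """
    first_three = ip.rsplit(".", 1)[0]
    return salted_hash(first_three + ".X", salt)


def keyed_hash(ip: str, key: bytes = SERVER_SECRET_KEY) -> str:
    """HMAC-SHA256 under a server-held secret (not proposed in the thread).

    Without the key an attacker cannot even compute candidate hashes, so
    enumerating 2^32 inputs gives nothing; the key must stay off the
    database and out of any dump that includes the hashes.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def estimate_full_space_seconds(network: str = "192.0.2.0/24") -> float:
    """Time one /24 enumeration and extrapolate to the full 2^32 space."""
    net = ipaddress.ip_network(network)
    start = time.perf_counter()
    for addr in net:
        salted_hash(str(addr))
    per_hash = (time.perf_counter() - start) / net.num_addresses
    return per_hash * 2**32


if __name__ == "__main__":
    victim = "192.0.2.77"  # RFC 5737 documentation address, constructed
    leaked = salted_hash(victim)
    print("salted hash recovered as:", brute_force_ip(leaked, "192.0.2.0/24"))
    print("whole IPv4 space at this rate, in seconds (single Python thread):",
          round(estimate_full_space_seconds(), 1))
    print("truncated hashes collide within /24:",
          truncated_hash(victim) == truncated_hash("192.0.2.200"))
    print("keyed hash recovered as:",
          brute_force_ip(keyed_hash(victim), "192.0.2.0/24"))
```

The printed extrapolation is for a single Python thread; el_oscuro's point about FPGAs is that a dedicated hasher does the same 2^32 work orders of magnitude faster, which is why the salt alone buys nothing once it is known. The truncation variant trades identification of a host for identification of a /24, so whether it is useful depends on the threat model the later Anonymous Coward asks about.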
(Score: 2) by The Mighty Buzzard on Sunday August 11 2019, @01:53AM
Our load isn't currently heavy enough that we couldn't get away with a 10-100ms per page load overhead. Mind you, it would make a DDoS much easier. Bears further thought.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Sunday August 11 2019, @02:05AM
Coming up with a security solution is useless without knowing your threat model. What data do you want to protect with this? Who do you want to protect it from? For how long do you want that protection to last? What cost are you willing to pay for said protection? Etc. Seems like you want to protect the IP addresses from being bruted, but from whom and for how long? What server resource hit are you willing to make per post for that protection?
(Score: 0) by Anonymous Coward on Sunday August 11 2019, @06:40PM (2 children)
Also only use 1 hash routine with one salt. Once you have 2, no matter what they are, you have cut the effectiveness by at least 1/2, more like 1/4. For every 1 new hash method used, the effectiveness of hiding the IP goes down by 1/2^(n-1) to 1/2^(n). So the next question is how effective is the hash method. Like 4 IPs all map to the same hash. It is why then just 2 different hash methods cause the complete loss of anonymity (mathematically).
(Score: 2) by The Mighty Buzzard on Monday August 12 2019, @02:38PM (1 child)
No, if both hash routines are known it is mathematically the same as one hash routine to brute force (additive for time though), assuming they use the same input (an IPv4 address).
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Tuesday August 13 2019, @05:47AM
*and* iff they have the same output space (for high-entropy output, bitcount describes it well enough)