in reply to Re^8: monastery mark-upedness (privacy)
in thread monastery mark-upedness

Well, again, perhaps I am not understanding the proposal here, but to spell out what I have in mind...

  1. Some monk (perhaps not Anonymous Monk, but a registered user) posts a message from IP address "a.b.c.d".
  2. Along with the message, some hash of "a.b.c.d" is posted as well.
  3. The hash is such that "a.b.c" is separate from "d".
  4. Another monk can look at hash("a.b.c") and make many guesses as to what "a.b.c" is. This is the brute force.
  5. Now the other monk has the source IP of the original monk's access. This probably gives a pretty good idea of the original monk's location, which the original monk may not have wanted to be public.

There are only 16_777_216 possibilities for "a.b.c", and that's if I search every country and every IP block that I know isn't registered to anyone.

I think I just now figured out the disconnect here. You're saying that the algorithm for hashing IP addresses here won't be public. As such, there won't be a way for people to try a dictionary attack against it. This is why you talk about spoofing IP addresses. Without a public algorithm, the only way to run dictionary attacks would be to spoof IP addresses and see what the site calls them.

...and now I see you say exactly that in Re^7: monastery mark-upedness (brute force)

You also seem to be saying that this won't be used on registered users (only the literal Anonymous Monk). If that's the case, I don't see how it would help with sock puppetry, but that doesn't really concern me.

OK, glad that's all cleared up. Thanks for your patience.

Replies are listed 'Best First'.
Re^10: monastery mark-upedness (privacy)
by goibhniu (Hermit) on Mar 21, 2008 at 20:05 UTC

    Also consider this lesson from Bruce Schneier:
    http://www.schneier.com/blog/archives/2007/11/using_google_to.html

    As far as I can see, the hash algorithm wouldn't have to be known in order to attempt this attack. It would only have to be used enough on the internet that it might be indexed with it's plaintext by Google or whatever search engine.

    The only defense against this would be a roll-your-own algoritihm, and then you don't have the benefit of peer review in the cryptanalytic community.

    #my sig used to say 'I humbly seek wisdom. '. Now it says:
    use strict;
    use warnings;
    I humbly seek wisdom.
[reply]

      You could get the benefit of a peer reviewed algorithm by using some secret salt (which was suggested by Fletch in Re^6: monastery mark-upedness (brute force)). 

      use Digest::SHA1 qw( sha1_hex );

my $ip_address = shift;
my $secret_salt = q{you don't know this part};

my $published_hash = sha1_hex( $ip_address . $secret_salt );

      [download]

      Someone who has access to the source could launch a dictionary attack now, but that would be true if the source had a roll-your-own algorithm too.

[reply]
[d/l]

        I got that. I was only intending to point out a different attack, where the attacker may not know the algorithm or even use their own cpu to do the brute forcing, but let Google do it. I guess it was a leap to go all the way to "roll-your-own". I agree that secret salt makes this less likely, but considering the Google attack may influence implementation including how the salt is selected or maybe whether the resulting hash is ever published in a Google-able space.

        #my sig used to say 'I humbly seek wisdom. '. Now it says:
        use strict;
        use warnings;
        I humbly seek wisdom.
[reply]
Re^10: monastery mark-upedness (privacy)
by tye (Sage) on Mar 21, 2008 at 19:01 UTC

    Yes, the not helping with sock puppetry is one reason why I give low odds of this ever being implemented. On the balance of privacy vs. discouraging abuse, I don't see posting even a hash of source IP for non-anonymous nodes as a worthwhile trade-off at this point. So I don't yet see an acceptable discouragement other than the convoluted idea of providing a level power that enables one to compare the source IPs of two specific nodes, which itself seems likely not worth the convolutedness for the theorized gain.

    But as anonymous trollery will almost certainly eventually become an annoying problem again, posting a hash of source IP for anonymous nodes may become worth implementing.

    - tye        

[reply]

In Section Perl Monks Discussion