The government could just as well pinpoint the hosting provider, and pull some strings to take the site offline, then read through the captured database. When the stakes are nation-state level, quite a large amount of very disturbing things start to become practical.
Shameless self plug: They should be using Aether. ( http://www.getaether.net ) It's a distributed network that creates forum-like, anonymous and encrypted public spaces: something I created and launched a few days ago. It's an app I created for this express purpose. I don't sympathise (at all) with their views, but no one gets to choose who gets free speech and who doesn't.
The French government is simply keeping a tab on the individuals, not the electronic forum per se.
Basically they let them say a lot of racist stuff and demonstrate, but they are checking that they are not colluding for an assassination (the Jacques Chirac scare is still in people's memories) and that they are not colluding for some big destruction. And they don't want them to demonstrate too close to the presidential palace (i.e. the Champs-Élysées is off-limits), because the proximity tends to make everybody more crazy.
One leftish guy got killed recently in a brawl, and the Government decided to dissolve the involved gang (the simple act of meeting together would be a crime now), without doing anything on the electronic or media level.
> The government could just as well pinpoint the hosting provider, and pull some strings to take the site offline, then read through the captured database.
That would be counter-productive. The goal is to keep track of the individuals and ensure they don't endanger others or create social risks (assassinations[0], terror attacks, ...). By taking the site offline, you'd increase resentment, make them move to a new host of some sort or (worse) drive them underground completely and become unable to keep tabs on their activity.
Gravatar is obviously wrong in its defense of the md5 choice. The md5 of an email is way more significant, as we know the structure in advance, and for 80% of the population we have a strong guess at the domain and the format.
Rainbow tables can be specialized for one domain (*@gmail.com) via the reduce phases, or for the "first_name dot last_name" structure, and so on.
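The structured keyspace the comment above describes, as an added example that is not part of the original thread and is not Gravatar's code. It generalises the `first.last@gmail.com` case to initials, a few separators, birth-year suffixes and several domains, hashes each candidate with Gravatar's documented recipe (trim, lowercase, MD5) and stops as soon as every captured hash is explained. Because the space is this small and this structured, plain enumeration is cheaper than building a rainbow table. The name lists, domains and "captured" hashes are constructed for the demo; the third hash belongs to a random local part and is meant to stay uncracked.

```python
"""Guess the e-mail behind a Gravatar hash by enumerating structured candidates.

Added example for this thread; not Gravatar's code. Gravatar's documented
recipe is md5(lowercase(trim(email))). The name lists, separators, domains and
the "captured" hashes below are constructed for the demo.
"""
import hashlib
import itertools


def gravatar_hash(email):
    """Gravatar's documented normalisation: trim whitespace, lowercase, hex MD5."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def candidate_emails(first_names, last_names, domains, years=()):
    """Yield addresses in the shapes people actually pick for their own accounts.

    Everything generated here is already lowercase, so each candidate is hashed once.
    """
    separators = ("", ".", "_", "-")
    for first, last in itertools.product(first_names, last_names):
        local_parts = set()
        for sep in separators:
            local_parts.add(f"{first}{sep}{last}")            # jean.dupont
            local_parts.add(f"{first[0]}{sep}{last}")         # j.dupont
            local_parts.add(f"{last}{sep}{first}")            # dupont.jean
            for year in years:
                local_parts.add(f"{first}{sep}{last}{year}")  # jean-dupont1984
        for local, domain in itertools.product(sorted(local_parts), domains):
            yield f"{local}@{domain}"


def crack(target_hashes, first_names, last_names, domains, years=()):
    """Return ({hash: email}, candidates_tried) for every target the dictionary explains."""
    wanted = set(target_hashes)
    found = {}
    tried = 0
    for email in candidate_emails(first_names, last_names, domains, years):
        tried += 1
        digest = gravatar_hash(email)
        if digest in wanted:
            found[digest] = email
            wanted.discard(digest)
            if not wanted:          # stop early once every captured hash is explained
                break
    return found, tried


# Constructed input: a few French first/last names, the domains a French user is
# likely to have, and "captured" hashes from a demo site. Two hashes belong to
# addresses the dictionary covers; the third (random local part) does not.
FIRST_NAMES = ["jean", "marie", "pierre", "sophie"]
LAST_NAMES = ["dupont", "martin", "bernard"]
DOMAINS = ["gmail.com", "hotmail.fr", "yahoo.fr", "orange.fr", "free.fr"]
BIRTH_YEARS = [str(y) for y in range(1960, 2000)]

CAPTURED_HASHES = [
    gravatar_hash("Marie.Bernard@hotmail.fr"),   # mixed case: Gravatar lowercases anyway
    gravatar_hash("jean-martin1984@free.fr"),
    gravatar_hash("k4r7z@protonmail.com"),       # unstructured: guessing should fail here
]


def demo():
    """Run the dictionary against the constructed hashes; returns (found, tried)."""
    return crack(CAPTURED_HASHES, FIRST_NAMES, LAST_NAMES, DOMAINS, BIRTH_YEARS)


if __name__ == "__main__":
    found, tried = demo()
    print(f"{len(found)}/{len(CAPTURED_HASHES)} hashes recovered after {tried} candidates")
    for digest, email in found.items():
        print(f"  {digest}  ->  {email}")
```

With four first names, three last names, five domains and forty years the whole space is roughly ten thousand candidates, which is nothing even in pure Python; the hash being MD5 only makes it faster on a GPU, it is the predictability of the input that makes it crackable at all. The one address that survives is the one whose local part carries no structure, which is the real lesson for anyone who wants a pseudonymous account to stay pseudonymous.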
A little context here. The FDeSouche blog (a pun on "Français de souche" which could be translated as "stock French" or "purebred French", really meaning "White French") is an extreme-right blog whose commenters are pretty tame compared to what you could read on, say, Pam Geller's site. The commenters have internalized the French Hate Speech laws and mostly use innuendos.
The "mariage pour tous" (="marriage for all", i.e. same-sex marriage) was opposed by a semi-grassroots movement called "la manif pour tous" ("the protest for all"), made up mostly of our religious right. The protests were huge, and some people have compared it to the Tea Party (minus the guns).
> The protests were huge, and some people have compared it to the Tea Party (minus the guns).
And either better dressed or significantly less dressed (many, both inside and outside the country, wondered at the existence of such fabulous anti-LGBT protesters)
I'm surprised Gravatar claims the hash is about privacy in the first place. I thought it was about generating a short, standardized URL.
If sites wanted to protect their users' anonymity, they'd cache the gravatars with different file names on their servers. Also, as a user I would never sign up for a site with my "real" address when I'm not comfortable with it being known eventually, Gravatar or not.
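What "cache the gravatars with different file names" looks like in practice, as an added example that is not part of the original thread and is not Gravatar's or any site's code. The naive form embeds Gravatar's MD5 straight into the page; the hardened form fetches the image server-side, stores it under an HMAC of the e-mail keyed with a per-site secret, and serves it from a local path. The identifier in the page then cannot be run through a name dictionary, and two sites that both use Gravatar no longer expose the same cross-linkable token for one person. The fetch step is a stub so the example runs offline; site secrets and addresses are constructed.

```python
"""Serve avatars through the site instead of embedding md5(email) in every page.

Added example (not Gravatar's or any site's code). The naive and the hardened
form sit side by side. The fetch step is a stub so this runs offline; site
secrets and e-mail addresses are constructed.
"""
import hashlib
import hmac


def gravatar_hash(email):
    """Gravatar's documented recipe: trim, lowercase, hex MD5."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def naive_avatar_url(email, size=80):
    """What most sites embed in their HTML: the guessable MD5 is right in the URL."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=identicon"


def avatar_id(site_key, email):
    """Opaque, per-site identifier: HMAC-SHA256 under a secret only this site holds.

    Without site_key it cannot be tied to the e-mail, nor to the same person's
    avatar on another site that uses a different key.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(site_key, normalized, hashlib.sha256).hexdigest()[:32]


class AvatarProxy:
    """Fetches from Gravatar server-side, caches under the opaque id, serves /avatars/<id>.png."""

    def __init__(self, site_key, fetch):
        self._key = site_key
        self._fetch = fetch      # callable(url) -> image bytes; real code would use an HTTP client
        self._cache = {}

    def url_for(self, email):
        """Called while rendering a page: fills the cache and returns the local URL."""
        aid = avatar_id(self._key, email)
        if aid not in self._cache:
            self._cache[aid] = self._fetch(naive_avatar_url(email))
        return f"/avatars/{aid}.png"

    def serve(self, path):
        """Called for GET /avatars/<id>.png; returns None (a 404) for unknown ids."""
        if not (path.startswith("/avatars/") and path.endswith(".png")):
            return None
        return self._cache.get(path[len("/avatars/"):-len(".png")])


def leaks_gravatar_hash(page_url, email):
    """True if a URL embedded in a page carries Gravatar's md5(email)."""
    return gravatar_hash(email) in page_url


if __name__ == "__main__":
    proxy = AvatarProxy(b"site-one-secret", fetch=lambda url: b"PNG-bytes-for:" + url.encode())
    naive = naive_avatar_url("Alice@Example.com")
    local = proxy.url_for("Alice@Example.com")
    print("naive:", naive, "leaks md5:", leaks_gravatar_hash(naive, "alice@example.com"))
    print("proxy:", local, "leaks md5:", leaks_gravatar_hash(local, "alice@example.com"))
```

Two caveats a practitioner would want. The server still sends md5(email) to Gravatar once per user, so Gravatar (and anyone watching that traffic) learns that the site has that user, just not which page view or visitor it belongs to. And the image bytes themselves are the same on every site that proxies them, so identical custom avatars can still be matched by eye or by image hash; the HMAC only removes the cheap, automatic join on the MD5 value.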
I was ready to dismiss this as "de-pseudonymizing" people, because in order for Gravatar to work (suitably well), they submitted their actual email address to the website host.
Intentionally "anonymous" individuals don't use real email addresses.
But the slides turned out to be pretty interesting when it gets to the email cracking part.
Here's an analysis of de-anonymizing posts to alt.anonymous.messages - those people want to stay anonymous. They make some trivial mistakes.
> Then I go into a large analysis of the types of PGP-encrypted messages there are. Messages encrypted to public keys, to passwords and passphrases, and PGP messages not encrypted at all!
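How that kind of classification can be done from the packet headers alone, as an added example that is not the ritter.vg author's code and not part of the original thread. It walks the OpenPGP packet stream (RFC 4880 sections 4.2, 4.3, 5.1 and 5.3) and reports whether a message is encrypted to public keys (and to which key IDs, or to a wildcard all-zero key ID that hides the recipient), to a passphrase, to both, or not encrypted at all. No key or passphrase is needed because only packet tags and the fixed prefix of the session-key packets are read. The armored sample messages are constructed with dummy MPIs and dummy ciphertext, which is enough since the bodies are never decrypted.

```python
"""Classify an OpenPGP message from its packet headers (RFC 4880 sections 4.2, 4.3, 5.1, 5.3).

Added example; not the code behind the ritter.vg analysis. Only packet tags and
the fixed prefix of the session-key packets are read, so no key or passphrase
is needed. The sample messages at the bottom are constructed with dummy bodies.
"""
import base64

# RFC 4880 section 4.3 packet tags that matter for classification.
PKESK, SIGNATURE, SKESK, ONE_PASS_SIG = 1, 2, 3, 4
COMPRESSED, SYM_ENCRYPTED, LITERAL, SEIPD = 8, 9, 11, 18


def dearmor(text):
    """Return the binary packet stream from an ASCII-armored message (CRC line skipped)."""
    lines, in_body = [], False
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line == ""           # a blank line separates armor headers from data
            continue
        if not line.startswith("="):       # "=XXXX" is the 24-bit CRC, not data
            lines.append(line)
    return base64.b64decode("".join(lines))


def parse_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if first & 0x40:                                   # new format: 6-bit tag
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:                                          # partial length: treat the rest as body
                length, i = len(data) - i - 2, i + 2
        else:                                              # old format: 4-bit tag, 2-bit length type
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                                 # indeterminate length
                length, i = len(data) - i - 1, i + 1
            else:
                n = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def classify(armored):
    """Describe how the message is encrypted: to which keys, to a passphrase, both, or not at all."""
    info = {"kind": "unknown", "key_ids": [], "hidden_recipients": 0, "passphrase_slots": 0}
    for tag, body in parse_packets(dearmor(armored)):
        if tag == PKESK and body[0] == 3:                  # v3 PKESK: version, 8-byte key ID, algo, MPIs
            key_id = body[1:9].hex()
            if key_id == "00" * 8:                         # wildcard key ID: recipient deliberately hidden
                info["hidden_recipients"] += 1
            else:
                info["key_ids"].append(key_id)
        elif tag == SKESK:                                 # passphrase-derived session key
            info["passphrase_slots"] += 1
        elif tag in (SYM_ENCRYPTED, SEIPD):                # ciphertext begins; no more session-key packets
            break
        elif tag in (LITERAL, COMPRESSED, SIGNATURE, ONE_PASS_SIG):
            info["kind"] = "not encrypted"                 # plaintext, or merely signed
            return info
    if info["key_ids"] or info["hidden_recipients"]:
        info["kind"] = "public-key" + (" and passphrase" if info["passphrase_slots"] else "")
    elif info["passphrase_slots"]:
        info["kind"] = "passphrase"
    return info


# --- constructed sample messages (dummy MPIs and ciphertext; only headers are inspected) ---
def _old_packet(tag, body):     # old-format header, one-octet length; tags 0-15 only
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _new_packet(tag, body):     # new-format header, one-octet length (bodies under 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body


def _armor(packets):
    b64 = base64.b64encode(packets).decode()
    return "-----BEGIN PGP MESSAGE-----\n\n" + b64 + "\n-----END PGP MESSAGE-----\n"


def _pkesk(key_id):             # v3, RSA (algorithm 1), one dummy 8-bit MPI
    return _old_packet(PKESK, b"\x03" + key_id + b"\x01" + b"\x00\x08\xab")


_SKESK = _old_packet(SKESK, b"\x04\x09\x03\x08" + b"\x5a" * 8 + b"\x60")  # v4, AES-256, iterated+salted SHA-256
_SEIPD = _new_packet(SEIPD, b"\x01" + b"\x00" * 32)                       # v1 SEIPD, dummy ciphertext
_LITERAL = _old_packet(LITERAL, b"b\x00" + b"\x00" * 4 + b"hello")        # binary literal, no filename

SAMPLE_PUBKEY = _armor(_pkesk(bytes.fromhex("0102030405060708")) + _SEIPD)
SAMPLE_HIDDEN_AND_PASSPHRASE = _armor(_pkesk(b"\x00" * 8) + _SKESK + _SEIPD)
SAMPLE_PASSPHRASE = _armor(_SKESK + _SEIPD)
SAMPLE_PLAINTEXT = _armor(_LITERAL)

if __name__ == "__main__":
    for name, msg in [("pubkey", SAMPLE_PUBKEY), ("hidden+pass", SAMPLE_HIDDEN_AND_PASSPHRASE),
                      ("passphrase", SAMPLE_PASSPHRASE), ("plaintext", SAMPLE_PLAINTEXT)]:
        print(f"{name:12s} {classify(msg)}")
```

The point for anyone posting to a group like alt.anonymous.messages is that the recipient key ID sits in cleartext in every PKESK packet unless the sender asked for a wildcard (gpg's throw-keyids behaviour), and a symmetric-only message announces that the secret is a passphrase somebody could try to guess. Both facts are visible to anyone who runs something like the script above over the archive, no decryption required.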
I've often thought Gravatars were less-noticed privacy violations. Nice to see that confirmed here. Of course, if the websites don't have SSL-always, then governments can listen between your ISP and the web host to get your cookie, and from there, get your email address or track your activity. This, obviously, is more open since anyone can view a gravatar, or even previously generated ones via archive.org.
Also noteworthy is that it's getting increasingly harder to even have pseudonyms -- and not be outed.
About a week ago, I really wanted to get in touch with a HN user (who did not have any contact information in his profile), so I set out to do a little detective work... and after about 2 hours I basically got his e-mail address. Innocently and guilelessly I wrote him a message, and I found him to be just bewildered that I found out his identity... I felt very sorry of course for having scared him like that. This was a big moment for me. Because I also prefer to be anonymous on comment forums, and I'm generally pretty careful to not give clues as to my identity, but I still can't help but wonder if it's all gonna come back to me and maybe hurt my career in some manner.
What this shows to me is that md5 needs to die. Perhaps it was good in times past, but now it is too easy to crack with commodity computer hardware. The rig shown in the article costs <$2000 USD when priced out on newegg.com. Top-shelf gaming GPUs are only going to get faster.
I was surprised to read that the right to freedom of speech is not recognized in France. Anyone here from France willing to affirm or refute article's claim in that regard?
Freedom of speech is a guaranteed right, but it comes with some (minor, in fact) limitations: incitement to hatred, discrimination, slander and racial insults; racist, anti-Semitic, or xenophobic activities (so including their promotion via speech); Holocaust denial; and hatred against people because of their gender, sexual orientation, or disability are prohibited, and some of those can even be sentenced with jail time.
http://en.wikipedia.org/wiki/Freedom_of_speech_by_country#Fr...
> I was surprised to read that the right to freedom of speech is not recognized in France.
It is.
The French constitution states:
> La libre communication des pensées et des opinions est un des droits les plus précieux de l'homme ; tout citoyen peut donc parler, écrire, imprimer librement, sauf à répondre de l'abus de cette liberté dans les cas déterminés par la loi.
(Translation: The free communication of thoughts and opinions is one of the most precious rights of man; every citizen may therefore speak, write and print freely, except to answer for the abuse of this freedom in the cases determined by law.)
Which means that you have free speech, BUT you can be prosecuted if you abuse it as defined by the law. Examples of common abuses: defamation (the most common), incitement to ethnic or racial hatred, privacy violation, historical revisionism, intellectual property infringement, etc.
But except "incitement to ethnic or racial hatred" and "historical revisionism" it's mostly the same in the US.
Also, it's not all about the law, during the same sex marriage debates, a lot of homosexual people got beaten by far right / nazi-like groups.
Related to cracking with a GPU: https://passfault.appspot.com/password_strength.html can measure password strength based on length of time it would take to crack from known patterns and cost of hardware employed to do so. And this, of course, excludes that passwords are often re-used on multiple sites and the risk that your password is already in someone else's database.
What this really highlights is that, like fingerprints, it's a lot easier to accidentally share things that can uniquely or partially identify you than to cover up and stay anonymous. (Or find a nice middle ground, pretending to be someone else, say.) There's a lot of security through obscurity that we tend to trust -- that people won't investigate my identity simply because they've no reason to. And so it's worrisome when you see it happen to others.
Interesting preservation. I also couldn't help but notice that the slides themselves were beautiful. I wonder if they were generated using a recent version of, e.g., Microsoft Office (the fonts look like those used in Modern UI) or if there's a beamer theme that looks like that. If there is one, do tell.
[0] http://en.wikipedia.org/wiki/Jacques_Chirac#Assassination_at...
Except maybe the US, but even then some foreign hosts won't be very cooperative, especially when the purpose is to curb freedom of speech.
De-Anonymizing Web Communities with Gravatar
https://web.archive.org/web/20111219233019/http://rgov.org/2...
(http://ritter.vg/blog-deanonymizing_amm.html)
You'd be surprised. Even DPR fucked it up.
No. MD5 needs to stop being used in inappropriate ways.
Switching rsync to bcrypt, scrypt, or pbkdf2 for its hashing is _not_ a sensible idea.
Using "fast hashes" for cryptographic level protection is not a sensible idea.
MD5 still has a great many uses. Killing it off because some people use it for the wrong things is shortsighted at best…
See also: http://pandodaily.com/2013/10/26/i-challenged-hackers-to-inv...