That's really dangerous (beyond the immediate stupidity of asking such question to a LLM) because it may give an impression that ChatGPT answers should be trusted and neutral... It's neither.
What about reading or watching things you don't want your friends, your boss, the police, a judge or anyone else to know you read or watched?
1. ejmr made a system that includes hashes that could be trivially linked to ip addresses
2. ejmr claimed posts were anonymous
3. this researcher realized that the hashes could be trivially linked to ip addresses
4. the researcher presumably informed ejmr (as ejmr changed their scheme prior to publication)
5. the researcher published the findings
The posts made on the forum could be linked to ip addresses from step 1, if this series of events stopped at step 2 or 3, the posts would still not be anonymous, and forum users would still believe that they were.
We know that at step 3 this researcher realized that the forum posts were not anonymous, we have no way of knowing how many other people may have also discovered this.
At step 4, we know ejmr changed their hashing scheme to actually make it [maybe] anonymous, and despite now knowing their existing scheme was not anonymous they did not inform any existing users that their posts were not anonymous.
At step 5 the people using these forums finally discovered that their posts were not actually anonymous, because they were never anonymous. People on that forum, and commenters on HN, act like the researcher was responsible for the technical failure of ejmr, and somehow the act of telling people that their posts were not anonymous is what actually removed anonymity.
Because people continue to struggle with this, let's imagine I made a forum where every post had an id that was computed as the first 10 characters of base64(rot13(ip || iso date)). A decade later someone goes "hang on, this looks like base 64", and then publishes their findings: you can get a post's IP address by decoding the truncated base 64 and reversing rot13.
Is that person responsible for de-anonymizing the users of my forum, or is it my fault for misrepresenting the anonymity of my forum?
"trivially be linked" = searching 3 quadrillion possibilities?
Suppose that in the near future that a quantum computer enables the "trivial" piercing of current anonymity assumptions, should those individuals also be fair game for doxxing: "they were never anonymous"?
Your casual appropriation of "triviality" to dismiss moral concerns over this paper and the authors' possible motives rings hollow in me.
Which is trivial. Doing the same thing many times is literally what computers were invented for. Whether it's 3 times or 3 quadrillion times, it does not matter.
> Suppose that in the near future that a quantum computer enables the "trivial" piercing of current anonymity assumptions, should those individuals also be fair game for doxxing: "they were never anonymous"?
There are myriad ways to have provable anonymity, quantum computers are not magic. More over the best known algorithm for some kind of deanonymization under QC is still Grover's search which is a sqrt improvement, rather than anything catastrophic like Shor's. But that's also irrelevant.
ejmr's "anonymization" was not anonymous under the standard cryptographic assumptions of 20 years ago, let alone 12 years ago when the software originated.
To be clear, when ejmr was first started:
* SHA1 was mostly cryptographically broken (that is it was considered a sufficiently determined adversary with unlimited money could break it), hence any new use of SHA-1 is definitionally wrong.
* SHA is the wrong family anyway, SHA hashes are authentication codes and are therefore intentionally extremely fast to compute. It was well established in the _90s_ that authentication hashes are not appropriate for anything other than authentication, alongside numerous demonstrations of breaking password hashes which is what ejmr was essentially doing.
* ejmr was not salting anything, and literally anyone with actual experience in any actual field using hashes knows that salting hashes is mandatory.
This isn't "this was anonymous until computers got faster", this was not anonymous at the time it was first written, under standard cryptographic assumptions. Let's say it cost $10k for this PI to compute those hashes, then 12 years ago, assuming Moore's law, it would cost $5million to break (under simple assumptions, so I doubled to be conservative).
That. is. broken.
> Your casual appropriation of "triviality" to dismiss moral concerns over this paper and the authors' possible motives rings hollow in me.
No. My claims are purely related to the claims that the authors of this paper are responsible for deanonymizing people that on ejmr, when ejmr catastrophically failed and misled its users.
Your immediate response to my statement about triviality was to repeat "it's a big number" which belies a gross misunderstanding of the field. Anything involving hashing or cryptography is filled with giant numbers. A non-trivial attack is one that involves doing something clever to reduce the search space to make the attack possible. This attack was _literally_ "we just tried every option as fast as possible". That attack on misuse of hashing operations was identified in the 90s when people demonstrated breaking of password hashes.
This attack is not clever. It does not - afaict - do anything that in anyway reduces the complexity from "try every option", it is a dumb solution to the incompetent "anonymization" performed by ejmr. That "try every option" was an option speaks to how poor the ejmr code was, and how trivial this was.
As for the "morality" of the paper: there are endless "studies" of forum culture and demographics that haven't caused problems.
The only problem I see is that ejmr is refusing to acknowledge that they rolled their own crypto, and predictably got it wrong. That and people like you who seem to believe this mediocre research paper is somehow responsible.
If that happened, the forum has completely mishandled this and the blame is squarely on them. If it didn't then I guess it's an open question.
The responsible vs. irresponsible disclosure question is "do you tell the responsible party ahead of time and give them time to repair it". From articles it certainly appears that ejmr learned how broken their code was prior to this paper being published.
But responsible vs irresponsible disclosure is not a question of "should this be disclosed at all?", which the security community as whole seems to have determined that the answer is "yes".
The problem is that ejmr was not anonymous, and if you publish something that is not anonymous, it is forever not anonymous.
The only option would be to not disclose that there was any problem, not notify people that their posts were not anonymous, and this paper (the actual "research" about where posters lived/worked?) could also not be published. Because any acknowledgement or indication that the you could get form id to ip in any forum would cause people to go "huh, how did they do that?" a Streisand effect your way to everyone knowing.
This is of course assuming that no one else interested in commenter identities has ever looked at ejmr either, because these researchers did not do anything clever to break the scheme.
Snippets of posts with IP addresses at Harvard, Stanford, Yale, University of Chicago, and the National Bureau of Economic Research headquarters include: "Rapefugees Welcome!!!!! - Merkel"; "bietches are fugly"; and "Its about ching chong taking bubba's job and bubba putting on a white pointy hood in response."
[1] https://www.businessinsider.com/harvard-yale-toxic-posts-ejm...
Do you or do you not think that it should be acceptable to use language like "d4mn j3ws" in an academic forum?
Of course it's not acceptable. It's not acceptable for any academic to disagree with me period. All those posters need to be rooted out, fired, and blacklisted.
Should that sort of language be "acceptable?"
Well, I find it absurdly distasteful.
But clearly it's acceptable to some people.
Outside of the bounds of legality, you don't get to decide what is or is not acceptable for other people when it comes to speech.
Notably, no salt used
I think there's where the anonymity claims might have come from
Do they have the NAT translation logs for all major universities?
Strange topic of research for an economist.
Here's a direct quote the paper has from EJMR: "And America lost its war against blks. [...] At least until we resolve to final solution"
Do you have any empathy at all for those on the other side of this?
more importantly, ejmr has been important in uncovering multiple cases of research fraud (including one of the literal damn authors, this is some vindictive ass bs) and is the best source for actual unfiltered info on opinions of econ departments. includes important info like info abt people's political biases, potential toxic departmental cultures (or rather, which are more or less toxic, this being econ), and even info on sexual harassment allegations that depts would rather cover up. chilling effect of stripping anonymity is awful.
No. Also name calling, while commenting on something you clearly don't understand is not a good look.
EJMR claimed to be anonymous. It was not, and what they were doing skipped the most absolutely trivial of steps for actual anonymization.
The only difference between this week and last week, is that now people know that their IP addresses were leaked rather than believing that they were anonymous. I would argue, it is beneficial to people to know that anyone could have done exactly what this researcher did, and we would have no way of knowing.
Blaming the person who found out how terrible EJMR's "anonymization" was, is classic shooting the messenger.
It's also a really good example of why we so "don't roll your own crypto". Any person who specializes in cryptography (or hopefully anyone who has done a basic intro to cryptography course) should have been able to point out the issues.
> more importantly, ejmr has been important in uncovering multiple cases of research fraud and is the best source for actual unfiltered info on opinions of econ departments. chilling effect of stripping anonymity is awful.
This sounds like the kind of thing where people need anonymity, it's a good thing that this research has demonstrated that ejmr was not providing such. Again, this research has not "stripped anonymity", there was none to begin with.
Found out! They had an enemy: a small forum that they did not control. They looked for ways to screw it. This isn't some good-natured happenstance, they targeted someone they didn't like so they could screw them. The result, the point, wasn't, "Hey, security is important, kids, let me highlight your errors" it was, "Hey, you goddamn blasphemers, you have trod upon my fickle religious beliefs, so with the institutional and state power vested in me I will screw you."
So you're saying its good that the obviously vindictive "researcher" targeted them for personal reasons because he dislikes political/religious opinions displayed on their casual rumors forum. "It was a public service," he claims! I understand that you probably want to white knight for your team, but perhaps take a moment to realize how ghoulish your disingenuous equivocation is.
1. report it like a good person
2. exploit it and dump the whole damn list of hashes
1 is research. 2 is blackhat shit. i agree the anonymization was bad, i agree rolling your own crypto is dumb, i'm arguing by addressing it the way he did, ederer is (consciously) attempting to break the valid role of anonymity and introduce a chilling effect.
there is a big difference between reporting a bug and using a rack of a100s to crack and hold info, with the subtle undercurrent that it could be released.
there's an obvious conflict here. ederer et al. don't like ejmr, so instead of looking to actually help, they went after something totally outside their usual just to be dicks about it.
