<<< Date Index >>>     <<< Thread Index >>>

[IP] more on Solution for Gov't Security-Privacy Clash?



As I said, I saw this before . When will reporters and even Comp Sci people stop the rediscovery of basic things in the science every 5 years

Dave

ps maybe there is more than reported . I hope so



Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 11 Mar 2004 15:11:41 -0800
From: Brad Templeton <btm@xxxxxxxxxxxxxx>
Subject: Re: [IP] Solution for Gov't Security-Privacy Clash?
To: Dave Farber <dave@xxxxxxxxxx>

> With data-hashing, "you can hand your data to your worst enemy and they
> don't have anything," says Kim Taipale, executive director of the Center
> for Advanced Studies in Science and Technology Policy, a policy research
> group in New York.


Do these people think they just invented the concept of one-way functions
for comparing data without knowing the source?  It's a very old concept,
and there's a reason why it hasn't been proposed by the security
community.

A one way hash only works for protection if the source or "real" string/name
is not something that can be guessed, and it definitely can't be something
from a relatively small enumerated set.

Most of the better computer passwords work using a one-way hash, so that
the computer that you are logging into can't tell you your password.
(You can spot the people who do it well because they won't mail you your
password, and instead will change your password to something new and
mail you that.)

However, it is well known that such systems are vulnerable to the
"dictionary" attack.  Which is to say, if you use an ordinary word or
common name for your password, then given the one-way hash, they can
still find it out.  It's no longer one-way.

So if, like the world's major governments, you have a list of the names
of all your people, it is an easy step to convert a list of the hashes
of the names of people in a hotel or on an airliner back to their
real names.     They say they will only check against a list of
terrorist names, but this is just their promise.  The one-way hash is
in fact providing no more security than we already get from the promises
we have now.  A false sense of security.

It does do one thing for you.  If you register at the hotel under a
well  made-up name, they won't be able to extract your made-up
name from the hash.   Wow, I feel safer.

This is one reason that the famous "do not spam" list is a disaster
waiting to happen.  The spammers already have lists of all the
email addresses of people who get spam.  (Sort of by definition!)
As such, releasing a list of hashes of names on the do not spam list
will tell the spammers, if nobody else, exactly which addresses are
real and on the list. A great list for spamming to.
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/