De-anonymizing Users of French Political Forums [pdf] (hack.lu)
100 points by adulau on Oct 28, 2013 | 48 comments



The government could just as well pinpoint the hosting provider, and pull some strings to take the site offline, then read through the captured database. When the stakes are nation-state level, quite a large amount of very disturbing things start to become practical.

Shameless self plug: They should be using Aether (http://www.getaether.net). It's a distributed network that creates forum-like, anonymous and encrypted public spaces — something I created and launched a few days ago. It's an app I created for this express purpose. I don't sympathise (at all) with their views, but no one gets to choose who gets free speech and who doesn't.


The French government is simply keeping tabs on the individuals, not the electronic forum per se.

Basically they let them say a lot of racist stuff and demonstrate, but they are checking that they are not colluding for an assassination (the Jacques Chirac scare is still in the memories) and that they are not colluding for some big destruction. And they don't want them to demonstrate too close to the presidential Palace (i.e. the Champs-Élysées is off-limits), because the proximity tends to make everybody more crazy.

One leftish guy got killed recently in a brawl, and the Government decided to dissolve the involved gang (the simple act of meeting together would be a crime now), without doing anything on the electronic or media level.


> The government could just as well pinpoint the hosting provider, and pull some strings to take the site offline, then read through the captured database.

That would be counter-productive. The goal is to keep track of the individuals and ensure they don't endanger others or create social risks (assassinations[0], terror attacks, ...). By taking the site offline, you'd increase resentment, make them move to a new host of some sort or (worse) drive them underground completely and become unable to keep tabs on their activity.

[0] http://en.wikipedia.org/wiki/Jacques_Chirac#Assassination_at...


Well, governments cannot usually "pull some strings" to take offline a website hosted in a foreign country (Sweden in this case).

Except maybe the US, but even then some foreign hosts won't be very cooperative, especially when the purpose is to curb freedom of speech.


This sounds like an interesting project, and you should submit it as a link, although I'd expect various concerns about security to be thrown around.


I did, about three times. Nobody looks at 'new', apparently :/


Very smart, I like it.

Gravatar is obviously wrong in its defense of the md5 choice. The md5 of an email is way more significant as we know in advance the structure, and for 80% of the population, we have a strong guess of the domain, the format. Rainbow tables can be specialized for one domain (*@gmail.com) via the reduce phases or for the "first_name dot last_name" structure... & so on.


There are also massive wordlists in the form of scraped and compromised emails to look through.


A little context here. The FDeSouche blog (a pun on "Français de souche" which could be translated as "stock French" or "purebred French", really meaning "White French") is an extreme-right blog whose commenters are pretty tame compared to what you could read on, say, Pam Geller's site. The commenters have internalized the French Hate Speech laws and mostly use innuendos.

The "mariage pour tous" (="marriage for all" i.e. same-sex marriage) was opposed by a semi-grassroots movement called "la manif pour tous" ("the protest for all") made mostly of our religious right. The protests were huge, and some people have compared it to the Tea Party (minus the guns).


> The protests were huge, and some people have compared it to the Tea Party (minus the guns).

And either better dressed or significantly less dressed (many, both inside and outside the country, wondered at the existence of such fabulous anti-LGBT protesters)


The lack of self-awareness was hilarious: http://americablog.com/2013/07/frances-gayest-homophobes-str...


I published an identical attack in 2010:

De-Anonymizing Web Communities with Gravatar

https://web.archive.org/web/20111219233019/http://rgov.org/2...


I'm surprised Gravatar claims the hash is about privacy in the first place. I thought it was about generating a short, standardized URL.

If sites wanted to protect their users' anonymity, they'd cache the gravatars with different file names on their servers. Also, as a user I would never sign up for a site with my "real" address when I'm not comfortable with it being known eventually, Gravatar or not.
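The server-side caching under different file names suggested in the comment above, sketched as an added example that is not part of the thread or of Gravatar's own code. The `/avatars/` path, the site secrets and the e-mail addresses are constructed for illustration; the only Gravatar-specific assumption is its documented identifier, the MD5 of the trimmed, lower-cased address.

```python
import hashlib
import hmac

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def normalize(email: str) -> bytes:
    """Gravatar's normalisation: trim whitespace, lower-case."""
    return email.strip().lower().encode("utf-8")


def gravatar_hash(email: str) -> str:
    """Identifier that ends up in page HTML when a site links Gravatar directly."""
    return hashlib.md5(normalize(email)).hexdigest()


def upstream_url(email: str) -> str:
    """URL the server fetches once to fill its own cache; never sent to browsers."""
    return GRAVATAR_BASE + gravatar_hash(email)


def opaque_avatar_id(email: str, site_secret: bytes) -> str:
    """Site-local name: a keyed hash that cannot be recomputed without the secret."""
    return hmac.new(site_secret, normalize(email), hashlib.sha256).hexdigest()[:32]


def public_avatar_path(email: str, site_secret: bytes) -> str:
    """Path served to browsers (hypothetical /avatars/ route on the site itself)."""
    return "/avatars/" + opaque_avatar_id(email, site_secret) + ".png"


def guess_confirms(guess: str, published_id: str) -> bool:
    """What any outside observer can do: hash a guessed address and compare."""
    return hmac.compare_digest(gravatar_hash(guess), published_id)


if __name__ == "__main__":
    # Constructed sample data.
    email = "  Jean.Dupont@Example.org "
    forum_a_secret = b"constructed-secret-for-forum-a"
    forum_b_secret = b"constructed-secret-for-forum-b"

    direct = gravatar_hash(email)
    cached = opaque_avatar_id(email, forum_a_secret)

    # Direct linking: a correct guess is confirmed by the public identifier.
    print("direct link confirms guess:", guess_confirms("jean.dupont@example.org", direct))
    # Cached under a keyed name: the same guess can no longer be checked.
    print("cached name confirms guess:", guess_confirms("jean.dupont@example.org", cached))
    # Per-site secrets also stop the identifier linking one user across sites.
    print("same id on both forums:", cached == opaque_avatar_id(email, forum_b_secret))
    print("served path:", public_avatar_path(email, forum_a_secret))
```

The keyed name only helps if the site serves the cached image itself; a redirect to the upstream URL would expose the MD5 identifier again.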


I was ready to dismiss this as "de-pseudonymizing" people, because in order for Gravatar to work (suitably well), they submitted their actual email address to the website host.

Intentionally "anonymous" individuals don't use real email addresses.

But the slides turned out to be pretty interesting when they get to the email cracking part.


> Intentionally "anonymous" individuals don't use real email addresses.

(http://ritter.vg/blog-deanonymizing_amm.html)

Here's an analysis of de-anonymizing posts to alt.anonymous.messages - those people want to stay anonymous. They make some trivial mistakes.

> Then I go into a large analysis of the types of PGP-encrypted messages there are. Messages encrypted to public keys, to passwords and passphrases, and PGP messages not encrypted at all!


> Intentionally "anonymous" individuals don't use real email addresses.

You'd be surprised. Even DPR fucked it up.


I've often thought Gravatars were less-noticed privacy violations. Nice to see that confirmed here. Of course, if the websites don't have SSL-always, then governments can listen between your ISP and the web host to get your cookie, and from there, get your email address or track your activity. This, obviously, is more open since anyone can view a gravatar, or even previously generated ones via archive.org.


Also noteworthy is that it's getting increasingly harder to even have pseudonyms -- and not be outed.

About a week ago, I really wanted to get in touch with a HN user (who did not have any contact information in his profile), so I set out to do a little detective work... and after about 2 hours I basically got his e-mail address. Innocently and guilelessly I wrote him a message, and I found him to be just bewildered that I found out his identity... I felt very sorry of course for having scared him like that. This was a big moment for me. Because I also prefer to be anonymous on comment forums, and I'm generally pretty careful to not give clues as to my identity, but I still can't help but wonder if it's all gonna come back to me and maybe hurt my career in some manner.


Things I noticed going through your comment history:

Your race.

What car you drive.

Hints at your political ideology.

Where you grew up/that you're not originally from the United States/wherever you live now.

You've undergone an IQ test in a professional environment.

You've probably donated to Lavabit's legal fund.

What OS you use, when you last bought a new computer.

Since you talk about a computer engineering class with 250+ people, you've probably been to college. (Scratch that, you've definitely been to college.)

You have a first church of atheism near you, and are probably a member.

----

That seems like enough to uniquely ID you.


Oh boy.

Kudos to you for gathering a lot of good stuff, an A for the effort absolutely. I should point out that you're off on /some/ things (or perhaps more accurately: incomplete). For beginners, the OS I use -- you're thinking Win8, but that's only on the laptop I recently bought. I've actually been using Ubuntu for a couple of years on the main desktop. My race, car, political ideology, place of birth, current residence, current religion, religion of household I was born to, education you've got right. For my own good I will stop confirming other bits of information, I think (hope) that still leaves enough ambiguity to grant me still some freedom of anonymity (or maybe I'll have to abandon this account after another week or so, I guess I'll think about it). Oh, while I have the perfect chance to preach /why/ anonymity is important: I have family problems, because of religious differences. If my family found out my religious beliefs in full they'd be mad at me, that is one of the reasons I choose to be anonymous (in addition to a good many others, relating to professional work life and other things).

One question: Why is my talking about being in a CE class of 250+ people not conclusive enough information that I've been to college? And, what was that /extra/ thing that made you confidently say 'Scratch that, you've definitely been to college'?


> Why is my talking about being in a CE class of 250+ people not conclusive enough information that I've been to college?

Could have been a trade school, possibly a very large high school.

> And, what was that /extra/ thing that made you confidently say 'Scratch that, you've definitely been to college'?

https://news.ycombinator.com/item?id=6442136

Speaking of which, you really shouldn't admit stuff like that in a public forum.


That'll teach me to make assumptions. I assumed Mac since you wrote somewhere that you didn't have the Java web plugin; added 1 and 2 and got 4.

As to abandoning your account, I wouldn't worry about it. You're far more likely to get a relative's interest some other way -- perhaps an event notification on a smartphone screen, or the auto-complete bar in a browser. The simplest approach is most likely though: dinner table conversation on some evening in the future. :)


> That'll teach me to make assumptions. I assumed Mac since you wrote somewhere that you didn't have the Java web plugin; added 1 and 2 and got 4.

I don't have the Java web plugin installed even on my Windows machines (indeed, when I provided the link to the Rubik's cube page and complained about the Java applet, I was on a Windows computer). A lot of people don't have Java web plugins installed these days... seriously, try living life without it, it's great (well, if you can -- I think a lot of people use it for work/school reasons).

It's certainly not as needed as it was some handful of years ago for smooth web browsing. So if you can go without the hassles of having to update it god-knows-how many times, having different versions installed and being a mess on the computer, having yet another thing running in the background, etc... it's great. I really, really don't miss it.


Upon hearing "I'm generally pretty careful to not give clues as to my identity", Mr. unimpressive here appears to have said "Challenge Accepted." and followed through. https://www.google.ca/search?q=barney+stinson+challenge+acce... Perhaps somebody has too much time on their hands? Personally I'm more worried by non-personal, bulk attacks based on database leaks.

Oh and don't forget. selmnoo has Java disabled likely because he or she is on a Mac, so that's another vector out. Probably the fastest way to get any individual on HN is to reply to their comment and mention some site on which you've installed a payload, or not even that complicated: just ask for their email address. Done. :)


> Personally I'm more worried by non-personal, bulk attacks based on database leaks.

While a personal attack is much less likely than a non-personal bulk attack, I would guess that anybody who goes through the trouble of personally looking over your words with a magnifying glass has a much higher chance of being very dangerous.

That scary amounts of information are floating around about you has always been true though. The things you can get from your local courthouse may surprise you.


Sure, but when anyone takes an interest in someone else, we all know the odds "something bad" will happen, even if "bad" is simply "embarrassment of the person with the interest". Similarly, I suppose what I'm getting at is there really is no such thing as complete anonymity, just the temporary pretence of it. I mean, of course, lack of interest and luck can contribute to your anonymity these days, and time might diminish the odds that something can get traced back to you, but ... you never know. ;-)

Edit: I posted this elsewhere but it's relevant here too - http://pandodaily.com/2013/10/26/i-challenged-hackers-to-inv...


I use my real name, and I lost my last job triggered by online comments I made (not the only factor). I still don't think it's a big deal in general, I also have reference threads on quite technical subjects.


Yeah, I know that even making a separate email account and using every trick not in the book to hide myself still won't help me. I'm too honest in the language I use. Or, like other usernames I've Googled, it becomes easier to pin someone down when they use the same name across multiple sites. If nothing else, it shows your interest in those sites, which can together, sometimes, uniquely identify you.


Interesting.

What this shows to me is that md5 needs to die. Perhaps it was good in times past, but now it is too easy to crack with commodity computer hardware. The rig shown in the article costs <$2000 USD when priced out on newegg.com. Top-shelf gaming GPUs are only going to get faster.

I was surprised to read that the right to freedom of speech is not recognized in France. Anyone here from France willing to affirm or refute article's claim in that regard?


The freedom of speech is a right guaranteed, but it comes with some (minor in fact) limitations: incitement to hatred, discrimination, slander and racial insults; racist, anti-Semite, or xenophobic activities (so including the promotion via speech), Holocaust denial; hatred against people because of their gender, sexual orientation, or disability are prohibited and can even be sentenced with jail time for some of those. http://en.wikipedia.org/wiki/Freedom_of_speech_by_country#Fr...


> I was surprised to read that the right to freedom of speech is not recognized in France.

It is. The French constitution states:

> The free communication of thoughts and opinions is one of the most precious rights of man; every citizen may therefore speak, write and print freely, subject to answering for the abuse of this freedom in the cases determined by law.

Which means that you have free speech, BUT, you can be prosecuted if you abuse it as defined by the law. Example of common abuses: defamation (the most common), incitement to ethnic or racial hatred, privacy violation, historical revisionism, intellectual property infringement, etc.

But except "incitement to ethnic or racial hatred" and "historical revisionism" it's mostly the same in the US.

Also, it's not all about the law, during the same sex marriage debates, a lot of homosexual people got beaten by far right / nazi-like groups.


> a lot of homosexual people got beaten by far right / nazi-like groups.

This IS a lie. Do you have any sources?

There has been one attack on a gay couple, hugely used by the government and their supporting media. Newspapers have implied (no facts) that the culprits were members of the strike against same sex marriage or far right activists. There was then a huge huge buzz to shame the strikers. And finally, 4 months later, the police arrested 4 youths: 3 in a "cité" (public housing, "ghetto") and one was already in jail, all of them well known to the police services for acts of violence. http://www.leparisien.fr/paris-75/agression-homophobe-a-pari...

Some people in the comments do say that the police delayed the arrest so that the government could shame the protesters against same sex marriage.

One more thing, the man beaten reacts to the arrest on a far left web site. https://bellaciao.org/fr/spip.php?article137205 And he is in complete denial, not being able to recognize that those who beat him have nothing in common with those that protested against same sex marriage.


> This IS a lie. Do you have any sources?

What's the "lie", the aggressions or the fact that it comes from far right groups?

If the former:

http://www.france24.com/fr/20130421-climat-homophobie-agress...

> 1200 aggressions on homosexual people in the first 3 months of 2013 compared to 1 556 on the whole 2011.

Almost 4 times more than usual, is it enough for you?

About the authors of the aggressions:

http://www.lemonde.fr/societe/article/2013/09/04/bar-gay-sac...

Are skinheads far-right enough for you?

But of course, skinheads are probably not behind ALL these aggressions, most of them are probably "standard" homophobes.


Your first source speaks of "verbal aggression", you cannot take that as a proof for 1200 physical aggressions.

"The organisation (SOS homophobie) received three times more calls and e-mails between 1 January and the end of March (1,200 people over three months, against 1,556 for the whole of 2011)." "These figures are an important indicator because they make it possible to measure the unleashing of homophobic speech."


"What this shows to me is that md5 needs to die."

No. MD5 needs to stop being used in inappropriate ways.

Switching rsync to bcrypt, scrypt, or pbkdf2 for its hashing is _not_ a sensible idea.

Using "fast hashes" for cryptographic level protection is not a sensible idea.

MD5 still has a great many uses. Killing it off because some people use it for the wrong things is shortsighted at best…


Is there a secure enough hash function for Gravatar usage?


That's kind-of a non-question.

If you assume that "Gravatar usage" means uses a unique identifier for me across multiple websites, and that "secure enough" means that it doesn't leak information about my identity – then the question becomes nonsense:

"Is there a way to uniquely identify me across multiple websites that doesn't uniquely identify me?"


This could equally well have been done to an SHA1 implementation. MD5 is not especially susceptible to brute-force preimage attacks.


Related to cracking with a GPU: https://passfault.appspot.com/password_strength.html can measure password strength based on length of time it would take to crack from known patterns and cost of hardware employed to do so. And this, of course, excludes that passwords are often re-used on multiple sites and the risk that your password is already in someone else's database.

What this really highlights is that, like fingerprints, it's a lot easier to accidentally share things that can uniquely or partially identify you than to cover up and stay anonymous. (Or find a nice middle ground, pretending to be someone else, say.) There's a lot of security through obscurity that we tend to trust -- that people won't investigate my identity simply because they've no reason to. And so it's worrisome when you see it happen to others.

See also: http://pandodaily.com/2013/10/26/i-challenged-hackers-to-inv...


We have what we call "Liberté d'expression" http://fr.wikipedia.org/wiki/Libert%C3%A9_d'expression but it's limited by the law. For example you can't say racist things in public.


Lol, there is no "Liberté d'expression" in France. Even if you say something the most gentle way you'll get sued because you said so. There is only "the freedom to express one's agreement with the one accepted way of thinking". But things might change, for better or worse. France is living a very interesting time. Things can blow up anytime.


I'm curious to see some references and figures here. As far as I know, only Hate Speech, and holocaust-denial are forbidden. Libel laws apply too, and some people are trigger-happy with them though.


But accusations of Hate Speech are being broadly abused. For example, a guy I disagree with on almost every issue (economy and immigration) Eric Zemmour was accused and found guilty of hate speech for saying that most people in jail are Arabs in France. This is a fact that was confirmed by many judges and yet the guy was still sentenced cause he hurt some people's sensitivity (I guess...). I'm half Arab myself and still it's obvious to me that most people in jail in France are Arabs (mostly cause they're the poorer), but still, it's true.


Yep, as much as I despise Zemmour, the lawsuits against him are inept. He's the ultimate troll and thrives on controversy (and whines about "la pensée unique" while being invited pretty much everywhere on TV). Even the laws against holocaust denial are counter productive, since they make the denier loonies look like martyrs.


This is obviously a troll...


Great article, and they make a good point that it is the right-wing whose political freedoms are most threatened by attacks against anonymity.


Interesting preservation. I also couldn't help but notice that the slides themselves were beautiful. I wonder if they were generated using a recent version of, e.g., Microsoft Office (the fonts look like those used in Modern UI) or if there's a beamer theme that looks like that. If there is one, do tell.


"Interesting preservation" should read "interesting presentation".



