zlacker

[return to "Justice Department withdraws FBI subpoena for USA Today records ID'ing readers"]
1. xvecto+W4[view] [source] 2021-06-05 22:32:49
>>lxm+(OP)
I wish services didn't store IPs at all.

If abuse is an issue, why not hash the IP with a nonce?

◧◩
2. gizmo6+m6[view] [source] 2021-06-05 22:47:23
>>xvecto+W4
There are only 2^32 possible IP addresses. You can brute-force that on a personal laptop.
◧◩◪
3. xvecto+Ee[view] [source] 2021-06-06 00:20:01
>>gizmo6+m6
If you use a hard hash function you cannot brute force that on a laptop - not even a tenth of that. You can, however, spin up compute instances to brute force it in a few days if you have $50k lying around.
◧◩◪◨
4. xxs+1V[view] [source] 2021-06-06 10:45:39
>>xvecto+Ee
>force that on a laptop

They said: "personal computer", which could easily have 2x GPUs and 16+ cores. Heck, laptops nowadays can have a pretty good discrete GPU.

Using password grade hash with a =nonce= is absolutely no way to be accomplished per each request. The nonce would have to be the same for multiple uses - hence NOT a 'nonce'. The sharing of the said non-nonce would require a form a replicated Map (or IP-sticky processing with a local map). It's rather convoluted solution for absolutely no benefit as it's still not hard to brute force.

Storing it in such a way - slow hash + salt yields no benefits for debugging either, so I wonder why would you do so? Password hashes are useful for proving a match with an unknown plain text (while making it expensive to brute force) - so what would be the exact purpose of having non-nonce+IP?

[go to top]