Violation of Security/Privacy...

Gwendolynn ferch Elydyr gwen at reptiles.org
Tue Oct 11 19:31:48 PDT 2005


On Tue, 11 Oct 2005, Jennifer Davis wrote:
>> So they go through a lot of stuff and hash it, and complain if the hashes
>> match ones they don't like. The only thing it sends back to the company
>> is "Yes, this hash matched". As invasions of privacy go, I'm not
>> impressed. As for stealing resources,
>
> Do I know what the hashes are?  Does the presence of something on my system 
> mean that they should have access to it?  Considering the number of things 
> that can be hidden in packets (as illustrated by the instructive talk Mark 
> Langston gave last year as one example), should I really trust that some 
> process poking around in _all_ my files/processes is genuinely ok?

Er... perhaps there's some confusion here about what exactly a 'hash'
is in this context.  Even at the most simplistic, presuming that
they're using something like an MD5 hash, which under most conditions[0]
will always be unique to any given bit of data, you're still not talking
about something that would allow them to reverse engineer that piece
of data.

 	MD5 (test.out) = 3730fc15d054e3ead3db0e1049f28959

would allow you to say that the following was identical:

 	MD5 (test) = 3730fc15d054e3ead3db0e1049f28959

... but wouldn't say a thing about the file contents[1].

cheers!
[0] Yes, collisions are possible, but hard to come by in general.
[1] If you -can- tell me about the file contents based on a hash, I'd
be interested and amused.
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."
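
A sketch of the hash-matching scan discussed in this thread, added here as an example; it is not part of the original message or of the scanner being discussed. The sample files are constructed, and the names `md5_file`, `scan` and `demo` are hypothetical. It shows that byte-identical files share a digest, that a one-character change does not match, and that the list owner can only recognise content they already hold.

```python
import hashlib
import os
import tempfile

def md5_file(path, chunk=65536):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, watchlist):
    """Hash every readable file under root and compare against watchlist.

    Returns (report, local_matches): report is the single yes/no that would
    be sent back; local_matches stays on the machine in this sketch.
    """
    local_matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if md5_file(path) in watchlist:
                    local_matches.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable file: skip, nothing to compare
    return bool(local_matches), sorted(local_matches)

def demo():
    # Constructed sample files; the names echo the post's test / test.out.
    samples = {
        "test.out": b"constructed sample A\n",
        "test": b"constructed sample A\n",       # byte-identical copy
        "notes.txt": b"constructed sample a\n",  # differs by one character
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # The list owner already holds sample A; that is how its digest is known.
        watchlist = {hashlib.md5(b"constructed sample A\n").hexdigest()}
        return scan(root, watchlist)

if __name__ == "__main__":
    print(demo())
```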



More information about the Baylisa mailing list