
> this is rly awful "research". ederer prob got bullied on there and got mad, cause he has a reputation as a bitch.

No. Also, name calling while commenting on something you clearly don't understand is not a good look.

EJMR claimed to be anonymous. It was not, and what they were doing skipped the most absolutely trivial of steps for actual anonymization.

The only difference between this week and last week is that now people know that their IP addresses were leaked rather than believing that they were anonymous. I would argue it is beneficial to people to know that anyone could have done exactly what this researcher did, and we would have no way of knowing.

Blaming the person who found out how terrible EJMR's "anonymization" was, is classic shooting the messenger.

It's also a really good example of why we say "don't roll your own crypto". Any person who specializes in cryptography (or hopefully anyone who has done a basic intro to cryptography course) should have been able to point out the issues.

> more importantly, ejmr has been important in uncovering multiple cases of research fraud and is the best source for actual unfiltered info on opinions of econ departments. chilling effect of stripping anonymity is awful.

This sounds like the kind of thing where people need anonymity; it's a good thing that this research has demonstrated that ejmr was not providing such. Again, this research has not "stripped anonymity"; there was none to begin with.




> Blaming the person who found out how terrible EJMR's "anonymization" was, is classic shooting the messenger.

Found out! They had an enemy: a small forum that they did not control. They looked for ways to screw it. This isn't some good-natured happenstance, they targeted someone they didn't like so they could screw them. The result, the point, wasn't, "Hey, security is important, kids, let me highlight your errors" it was, "Hey, you goddamn blasphemers, you have trod upon my fickle religious beliefs, so with the institutional and state power vested in me I will screw you."

So you're saying it's good that the obviously vindictive "researcher" targeted them for personal reasons because he dislikes political/religious opinions displayed on their casual rumors forum. "It was a public service," he claims! I understand that you probably want to white knight for your team, but perhaps take a moment to realize how ghoulish your disingenuous equivocation is.


Dude, you're hiding behind an explicitly anonymous account throwing random personal attacks at people.

I literally had not heard about ejmr until this week.

Direct your anger at ejmr, they're the people who made bogus claims about anonymity while using tools they lack the most basic understanding of.

It also does not matter if it was some kind of personal "I hate this forum" or "I hate the creator". ejmr's anonymization was incompetently written, and screwed up the most basic usage of the most basic cryptographic primitives, and was using the wrong primitives in the first place.

The fact that we're hearing about this in a paper by a person you have declared to be on a vendetta is irrelevant - given that person is explicitly not a cryptographic specialist and was able to find that the ejmr posts were not anonymous means that the idea that no one else could have done so without publishing an academic paper is implausible.

As I have said elsewhere, ejmr's "anonymization" was so broken that even the attack itself was trivial (the article's author is an academic and would have absolutely made a separate publication on the deanonymization process if they could have).


then i think that's why you're so cavalier, you don't understand the area you're discussing. ejmr is an actual important site in econ, and by cracking and holding that info rather than just reporting a bug, ederer is creating and maintaining a chilling effect because "wahh, he doesn't like what people say about him on there"


imagine i find a sql injection vuln in a site. i have 2 options:

1. report it like a good person

2. exploit it and dump the whole damn list of hashes

1 is research. 2 is blackhat shit. i agree the anonymization was bad, i agree rolling your own crypto is dumb, i'm arguing by addressing it the way he did, ederer is (consciously) attempting to break the valid role of anonymity and introduce a chilling effect.

there is a big difference between reporting a bug and using a rack of a100s to crack and hold info, with the subtle undercurrent that it could be released.

there's an obvious conflict here. ederer et al. don't like ejmr, so instead of looking to actually help, they went after something totally outside their usual just to be dicks about it.



