If you find a security vulnerability, I don't think the right course of action is to spend thousands of dollars of GPU time to determine as many IPs as you possibly can, then write an economics paper about it.
The whole point is they aren't security researchers - they were doing research on the nature of posts on this forum. They worked out that they could do that, and so did - for the paper they wanted to publish having that information was the goal, and the way they did that was essentially in the methods section.
Certainly the attack itself is not worth publishing: it's not in any way novel or interesting, the "anonymization" ejmr did was fundamentally broken from presumably day 1. Nothing the authors did here was new, novel, or complex - the only change is that what the cost of reversing has dropped from "a large organisation" to "a single PI's budget for a single paper" over 12 years.
We need to be very clear here: there is no part of the ejmr "anonymization" scheme that was correct for what they were trying to do. They did not salt the hash, the hash algorithm they used was considered deprecated a decade prior to ejmr existing, even the hash family they used is inappropriate for this purpose.
The reason for public disclosure of vulnerabilities is that the victims of those vulnerabilities need to know that they have been victims, and they need to know what information has been leaked by ejmr. Based on the actions ejmr took to change their hashing schema, it's fairly clear ejmr found out about the vulnerability (maybe the researchers told them, maybe the researchers were not unique in discovering this). But we also know that ejmr did not inform any of its users that ejmr had been leaking information about them for 12 years.
Which is why it is necessary to publish this information - if this paper did not detail how terrible ejmr's "anonymization" was, it's pretty clear ejmr would not have told its users, and as the HN and similar comments indicate, plenty of people would believe that breaking ejmr's system was too hard for anyone else to do.
I'm tired of repeating this: ejmr was not anonymous, their attempt at anonymization was trivially broken from day 1, and defeating the anonymization is absolutely trivial and is not remotely challenging - literally the only difficulty is how long vs how much money to spend.
> They worked out that they could do that, and so did - for the paper they wanted to publish having that information was the goal
My claim is that they shouldn't have.
>Which is why it is necessary to publish this information - if this paper did not detail how terrible ejmr's "anonymization" was, it's pretty clear ejmr would not have told its users
I agree it's necessary to disclose the vulnerability to the victims (especially if ejmr wouldn't have), but it wasn't necessary collect as much data as possible themselves and write a paper about it for their own gain.
Studying the disposition and demographics of forum posters is not new, nor is this a unique example. The only issue here is the forum posters believe, based on incorrect claims from the forum, that they were anonymous. But their posts were not, and this is the first time it came up publicly, because this is the first time someone looked at this particular forum, in the context of "I want to publish a paper about the demographics of this forum".
The forum users have the right to feel angry that their posts were not anonymous, but that anger should be directed at ejmr, not the academic that made it clear their posts were not.
The posts on ejmr were not fully anonymous, and nothing can change that - there are more than 10 years of posts, all of which are public, none of which are [fully] anonymous. It does not matter whether this academic collected any of the information, because in a hypothetical world where they don't and simply disclosed that none of the last decade+ forum posts are anonymous, anyone else could do exactly the same thing. This is assuming of course no one has done this in the past.
> I agree it's necessary to disclose the vulnerability to the victims (especially if ejmr wouldn't have), but it wasn't necessary collect as much data as possible themselves and write a paper about it for their own gain.
What harm do you think writing a paper on forum demographics did? I am genuinely curious, because this seems like you're still just trying to find ways to blame the gross negligence of the ejmr folk on the authors of this paper.
Someone else is going to do it anyway. And you need a proof of concept. If you write "N thousand users may be exposed", perhaps you will include some proof of that.
