| Apple privacy letter (Law enforcement through your phone) |
| Halcyon:
--- Quote from: magic on August 23, 2022, 05:45:21 am ---
--- Quote from: Halcyon on August 23, 2022, 04:37:49 am ---
Propaganda? It's called mathematics. Look at something like SHA-256... the probability of a hash collision is so extraordinarily small.
--- End quote ---
Until it doesn't. They used to say the same about MD5. At any rate, you made it sound like this property is somehow guaranteed, which is utter :bullshit:
--- End quote ---

Again, maths. The limitations of MD5 were very well understood early on. Whilst I agree with "never say never", the chances of that are astronomically slim and certainly "good enough" for the purposes being discussed. On the ever-so-remote chance there is a collision in my lifetime, it will be manually verified by a human anyway. I'll also eat my hat. I would also make an educated guess that a single solitary hit wouldn't be enough (but that's just a guess).

I'd suggest you go look up how big a number all the possible SHA-256 combinations really is, then you'll start to get some perspective. If you don't wish to take my word for it, you only need to speak to someone (else) in the industry, or perhaps examine the court cases where this has been previously tested (and failed).

Also, keep in mind, no one is talking about anyone being dragged through the courts or being sent to prison because of a hash value. The hashes are used to establish probable cause (and it's damn good probable cause at that), then from there, normal investigative processes commence. In order to be charged with an offence of possessing/distributing child abuse material, the prosecution must be able to prove, beyond reasonable doubt, all the elements of the offence(s). You don't simply rely on the hash value alone. You also can't rely on AI to be able to classify what is and isn't child abuse material, a human does that. |
| magic:
Dude, I know what's hashing. My other point, which you conveniently ignore, was that even if accidental collisions are unlikely, deliberate ones may become possible at some unknown future time and all sorts of fun could be had with that. Besides, is it established that they actually use a modern long hash or is it MD4 and the information that it's MD4 is also classified like the hashes themselves? I believe we are talking US government here ;) |
| Halcyon:
--- Quote from: magic on August 23, 2022, 07:58:58 am ---
Dude, I know what's hashing. My other point, which you conveniently ignore, was that even if accidental collisions are unlikely, deliberate ones may become possible at some unknown future time and all sorts of fun could be had with that. Besides, is it established that they actually use a modern long hash or is it MD4 and the information that it's MD4 is also classified like the hashes themselves? I believe we are talking US government here ;)
--- End quote ---

You don't seem to fully grasp the concept though, so I assumed otherwise. Let's assume the improbable happened and a collision DID occur, what then? That file somehow finds its way onto someone's device as a prank, which just so happens to also be a valid image/video file, which is then matched against known bad files, which is then checked by a human only to find out it's nothing?

Whilst MD5 hashing is still an option available in most digital forensics software, SHA-1 and SHA-2 are far more popular. That being said, even if it was something weaker like MD5, I've actually stood up in court and given evidence on the probability of that being a collision and it mattered not (the defence was simply trying to find a hole where there wasn't one). As I said, it's more than just the hash itself that's important, it's the contents of the file. For the context of what is being discussed here, even MD5 would be fine to use.

Even in the absence of any hashing, companies still report back to law enforcement about child abuse material on their servers when they become aware of it. Hashing simply automates some aspects of the whole exercise.

Getting back on topic... if being given a choice between having the files hashed and compared against the database, or your files being uploaded to the company to be checked, by AI, a person, whatever... which would you feel more comfortable with?
If you don't like the way a company conducts business or designs its products, then don't use them. The issue isn't about the reliability of use of hashes as evidence against someone, it's about the policies Apple are implementing. |
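Added example (not part of any post in this thread): the accidental-match figures argued over above for MD5, SHA-1 and SHA-256, worked through in Python. The file count and list size are assumed round numbers, and the model treats every digest as uniformly random, so it covers accidental matches only, not deliberately constructed collisions.

```python
import math

# Digest lengths (bits) of the algorithms named in the thread.
DIGEST_BITS = {"MD5": 128, "SHA-1": 160, "SHA-256": 256}

# Assumed round numbers for illustration only (not from the thread).
SCANNED_FILES = 10**12   # files hashed across all devices
LISTED_HASHES = 10**7    # entries in the known-file hash list


def birthday_collision_probability(n_files: int, bits: int) -> float:
    """P(any two of n_files uniformly random digests are equal)."""
    # p ~= 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps tiny values exact.
    return -math.expm1(-(n_files * (n_files - 1)) / 2 ** (bits + 1))


def false_match_probability(n_files: int, n_listed: int, bits: int) -> float:
    """P(at least one of n_files unrelated files hits a list of n_listed digests)."""
    per_file = n_listed / 2 ** bits            # chance that one file matches
    # 1 - (1 - per_file)^n_files, computed without rounding to zero.
    return -math.expm1(n_files * math.log1p(-per_file))


def files_for_probability(p: float, bits: int) -> float:
    """Random digests needed before a birthday collision has probability p."""
    # Inverse of the birthday approximation: n ~= sqrt(2^(bits+1) * ln(1/(1-p))).
    return math.sqrt(2.0 ** (bits + 1) * -math.log1p(-p))


def summary() -> dict:
    """Per-algorithm figures for the assumed workload."""
    return {
        name: {
            "birthday": birthday_collision_probability(SCANNED_FILES, bits),
            "false_match": false_match_probability(SCANNED_FILES, LISTED_HASHES, bits),
            "files_for_50pct": files_for_probability(0.5, bits),
        }
        for name, bits in DIGEST_BITS.items()
    }


if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name:8s} birthday={row['birthday']:.3e} "
              f"false_match={row['false_match']:.3e} "
              f"n(50%)={row['files_for_50pct']:.3e}")
```
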
| bd139:
Hashing is a poor technical measure as well. Ignoring improbable collisions it has other problems:

1. The blacklist can be poisoned through incompetence.
2. The blacklist can be poisoned through malicious intent.
3. The blacklist has no independent oversight.
4. The blacklist can be extended to other material later.
5. The hash is not necessarily traceable back to the original image / material thus is impossible to re-moderate.
6. You have to store the original material if you want to regenerate the list.
7. It's a byte level hash so adding pixel changes and noise circumvents the whole thing.

There is no choice but to put these stupid fucking retarded ideas where they belong: in the trash. |
| Halcyon:
--- Quote from: bd139 on August 23, 2022, 09:24:47 am ---
7. It's a byte level hash so adding pixel changes and noise circumvents the whole thing.
--- End quote ---

This is an interesting idea and one that has been raised many times before. The truth is, crooks are (mostly) dumb and it doesn't stop them from getting caught. There is a good reason why things like Project VIC are very effective. You will never solve 100% of crime. Sadly, things like possessing child abuse material is slowly becoming "volume crime". |