-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a reply to a comment posted by graue on 2013/11/21 at 06:00h GMT.
> Hmm... did this site get served a secret warrant last week? Or did they just forget to update their warrant canary?
> https://mediacru.sh/transparency/warrant-canary.txt
> (Note: the date 08/11 is written European style meaning November 8th, as you can see if you go up a directory.)
Hi, just wanted to let you know that we haven't, in fact, been served a warrant.
The failure to update the canary was due to my own mistake, and I'm terribly sorry about that.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iQIcBAEBAgAGBQJSjdtLAAoJELJF4ERQRPL8VuMP/j8bqNm/uAMzq1n+ebf90RRq
cDQUsjCbENoR3/1VF4GR0iQhzxDQ28C2Wcc/rjgPjNkL5fLL9QQNb5hUZ38a+ray
r3fBE4ZQZ5XSriq9iOGy2RoXKhwM/1QuJ9qaOOYmJwkc+/Re+1WbAtAbKnBoPkOy
z5xMkSnr7b1jI/sUHHmlU6s5wvchXKKLmniCKjtaLp2WLVv95FoxrzRoNu/gHVv2
LXnjKTllzfcPm9thvCRoikv/N3PKuDBvCIbGm6yhYsNo8a1croAlnChEf0rDWk1B
8IFM5SXcsuVOSymHJ18VVp2s7xGi1RRcTpUyDt/s74kUuLx7Wpd27YWf5Yko8O+m
BWfLXbAUamxwRyCmNN219xnhdAb0paaiddbvQX+PHUMMM2+UwdWSSgWnyloFVhGs
bqZ/vQO6FSP4CVCZvvxyFm493MWSBTvZ2bpWWgdVdIBAg/qSv+D0I6XGyAhUdCqh
5j38U7nMaHFROr+lCISXdtMxUvPBzNFxKV+3ZTxm/L3hWU75pT9XWsJOxejiIdFe
7IMgKpbwsWDUg5Mat5muhn13vBH9B5qfa1smhO1eiP/29XLogLj3B2gZ0nnEIO0q
1o+j/G5crxxhqW01nGBzJq3IaP3+dsCP9Eiwom3cO0EsulZUL9TRsAPjT5IhXJNz
uPzRgvYpICnrL2qqyGfP
=uKWu
-----END PGP SIGNATURE-----
Ack! My other half is responsible for the warrant canary. He keeps forgetting it. We may as well not even have it. It doesn't mean much without a signature, but I assure you that we have never been served a warrant.
As of November 11th, 2013, neither MediaCrush nor its admins have ever received any sort of warrant, or any other kind of notice or request, from the government of any country.
Additionally, we do not store anything about a user who visits our site. Here's an example from the HTTP log:
When you upload a file, your IP address is run though bcrypt (12 rounds) and saved with the file information in redis. Reversing bcrypt is infeasible with modern technology (and probably for many years to come). We store nothing else about you.
I'm going to respond to all of you at once by saying this: bcrypt is the best possible solution that we are aware of. It's infeasible for anyone but the most resourceful adversaries to brute force your hashed IP, and even then it's still expensive.
However, that's part of why we're open source. You can't trust us when we say that we aren't storing your IP. We could be doing it and you'd have no way of being able to tell. If you're concerned about this, run a private instance of MediaCrush. There are instructions in the README, it's pretty easy to set up.
I don't know exactly what situation you are trying to avoid, but with the standard bcrypt, if somebody has the IP hash and a candidate's specific IP, they can positively match the two (something you specifically mention on your privacy page).
One possible tweak is to continue using bcrypt and a salt, but instead shorten the hash output to something like 24 bits. This way it still cannot be so easily reversed or rainbow-tabled, and collisions still shouldn't be an active problem. However, it wont be possible to positively match a given IP to a hash, since multiple IPs will likely hash to a given output. Granted, if you have a candidate IP and it matches the output hash, there is a very high probability that it was the source IP, but it wouldn't be 100%.
At 1/3 of a second to compute a single hash, brute forcing the entire space of possible addresses takes around 45 CPU-years. But computing the hash of every single IP address is ridiculously parallel, so it's trivial to spin up 2k machines on EC2 and brute force the entire thing in a week. Total cost, somewhere under $8k if you don't want to bother owning real machines, less for any organization that happens to need to do similar things on a regular or semi-regular basis.
It's not a trivial investment since that effort only gets you a single IP address, but it's easily within the reach of a vast number of organizations if they have real motivation (read: not a fishing expedition) to reverse it.
And of course, they wouldn't have to test every IP address in the world, they'd only have to test the IP addresses that appeared in the webserver logs at some point, substantially reducing the time requirement.
Good answer... It looks like it would take on the order of 7 CPU years to create a table of every used address, much less time to target an area or individual.
I don't think this is an issue at all though, I was just curious.
Actually, the salting is an important detail. Those 7 CPU years would only create a table for one hash. That's how long it takes to brute force a single hash, not the entire space.
I think the whole point of a warrant canary is that you have to do something, every week/month, to confirm that you never had to obey a warrant. And (presumably, I don't think it has been tried in courts yet) a gag order can prevent you to speak about a warrant, but it can't force you to do anything, including actively saying that you didn't receive anything.
If it's automated.. the gag order prevents you to stop it, so it might as well not be there.
mike@glue:~$ wget -qO - https://mediacru.sh/transparency/warrant-canary.txt|gpg --verify
gpg: Signature made Fri 08 Nov 2013 11:48:13 GMT using RSA key ID 5044F2FC
gpg: BAD signature from "MediaCrush Administrators <admin@mediacru.sh>"
mike@glue:~$
josemanueldiez@InfiniteImprobabilityDrive:~$ wget -qO - https://mediacru.sh/transparency/warrant-canary.signed.txt|gpg --verify
gpg: Signature made Fri Nov 8 12:48:13 2013 CET using RSA key ID 5044F2FC
gpg: Good signature from "MediaCrush Administrators <admin@mediacru.sh>"
https://mediacru.sh/transparency/warrant-canary.txt
(Note: the date 08/11 is written European style meaning November 8th, as you can see if you go up a directory.)