chrisg

This Census


Secure Hash Algorithm 1, sounds like encryption to me... ;)

Says it right there in the name. It's a hashing algorithm. Hashing != encryption.


 

Secure Hash Algorithm 1, sounds like encryption to me... ;)

Says it right there in the name. It's a hashing algorithm. Hashing != encryption.

 

Sooo... Why did you say it is not an encryption scheme ? It was designed specifically to encrypt US Government traffic but it has been compromised for years.

 

Or are you being pedantic over something ?

 

Cheers


Sooo... Why did you say it is not an encryption scheme ? It was designed specifically to encrypt US Government traffic but it has been compromised for years.

Because hashing is not encryption in the sense you're talking about it. They're related, but they're in no way the same thing.

 

SHA-1 is the same type of thing as MD5. It creates a hash (or "fingerprint") of the source material. You cannot convert the hash back to the source material. Never. You can't decrypt a hash any more than you can uncompress a JPEG.

 

If somebody says they've "SHA-1 encrypted" some data for transmission or storage, they're lying.

 

 

They /might/ be storing passwords as SHA-1 hashes, which I agree is poor practice. However, that's all server side. If someone said they were using "SHA-1 encryption for 'backward compatibility of browsers'", they don't know what they're talking about.

 

Or are you being pedantic over something ?

Far from pedantry. There is a major and important distinction to be made.


Hmm,

 

I see what you mean SS, but it is still an option for encryption and it can still be used for secure comms transmissions, except SHA-1 was compromised long ago.

 

However I have not personally looked at the security side of the census because I have it on good authority it is not secure but I'm not sure, for reasons given above, that I really care :)

 

Encryption is always a battle, has been since PGP, they don't want us to hide our data and we sometimes want to.

 

I was on a project years ago that was using Cellular Automata Transforms for a variety of innovative applications, one of them was encryption. It never went to market, when submitted to NSA they could not crack it and that was just not allowed :) However for quite a time the chief developer, in the U.S. had people with rather thick ME accents calling up wanting a copy :)

 

Cheers


 

 

Secure Hash Algorithm 1, sounds like encryption to me... ;)

Says it right there in the name. It's a hashing algorithm. Hashing != encryption.

 

Sooo... Why did you say it is not an encryption scheme ? It was designed specifically to encrypt US Government traffic but it has been compromised for years.

 

Or are you being pedantic over something ?

 

Cheers

 

 

I'm actually confused.

The name explicitly explains it's hashed, not encrypted.

I've always found this guy explains the difference well.

https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/

 

 

While you could argue that you need to 'dehash' to read it, there's still no actual encryption (public or private key, etc) going on.

at least AFAIK


I see what you mean SS, but it is still an option for encryption and it can still be used for secure comms transmissions, except SHA-1 was compromised long ago.

No it isn't, and no it can't.

 

SHA-1 (and SHA-256, and probably others) are used as a part of the TLS and SSL encryption processes, to verify authenticity of X.509 certificates. The actual encryption method is AES, DES, 3DES, RC4, etc.

 

However it CAN NEVER BE used "for encryption" by itself. It is simply impossible, because it is a non-reversible operation.

 

 

But yes, people have found ways to generate SHA-1 collisions without total brute-forcing, which is why passwords are salted.

 

Edit: SHA-1 may be used for data integrity. Hash data before transmission, hash data at destination, compare. Data corrupted/tampered with in transit will have mismatching hashes. This still isn't encryption.

Edited by SquallStrife

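The integrity check described in the post above (hash before transmission, hash at the destination, compare), as an added example that is not part of the original thread. The messages and the shared key are constructed sample values; the HMAC-SHA256 part goes one step beyond the post to show what a bare digest does not cover.

```python
import hashlib
import hmac

def sha1_digest(data: bytes) -> bytes:
    """SHA-1 message digest: always 20 bytes, whatever the input size."""
    return hashlib.sha1(data).digest()

def verify_plain(data: bytes, digest: bytes) -> bool:
    """Receiver side: hash what arrived and compare with the digest sent."""
    return hmac.compare_digest(sha1_digest(data), digest)

def make_tag(key: bytes, data: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256): only holders of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, data), tag)

def demo() -> dict:
    # Constructed sample data.
    sent = b"pay 10 dollars to alice"
    corrupted = b"pay 90 dollars to alice"
    digest = sha1_digest(sent)

    # Someone who can rewrite the message can rewrite the bare digest too,
    # because computing it needs no secret.
    replaced = b"pay 90 dollars to mallory"
    replaced_digest = sha1_digest(replaced)

    key = b"constructed-shared-secret"
    tag = make_tag(key, sent)
    keyless_tag = hashlib.sha256(replaced).digest()  # best effort without the key

    return {
        # 23 bytes in or 230,000 bytes in: 20 bytes out, so nothing to "decrypt".
        "len_small": len(sha1_digest(sent)),
        "len_large": len(sha1_digest(sent * 10_000)),
        "detects_corruption": not verify_plain(corrupted, digest),
        "bare_digest_accepts_replacement": verify_plain(replaced, replaced_digest),
        "hmac_accepts_original": verify_tag(key, sent, tag),
        "hmac_rejects_replacement": not verify_tag(key, replaced, keyless_tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
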

 

 

 

Secure Hash Algorithm 1, sounds like encryption to me... ;)

Says it right there in the name. It's a hashing algorithm. Hashing != encryption.

 

Sooo... Why did you say it is not an encryption scheme ? It was designed specifically to encrypt US Government traffic but it has been compromised for years.

 

Or are you being pedantic over something ?

 

Cheers

 

 

I'm actually confused.

The name explicitly explains it's hashed, not encrypted.

I've always found this guy explains the difference well.

https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/

 

 

While you could argue that you need to 'dehash' to read it, there's still no actual encryption (public or private key, etc) going on.

at least AFAIK

 

Public key Private key is just one way and it does include hashing.

 

Think of it this way, if a message is sent in the clear anyone can read it if they intercept it, if it is hashed and the interceptee does not have the hash key it cannot be read, that by definition is an encrypted message.

 

What Squall is meaning is that hashing is more typically used on a local system to securely store data such as passwords but there is no reason why it cannot be used for end-to-end comms especially in a closed system which to be fair is what the original intent of SHA-1 was.

 

Cheers


Think of it this way, if a message is sent in the clear anyone can read it if they intercept it, if it is hashed and the interceptee does not have the hash key it cannot be read, that by definition is an encrypted message.

YES, that is an encrypted message. NO, that is NOT HASHING.

 

A message SHA-1 hashed CAN NEVER BE RECOVERED.

 

What Squall is meaning is that hashing is more typically used on a local system to securely store data such as passwords but there is no reason why it cannot be used for end-to-end comms especially in a closed system which to be fair is what the original intent of SHA-1 was.

YES THERE IS!!! Because data that has been SHA-1 hashed CAN NEVER BE RECOVERED. NEVER EVER EVER. THAT'S THE WHOLE POINT.

 

SHA-1 produces a message digest.

 

I suspect you have SHA-1 confused with something else.

Edited by SquallStrife
  • Like 1


That's what I thought.

Through careful or brute 'cracking' you might be able to stumble across readable data again, but with no key to undo it all, there's no going back.


Through careful or brute 'cracking' you might be able to stumble across readable data again, but with no key to undo it all, there's no going back.

Even with brute forcing, you don't necessarily have the source data, just something that generates the same hash. Which in the cases of passwords stored without a salt, is functionally identical to the actual password.

 

Interesting footnote from the wiki page:

 

A 2011 attack by Marc Stevens can produce hash collisions with a complexity between 2^60.3 and 2^65.3 operations.[1] As of October 2015, no actual collisions are publicly known.

Edited by SquallStrife

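The point above about passwords stored without a salt, as an added example that is not part of the original thread: unsalted SHA-1 beside a salted, iterated alternative. The passwords and user names are constructed, and the choice of PBKDF2-HMAC-SHA256 and its iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this sketch; tune for real use

def unsalted_sha1(password: str) -> str:
    """Weak storage: the same password always gives the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger storage: random per-user salt plus an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived

def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, derived = hash_password(password, salt)
    return hmac.compare_digest(derived, stored)

def audit_unsalted(rows: dict, known_weak: list) -> dict:
    """Defender's check: which stored unsalted hashes match a known-weak list?
    One table, computed once, resolves every user sharing that password."""
    table = {unsalted_sha1(p): p for p in known_weak}
    return {user: table[h] for user, h in rows.items() if h in table}

def demo() -> dict:
    # Constructed accounts: two users picked the same password.
    passwords = {"ann": "census2016", "bob": "census2016", "cat": "x7!Lq#92vT"}
    unsalted = {u: unsalted_sha1(p) for u, p in passwords.items()}
    salted = {u: hash_password(p) for u, p in passwords.items()}
    return {
        "unsalted_equal": unsalted["ann"] == unsalted["bob"],
        "salted_equal": salted["ann"][1] == salted["bob"][1],
        "flagged": sorted(audit_unsalted(unsalted, ["password", "census2016"])),
        "login_ok": check_password("census2016", *salted["ann"]),
        "login_bad": check_password("census2017", *salted["ann"]),
    }

if __name__ == "__main__":
    print(demo())
```
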

SS is correct. Hashing is there to "highlight meddling" for lack of a better term. I am by no means a security expert, but I spent the last few years working inside one of the big 4 banks implementing the systems for a new platform that went live recently.
It's a terminology that's easily mixed up, but they do in fact serve different purposes.

Security is taken very seriously inside a bank, as one would imagine.

 

Encrypting things is one thing and hashing them is an additional level of security, albeit a different level.
Security is your tool box, encryption and hashing are two different tools to do two different jobs.

 

And as for breaches that are made public and ones that are not. Absolutely, some things that went on in this bank, that were never made public, very interesting indeed.

No one wants to be on the front page of the newspaper, do they?
Unless you're winning a gold medal in Rio.

 

The security and penetration testing phase of the project was pretty cool. That's some interesting shit. I love all things security related, I'm just not very good at it or know enough about it. Still blows my mind what can be done though.

As for the Census, I'll do it, I don't really care what they do with my information.
MEH!

  • Like 1


:)

 

I'm being sloppy in my text, well aware it is just a part of TLS/SSH. Whether I have it confused with something else or whether I zoned out in the last presentation I had to attend on this, well, that is completely possible :)

 

Cheers


FU government.

 

http://www.salingerprivacy.com.au/2016/03/17/census-no-longer-anonymous/

 

http://www.smh.com.au/federal-politics/political-news/risking-prosecution-nick-xenophon-boycotts-census-name-requirement-20160808-gqnh56.html

 

http://www.smh.com.au/comment/why-i-wont-be-filling-in-the-census-tomorrow-20160808-gqnapp.html

 

"Although there are certainly heightened privacy and security risks of accidental loss or malicious misuse with storing names and addresses, the deliberate privacy invasion starts with the use of that data to create a Statistical Linkage Key (SLK) for each individual, to use in linking data from other sources.

Please don't believe that SLKs offer anonymity. SLKs are easy to generate, with the same standard used across multiple datasets. For example, Malcolm Turnbull would be known by the SLK URBAL241019541 in the type of datasets the ABS wants to match Census data against, including mental health services (yes, mental health!) and other health records, disability services records, early childhood records, community services records, as well as data about housing assistance and homelessness. Anyone with access to these types of health and human services datasets can search for individuals by generating and searching against their SLK. All you need to know is their first and last names, gender and date of birth.

Now tell me that privacy will be absolutely protected if census data is coded and linked using an SLK as well.

Edited by Director

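Why the Statistical Linkage Key quoted in the post above is a pseudonym rather than anonymisation, as an added example that is not part of the original thread or the quoted article. The key layout (letters 2, 3 and 5 of the last name, letters 2 and 3 of the first name, date of birth as DDMMYYYY, one-digit sex code) is inferred from the article's own example; padding short names with "2", the field names and the two record sets are assumptions of this sketch.

```python
import hashlib
from datetime import date

def _letters(name: str, positions: tuple) -> str:
    """Pick 1-based letter positions; pad with '2' if the name is too short
    (padding character is an assumption of this sketch)."""
    clean = [c for c in name.upper() if c.isalpha()]
    return "".join(clean[p - 1] if p <= len(clean) else "2" for p in positions)

def slk(first: str, last: str, dob: date, sex_code: int) -> str:
    """Deterministic key built only from name, date of birth and sex."""
    return (_letters(last, (2, 3, 5)) + _letters(first, (2, 3))
            + dob.strftime("%d%m%Y") + str(sex_code))

def hashed_slk(key: str) -> str:
    """Hashing the key hides nothing: anyone with the same four inputs
    regenerates the same digest."""
    return hashlib.sha1(key.encode()).hexdigest()

def link(left: list, right: list) -> list:
    """Join two record sets on their 'key' field."""
    index = {row["key"]: row for row in left}
    return [(index[row["key"]], row) for row in right if row["key"] in index]

def demo() -> list:
    # Constructed person and constructed records in two separate datasets.
    person = ("Jane", "Citizen", date(1980, 3, 9), 2)
    other = ("John", "Example", date(1975, 12, 1), 1)
    census = [{"key": hashed_slk(slk(*person)), "field": "census answers"},
              {"key": hashed_slk(slk(*other)), "field": "census answers"}]
    services = [{"key": hashed_slk(slk(*person)), "field": "service record"}]
    return link(census, services)

if __name__ == "__main__":
    for census_row, service_row in demo():
        print(census_row["field"], "<->", service_row["field"])
```
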

D it really depends if the data is of any real use other than for statistical nation profiling.

 

I really in the main do not think it is, in that I agree with Squall, we get a lot out of the census.

 

The day they want your bank account details we go find the pitchforks :)

 

Cheers


Nothing to worry about unless you mark religion as Islam al akbah kill all infidels hey?

Edited by Jeruselem


http://www.abc.net.au/news/2016-08-08/nick-xenophon-to-withhold-name-in-census-over-privacy-concerns/7702304

 

"South Australian senator Nick Xenophon says he will not be putting his name on his census details, and is prepared to challenge any fines he incurs as a result."

 

Because I'm sure the government doesn't have his address on record. Nah, no way someone involved closely with politics has a known address.

"I put no name on my form, take THAT!" Great work mate..... nice address.... or ID number on form (if posted) or unique online code.... or IP address. Or postal mark (stamp) etc.

 

I'm just amused how every letterbox in my house got a form. There are 3 post boxes, and 1 house.

Do they expect me to do it thrice?

Edited by Master_Scythe


Gee I have to ask for my paper version

 

Why? They have ID's on them too.

I'm just doing it from somewhere other than home.

probably a maccas, on my phone.

Edited by Master_Scythe


 

Gee I have to ask for my paper version

 

Why? They have ID's on them too.

I'm just doing it from somewhere other than home.

probably a maccas, on my phone.

 

Or Amsterdam from a vpn?


 

Yes there is. The ABS is made out of people and when governments don't get what they want from a government department, they fire those people and replace them with yes men. Tony Abbott did it a bunch of times and only Gillian Triggs stood up to him. The Freedom of Information Commissioner, e.g. did not, left quietly and got replaced by a Liberal Party lackey.

I might believe that, if it weren't for the Census and Statistics Act 1905 that makes it expressly illegal.

 

 

You do realise it's the government that can repeal and enact laws, right?

 

http://www.abc.net.au/news/2016-08-08/nick-xenophon-to-withhold-name-in-census-over-privacy-concerns/7702304

 

"South Australian senator Nick Xenophon says he will not be putting his name on his census details, and is prepared to challenge any fines he incurs as a result."

 

Because I'm sure the government doesn't have his address on record. Nah, no way someone involved closely with politics has a known address.

"I put no name on my form, take THAT!" Great work mate..... nice address.... or ID number on form (if posted) or unique online code.... or IP address. Or postal mark (stamp) etc.

 

I'm just amused how every letterbox in my house got a form. There are 3 post boxes, and 1 house.

Do they expect me to do it thrice?

 

 

He's doing it to set an example and provide a test case for a legal conclusion.

Edited by Kothos


You do realise it's the government that can repeal and enact laws, right?

 

"You do realise" that the government doesn't control the senate right now, and repealing/changing the Census act would be a pretty hard sell to crossbench senators.

 

You might as well say no laws matter, because they could some day be repealed.


As I live in a shared housing environment, I would of course refuse to disclose my information to a third party. I was never given a form or any other sort of document with instructions on how to complete the census (Why should I google something that should have been provided?)

