Hacker News
Yale University vows to 'geolocate' most EJMR users [PART 2] (karlstack.com)
11 points by ano-ther on July 21, 2023 | 2 comments


So I'm looking at the end of this and everyone is blaming the researchers for showing that EJMR was doxxing them, and not blaming EJMR for doxxing them.

This is what is meant by "people should not do cryptography": it is well understood by the most basic entry level of cryptographers that you must pretty much always salt almost anything you ever hash or encrypt and that failing to do so is generally going to result in catastrophic failures. Yet here we have a person who found the SHA function and threw a bunch of unsalted data into it, and then proceeded to dox their "anonymous" users.

The researchers here did nothing wrong, the incompetence was on the part of the site operator. Any people who think that the researchers did do something wrong should ask themselves how they know that no one else did this secretly already, and whether "Kirk" would have fixed this blatantly stupid design if the researchers had not made them aware of it. Also, the site was able to just arbitrarily switch to a new salted hashing scheme, which just makes me wonder what the point of including the IP in the hash actually is in the first place.
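Added example, not part of the comment above and not EJMR's code: a sketch of why an unsalted hash of a low-entropy input such as an IP address does not anonymise it, next to a keyed alternative. The function names, SHA-1 as the weak hash, HMAC-SHA256 as the replacement and the 192.0.2.0/24 sample addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


def unsalted_id(ip: str) -> str:
    """Weak: the identifier is a pure, public function of a low-entropy input."""
    return hashlib.sha1(ip.encode()).hexdigest()


def keyed_id(ip: str, key: bytes) -> str:
    """Hardened: HMAC under a server-side secret that is never published.
    A salt stored next to the hash would not be enough here, because the
    input space is small enough to enumerate once per record."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_input(target: str, candidates, derive):
    """Return the candidate whose derived identifier equals target, else None."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), target):
            return candidate
    return None


# Constructed sample data: RFC 5737 documentation range, not real users.
CANDIDATES = [str(a) for a in ipaddress.ip_network("192.0.2.0/24")]
POSTER_IP = "192.0.2.77"
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def audit() -> dict:
    """Check which published identifiers can be mapped back to POSTER_IP."""
    weak = unsalted_id(POSTER_IP)
    strong = keyed_id(POSTER_IP, SERVER_KEY)
    outsider_key = secrets.token_bytes(32)  # outsider knows the algorithm only
    return {
        "unsalted": recover_input(weak, CANDIDATES, unsalted_id),
        "keyed_without_key": recover_input(
            strong, CANDIDATES, lambda ip: keyed_id(ip, outsider_key)),
        "keyed_with_key": recover_input(
            strong, CANDIDATES, lambda ip: keyed_id(ip, SERVER_KEY)),
    }


if __name__ == "__main__":
    for scheme, result in audit().items():
        print(f"{scheme}: {result}")
```

The keyed identifier stays linkable by whoever holds the key, so the secret has to be protected and rotated like any other credential.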




