Comment by hk__2
4 years ago
> Champions of privacy, phoning home a hash of every executable your computer runs!
What’s the matter with privacy? That’s a basic signature check, and you can do so while preserving privacy by using salted hashes or a similar solution.
A centralized repository of all your executable hashes is a high precision fingerprint.
There are two major somewhat misleading bits of buzz around macOS “phoning home” all of our executables.
1: among Windows, macOS and Linux only Linux distros don’t do such checks, and most of end-user Linux installations are arguably secure in spite of this—mostly because they are very rare and thus not a priority target for malware.
2: this only concerns files you launch. If you wrap your binary invocation in a shell script, that shell script’s hash will be sent, not your binary’s.
What does the author of the operating system phoning home have to do with Linux not being a target for malware? It seems like you're mixing up two different issues with this.
4 replies →
Who is laughing at the Gentoo folks now ey?
Yes it is, but merely sending hashes doesn’t mean such a centralized repository exists. We need more information on the actual implementation.
For one, they now have a list of everyone running Tor.
They can perfectly do that without recurring to sending the hashes, using asymmetric cryptography.
But... this way the also gather some data.
I don’t understand how salted hashes would obfuscate the query. Private information retrieval is much more complicated than private password storage, and how do we know what the protocol is?