this post was submitted on 09 Aug 2023
.NET
It's in line with their delusional rationalization on their blog:
Just in case you felt that passionate about your enterprise-themed boilerplate work equipment.
I still find it hard to tell if it's malice or ineptitude, though.
It's hard for me to believe someone who spent time implementing such a system would fall for such an obvious fallacy of what hashing can do. It's like hashing phone numbers, completely worthless - if the list of values it could be is limited you can simply brute force it. Take some available lists of known emails, take all known domains or mail servers and try github@domain, try some basic password cracking methods, dictionary attacks and simply append @gmail.com etc., I'd be surprised if you couldn't de"anonymize" 99.9% of mails pretty much instantly.
But right at the start of the project's readme we have "The resulting opaque string (which can never reveal the originating email) is the only thing used". "never" is something you wouldn't say about salted passwords hashed with sha512, for unsalted emails it's asinine.
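Added example, not part of the thread and not SponsorLink's code: a small Python check of the point made in the comment above, that an unsalted digest of an email address is a pseudonym anyone can test guesses against, while a digest keyed with a secret held by the service is not. SHA-256, the normalization step, every function name and all addresses are assumptions constructed for this illustration; the page does not say which hash the project uses.

```python
import hashlib
import hmac


def normalize(email: str) -> bytes:
    # Assumed normalization: trim whitespace and lowercase before hashing.
    return email.strip().lower().encode("utf-8")


def unsalted_digest(email: str) -> str:
    # Assumption: SHA-256; the page does not name the hash actually used.
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_digest(email: str, key: bytes) -> str:
    # HMAC with a secret key that only the collecting service holds.
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def candidates(local_parts, domains):
    # Low-entropy input space: common local parts crossed with known domains.
    for local in local_parts:
        for domain in domains:
            yield f"{local}@{domain}"


def recover(observed, digest_fn, candidate_iter):
    """Map each observed digest to the candidate address that produces it."""
    wanted = set(observed)
    return {d: e for e in candidate_iter if (d := digest_fn(e)) in wanted}


# Constructed sample data (reserved example domains, no real addresses).
LOCAL_PARTS = ["alice", "bob", "github", "dev"]
DOMAINS = ["example.com", "example.org"]
USERS = ["alice@example.com", "github@example.org", "Bob@Example.com "]


def demo():
    guesses = lambda: candidates(LOCAL_PARTS, DOMAINS)
    # Unsalted: anyone who sees the digests can test guesses offline.
    plain = recover([unsalted_digest(u) for u in USERS], unsalted_digest, guesses())
    # Keyed: an observer without the key cannot compute matching digests.
    secret = b"constructed-server-side-key"
    keyed = recover([keyed_digest(u, secret) for u in USERS], unsalted_digest, guesses())
    return sorted(plain.values()), sorted(keyed.values())


if __name__ == "__main__":
    print(demo())
```

The keyed variant only helps when the hashing happens on a server: a key shipped inside a distributed client is readable by anyone who has the client, which puts the digest back in the unsalted case.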
The more details I read, the better this gets.
Looks like SponsorLink is written by the same guy who wrote Moq. Feels like he's been planning this for a while.
I'm sympathetic to the cause as I know it can't be easy trying to find open source work, but I think he's gone about this all wrong.