<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_12_15_2352218</id>
	<title>Gravatars Can Leak Users' Email Addresses</title>
	<author>kdawson</author>
	<datestamp>1260897600000</datestamp>
	<htmltext>abell writes <i>"<a href="http://en.gravatar.com/">Gravatar</a> offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to <a href="http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea">determine the email addresses of more than 10%</a> of the site's users."</i></htmltext>
<tokenext>abell writes " Gravatar offers a global avatar service , using an MD5 hash of the user 's email as avatar ID .
This piece of information in some cases is enough to retrieve the original email address .
Testing a simple attack on stackoverflow.com , I was able to determine the email addresses of more than 10 % of the site 's users .
"</tokentext>
<sentencetext>abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID.
This piece of information in some cases is enough to retrieve the original email address.
Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584</id>
	<title>Re:e9af4cb49c97162d6be3ea8c6ca90a46</title>
	<author>Anonymous</author>
	<datestamp>1260905460000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><p>Your email is: tyler.szabo _AT_ gmail.com</p><p>md5 -s "tyler.szabo@gmail.com"<br>MD5 ("tyler.szabo@gmail.com") = e9af4cb49c97162d6be3ea8c6ca90a46</p><p>For bonus points, your name is Tyler Szabo, you go to University of Waterloo and plan on graduating in 2011.  You work at Amazon.  You are in a relationship with a Kaylan Elizabeth L. (last name withheld as a courtesy, I'm sure you know who I mean<nobr> <wbr></nobr>:) ).</p><p>I found out you registered this, looked up your avatar on Gravatar, found you on Stack Overflow which gave me your real name (searched for Szabo assuming that was something to do with you).  Using this, I looked you up on Facebook, Twitter, and various other sites. Your single avatar helped me link everything together.  Once I had your real name from Stack Overflow it became easy.</p><p>Good times.  Perhaps this reveals another security vulnerability?  One avatar links -ALL- your social networking.</p><p>I also have your parents, previous employers, etc, but won't post those here<nobr> <wbr></nobr>:)</p></htmltext>
<tokenext>Your email is : tyler.szabo _AT_ gmail.com md5 -s " tyler.szabo @ gmail.com " MD5 ( " tyler.szabo @ gmail.com " ) = e9af4cb49c97162d6be3ea8c6ca90a46 For bonus points , your name is Tyler Szabo , you go to University of Waterloo and plan on graduating in 2011 .
You work at Amazon .
You are in a relationship with a Kaylan Elizabeth L. ( last name withheld as a courtesy , I 'm sure you know who I mean : ) ) . I found out you registered this , looked up your avatar on Gravatar , found you on Stack Overflow which gave me your real name ( searched for Szabo assuming that was something to do with you ) .
Using this , I looked you up on Facebook , Twitter , and various other sites .
Your single avatar helped me link everything together .
Once I had your real name from Stack Overflow it became easy . Good times .
Perhaps this reveals another security vulnerability ?
One avatar links -ALL- your social networking . I also have your parents , previous employers , etc , but wo n't post those here : )</tokentext>
<sentencetext>Your email is: tyler.szabo _AT_ gmail.com md5 -s "tyler.szabo@gmail.com" MD5 ("tyler.szabo@gmail.com") = e9af4cb49c97162d6be3ea8c6ca90a46 For bonus points, your name is Tyler Szabo, you go to University of Waterloo and plan on graduating in 2011.
You work at Amazon.
You are in a relationship with a Kaylan Elizabeth L. (last name withheld as a courtesy, I'm sure you know who I mean :) ). I found out you registered this, looked up your avatar on Gravatar, found you on Stack Overflow which gave me your real name (searched for Szabo assuming that was something to do with you).
Using this, I looked you up on Facebook, Twitter, and various other sites.
Your single avatar helped me link everything together.
Once I had your real name from Stack Overflow it became easy. Good times.
Perhaps this reveals another security vulnerability?
One avatar links -ALL- your social networking. I also have your parents, previous employers, etc, but won't post those here :)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454328</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Anonymous</author>
	<datestamp>1260902400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Neither changing hash algorithms nor adding a (public) salt would help against this particular kind of attack, which checks a small set of likely email addresses derived from the username associated with the Gravatar ID.</p></htmltext>
<tokenext>Neither changing hash algorithms nor adding a ( public ) salt would help against this particular kind of attack , which checks a small set of likely email addresses derived from the username associated with the Gravatar ID .</tokentext>
<sentencetext>Neither changing hash algorithms nor adding a (public) salt would help against this particular kind of attack, which checks a small set of likely email addresses derived from the username associated with the Gravatar ID.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454254</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455720</id>
	<title>Re:No need</title>
	<author>A beautiful mind</author>
	<datestamp>1259669820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Sites like <a href="http://search.cpan.org/" title="cpan.org">cpan.org</a> [cpan.org] already do the opposite. They take an author's _publicly visible_ email address and try to find a gravatar for it to publicly display if one's available.</htmltext>
<tokenext>Sites like cpan.org [ cpan.org ] already do the opposite .
They take an author 's _publicly visible_ email address and try to find a gravatar for it to publicly display if one 's available .</tokentext>
<sentencetext>Sites like cpan.org [cpan.org] already do the opposite.
They take an author's _publicly visible_ email address and try to find a gravatar for it to publicly display if one's available.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454682</id>
	<title>Re:So let's change the algorithm.</title>
	<author>JoshuaZ</author>
	<datestamp>1260906900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>There are two attacks here. The primary attack has absolutely nothing to do with the hash used. They just checked based on user names likely email addresses. The example given was from User Michael Smith to then check things like michael.smith@majoremailprovider.com and so on. This method, which nowhere uses anything about MD5, got around 10% of the emails. Another attack which did use hash collision detections only got 1%.</htmltext>
<tokenext>There are two attacks here .
The primary attack has absolutely nothing to do with the hash used .
They just checked based on user names likely email addresses .
The example given was from User Michael Smith to then check things like michael.smith @ majoremailprovider.com and so on .
This method , which nowhere uses anything about MD5 , got around 10 % of the emails .
Another attack which did use hash collision detections only got 1 % .</tokentext>
<sentencetext>There are two attacks here.
The primary attack has absolutely nothing to do with the hash used.
They just checked based on user names likely email addresses.
The example given was from User Michael Smith to then check things like michael.smith@majoremailprovider.com and so on.
This method, which nowhere uses anything about MD5, got around 10% of the emails.
Another attack which did use hash collision detections only got 1%.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455856</id>
	<title>Re:So let's change the algorithm.</title>
	<author>panaceaa</author>
	<datestamp>1259671080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>By using this exploit, spammers get additional user useful data: They'll know each user's full name in most cases.  They'll know that the user is interested in the site he's commenting on.  They'll know what language he speaks.  Basically, they can compose much more compelling emails with a higher probability of getting through and even being seen as relevant to the recipient.</p></htmltext>
<tokenext>By using this exploit , spammers get additional user useful data : They 'll know each user 's full name in most cases .
They 'll know that the user is interested in the site he 's commenting on .
They 'll know what language he speaks .
Basically , they can compose much more compelling emails with a higher probability of getting through and even being seen as relevant to the recipient .</tokentext>
<sentencetext>By using this exploit, spammers get additional user useful data: They'll know each user's full name in most cases.
They'll know that the user is interested in the site he's commenting on.
They'll know what language he speaks.
Basically, they can compose much more compelling emails with a higher probability of getting through and even being seen as relevant to the recipient.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30463262</id>
	<title>If your email address is simple...</title>
	<author>argent</author>
	<datestamp>1259659800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If your email address is common-word@famousprovider.com, then the spammers have already put your email address into their lists. Why not? They don't care if 95% of the mail they send bounces, and they don't care if they target any specific person, the "hit" rate they need to make a profit is negligible. I see spam attempts to thousands of never-existed addresses on my colo, and my home domain is pretty damn obscure. I'm sure Gmail gets hits from aaron.aardvark through zephram.zymurgy continually.</p></htmltext>
<tokenext>If your email address is common-word @ famousprovider.com , then the spammers have already put your email address into their lists .
Why not ?
They do n't care if 95 % of the mail they send bounces , and they do n't care if they target any specific person , the " hit " rate they need to make a profit is negligible .
I see spam attempts to thousands of never-existed addresses on my colo , and my home domain is pretty damn obscure .
I 'm sure Gmail gets hits from aaron.aardvark through zephram.zymurgy continually .</tokentext>
<sentencetext>If your email address is common-word@famousprovider.com, then the spammers have already put your email address into their lists.
Why not?
They don't care if 95% of the mail they send bounces, and they don't care if they target any specific person, the "hit" rate they need to make a profit is negligible.
I see spam attempts to thousands of never-existed addresses on my colo, and my home domain is pretty damn obscure.
I'm sure Gmail gets hits from aaron.aardvark through zephram.zymurgy continually.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454462</id>
	<title>Re:Public address</title>
	<author>lastomega7</author>
	<datestamp>1260903840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Because everyone has only one email. Especially<nobr> <wbr></nobr>/.ers.</htmltext>
<tokenext>Because everyone has only one email .
Especially /.ers .</tokentext>
<sentencetext>Because everyone has only one email.
Especially /.ers.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454310</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Eivind</author>
	<datestamp>1260906420000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>Doubt it. There's 26 letters and 10 digits, in addition to that . is very common in email-addresses. Thus you get 37 possibilities for each position. 37 to the 12th power is 6582952005840035281 hashes to run, and even if you do 10^9 Hz (i.e. one giga-hash-a-second, which would require on the order of a few hundred cores), you'd still need 208 years to do that many hashes -- then you need to look up each of them in gravatar, and analyze the result for a hit-or-miss.</p><p>"every alphanumeric email-address under 12 characters" is in fact much too large a keyspace to reasonably cover overnight with a "very simple script".</p><p>It's not a large enough keyspace to be cryptographically secure, but it's large enough to not be trivially exhaustible.</p></htmltext>
<tokenext>Doubt it .
There 's 26 letters and 10 digits , in addition to that .
is very common in email-addresses .
Thus you get 37 possibilities for each position .
37 to the 12th power is 6582952005840035281 hashes to run , and even if you do 10 ^ 9 Hz ( i.e .
one giga-hash-a-second , which would require on the order of a few hundred cores ) , you 'd still need 208 years to do that many hashes -- then you need to look up each of them in gravatar , and analyze the result for a hit-or-miss .
" every alphanumeric email-address under 12 characters " is in fact much too large a keyspace to reasonably cover overnight with a " very simple script " . It 's not a large enough keyspace to be cryptographically secure , but it 's large enough to not be trivially exhaustible .</tokentext>
<sentencetext>Doubt it.
There's 26 letters and 10 digits, in addition to that .
is very common in email-addresses.
Thus you get 37 possibilities for each position.
37 to the 12th power is 6582952005840035281 hashes to run, and even if you do 10^9 Hz (i.e.
one giga-hash-a-second, which would require on the order of a few hundred cores), you'd still need 208 years to do that many hashes -- then you need to look up each of them in gravatar, and analyze the result for a hit-or-miss.
"every alphanumeric email-address under 12 characters" is in fact much too large a keyspace to reasonably cover overnight with a "very simple script". It's not a large enough keyspace to be cryptographically secure, but it's large enough to not be trivially exhaustible.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454416</id>
	<title>This is news to me</title>
	<author>mok000</author>
	<datestamp>1260903420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Wow. You can glean information from the Internets. I didn't realize that.</p></htmltext>
<tokenext>Wow .
You can glean information from the Internets .
I did n't realize that .</tokentext>
<sentencetext>Wow.
You can glean information from the Internets.
I didn't realize that.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458570</id>
	<title>Re:e9af4cb49c97162d6be3ea8c6ca90a46</title>
	<author>Anonymous</author>
	<datestamp>1259686620000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>You also spend a large amount of time in the SE Lab, reminiscing about your classes with Dr. Chang.</htmltext>
<tokenext>You also spend a large amount of time in the SE Lab , reminiscing about your classes with Dr. Chang .</tokentext>
<sentencetext>You also spend a large amount of time in the SE Lab, reminiscing about your classes with Dr. Chang.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454288</id>
	<title>Rainbow Tables</title>
	<author>Anonymous</author>
	<datestamp>1260902160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Can anyone say Rainbow Tables? Tweak the algorithm to output valid e-mail addresses. As for the salt, as long as it isn't known, while it can make it computationally difficult, it won't stop some addresses from being hacked using the aforementioned method.</p></htmltext>
<tokenext>Can anyone say Rainbow Tables ?
Tweak the algorithm to output valid e-mail addresses .
As for the salt , as long as it is n't known , while it can make it computationally difficult , it wo n't stop some addresses from being hacked using the aforementioned method .</tokentext>
<sentencetext>Can anyone say Rainbow Tables?
Tweak the algorithm to output valid e-mail addresses.
As for the salt, as long as it isn't known, while it can make it computationally difficult, it won't stop some addresses from being hacked using the aforementioned method.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454278</id>
	<title>Salt?</title>
	<author>aldld</author>
	<datestamp>1260902100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I'm no expert in cryptography, but would it be helpful for them to add a <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" title="wikipedia.org" rel="nofollow">salt</a> [wikipedia.org]? (Unless they do that already, of course)</htmltext>
<tokenext>I 'm no expert in cryptography , but would it be helpful for them to add a salt [ wikipedia.org ] ?
( Unless they do that already , of course )</tokentext>
<sentencetext>I'm no expert in cryptography, but would it be helpful for them to add a salt [wikipedia.org]?
(Unless they do that already, of course)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455146</id>
	<title>You could add a salt yourself</title>
	<author>Homburg</author>
	<datestamp>1259663280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I guess you could add a salt yourself, at least if your email provider works like gmail, and allows you to supply a meaningless string after a +. If the first part of your email address is guessable from your username, you could do something like:</p><p>homburg+randomsalt@gmail.com</p></htmltext>
<tokenext>I guess you could add a salt yourself , at least if your email provider works like gmail , and allows you to supply a meaningless string after a + .
If the first part of your email address is guessable from your username , you could do something like : homburg + randomsalt @ gmail.com</tokentext>
<sentencetext>I guess you could add a salt yourself, at least if your email provider works like gmail, and allows you to supply a meaningless string after a +.
If the first part of your email address is guessable from your username, you could do something like: homburg+randomsalt@gmail.com</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454290</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30465138</id>
	<title>Give it now!</title>
	<author>Anonymous</author>
	<datestamp>1259666220000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Pass the salt please.</p></htmltext>
<tokenext>Pass the salt please .</tokentext>
<sentencetext>Pass the salt please.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456348</id>
	<title>Re:So let's change the algorithm.</title>
	<author>pAnkRat</author>
	<datestamp>1259675220000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Correct: the attack here is:</p><p>Take big Site with thousands of users, many using their (sorta) "real names".<br>Permute these names with some known big email provider hostnames.<br>Send them all some spam.</p><p>It does not really matter if 90% of those email addresses are incorrect, the rest will hit.</p><p>I would not do the MD5 validation thing, why should I?</p></htmltext>
<tokenext>Correct : the attack here is : Take big Site with thousands of users , many using their ( sorta ) " real names " . Permute these names with some known big email provider hostnames . Send them all some spam . It does not really matter if 90 % of those email addresses are incorrect , the rest will hit . I would not do the MD5 validation thing , why should I ?</tokentext>
<sentencetext>Correct: the attack here is: Take big Site with thousands of users, many using their (sorta) "real names". Permute these names with some known big email provider hostnames. Send them all some spam. It does not really matter if 90% of those email addresses are incorrect, the rest will hit. I would not do the MD5 validation thing, why should I?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454254</id>
	<title>Re:So let's change the algorithm.</title>
	<author>jonesy2k</author>
	<datestamp>1260901800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Or just add some <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" title="wikipedia.org" rel="nofollow">salt</a> [wikipedia.org]?</htmltext>
<tokenext>Or just add some salt [ wikipedia.org ] ?</tokentext>
<sentencetext>Or just add some salt [wikipedia.org]?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454840</id>
	<title>In the grand scheme of things this is pretty minor</title>
	<author>Just Brew It!</author>
	<datestamp>1259700420000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>It's not exactly big news that a system based on MD5 hashes is susceptible to dictionary-style attacks; this should be obvious to anyone who understands how hashes work. In order for this particular attack to work, the attacker already has to have some reasonable guesses as to what your e-mail address is; the Gravatar trick only confirms the address. So it seems to me that the amount of additional data leaked is fairly small.</p><p>OTOH, I suppose I'm somewhat desensitized to this sort of thing, since I've had the same primary e-mail address for something like 15 years (going back to the days when I was rather active on Usenet). My e-mail address is already in every spammer database on the planet, so I don't see how a few more people knowing it could make things any worse!</p></htmltext>
<tokenext>It 's not exactly big news that a system based on MD5 hashes is susceptible to dictionary-style attacks ; this should be obvious to anyone who understands how hashes work .
In order for this particular attack to work , the attacker already has to have some reasonable guesses as to what your e-mail address is ; the Gravatar trick only confirms the address .
So it seems to me that the amount of additional data leaked is fairly small . OTOH , I suppose I 'm somewhat desensitized to this sort of thing , since I 've had the same primary e-mail address for something like 15 years ( going back to the days when I was rather active on Usenet ) .
My e-mail address is already in every spammer database on the planet , so I do n't see how a few more people knowing it could make things any worse !</tokentext>
<sentencetext>It's not exactly big news that a system based on MD5 hashes is susceptible to dictionary-style attacks; this should be obvious to anyone who understands how hashes work.
In order for this particular attack to work, the attacker already has to have some reasonable guesses as to what your e-mail address is; the Gravatar trick only confirms the address.
So it seems to me that the amount of additional data leaked is fairly small. OTOH, I suppose I'm somewhat desensitized to this sort of thing, since I've had the same primary e-mail address for something like 15 years (going back to the days when I was rather active on Usenet).
My e-mail address is already in every spammer database on the planet, so I don't see how a few more people knowing it could make things any worse!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455122</id>
	<title>Re:So let's change the algorithm.</title>
	<author>ProfessionalCookie</author>
	<datestamp>1259662680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>To clear that up- rather than spamming the email address spammers will likely target the blog that displays the gravatar.</htmltext>
<tokenext>To clear that up- rather than spamming the email address spammers will likely target the blog that displays the gravatar .</tokentext>
<sentencetext>To clear that up- rather than spamming the email address spammers will likely target the blog that displays the gravatar.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456524</id>
	<title>Re:Add a user supplied "salt"</title>
	<author>molecular</author>
	<datestamp>1259676840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Gravatar just needs every user to supply a "salt" along with their email wherever their gravatar is used, they could even call it a password. Combine the password/salt with the emacs to generate the hash. This would make guessing the email from the hash much more difficult.</p></div><p>yeah, as salt they could even use the gravatar image itself.<br>In other words: I think this approach would render the usefulness of the service almost non-existent. It's not much harder to up a png than to remember some salt and enter it.</p></div>
	</htmltext>
<tokenext>Gravatar just needs every user to supply a " salt " along with their email wherever their gravatar is used , they could even call it a password .
Combine the password/salt with the emacs to generate the hash .
This would make guessing the email from the hash much more difficult . yeah , as salt they could even use the gravatar image itself . In other words : I think this approach would render the usefulness of the service almost non-existent .
It 's not much harder to up a png than to remember some salt and enter it .</tokentext>
<sentencetext>Gravatar just needs every user to supply a "salt" along with their email wherever their gravatar is used, they could even call it a password.
Combine the password/salt with the emacs to generate the hash.
This would make guessing the email from the hash much more difficult. yeah, as salt they could even use the gravatar image itself. In other words: I think this approach would render the usefulness of the service almost non-existent.
It's not much harder to up a png than to remember some salt and enter it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454406</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454302</id>
	<title>Re:Public address</title>
	<author>The_mad_linguist</author>
	<datestamp>1260902280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>How about wagnerr@umich.edu?<nobr> <wbr></nobr>/completelymissingthepoint</p></htmltext>
<tokenext>How about wagnerr @ umich.edu ?
/completelymissingthepoint</tokentext>
<sentencetext>How about wagnerr@umich.edu?
/completelymissingthepoint</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455388</id>
	<title>a pinch of salt</title>
	<author>Meltir</author>
	<datestamp>1259666520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Call me when he finds a way to determine the email after gravatar starts adding a pinch of salt to the hashed emails...</p></htmltext>
<tokenext>Call me when he finds a way to determine the email after gravatar starts adding a pinch of salt to the hashed emails.. .</tokentext>
<sentencetext>Call me when he finds a way to determine the email after gravatar starts adding a pinch of salt to the hashed emails...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454414</id>
	<title>Only the rainbow tables matter</title>
	<author>Anonymous</author>
	<datestamp>1260903420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>TFA suggests trying email addresses related to the user's ID on some site and domain names of large hosting companies (for example, Michael Smith might be msmith@example.com, or michael.smith@example.com) and testing whether or not their md5sum is the same as the one associated with the avatar. However, a bad guy could just send any message to all such addresses and hope one hits. Of course, he might accidentally be spamming some other suckers with the same name, but no true villain would be bothered by this sort of collateral damage.</p><p>The rainbow table suggestion is more serious, since someone could find out your email address even if your screen name is different from the name in your email. (So if you registered at a site as "anonymous_user", but provided the Gravatar people with an email address containing your real name, then the bad guys could find out your real name.) This is bad, but as a mitigating factor, the real name has to be in the rainbow table in the first place, so it is probably fairly common. If the villain finds out your name is Michael Smith, he probably still has no idea which Michael Smith you are.</p></htmltext>
<tokenext>TFA suggests trying email addresses related to the user 's ID on some site and domain names of large hosting companies ( for example , Michael Smith might be msmith @ example.com , or michael.smith @ example.com ) and testing whether or not their md5sum is the same as the one associated with the avatar .
However , a bad guy could just send any message to all such addresses and hope one hits .
Of course , he might accidentally be spamming some other suckers with the same name , but no true villain would be bothered by this sort of collateral damage .
The rainbow table suggestion is more serious , since someone could find out your email address even if your screen name is different from the name in your email .
( So if you registered at a site as " anonymous_user " , but provided the Gravatar people with an email address containing your real name , then the bad guys could find out your real name . )
This is bad , but as a mitigating factor , the real name has to be in the rainbow table in the first place , so it is probably fairly common .
If the villain finds out your name is Michael Smith , he probably still has no idea which Michael Smith you are .</tokentext>
<sentencetext>TFA suggests trying email addresses related to the user's ID on some site and domain names of large hosting companies (for example, Michael Smith might be msmith@example.com, or michael.smith@example.com) and testing whether or not their md5sum is the same as the one associated with the avatar.
However, a bad guy could just send any message to all such addresses and hope one hits.
Of course, he might accidentally be spamming some other suckers with the same name, but no true villain would be bothered by this sort of collateral damage.
The rainbow table suggestion is more serious, since someone could find out your email address even if your screen name is different from the name in your email.
(So if you registered at a site as "anonymous_user", but provided the Gravatar people with an email address containing your real name, then the bad guys could find out your real name.)
This is bad, but as a mitigating factor, the real name has to be in the rainbow table in the first place, so it is probably fairly common.
If the villain finds out your name is Michael Smith, he probably still has no idea which Michael Smith you are.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454656</id>
	<title>Public Key Encryption</title>
	<author>Anonymous</author>
	<datestamp>1260906540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What if Gravatar published a public key, and sites displaying Gravatars pointed their image links to encrypt(gravatar_id + random_salt)?  It seems like this would solve the problem, since people viewing the page can't get access to the users' real Gravatar IDs.  Sure, the forum sites would still see your Gravatar ID, but they already have your email address in the first place.</p></htmltext>
<tokenext>What if Gravatar published a public key , and sites displaying Gravatars pointed their image links to encrypt ( gravatar_id + random_salt ) ?
It seems like this would solve the problem , since people viewing the page ca n't get access to the users ' real Gravatar IDs .
Sure , the forum sites would still see your Gravatar ID , but they already have your email address in the first place .</tokentext>
<sentencetext>What if Gravatar published a public key, and sites displaying Gravatars pointed their image links to encrypt(gravatar_id + random_salt)?
It seems like this would solve the problem, since people viewing the page can't get access to the users' real Gravatar IDs.
Sure, the forum sites would still see your Gravatar ID, but they already have your email address in the first place.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454204</id>
	<title>Slashdot users are faggots</title>
	<author>Anonymous</author>
	<datestamp>1260901260000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><p>You are all faggots. Mod me down if you agree with the faggot that you are raging faggots.</p></htmltext>
<tokenext>You are all faggots .
Mod me down if you agree with the faggot that you are raging faggots .</tokentext>
<sentencetext>You are all faggots.
Mod me down if you agree with the faggot that you are raging faggots.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</id>
	<title>So let's change the algorithm.</title>
	<author>Anonymous</author>
	<datestamp>1260901440000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>0</modscore>
	<htmltext>If this is directly related to MD5 (as it would seem), let's hope Gravatar switches to another algorithm. Of course, this won't do much about the existing hashes I suppose.</htmltext>
<tokenext>If this is directly related to MD5 ( as it would seem ) , let 's hope Gravatar switches to another algorithm .
Of course , this wo n't do much about the existing hashes I suppose .</tokentext>
<sentencetext>If this is directly related to MD5 (as it would seem), let's hope Gravatar switches to another algorithm.
Of course, this won't do much about the existing hashes I suppose.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455168</id>
	<title>Re:Public address</title>
	<author>grayshirtninja</author>
	<datestamp>1259663700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>A successful nerd snipe. Well played sir, well played.<br><a href="http://xkcd.com/356/" title="xkcd.com" rel="nofollow">http://xkcd.com/356/</a> [xkcd.com]</p></htmltext>
<tokenext>A successful nerd snipe .
Well played sir , well played .
http://xkcd.com/356/ [ xkcd.com ]</tokentext>
<sentencetext>A successful nerd snipe.
Well played sir, well played.
http://xkcd.com/356/ [xkcd.com]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30457174</id>
	<title>Re:e9af4cb49c97162d6be3ea8c6ca90a46</title>
	<author>Anonymous</author>
	<datestamp>1259680800000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><div class="quote"><p>Your email is: tyler.szabo _AT_ gmail.com</p><p>md5 -s "tyler.szabo@gmail.com"</p></div><p>Nice job obfuscating his email in the first line.</p></htmltext>
<tokenext>Your email is : tyler.szabo _AT_ gmail.com
md5 -s " tyler.szabo @ gmail.com "
Nice job obfuscating his email in the first line .</tokentext>
<sentencetext>Your email is: tyler.szabo _AT_ gmail.com
md5 -s "tyler.szabo@gmail.com"
Nice job obfuscating his email in the first line.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454310</id>
	<title>Re:Public address</title>
	<author>edwebdev</author>
	<datestamp>1260902280000</datestamp>
	<modclass>Funny</modclass>
	<modscore>1</modscore>
	<htmltext>Here's <b>a Slashdot post that shows my e-mail address next to my username</b>. <br> <br>

Who will be the first to crack it?
<br> <br>
Fixed that for you.</htmltext>
<tokenext>Here 's a Slashdot post that shows my e-mail address next to my username .
Who will be the first to crack it ?
Fixed that for you .</tokentext>
<sentencetext>Here's a Slashdot post that shows my e-mail address next to my username.
Who will be the first to crack it?
Fixed that for you.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282</id>
	<title>So?</title>
	<author>Anonymous</author>
	<datestamp>1260902100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Unless I'm missing something, the article can be summarized: "Guess the person's email address, check if the md5 hash of the address you guessed matches the Gravatar. If it matches you guessed correctly."</p><p>Nothing to see here. Move along...</p><p>In other news, all password hashes can eventually be cracked by brute force... Oh noes!</p></htmltext>
<tokenext>Unless I 'm missing something , the article can be summarized : " Guess the person 's email address , check if the md5 hash of the address you guessed matches the Gravatar .
If it matches you guessed correctly . "
Nothing to see here .
Move along...
In other news , all password hashes can eventually be cracked by brute force... Oh noes !</tokentext>
<sentencetext>Unless I'm missing something, the article can be summarized: "Guess the person's email address, check if the md5 hash of the address you guessed matches the Gravatar.
If it matches you guessed correctly."
Nothing to see here.
Move along...
In other news, all password hashes can eventually be cracked by brute force... Oh noes!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454296</id>
	<title>Re:No need</title>
	<author>Garble Snarky</author>
	<datestamp>1260902220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>A) Isn't the point of it to be a public system, so that sites can accept users' email addresses, then find the gravatars themselves?
<br> <br>
B) Wouldn't it be equally easy to reverse engineer the salt string, with your own known test email? (As long as the salt is shorter than some limit maybe)</htmltext>
<tokenext>A ) Is n't the point of it to be a public system , so that sites can accept users ' email addresses , then find the gravatars themselves ?
B ) Would n't it be equally easy to reverse engineer the salt string , with your own known test email ?
( As long as the salt is shorter than some limit maybe )</tokentext>
<sentencetext>A) Isn't the point of it to be a public system, so that sites can accept users' email addresses, then find the gravatars themselves?
B) Wouldn't it be equally easy to reverse engineer the salt string, with your own known test email?
(As long as the salt is shorter than some limit maybe)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454394</id>
	<title>Re:Public address</title>
	<author>Firehed</author>
	<datestamp>1260903240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That took all of one second to find in an md5 lookup database.  And thirty seconds for me to realize that I could have looked two lines higher to see it in plaintext next to your userid.<nobr> <wbr></nobr>:wallbash:</p></htmltext>
<tokenext>That took all of one second to find in an md5 lookup database .
And thirty seconds for me to realize that I could have looked two lines higher to see it in plaintext next to your userid .
: wallbash :</tokentext>
<sentencetext>That took all of one second to find in an md5 lookup database.
And thirty seconds for me to realize that I could have looked two lines higher to see it in plaintext next to your userid.
:wallbash:</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454384</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Firehed</author>
	<datestamp>1260903120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>In order for Gravatar to work, the algorithm has to be publicly known. Which means every site uses the same salt (pointless) or each domain has its own salt, which can be determined from the referrer header (not only also pointless since a potential attacker knows what site they're on, but it would also make the service pretty much impossible to implement).  The only other option would be two-way encryption with some sort of per-domain shared key, but given that most of the point of Gravatar is simplicity of implementation, that's just not going to happen.</p></htmltext>
<tokenext>In order for Gravatar to work , the algorithm has to be publicly known .
Which means every site uses the same salt ( pointless ) or each domain has its own salt , which can be determined from the referrer header ( not only also pointless since a potential attacker knows what site they 're on , but it would also make the service pretty much impossible to implement ) .
The only other option would be two-way encryption with some sort of per-domain shared key , but given that most of the point of Gravatar is simplicity of implementation , that 's just not going to happen .</tokentext>
<sentencetext>In order for Gravatar to work, the algorithm has to be publicly known.
Which means every site uses the same salt (pointless) or each domain has its own salt, which can be determined from the referrer header (not only also pointless since a potential attacker knows what site they're on, but it would also make the service pretty much impossible to implement).
The only other option would be two-way encryption with some sort of per-domain shared key, but given that most of the point of Gravatar is simplicity of implementation, that's just not going to happen.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454254</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454688</id>
	<title>Re:At first glance...</title>
	<author>Randle_Revar</author>
	<datestamp>1260907080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>gravatar also sounds like an alternate name for a black hole.</p></htmltext>
<tokenext>gravatar also sounds like an alternate name for a black hole .</tokentext>
<sentencetext>gravatar also sounds like an alternate name for a black hole.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455508</id>
	<title>How is that news?</title>
	<author>Tei</author>
	<datestamp>1259667900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's obvious to everyone who understands how it works.<br>Geez...</p><p>As the email of Gabe (from Valve) is well known, and gravatars can be used in a pseudoanonymous way, I tried to search the internet for the hash of his email in images.google.com. Not found. Either Gabe doesn't talk in Gravatar-powered forums, or he uses a different email address.</p><p>So, if you use gravatars, and other people know your email, they can search for your posts. This is obvious from the use of md5. With your address hashed with md5, spam bots can't collect addresses, but that's it, not privacy.</p></htmltext>
<tokenext>It 's obvious to everyone who understands how it works .
Geez...
As the email of Gabe ( from Valve ) is well known , and gravatars can be used in a pseudoanonymous way , I tried to search the internet for the hash of his email in images.google.com .
Not found .
Either Gabe does n't talk in Gravatar-powered forums , or he uses a different email address .
So , if you use gravatars , and other people know your email , they can search for your posts .
This is obvious from the use of md5 .
With your address hashed with md5 , spam bots ca n't collect addresses , but that 's it , not privacy .</tokentext>
<sentencetext>It's obvious to everyone who understands how it works.
Geez...
As the email of Gabe (from Valve) is well known, and gravatars can be used in a pseudoanonymous way, I tried to search the internet for the hash of his email in images.google.com.
Not found.
Either Gabe doesn't talk in Gravatar-powered forums, or he uses a different email address.
So, if you use gravatars, and other people know your email, they can search for your posts.
This is obvious from the use of md5.
With your address hashed with md5, spam bots can't collect addresses, but that's it, not privacy.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455278</id>
	<title>Re:So let's change the algorithm.</title>
	<author>KiloByte</author>
	<datestamp>1259665320000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Or, use <tt>john -incremental -stdout</tt>.  This will test reasonable names first, while not being restricted to RL names only.</p></htmltext>
<tokenext>Or , use john -incremental -stdout .
This will test reasonable names first , while not being restricted to RL names only .</tokentext>
<sentencetext>Or, use john -incremental -stdout.
This will test reasonable names first, while not being restricted to RL names only.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455478</id>
	<title>Who cares?</title>
	<author>johny42</author>
	<datestamp>1259667720000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Using &amp;#64; instead of @ is enough to stop most e-mail harvesting bots, I don't see them brute-forcing MD5s any time soon.</p></htmltext>
<tokenext>Using &amp;#64; instead of @ is enough to stop most e-mail harvesting bots , I do n't see them brute-forcing MD5s any time soon .</tokentext>
<sentencetext>Using &amp;#64; instead of @ is enough to stop most e-mail harvesting bots, I don't see them brute-forcing MD5s any time soon.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454444</id>
	<title>Re:So?</title>
	<author>Anonymous</author>
	<datestamp>1260903660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Except that the said mechanism provides a sure way to verify that an email address exists. Once an addy is correctly guessed the user cannot pretend to hide by not responding to resulting spam, because that account is *known* to exist prior to spamming (not a shot in the dark like most spam attempts) And it's known for sure because StackOverflow requires a valid email address when a user signs up for an account - to carry out StackOverflow account verification through an email link sent to the user for clicking.

In other words, one layer of protection has been taken away, although I think it's very topical and personally am not worried about my SO account because the associated Gmail account filters out spam great.</htmltext>
<tokenext>Except that the said mechanism provides a sure way to verify that an email address exists .
Once an addy is correctly guessed the user can not pretend to hide by not responding to resulting spam , because that account is * known * to exist prior to spamming ( not a shot in the dark like most spam attempts ) And it 's known for sure because StackOverflow requires a valid email address when a user signs up for an account - to carry out StackOverflow account verification through an email link sent to the user for clicking .
In other words , one layer of protection has been taken away , although I think it 's very topical and personally am not worried about my SO account because the associated Gmail account filters out spam great .</tokentext>
<sentencetext>Except that the said mechanism provides a sure way to verify that an email address exists.
Once an addy is correctly guessed the user cannot pretend to hide by not responding to resulting spam, because that account is *known* to exist prior to spamming (not a shot in the dark like most spam attempts) And it's known for sure because StackOverflow requires a valid email address when a user signs up for an account - to carry out StackOverflow account verification through an email link sent to the user for clicking.
In other words, one layer of protection has been taken away, although I think it's very topical and personally am not worried about my SO account because the associated Gmail account filters out spam great.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456246</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Anonymous</author>
	<datestamp>1259674260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>UHHHHHHH...my GeForce 8500 does 1.5 GigaHashes/sec using CUDA-Multiforcer (search for the link yourself).... and no doubt the newer GTX's in SLI obliterate even that rate.... "a few hundred cores"??? please.</p></htmltext>
<tokenext>UHHHHHHH...my GeForce 8500 does 1.5 GigaHashes/sec using CUDA-Multiforcer ( search for the link yourself ) .... and no doubt the newer GTX 's in SLI obliterate even that rate.... " a few hundred cores " ? ? ?
please .</tokentext>
<sentencetext>UHHHHHHH...my GeForce 8500 does 1.5 GigaHashes/sec using CUDA-Multiforcer (search for the link yourself).... and no doubt the newer GTX's in SLI obliterate even that rate.... "a few hundred cores"???
please.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Anonymous</author>
	<datestamp>1259658000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>That's assuming email addresses are random sequences of letters, digits and dots.</p><p>If you're a spammer and don't mind missing the email of mr. q9x7.3f.1zzp@hotmail.com, a phone book would probably provide an effective dictionary for narrowing that keyspace considerably</p></htmltext>
<tokenext>That 's assuming email addresses are random sequences of letters , digits and dots .
If you 're a spammer and do n't mind missing the email of mr. q9x7.3f.1zzp @ hotmail.com , a phone book would probably provide an effective dictionary for narrowing that keyspace considerably</tokentext>
<sentencetext>That's assuming email addresses are random sequences of letters, digits and dots.
If you're a spammer and don't mind missing the email of mr. q9x7.3f.1zzp@hotmail.com, a phone book would probably provide an effective dictionary for narrowing that keyspace considerably</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454280</id>
	<title>Possible workaround</title>
	<author>Anonymous</author>
	<datestamp>1260902100000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>Can anyone tell me if the "you can add extra stuff after a +" that GMail lets you do is standard in the RFC for all email addresses? If it is, to "fix" this, if you should sign up to Gravatar with an email address using a random string after an added "+" the brute force search on hashes will be much, much harder. (Assuming that your email provider is implementing that part of the standard.)</p></htmltext>
<tokenext>Can anyone tell me if the " you can add extra stuff after a + " that GMail lets you do is standard in the RFC for all email addresses ?
If it is , to " fix " this , if you should sign up to Gravatar with an email address using a random string after an added " + " the brute force search on hashes will be much , much harder .
( Assuming that your email provider is implementing that part of the standard . )</tokentext>
<sentencetext>Can anyone tell me if the "you can add extra stuff after a +" that GMail lets you do is standard in the RFC for all email addresses?
If it is, to "fix" this, if you should sign up to Gravatar with an email address using a random string after an added "+" the brute force search on hashes will be much, much harder.
(Assuming that your email provider is implementing that part of the standard.)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454406</id>
	<title>Add a user supplied "salt"</title>
	<author>Anonymous</author>
	<datestamp>1260903360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Gravatar just needs every user to supply a "salt" along with their email wherever their gravatar is used, they could even call it a password. Combine the password/salt with the email to generate the hash. This would make guessing the email from the hash much more difficult.</htmltext>
<tokenext>Gravatar just needs every user to supply a " salt " along with their email wherever their gravatar is used , they could even call it a password .
Combine the password/salt with the email to generate the hash .
This would make guessing the email from the hash much more difficult .</tokentext>
<sentencetext>Gravatar just needs every user to supply a "salt" along with their email wherever their gravatar is used, they could even call it a password.
Combine the password/salt with the email to generate the hash.
This would make guessing the email from the hash much more difficult.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30461688</id>
	<title>Why bother salting</title>
	<author>oobayly</author>
	<datestamp>1259698140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The point of TFA is that one can identify the user's email address from the hash. The question is, why hash the email address. It could be just as easy to hash an integer value unique for the user. Hell, it could even be an incremental. Who cares if somebody can identify that joe@nothing.com has a Gravatar ID of 123. That ID can't be traced back to any specific Gravatar account, as the link between ID and email address would be internal.</htmltext>
<tokenext>The point of TFA is that one can identify the user 's email address from the hash .
The question is , why hash the email address .
It could be just as easy to hash an integer value unique for the user .
Hell , it could even be an incremental .
Who cares if somebody can identify that joe @ nothing.com has a Gravatar ID of 123 .
That ID ca n't be traced back to any specific Gravatar account , as the link between ID and email address would be internal .</tokentext>
<sentencetext>The point of TFA is that one can identify the user's email address from the hash.
The question is, why hash the email address.
It could be just as easy to hash an integer value unique for the user.
Hell, it could even be an incremental.
Who cares if somebody can identify that joe@nothing.com has a Gravatar ID of 123.
That ID can't be traced back to any specific Gravatar account, as the link between ID and email address would be internal.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454392</id>
	<title>Re:So?</title>
	<author>TheVoice900</author>
	<datestamp>1260903240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Exactly. Not like it matters anyway. I even post my email up on my website so people can like, you know, email me!</p></htmltext>
<tokenext>Exactly .
Not like it matters anyway .
I even post my email up on my website so people can like , you know , email me !</tokentext>
<sentencetext>Exactly.
Not like it matters anyway.
I even post my email up on my website so people can like, you know, email me!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454508</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Anonymous</author>
	<datestamp>1260904440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Actually, using an algorithm that takes orders of magnitude longer to compute such as 1000 md5's of the email (barring that 1000 md5's won't reduce to something relatively simple, no one knows), would make this type of bruteforcing uneconomical.</p><p>As someone else pointed out, you can't use a secret hash as any site implementing the gravatar would need to know it.<br>Whatever information gravatar has the site needs as well to compute the hash, and if the site has it, it's safe to assume that the attacker has it IMO.</p></htmltext>
<tokenext>Actually , using an algorithm that takes orders of magnitude longer to compute such as 1000 md5 's of the email ( barring that 1000 md5 's wo n't reduce to something relatively simple , no one knows ) , would make this type of bruteforcing uneconomical .
As someone else pointed out , you ca n't use a secret hash as any site implementing the gravatar would need to know it .
Whatever information gravatar has the site needs as well to compute the hash , and if the site has it , it 's safe to assume that the attacker has it IMO .</tokentext>
<sentencetext>Actually, using an algorithm that takes orders of magnitude longer to compute such as 1000 md5's of the email (barring that 1000 md5's won't reduce to something relatively simple, no one knows), would make this type of bruteforcing uneconomical.
As someone else pointed out, you can't use a secret hash as any site implementing the gravatar would need to know it.
Whatever information gravatar has the site needs as well to compute the hash, and if the site has it, it's safe to assume that the attacker has it IMO.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270</id>
	<title>Public address</title>
	<author>Anonymous</author>
	<datestamp>1260901980000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>Here's my own Gravatar hash:</p><p><a href="http://www.gravatar.com/avatar/b835b33911b93c136d8e61cbbbe6736d&amp;b=identicon" title="gravatar.com">b835b33911b93c136d8e61cbbbe6736d</a> [gravatar.com]</p><p>Who will be the first to crack it?</p></htmltext>
<tokenext>Here 's my own Gravatar hash :
b835b33911b93c136d8e61cbbbe6736d [ gravatar.com ]
Who will be the first to crack it ?</tokentext>
<sentencetext>Here's my own Gravatar hash:
b835b33911b93c136d8e61cbbbe6736d [gravatar.com]
Who will be the first to crack it?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455074</id>
	<title>Re:e9af4cb49c97162d6be3ea8c6ca90a46</title>
	<author>Anonymous</author>
	<datestamp>1259661480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I can also tell that Kaylan Elizabeth is female</htmltext>
<tokenext>I can also tell that Kaylan Elizabeth is female</tokentext>
<sentencetext>I can also tell that Kaylan Elizabeth is female</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246</id>
	<title>No need</title>
	<author>Mathinker</author>
	<datestamp>1260901740000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>It would have been trivial for them to just add a secret salt string to the email before hashing, and that would have solved most of the problem. It is possible that they wanted to be "nice", in that in the case they go out of business, anyone can regenerate the ID's without them. But, as this guy has shown, that's not a great idea.</p></htmltext>
<tokenext>It would have been trivial for them to just add a secret salt string to the email before hashing , and that would have solved most of the problem .
It is possible that they wanted to be " nice " , in that in the case they go out of business , anyone can regenerate the ID 's without them .
But , as this guy has shown , that 's not a great idea .</tokentext>
<sentencetext>It would have been trivial for them to just add a secret salt string to the email before hashing, and that would have solved most of the problem.
It is possible that they wanted to be "nice", in that in the case they go out of business, anyone can regenerate the ID's without them.
But, as this guy has shown, that's not a great idea.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455250</id>
	<title>In other news, Water is wet</title>
	<author>SlightOverdose</author>
	<datestamp>1259664900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I think most of us figured out this possibility within 30 seconds of seeing how Gravatar worked.</p><p>One solution would be to have a private salt known only to Gravatar and the implementing website. Gravatar could determine the correct salt to use based on the referrer.</p><p>Of course this would mean each subscriber would need to be hashed against each salt in the Gravatar database.</p><p>In either case, I don't think it's really that big a deal.</p></htmltext>
<tokenext>I think most of us figured out this possibility within 30 seconds of seeing how Gravatar worked . One solution would be to have a private salt known only to Gravatar and the implementing website .
Gravatar could determine the correct salt to use based on the referrer . Of course this would mean each subscriber would need to be hashed against each salt in the Gravatar database . In either case , I do n't think it 's really that big a deal .</tokentext>
<sentencetext>I think most of us figured out this possibility within 30 seconds of seeing how Gravatar worked. One solution would be to have a private salt known only to Gravatar and the implementing website.
Gravatar could determine the correct salt to use based on the referrer. Of course this would mean each subscriber would need to be hashed against each salt in the Gravatar database. In either case, I don't think it's really that big a deal.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454382</id>
	<title>Why is this a problem?</title>
	<author>gman003</author>
	<datestamp>1260903120000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Do you consider your email address private info, need-to-know only? With a decent spam filter and easy-to-use block features, it really isn't a problem. I provide mine to pretty much anyone who asks. The only thing I do is keep it in a non-scrapable format, to keep it from getting on too many spam lists.</htmltext>
<tokenext>Do you consider your email address private info , need-to-know only ?
With a decent spam filter and easy-to-use block features , it really is n't a problem .
I provide mine to pretty much anyone who asks .
The only thing I do is keep it in a non-scrapable format , to keep it from getting on too many spam lists .</tokentext>
<sentencetext>Do you consider your email address private info, need-to-know only?
With a decent spam filter and easy-to-use block features, it really isn't a problem.
I provide mine to pretty much anyone who asks.
The only thing I do is keep it in a non-scrapable format, to keep it from getting on too many spam lists.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455594</id>
	<title>Re:So let's change the algorithm.</title>
	<author>K-Mile</author>
	<datestamp>1259668620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Wouldn't it be easier then to just email john.doe@gmail.com, john.doe@hotmail.com, and john.doe@aol.com, instead of passing the email addresses through a cloud based online avatar brute force MD5 email validating script?</htmltext>
<tokenext>Would n't it be easier then to just email john.doe @ gmail.com , john.doe @ hotmail.com , and john.doe @ aol.com , instead of passing the email addresses through a cloud based online avatar brute force MD5 email validating script ?</tokentext>
<sentencetext>Wouldn't it be easier then to just email john.doe@gmail.com, john.doe@hotmail.com, and john.doe@aol.com, instead of passing the email addresses through a cloud based online avatar brute force MD5 email validating script?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455752</id>
	<title>Re:So let's change the algorithm.</title>
	<author>mr exploiter</author>
	<datestamp>1259670060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>That's assuming email addresses are random sequences of letters, digits and dots.</p><p>If you're a spammer and don't mind missing the email of mr. q9x7.3f.1zzp@hotmail.com, a phone book would probably provide an effective dictionary for narrowing that keyspace considerably</p></div><p>That's assuming nothing. You know how to read? Parent is talking about covering the ENTIRE range of emails under 12 characters with those characters.</p></div>
	</htmltext>
<tokenext>That 's assuming email addresses are random sequences of letters , digits and dots . If you 're a spammer and do n't mind missing the email of mr. q9x7.3f.1zzp @ hotmail.com , a phone book would probably provide an effective dictionary for narrowing that keyspace considerably That 's assuming nothing .
You know how to read ?
Parent is talking about covering the ENTIRE range of emails under 12 characters with those characters .</tokentext>
<sentencetext>That's assuming email addresses are random sequences of letters, digits and dots. If you're a spammer and don't mind missing the email of mr. q9x7.3f.1zzp@hotmail.com, a phone book would probably provide an effective dictionary for narrowing that keyspace considerably That's assuming nothing.
You know how to read?
Parent is talking about covering the ENTIRE range of emails under 12 characters with those characters.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330</id>
	<title>At first glance...</title>
	<author>fahrbot-bot</author>
	<datestamp>1260902400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>...I thought "Gravatar" was a new theoretical exotic particle, like a Graviton, especially when used with the following "can leak", but this actually makes more sense - sort of - though I don't know if "leak" is the best verb here.  In any case, I gotta stop reading science journals late at night.</htmltext>
<tokenext>...I thought " Gravatar " was a new theoretical exotic particle , like a Graviton , especially when used with the following " can leak " , but this actually makes more sense - sort of - though I do n't know if " leak " is the best verb here .
In any case , I got ta stop reading science journals late at night .</tokentext>
<sentencetext>...I thought "Gravatar" was a new theoretical exotic particle, like a Graviton, especially when used with the following "can leak", but this actually makes more sense - sort of - though I don't know if "leak" is the best verb here.
In any case, I gotta stop reading science journals late at night.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454998</id>
	<title>Re:So let's change the algorithm.</title>
	<author>ysth</author>
	<datestamp>1259660040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p> <a href="http://tools.benramsey.com/md5/" title="benramsey.com" rel="nofollow">I</a> [benramsey.com] <a href="http://md5.gromweb.com/" title="gromweb.com" rel="nofollow">disagree.</a> [gromweb.com] </p><p>Granted, those are basically very unsophisticated databases that just store lookup values, but it's relatively easy to bruteforce an MD5 hash down into one of the possible original strings </p></div><p>No, it's not.  Or at least, it only is if you have truly awesome amounts of time or computing resources to spend.  Hence lookup databases like those you reference.</p></div>
	</htmltext>
<tokenext>I [ benramsey.com ] disagree .
[ gromweb.com ] Granted , those are basically very unsophisticated databases that just store lookup values , but it 's relatively easy to bruteforce an MD5 hash down into one of the possible original strings No , it 's not .
Or at least , it only is if you have truly awesome amounts of time or computing resources to spend .
Hence lookup databases like those you reference .</tokentext>
<sentencetext> I [benramsey.com] disagree.
[gromweb.com] Granted, those are basically very unsophisticated databases that just store lookup values, but it's relatively easy to bruteforce an MD5 hash down into one of the possible original strings No, it's not.
Or at least, it only is if you have truly awesome amounts of time or computing resources to spend.
Hence lookup databases like those you reference.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Korin43</author>
	<datestamp>1260904860000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext>What I'm wondering is why this matters at all. A spammer would just send emails [your username]@[every common email domain]. Why would they bother to check if it's the correct address or not?</htmltext>
<tokenext>What I 'm wondering is why this matters at all .
A spammer would just send emails [ your username ] @ [ every common email domain ] .
Why would they bother to check if it 's the correct address or not ?</tokentext>
<sentencetext>What I'm wondering is why this matters at all.
A spammer would just send emails [your username]@[every common email domain].
Why would they bother to check if it's the correct address or not?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454802</id>
	<title>No salting</title>
	<author>Mathinker</author>
	<datestamp>1259699820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I more or less agree with you that this isn't particularly newsworthy (is Gravatar all that widely used?), except for the fact that if they had bothered to add a random, secret salt before hashing, everything would have been secure (or rather, as secure as the secret salt).</p><p>&gt; In other news, all password hashes can eventually be cracked by brute force... Oh noes!</p><p>True, but that is like saying "No encryption which uses a key smaller than the length of the ciphertext is secure": mathematically true, but not true in practice.</p><p>I think what you should have said instead was:</p><p>"In other news, doing security is harder than you think."</p></htmltext>
<tokenext>I more or less agree with you that this is n't particularly newsworthy ( is Gravatar all that widely used ?
) , except for the fact that if they had bothered to add a random , secret salt before hashing , everything would have been secure ( or rather , as secure as the secret salt ) . &gt; In other news , all password hashes can eventually be cracked by brute force... Oh noes ! True , but that is like saying " No encryption which uses a key smaller than the length of the ciphertext is secure " : mathematically true , but not true in practice . I think what you should have said instead was : " In other news , doing security is harder than you think .
"</tokentext>
<sentencetext>I more or less agree with you that this isn't particularly newsworthy (is Gravatar all that widely used?
), except for the fact that if they had bothered to add a random, secret salt before hashing, everything would have been secure (or rather, as secure as the secret salt). &gt; In other news, all password hashes can eventually be cracked by brute force... Oh noes! True, but that is like saying "No encryption which uses a key smaller than the length of the ciphertext is secure": mathematically true, but not true in practice. I think what you should have said instead was: "In other news, doing security is harder than you think.
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30459862</id>
	<title>Re:Not A Bug</title>
	<author>Anonymous</author>
	<datestamp>1259691360000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><blockquote><div><p>Email addresses are usernames. They are not secret information.</p></div></blockquote><p>I believed that until spam became a huge problem.  Now I no longer notice any spam because of filters, but every now and then I have problems with e-mail not being delivered.  Spammers aren't monitoring internet hops.  Geeze.</p></div>
	</htmltext>
<tokenext>Email addresses are usernames .
They are not secret information . I believed that until spam became a huge problem .
Now I no longer notice any spam because of filters , but every now and then I have problems with e-mail not being delivered .
Spammers are n't monitoring internet hops .
Geeze .</tokentext>
<sentencetext>Email addresses are usernames.
They are not secret information. I believed that until spam became a huge problem.
Now I no longer notice any spam because of filters, but every now and then I have problems with e-mail not being delivered.
Spammers aren't monitoring internet hops.
Geeze.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454618</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Firehed</author>
	<datestamp>1260902880000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p><a href="http://tools.benramsey.com/md5/" title="benramsey.com">I</a> [benramsey.com] <a href="http://md5.gromweb.com/" title="gromweb.com">disagree.</a> [gromweb.com]</p><p>Granted, those are basically very unsophisticated databases that just store lookup values, but it's relatively easy to bruteforce an MD5 hash down into one of the possible original strings (obviously with any algorithm that has a fixed output size with limitless inputs like MD5 there are infinite inputs that will hash down to a single md5sum, but when you're trying to get a valid email address out of a hash it's easy to pick the right one).  Couple that with the fact that in this situation, you know that the entire string is lowercased and probably 60% of the gravatar emails (probably more like 90% actually) are going to come from one of four or five domains... reversal becomes quite easy. If you're bored, you could spin up a few Amazon EC2 or Rackspace Cloud Server instances to dump out some large tables. One each for gmail, yahoo, msn, aol, whatever else; it'd be a very simple script to make. You could probably cover every alphanumeric email address under 12 characters overnight, at a cost of about a dollar and ten minutes of scripting.</p><p>The thing to realize here is that gravatar doesn't md5 emails to hide them from people who want to obscure their identity, just to obscure them from spambots.  So it's really a non-issue. If you're that concerned, leave your blog comments with a fake email address.</p></htmltext>
<tokenext>I [ benramsey.com ] disagree .
[ gromweb.com ] Granted , those are basically very unsophisticated databases that just store lookup values , but it 's relatively easy to bruteforce an MD5 hash down into one of the possible original strings ( obviously with any algorithm that has a fixed output size with limitless inputs like MD5 there are infinite inputs that will hash down to a single md5sum , but when you 're trying to get a valid email address out of a hash it 's easy to pick the right one ) .
Couple that with the fact that in this situation , you know that the entire string is lowercased and probably 60 % of the gravatar emails ( probably more like 90 % actually ) are going to come from one of four or five domains... reversal becomes quite easy .
If you 're bored , you could spin up a few Amazon EC2 or Rackspace Cloud Server instances to dump out some large tables .
One each for gmail , yahoo , msn , aol , whatever else ; it 'd be a very simple script to make .
You could probably cover every alphanumeric email address under 12 characters overnight , at a cost of about a dollar and ten minutes of scripting . The thing to realize here is that gravatar does n't md5 emails to hide them from people who want to obscure their identity , just to obscure them from spambots .
So it 's really a non-issue .
If you 're that concerned , leave your blog comments with a fake email address .</tokentext>
<sentencetext>I [benramsey.com] disagree.
[gromweb.com] Granted, those are basically very unsophisticated databases that just store lookup values, but it's relatively easy to bruteforce an MD5 hash down into one of the possible original strings (obviously with any algorithm that has a fixed output size with limitless inputs like MD5 there are infinite inputs that will hash down to a single md5sum, but when you're trying to get a valid email address out of a hash it's easy to pick the right one).
Couple that with the fact that in this situation, you know that the entire string is lowercased and probably 60% of the gravatar emails (probably more like 90% actually) are going to come from one of four or five domains... reversal becomes quite easy.
If you're bored, you could spin up a few Amazon EC2 or Rackspace Cloud Server instances to dump out some large tables.
One each for gmail, yahoo, msn, aol, whatever else; it'd be a very simple script to make.
You could probably cover every alphanumeric email address under 12 characters overnight, at a cost of about a dollar and ten minutes of scripting. The thing to realize here is that gravatar doesn't md5 emails to hide them from people who want to obscure their identity, just to obscure them from spambots.
So it's really a non-issue.
If you're that concerned, leave your blog comments with a fake email address.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455232</id>
	<title>Re:Public Key Encryption</title>
	<author>Kijori</author>
	<datestamp>1259664720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Two points.</p><p>Firstly, the image files can't be static if you're using the salt, since the gravatar backend would have to remove it and look up the gravatar_id; this would increase running costs for gravatar by a considerable amount. Second, if you're using a gravatar_id why bother with the encryption? As long as there's no way for the gravatar ID to be resolved back to an email address it doesn't matter if people know it, especially since knowing the encrypted version would necessarily be functionally identical.</p><p>A nicer solution - still with the problem of no longer being static image files - would be<br>-User inputs email address<br>-Site connects to the gravatar server, using the unique encryption key it was given by gravatar to authenticate itself and send the email address (much like how reCaptcha works)<br>-gravatar service sends back a link to a static image associated with that user. This link can be stored for future use.</p><p>This puts less strain on the gravatar servers, since the repeated image-serving is static, and also avoids there being any way to link images back to email addresses.</p><p>Still doesn't answer the question, though, of whether there's any point trying to brute-force gravatar when the addresses in your dictionary are already part of your indiscriminate mailings.</p></htmltext>
<tokenext>Two points . Firstly , the image files ca n't be static if you 're using the salt , since the gravatar backend would have to remove it and look up the gravatar_id ; this would increase running costs for gravatar by a considerable amount .
Second , if you 're using a gravatar_id why bother with the encryption ?
As long as there 's no way for the gravatar ID to be resolved back to an email address it does n't matter if people know it , especially since knowing the encrypted version would necessarily be functionally identical . A nicer solution - still with the problem of no longer being static image files - would be -User inputs email address -Site connects to the gravatar server , using the unique encryption key it was given by gravatar to authenticate itself and send the email address ( much like how reCaptcha works ) -gravatar service sends back a link to a static image associated with that user .
This link can be stored for future use . This puts less strain on the gravatar servers , since the repeated image-serving is static , and also avoids there being any way to link images back to email addresses . Still does n't answer the question , though , of whether there 's any point trying to brute-force gravatar when the addresses in your dictionary are already part of your indiscriminate mailings .</tokentext>
<sentencetext>Two points. Firstly, the image files can't be static if you're using the salt, since the gravatar backend would have to remove it and look up the gravatar_id; this would increase running costs for gravatar by a considerable amount.
Second, if you're using a gravatar_id why bother with the encryption?
As long as there's no way for the gravatar ID to be resolved back to an email address it doesn't matter if people know it, especially since knowing the encrypted version would necessarily be functionally identical. A nicer solution - still with the problem of no longer being static image files - would be -User inputs email address -Site connects to the gravatar server, using the unique encryption key it was given by gravatar to authenticate itself and send the email address (much like how reCaptcha works) -gravatar service sends back a link to a static image associated with that user.
This link can be stored for future use. This puts less strain on the gravatar servers, since the repeated image-serving is static, and also avoids there being any way to link images back to email addresses. Still doesn't answer the question, though, of whether there's any point trying to brute-force gravatar when the addresses in your dictionary are already part of your indiscriminate mailings.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454656</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455816</id>
	<title>Not the algorithm</title>
	<author>panaceaa</author>
	<datestamp>1259670720000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>This is not related to the MD5 algorithm or use of salts.  The fact is that Gravatar wants sites to use Gravatar without sending loads of requests to gravatar.com.  Therefore Gravatar must provide a "client-side" API for generating Gravatar avatar URLs based on the known constant, email addresses.  Sure, they could have salted things, but whatever they do, there's an essentially open source function somewhere that takes an email address and converts it to a Gravatar URL.  As the algorithm is available to anyone, any attack can use it to check intelligent guesses against the known algorithm result.</p><p>There really isn't anything Gravatar can do without changing their design to decouple avatar URLs from email addresses.  Basically whenever anyone registers an account with a blog, the site would have to ask Gravatar for the user's Gravatar avatar URL -- and probably poll on some regular basis in case users add Gravatar avatars later.  The blog would then have to pertain this data in their databases for later look-up when comments are viewed.  This is certainly possible, and could probably be designed in a way that doesn't add additional load to Gravatar's servers.  But compared to the current implementation, which can be added to blogs with very minimal coding (probably just a couple lines in PHP), to do this more safely would require persistence-layer/database schema changes that would severely limit the attractiveness of Gravatar.</p></htmltext>
<tokenext>This is not related to the MD5 algorithm or use of salts .
The fact is that Gravatar wants sites to use Gravatar without sending loads of requests to gravatar.com .
Therefore Gravatar must provide a " client-side " API for generating Gravatar avatar URLs based on the known constant , email addresses .
Sure , they could have salted things , but whatever they do , there 's an essentially open source function somewhere that takes an email address and converts it to a Gravatar URL .
As the algorithm is available to anyone , any attack can use it to check intelligent guesses against the known algorithm result . There really is n't anything Gravatar can do without changing their design to decouple avatar URLs from email addresses .
Basically whenever anyone registers an account with a blog , the site would have to ask Gravatar for the user 's Gravatar avatar URL -- and probably poll on some regular basis in case users add Gravatar avatars later .
The blog would then have to pertain this data in their databases for later look-up when comments are viewed .
This is certainly possible , and could probably be designed in a way that does n't add additional load to Gravatar 's servers .
But compared to the current implementation , which can be added to blogs with very minimal coding ( probably just a couple lines in PHP ) , to do this more safely would require persistence-layer/database schema changes that would severely limit the attractiveness of Gravatar .</tokentext>
<sentencetext>This is not related to the MD5 algorithm or use of salts.
The fact is that Gravatar wants sites to use Gravatar without sending loads of requests to gravatar.com.
Therefore Gravatar must provide a "client-side" API for generating Gravatar avatar URLs based on the known constant, email addresses.
Sure, they could have salted things, but whatever they do, there's an essentially open source function somewhere that takes an email address and converts it to a Gravatar URL.
As the algorithm is available to anyone, any attack can use it to check intelligent guesses against the known algorithm result. There really isn't anything Gravatar can do without changing their design to decouple avatar URLs from email addresses.
Basically whenever anyone registers an account with a blog, the site would have to ask Gravatar for the user's Gravatar avatar URL -- and probably poll on some regular basis in case users add Gravatar avatars later.
The blog would then have to pertain this data in their databases for later look-up when comments are viewed.
This is certainly possible, and could probably be designed in a way that doesn't add additional load to Gravatar's servers.
But compared to the current implementation, which can be added to blogs with very minimal coding (probably just a couple lines in PHP), to do this more safely would require persistence-layer/database schema changes that would severely limit the attractiveness of Gravatar.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268</id>
	<title>Re:So let's change the algorithm.</title>
	<author>Mad Merlin</author>
	<datestamp>1260901980000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>It's not, any hashing function would be subject to the same problem. If you RTFA you'll find that they just brute force combinations of the user name and common email domains.</p><p>To actually fix this would require not hashing (only) email address, you could mix in some secret salt with the email before hashing, or you could use encryption (with a secret key), or you could just hand out unique identifiers which are associated only in the Gravatar database. I don't know if any of these are feasible for this particular application though.</p></htmltext>
<tokenext>It 's not , any hashing function would be subject to the same problem .
If you RTFA you 'll find that they just brute force combinations of the user name and common email domains . To actually fix this would require not hashing ( only ) email address , you could mix in some secret salt with the email before hashing , or you could use encryption ( with a secret key ) , or you could just hand out unique identifiers which are associated only in the Gravatar database .
I do n't know if any of these are feasible for this particular application though .</tokentext>
<sentencetext>It's not, any hashing function would be subject to the same problem.
If you RTFA you'll find that they just brute force combinations of the user name and common email domains. To actually fix this would require not hashing (only) email address, you could mix in some secret salt with the email before hashing, or you could use encryption (with a secret key), or you could just hand out unique identifiers which are associated only in the Gravatar database.
I don't know if any of these are feasible for this particular application though.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456034</id>
	<title>Re:So let's change the algorithm.</title>
	<author>selven</author>
	<datestamp>1259672520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This programmer used <b>a bot</b> to gather over 8k email addresses. So it's pretty useless against spam.</p></htmltext>
<tokenext>This programmer used a bot to gather over 8k email addresses .
So it 's pretty useless against spam .</tokentext>
<sentencetext>This programmer used a bot to gather over 8k email addresses.
So it's pretty useless against spam.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244</id>
	<title>Re:So let's change the algorithm.</title>
	<author>sam0737</author>
	<datestamp>1260901680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>No it's not related to MD5 itself. period.</p></htmltext>
<tokenext>No it 's not related to MD5 itself .
period .</tokentext>
<sentencetext>No it's not related to MD5 itself.
period.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455222</id>
	<title>Simple way to protect yourself</title>
	<author>Umangme</author>
	<datestamp>1259664480000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Some email providers have a simple way of giving you a throw away id. E.g example+slashdotnospam@gmail.com is sent to example@gmail.com.</p><p>Say my name is Lary Page. If my email id is lary.page@gmail.com, I can still protect myself so that you will never get my email id.</p><p>
MD5 (lary.page@gmail.com) = "1b8dbe98e2b1138fd3ba34e26fc55107".
</p><p>So I provide my email id as lary.page+1b8dbe98e2b1138fd3ba34e26fc55107@gmail.com. If I gave you the md5 of that id, you'll find it hard to get back to lary.page@gmail.com.</p><p>Try, the MD5 hash of the above email id is 803efbc80ead933f28d0704d43d1f63b.</p></htmltext>
<tokenext>Some email providers have a simple way of giving you a throw away id .
E.g example + slashdotnospam @ gmail.com is sent to example @ gmail.com . Say my name is Lary Page .
If my email id is lary.page @ gmail.com , I can still protect myself so that you will never get my email id .
MD5 ( lary.page @ gmail.com ) = " 1b8dbe98e2b1138fd3ba34e26fc55107 " .
So I provide my email id as lary.page + 1b8dbe98e2b1138fd3ba34e26fc55107 @ gmail.com .
If I gave you the md5 of that id , you 'll find it hard to get back to lary.page @ gmail.com . Try , the MD5 hash of the above email id is 803efbc80ead933f28d0704d43d1f63b .</tokentext>
<sentencetext>Some email providers have a simple way of giving you a throw away id.
E.g example+slashdotnospam@gmail.com is sent to example@gmail.com. Say my name is Lary Page.
If my email id is lary.page@gmail.com, I can still protect myself so that you will never get my email id.
MD5 (lary.page@gmail.com) = "1b8dbe98e2b1138fd3ba34e26fc55107".
So I provide my email id as lary.page+1b8dbe98e2b1138fd3ba34e26fc55107@gmail.com.
If I gave you the md5 of that id, you'll find it hard to get back to lary.page@gmail.com. Try, the MD5 hash of the above email id is 803efbc80ead933f28d0704d43d1f63b.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454618</id>
	<title>Not A Bug</title>
	<author>lhunath</author>
	<datestamp>1260905940000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p> Email addresses are usernames.  They are not secret information.  If somebody can be bothered enough to find your email address through brute-forcing the MD5 hash of it; you've got bigger problems.</p><p>Far more than "10% of stackoverflow.com's users" can have their email addresses GUESSED far faster.  Likely your email address is also FAR easier to establish through a simple Google search on your pseudonyms.</p><p>If you for some odd reason want your email address to be secret; for the same name as wanting a secret pseudonym or using a false name when signing up; register a fake email address instead (and set it up for forwarding).  You're giving your email address in clear text to the site's owner and all the internet hops in between him and you ANYWAY.</p><p>It's important to learn to distinguish between what is a secret and what is not; and if you want to make things secret, at what level you should put your trust.</p></htmltext>
<tokenext>Email addresses are usernames .
They are not secret information .
If somebody can be bothered enough to find your email address through brute-forcing the MD5 hash of it ; you 've got bigger problems . Far more than " 10 % of stackoverflow.com 's users " can have their email addresses GUESSED far faster .
Likely your email address is also FAR easier to establish through a simple Google search on your pseudonyms . If you for some odd reason want your email address to be secret ; for the same name as wanting a secret pseudonym or using a false name when signing up ; register a fake email address instead ( and set it up for forwarding ) .
You 're giving your email address in clear text to the site 's owner and all the internet hops in between him and you ANYWAY . It 's important to learn to distinguish between what is a secret and what is not ; and if you want to make things secret , at what level you should put your trust .</tokentext>
<sentencetext> Email addresses are usernames.
They are not secret information.
If somebody can be bothered enough to find your email address through brute-forcing the MD5 hash of it; you've got bigger problems. Far more than "10% of stackoverflow.com's users" can have their email addresses GUESSED far faster.
Likely your email address is also FAR easier to establish through a simple Google search on your pseudonyms. If you for some odd reason want your email address to be secret; for the same name as wanting a secret pseudonym or using a false name when signing up; register a fake email address instead (and set it up for forwarding).
You're giving your email address in clear text to the site's owner and all the internet hops in between him and you ANYWAY. It's important to learn to distinguish between what is a secret and what is not; and if you want to make things secret, at what level you should put your trust.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454890</id>
	<title>Could provide an API</title>
	<author>Mathinker</author>
	<datestamp>1259658240000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>From Gravatar's FAQ:</p><p><div class="quote"><p><div class="quote"><p>MD5 isnt strong enough encryption, they&rsquo;ve cracked that havent they?</p></div><p>MD5 is plenty good for obfuscating the email address of users across the wire. if you&rsquo;re thinking of rainbow tables, those are all geared at passwords (which are generally shorter, and less globally different from one another) and not email addresses, furthermore they are geared at generating anything that matches the hash, NOT the original data being hashed. If you are thinking about being able to reproduce a collision, you still don&rsquo;t necessarily get the actual email address being hashed from the data generated to create the collision. In either case the work required to both construct and operate such a monstrocity would be prohibitively costly. If we left your password laying around in the open as a plain md5 hash someone might be able to find some data (not necessarily your password) which they could use to log in as you... Leaving your email address out as an md5 hash, however, is not going to cause a violent upsurge in the number of fake rolex watch emails that you get. Lets face it there are far more lucrative, easier, ways of getting email address. I hope this helps ease your mind.</p> </div><p>So, they might have already thought about this vulnerability and dismissed it as not interesting.</p><p>They could still fix their concept by providing an API where a website wanting to discover the avatar for a given email first hashes the email with MD5 and then the Gravatar URL which is generated <b>redirects</b> them to a link to the image (which contains no information about the email address, or perhaps uses a <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" title="wikipedia.org" rel="nofollow">salted</a> [wikipedia.org] hash). This, in conjunction with rate limiting the number of queries per website, could provide a relatively secure way to do what they want.</p></div>
	</htmltext>
<tokenext>From Gravatar 's FAQ : MD5 isnt strong enough encryption , they’ve cracked that havent they ? MD5 is plenty good for obfuscating the email address of users across the wire .
if you’re thinking of rainbow tables , those are all geared at passwords ( which are generally shorter , and less globally different from one another ) and not email addresses , furthermore they are geared at generating anything that matches the hash , NOT the original data being hashed .
If you are thinking about being able to reproduce a collision , you still don’t necessarily get the actual email address being hashed from the data generated to create the collision .
In either case the work required to both construct and operate such a monstrocity would be prohibitively costly .
If we left your password laying around in the open as a plain md5 hash someone might be able to find some data ( not necessarily your password ) which they could use to log in as you... Leaving your email address out as an md5 hash , however , is not going to cause a violent upsurge in the number of fake rolex watch emails that you get .
Lets face it there are far more lucrative , easier , ways of getting email address .
I hope this helps ease your mind .
So , they might have already thought about this vulnerability and dismissed it as not interesting . They could still fix their concept by providing an API where a website wanting to discover the avatar for a given email first hashes the email with MD5 and then the Gravatar URL which is generated redirects them to a link to the image ( which contains no information about the email address , or perhaps uses a salted [ wikipedia.org ] hash ) .
This , in conjunction with rate limiting the number of queries per website , could provide a relatively secure way to do what they want .</tokentext>
<sentencetext>From Gravatar's FAQ: MD5 isnt strong enough encryption, they’ve cracked that havent they? MD5 is plenty good for obfuscating the email address of users across the wire.
if you’re thinking of rainbow tables, those are all geared at passwords (which are generally shorter, and less globally different from one another) and not email addresses, furthermore they are geared at generating anything that matches the hash, NOT the original data being hashed.
If you are thinking about being able to reproduce a collision, you still don’t necessarily get the actual email address being hashed from the data generated to create the collision.
In either case the work required to both construct and operate such a monstrocity would be prohibitively costly.
If we left your password laying around in the open as a plain md5 hash someone might be able to find some data (not necessarily your password) which they could use to log in as you... Leaving your email address out as an md5 hash, however, is not going to cause a violent upsurge in the number of fake rolex watch emails that you get.
Lets face it there are far more lucrative, easier, ways of getting email address.
I hope this helps ease your mind.
So, they might have already thought about this vulnerability and dismissed it as not interesting. They could still fix their concept by providing an API where a website wanting to discover the avatar for a given email first hashes the email with MD5 and then the Gravatar URL which is generated redirects them to a link to the image (which contains no information about the email address, or perhaps uses a salted [wikipedia.org] hash).
This, in conjunction with rate limiting the number of queries per website, could provide a relatively secure way to do what they want.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454562</id>
	<title>Does explain ...</title>
	<author>Anonymous</author>
	<datestamp>1260905100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>... the emails about ad I got today on my email address I used to register a gravatar.</htmltext>
<tokenext>... the emails about ad I got today on my email address I used to register a gravatar .</tokentext>
<sentencetext>... the emails about ad I got today on my email address I used to register a gravatar.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454374</id>
	<title>Re:At first glance...</title>
	<author>Psaakyrn</author>
	<datestamp>1260903000000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>And you didn't think of Gravitar instead? Kids these days...</p><p><a href="http://en.wikipedia.org/wiki/Gravitar" title="wikipedia.org" rel="nofollow">http://en.wikipedia.org/wiki/Gravitar</a> [wikipedia.org]</p></htmltext>
<tokenext>And you did n't think of Gravitar instead ?
Kids these days... http : //en.wikipedia.org/wiki/Gravitar [ wikipedia.org ]</tokentext>
<sentencetext>And you didn't think of Gravitar instead?
Kids these days... http://en.wikipedia.org/wiki/Gravitar [wikipedia.org]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458716</id>
	<title>Thats why I use....</title>
	<author>hesaigo999ca</author>
	<datestamp>1259687160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That's why I use a new hotmail address usually made with the sites name and my own to keep logs of everything that comes from there, so if anything is compromised, then I know usually where it comes from. Also I have no worries someone gets my address as it is irrelevant seeing as it is not my real one.</p></htmltext>
<tokenext>That 's why I use a new hotmail address usually made with the sites name and my own to keep logs of everything that comes from there , so if anything is compromised , then I know usually where it comes from .
Also I have no worries someone gets my address as it is irrelevant seeing as it is not my real one .</tokentext>
<sentencetext>That's why I use a new hotmail address usually made with the sites name and my own to keep logs of everything that comes from there, so if anything is compromised, then I know usually where it comes from.
Also I have no worries someone gets my address as it is irrelevant seeing as it is not my real one.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454698</id>
	<title>The Guardian says...</title>
	<author>Anonymous</author>
	<datestamp>1259697660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Gravatar!<nobr> <wbr></nobr>... for i shall be your provider... your companion, meh, YOUR MASTER!</p></htmltext>
<tokenext>Gravatar !
... for i shall be your provider... your companion , meh , YOUR MASTER !</tokentext>
<sentencetext>Gravatar!
... for i shall be your provider... your companion, meh, YOUR MASTER!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454996</id>
	<title>Re:e9af4cb49c97162d6be3ea8c6ca90a46</title>
	<author>Anonymous</author>
	<datestamp>1259660040000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yes, you're smart to figure all that out.<br>But then you do not have to leave slashdot to solve the riddle:</p><p><div class="quote"><p>by iSzabo (1392353)    on Wednesday December 16, @01:04AM (#30454460)</p></div><p>I don't know if Facebook keeps track of visitors to one's profile (some networks do), but possibly tyler can now guess who you are as well.</p><p>- 043dc29be78d00413a3da8611fd93451</p></div>
	</htmltext>
<tokenext>Yes , you 're smart to figure all that out . But then you do not have to leave slashdot to solve the riddle : by iSzabo ( 1392353 ) on Wednesday December 16 , @ 01 : 04AM ( # 30454460 ) I do n't know if Facebook keeps track of visitors to one 's profile ( some networks do ) , but possibly tyler can now guess who you are as well . - 043dc29be78d00413a3da8611fd93451</tokentext>
<sentencetext>Yes, you're smart to figure all that out. But then you do not have to leave slashdot to solve the riddle: by iSzabo (1392353)    on Wednesday December 16, @01:04AM (#30454460) I don't know if Facebook keeps track of visitors to one's profile (some networks do), but possibly tyler can now guess who you are as well. - 043dc29be78d00413a3da8611fd93451
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454510</id>
	<title>Big deal...</title>
	<author>Anonymous</author>
	<datestamp>1260904560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>If you have an MD5 hash of a file or phrase, like an email, and have candidates, you can compare them and see if there's a match!  Video at 11!</p><p>But seriously, this approach isn't really novel, just a novel application of existing technology.  That said, it only affects users whose emails were already easily guessable.  If your username is Jon Robert and your email is jon.robert@gmail.com...well, if I was guessing without this, I'd guess that first anyways.  All this does is permit you to confirm an email.  This is an exploit, but not really all that dangerous of one, because it doesn't reveal emails, only lets you confirm that the email you guessed exists and what it is.</p><p>The approach of using rainbow tables, only discussed briefly, is a bit more concerning, and I'd like to see more about this.</p></htmltext>
<tokenext>If you have an MD5 hash of a file or phrase , like an email , and have candidates , you can compare them and see if there 's a match !
Video at 11 ! But seriously , this approach is n't really novel , just a novel application of existing technology .
That said , it only affects users whose emails were already easily guessable .
If your username is Jon Robert and your email is jon.robert @ gmail.com...well , if I was guessing without this , I 'd guess that first anyways .
All this does is permit you to confirm an email .
This is an exploit , but not really all that dangerous of one , because it does n't reveal emails , only lets you confirm that the email you guessed exists and what it is . The approach of using rainbow tables , only discussed briefly , is a bit more concerning , and I 'd like to see more about this .</tokentext>
<sentencetext>If you have an MD5 hash of a file or phrase, like an email, and have candidates, you can compare them and see if there's a match!
Video at 11! But seriously, this approach isn't really novel, just a novel application of existing technology.
That said, it only affects users whose emails were already easily guessable.
If your username is Jon Robert and your email is jon.robert@gmail.com...well, if I was guessing without this, I'd guess that first anyways.
All this does is permit you to confirm an email.
This is an exploit, but not really all that dangerous of one, because it doesn't reveal emails, only lets you confirm that the email you guessed exists and what it is. The approach of using rainbow tables, only discussed briefly, is a bit more concerning, and I'd like to see more about this.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458598</id>
	<title>Re:Public address</title>
	<author>SatanicPuppy</author>
	<datestamp>1259686740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That's just what I was thinking. I use Stack Overflow, and my username is (predictably) Satanicpuppy. 5 seconds of googling will give you my email address, because I treat all information on public forums as public information.</p><p>This is only a problem for people who think that they can really be sure of their privacy because some website takes a half-assed precaution.</p></htmltext>
<tokenext>That 's just what I was thinking .
I use Stack Overflow , and my username is ( predictably ) Satanicpuppy .
5 seconds of googling will give you my email address , because I treat all information on public forums as public information . This is only a problem for people who think that they can really be sure of their privacy because some website takes a half-assed precaution .</tokentext>
<sentencetext>That's just what I was thinking.
I use Stack Overflow, and my username is (predictably) Satanicpuppy.
5 seconds of googling will give you my email address, because I treat all information on public forums as public information. This is only a problem for people who think that they can really be sure of their privacy because some website takes a half-assed precaution.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456076</id>
	<title>Re:No need</title>
	<author>selven</author>
	<datestamp>1259672820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>No, it would not be easy to reverse engineer the salt string. Even if you know half of the source text and the hash, that does not make it much easier to get the second half of the source. You would still have to try all possible combinations. The secret salt could be:</p><p>example@gmail.com124235rjcw475tvye<br>example124235rjc@w475tvyegmail.com<br>e1x2a4m2p3l5er@jgcmwa4i7l5.tcvoyme<br>124235rjcw475tvyemoc.liamg@elpmaxe</p><p>There are just too many possibilities.</p></htmltext>
<tokenext>No , it would not be easy to reverse engineer the salt string .
Even if you know half of the source text and the hash , that does not make it much easier to get the second half of the source .
You would still have to try all possible combinations .
The secret salt could be : example @ gmail.com124235rjcw475tvye example124235rjc @ w475tvyegmail.com e1x2a4m2p3l5er @ jgcmwa4i7l5.tcvoyme 124235rjcw475tvyemoc.liamg @ elpmaxe There are just too many possibilities .</tokentext>
<sentencetext>No, it would not be easy to reverse engineer the salt string.
Even if you know half of the source text and the hash, that does not make it much easier to get the second half of the source.
You would still have to try all possible combinations.
The secret salt could be: example@gmail.com124235rjcw475tvye example124235rjc@w475tvyegmail.com e1x2a4m2p3l5er@jgcmwa4i7l5.tcvoyme 124235rjcw475tvyemoc.liamg@elpmaxe There are just too many possibilities.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454296</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456206</id>
	<title>Re:Possible workaround</title>
	<author>Anonymous</author>
	<datestamp>1259673960000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Here's what sendmail has to say about "plussed users":</p><p><a href="http://www.sendmail.org/m4/misc_features.html" title="sendmail.org" rel="nofollow">http://www.sendmail.org/m4/misc_features.html</a> [sendmail.org]<br><a href="http://www.google.com/search?q=sendmail+plussed+users+site%3Abooks.google.com" title="google.com" rel="nofollow">http://www.google.com/search?q=sendmail+plussed+users+site%3Abooks.google.com</a> [google.com]</p></htmltext>
<tokenext>Here 's what sendmail has to say about " plussed users " : http : //www.sendmail.org/m4/misc_features.html [ sendmail.org ] http : //www.google.com/search ? q = sendmail + plussed + users + site % 3Abooks.google.com [ google.com ]</tokentext>
<sentencetext>Here's what sendmail has to say about "plussed users": http://www.sendmail.org/m4/misc_features.html [sendmail.org] http://www.google.com/search?q=sendmail+plussed+users+site%3Abooks.google.com [google.com]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454280</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454524</id>
	<title>easier than other methods?</title>
	<author>bcrowell</author>
	<datestamp>1260904740000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>But is this significantly easier than other methods of harvesting email addresses? Spammers already do dictionary attacks on big providers like yahoo. It's not clear to me that this method is a better way of generating a list of email addresses. If you carry out a dictionary attack on yahoo.com, you're going to come up with probably tens of millions of valid email addresses. If you carry out this attack on gravatar.com, how many addresses are you going to get for your trouble? 10% of gravatar's users, apparently -- which I'm guessing is not really that big a number. Remember, once a spammer has a botnet, it costs him zero to send out one more spam to test whether a particular address is valid. Therefore the dictionary attack is free.</p><p>
The defense against dictionary attacks is also exactly the same as the defense against this attack: either don't use a big email provider, or use a big email provider but pick a username that has a lot of characters (so it's not vulnerable to brute-forcing) and is also not vulnerable to dictionary attacks.
</p></htmltext>
<tokenext>But is this significantly easier than other methods of harvesting email addresses ?
Spammers already do dictionary attacks on big providers like yahoo .
It 's not clear to me that this method is a better way of generating a list of email addresses .
If you carry out a dictionary attack on yahoo.com , you 're going to come up with probably tens of millions of valid email addresses .
If you carry out this attack on gravatar.com , how many addresses are you going to get for your trouble ?
10 % of gravatar 's users , apparently -- which I 'm guessing is not really that big a number .
Remember , once a spammer has a botnet , it costs him zero to send out one more spam to test whether a particular address is valid .
Therefore the dictionary attack is free .
The defense against dictionary attacks is also exactly the same as the defense against this attack : either do n't use a big email provider , or use a big email provider but pick a username that has a lot of characters ( so it 's not vulnerable to brute-forcing ) and is also not vulnerable to dictionary attacks .</tokentext>
<sentencetext>But is this significantly easier than other methods of harvesting email addresses?
Spammers already do dictionary attacks on big providers like yahoo.
It's not clear to me that this method is a better way of generating a list of email addresses.
If you carry out a dictionary attack on yahoo.com, you're going to come up with probably tens of millions of valid email addresses.
If you carry out this attack on gravatar.com, how many addresses are you going to get for your trouble?
10% of gravatar's users, apparently -- which I'm guessing is not really that big a number.
Remember, once a spammer has a botnet, it costs him zero to send out one more spam to test whether a particular address is valid.
Therefore the dictionary attack is free.
The defense against dictionary attacks is also exactly the same as the defense against this attack: either don't use a big email provider, or use a big email provider but pick a username that has a lot of characters (so it's not vulnerable to brute-forcing) and is also not vulnerable to dictionary attacks.
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456476</id>
	<title>Re:Salt?</title>
	<author>molecular</author>
	<datestamp>1259676600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>I'm no expert in cryptography, but would it be helpful for them to add a <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" title="wikipedia.org" rel="nofollow">salt</a> [wikipedia.org]? (Unless they do that already, of course)</p></div><p>The salt would have to be secret, which would ruin the whole point of other sites being able to calculate the md5 and use the gravatar. Making it public wouldn't work, because it would then be known to the attacker.</p></div>
	</htmltext>
<tokenext>I 'm no expert in cryptography , but would it be helpful for them to add a salt [ wikipedia.org ] ?
( Unless they do that already , of course ) The salt would have to be secret , which would ruin the whole point of other sites being able to calculate the md5 and use the gravatar .
Making it public would n't work , because it would then be known to the attacker .</tokentext>
<sentencetext>I'm no expert in cryptography, but would it be helpful for them to add a salt [wikipedia.org]?
(Unless they do that already, of course) The salt would have to be secret, which would ruin the whole point of other sites being able to calculate the md5 and use the gravatar.
Making it public wouldn't work, because it would then be known to the attacker.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454278</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454500</id>
	<title>use email+whatever@domain.com</title>
	<author>topham</author>
	<datestamp>1260904320000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Use your email address with "+randomsequence"@</p><p>Randomsequence will have to be consistent between the user and the sites they want the gravatar to work at, but it will generate an MD5 hash different than their actual address; yet if the site sends email to the user with it the user will receive it.</p></htmltext>
<tokenext>Use your email address with " + randomsequence " @ Randomsequence will have to be consistent between the user and the sites they want the gravatar to work at , but it will generate an MD5 hash different than their actual address ; yet if the site sends email to the user with it the user will receive it .</tokentext>
<sentencetext>Use your email address with "+randomsequence"@ Randomsequence will have to be consistent between the user and the sites they want the gravatar to work at, but it will generate an MD5 hash different than their actual address; yet if the site sends email to the user with it the user will receive it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454402</id>
	<title>So?</title>
	<author>trapnest</author>
	<datestamp>1260903360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Maybe I am missing the point, but who cares?<br>I understand that there is this huge number of people that think that an email address is private information, but why?</p></htmltext>
<tokenext>Maybe I am missing the point , but who cares ? I understand that there is this huge number of people that think that an email address is private information , but why ?</tokentext>
<sentencetext>Maybe I am missing the point, but who cares? I understand that there is this huge number of people that think that an email address is private information, but why?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454290</id>
	<title>Re:No need</title>
	<author>Anonymous</author>
	<datestamp>1260902160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>But in order for other sites to use their service, and come up with the same hash, they'd have to make it not so secret.  What they need to do is hash it against a user providable string to use as a salt (including the option of nothing at all).  Then, all you have to do when signing up with a Gravatar enabled site is provide your email and your personal salt, which would be different for almost every user.</p></htmltext>
<tokenext>But in order for other sites to use their service , and come up with the same hash , they 'd have to make it not so secret .
What they need to do is hash it against a user providable string to use as a salt ( including the option of nothing at all ) .
Then , all you have to do when signing up with a Gravatar enabled site is provide your email and your personal salt , which would be different for almost every user .</tokentext>
<sentencetext>But in order for other sites to use their service, and come up with the same hash, they'd have to make it not so secret.
What they need to do is hash it against a user providable string to use as a salt (including the option of nothing at all).
Then, all you have to do when signing up with a Gravatar enabled site is provide your email and your personal salt, which would be different for almost every user.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30462668</id>
	<title>Not News</title>
	<author>GreyyGuy</author>
	<datestamp>1259701020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The important part of the trick is that you have to assume the email address is the same as the username and then compare the hashes of that name @yahoo.com, @hotmail.com, @gmail.com, and other popular email services. Because people that use those webmail addresses have never received spam before.</p><p>If any spammer did try this, I would expect them to be very pissed off to discover that after all that work they already had 99% or more of those addresses to begin with.</p></htmltext>
<tokenext>The important part of the trick is that you have to assume the email address is the same as the username and then compare the hashes of that name @ yahoo.com , @ hotmail.com , @ gmail.com , and other popular email services .
Because people that use those webmail addresses have never received spam before . If any spammer did try this , I would expect them to be very pissed off to discover that after all that work they already had 99 % or more of those addresses to begin with .</tokentext>
<sentencetext>The important part of the trick is that you have to assume the email address is the same as the username and then compare the hashes of that name @yahoo.com, @hotmail.com, @gmail.com, and other popular email services.
Because people that use those webmail addresses have never received spam before. If any spammer did try this, I would expect them to be very pissed off to discover that after all that work they already had 99% or more of those addresses to begin with.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455130</id>
	<title>Re:At first glance...</title>
	<author>Anonymous</author>
	<datestamp>1259662800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I was certain that Gravatar was a character from the Hitchhiker's Guide to the Galaxy.</p></htmltext>
<tokenext>I was certain that Gravatar was a character from the Hitchhiker 's Guide to the Galaxy .</tokentext>
<sentencetext>I was certain that Gravatar was a character from the Hitchhiker's Guide to the Galaxy.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460</id>
	<title>e9af4cb49c97162d6be3ea8c6ca90a46</title>
	<author>iSzabo</author>
	<datestamp>1260903840000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>I actually *just* (20 minutes ago) put my picture up there. Can you guess my email<nobr> <wbr></nobr>;)</p></htmltext>
<tokenext>I actually * just * ( 20 minutes ago ) put my picture up there .
Can you guess my email ; )</tokentext>
<sentencetext>I actually *just* (20 minutes ago) put my picture up there.
Can you guess my email ;)</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455146
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454290
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454392
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454328
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454254
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456476
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454278
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458598
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30457174
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455122
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454302
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454384
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454254
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456348
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454394
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455720
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455232
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454656
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455168
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455074
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454688
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456034
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455278
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455856
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454998
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454374
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456242
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455816
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455752
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456524
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454406
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454802
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454508
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456246
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454682
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30459862
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454618
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456076
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454296
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456206
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454280
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455130
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455594
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454462
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454310
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454444
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_15_2352218_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454996
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454382
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454278
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456476
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454270
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455168
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454394
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458598
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454310
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454462
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454302
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454406
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456524
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454330
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454374
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454688
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455130
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454656
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455232
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454618
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30459862
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454460
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454584
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454996
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455074
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30458570
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30457174
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454282
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454444
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454802
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454392
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454280
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456206
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454840
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455388
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454218
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454268
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454508
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454540
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455856
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456348
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455122
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454254
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454384
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454328
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455816
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454682
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454244
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454366
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456034
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456242
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454644
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456246
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454872
-----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455278
-----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455594
-----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455752
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454998
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454246
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454290
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455146
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30455720
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454296
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30456076
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_15_2352218.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_15_2352218.30454204
</commentlist>
</conversation>
