Cargo cult security – how not to use hashing
Sometimes, I still get surprised by the lack of thought behind some software systems that have made it to production. This time, I stumbled over a 2 year old reddit thread about the Swedish city Västerås using WiFi to track the movements of people, storing hashes of their smartphone MAC addresses, in the rather naive misbelief that hashing would render people anonymity. That leads me to a subset of the subject of cargo cult programming: cargo cult security.
In short, cargo cult programming means that you use a chunk of code because you more or less know what is does, but have no idea of how it works. That means you can’t modify the code, and you probably also unknowingly include redundant code.
In my example of cargo cult security, the developers in question used hashing as a means to anonymize users. From a cargo cult perspective, hashing works well for storing passwords, so if it’s used for a completely different application it should work there too, right? No, actually quite wrong.