[Full-disclosure] Re: choice-point screw-up and secure hashes

From: Atom Smasher (atom_at_smasher.org)
Date: 03/20/05

    Date: Sat, 19 Mar 2005 19:11:39 -0500 (EST)
    To: Jason Coombs <jasonc@science.org>

    On Sat, 19 Mar 2005, Jason Coombs wrote:

    >> i've been referring to a social engineering attack where people SIGNED
    >> UP FOR ACCOUNTS and got the info because they were paying customers and
    >> they asked for it!
    >
    > The whole choicepoint behind the business model is to sell the SSNs to
    > customers... If you choosepoint to defeat your own business model by
    > choicepointing your customers to secure hashes rather than the SSNs
    > they're really interested in acquiring, then your customers will
    > choosepoint your competition instead, and the endpoint of your business
    > strategy will be bankruptcy.
    ===============

    the whole point of their operation, as i understand it, is to verify and
    sell data. some of their customers have a legitimate need for buying SSNs,
    some don't. among those who don't there may be a legitimate need to VERIFY
    SSNs. by grouping customers by their legitimate needs and screening them
    accordingly this could have been avoided.

    > Suppose legislation existed to require all SSNs to be stored in hashed
    > form, and encrypted while in transit. This way, your customers would be
    > required to preserve the hashes and never cross-reference your data set
    > with a data set that contains raw SSNs.
    ===================

    requiring encryption of transported data, regardless of media, IS a good
    idea. requiring that all SSNs be hashed is NOT what i'm advocating... i am
    advocating it for situations where it would not cause any significant
    overhead. a lot of real-world applications would work just as well with
    hashed SSNs.

    > What does “in transit” mean? What does “stored” mean? What does “hashed”
    > mean? Look at digital signature legislation. Even in countries that have
    > tried to spell out required algorithms, the legislation still fails to
    > force people to do things “right” by geek standards.
    =====================

    who ever said that the legislature could get it right? not me... it would
    be great if they could do it, but i'm not holding my breath. i think a
    better model involves civil liability. if a company can be sued for a
    security leak, they'll take steps to avoid it. of course, any big company
    will carry insurance to pay everyone off, but the insurance companies
    would require that standards are maintained. so, in the end, it's the
    mighty dollar that could keep everyone in line. far from perfect, but in
    many respects better than waiting for congress-critters to figure out the
    difference between a hash and a hard drive.

    > It's hopeless. Give up now, before anyone else gets hurt. You're not
    > going to make things better by scraping some income for yourself off the
    > topline revenue for helping your employer pretend that what they're
    > doing is “okay”.
    ===============

    it's pretty bad, but it's not hopeless... the only way to make it better
    is to challenge it. telling anyone that what they're doing is OK is rarely
    part of my day.

    -- 
             ...atom
      _________________________________________
      PGP key - http://atom.smasher.org/pgp.txt
      762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
      -------------------------------------------------
     	"To invent, you need a good imagination and a pile of junk."
     		-- Thomas Edison

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
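As an added illustration of the verify-but-don't-disclose model argued for in this message (example code written for this page, not from the thread): a verifier that keeps only keyed hashes of SSNs and answers match/no-match. It goes beyond the message in one respect: it uses an HMAC with a secret key per data holder, because the nine-digit SSN space is small enough that bare hashes could be tabulated, and distinct keys also keep one holder's tokens from being cross-referenced against another's. The record ids, key bytes and SSN value are constructed.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

_NINE_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(ssn: str) -> str:
    """Strip dashes/spaces and require exactly nine digits."""
    digits = re.sub(r"[\s-]", "", ssn)
    if not _NINE_DIGITS.match(digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalized SSN.

    A keyed hash is used instead of a bare SHA-256: there are only about
    10^9 possible SSNs, so an unkeyed hash table could be precomputed
    cheaply, which would defeat the purpose of storing hashes at all.
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


class SsnVerifier:
    """Holds tokens only and answers 'does this SSN match record X?'."""

    def __init__(self, key: bytes):
        self.key = key                      # secret held by this data holder only
        self._tokens: Dict[str, str] = {}   # record id -> token (never the SSN)

    def enroll(self, record_id: str, ssn: str) -> None:
        self._tokens[record_id] = ssn_token(ssn, self.key)

    def verify(self, record_id: str, candidate: str) -> bool:
        stored: Optional[str] = self._tokens.get(record_id)
        if stored is None:
            return False
        try:
            probe = ssn_token(candidate, self.key)
        except ValueError:          # malformed input is simply a non-match
            return False
        return hmac.compare_digest(stored, probe)   # constant-time compare
```

A customer that only needs to confirm "is this the SSN on file for record X?" gets a yes/no answer and never receives the raw number, which is the split between verifying and selling that the message describes.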
