Open Source and information security mailing list archives
From: jasonc at science.org (Jason Coombs)
Subject: Re: choice-point screw-up and secure hashes

> i've been referring to a social
> engineering attack where people
> SIGNED UP FOR ACCOUNTS and got
> the info because they were paying
> customers and they asked for it!

The whole choicepoint behind the business model is to sell the SSNs to customers... If you choosepoint to defeat your own business model by choicepointing your customers to secure hashes rather than the SSNs they're really interested in acquiring, then your customers will choosepoint your competition instead, and the endpoint of your business strategy will be bankruptcy.

Suppose legislation existed to require all SSNs to be stored in hashed form, and encrypted while in transit. This way, your customers would be required to preserve the hashes and never cross-reference your data set with a data set that contains raw SSNs.

What does "in transit" mean? What does "stored" mean? What does "hashed" mean? Look at digital signature legislation. Even in countries that have tried to spell out required algorithms, the legislation still fails to force people to do things "right" by geek standards.

It's hopeless. Give up now, before anyone else gets hurt. You're not going to make things better by scraping some income for yourself off the topline revenue for helping your employer pretend that what they're doing is "okay".

Sincerely,

Jason Coombs
jasonc@...ence.org
