lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050319183155.42870.qmail@smasher.org>
From: atom at smasher.org (Atom Smasher)
Subject: Re: choice-point screw-up and secure hashes

tell ya what... here's my SSN hashed with a salt:
 	e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440

as soon as you recover my SSN, just let me know.

btw, if an information clearing house discloses my phone number, DOB, 
address, name, or ANYTHING about me (even to confirm whether or not i 
exist) in a way that is not authorized by law, their security has been 
compromised.

what i've outlined is NOT intended to be a substitute for best practices, 
due diligence, security (network, physical, personnel, etc) and common 
sense. it will however add a cushion for inevitable screw ups.


On Sat, 19 Mar 2005, Jason Coombs wrote:

> Good job! You've reduced by 99% the number of people who understand that 
> the SSN is still being stored as plaintext in the database.
>
> This should result in 100% efficacy for defense against lawsuits and 
> other complex liability that would otherwise arise out of pure neglect 
> and incompetency.
>
> I suspect that CA1386 could be circumvented entirely if companies would 
> just follow your advice. Why should anyone notify anyone else of a theft 
> involving a bunch of ?secure hashes? ... After all, they're not SSN's 
> any longer, and thus can't be considered personal confidential 
> information.
>
> Here's a general rule for everyone to follow:
>
> obscurity = 0;
> while(!obscurity) {obscurity += salt;}
> ...
> if(security_incident && obscurity) {ignore_danger = true;}
> ...
> if(neglect + incompetency + obscurity == best_practices) {security_business_profits += google;}


-- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"The limitation of riots, moral questions aside, is that
 	 they cannot win and their participants know it. Hence,
 	 rioting is not revolutionary but reactionary because it
 	 invites defeat. It involves an emotional catharsis, but
 	 it must be followed by a sense of futility."
 		-- Martin Luther King, Jr.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ