Message-ID: <20050319183155.42870.qmail@smasher.org>
From: atom at smasher.org (Atom Smasher)
Subject: Re: choice-point screw-up and secure hashes
tell ya what... here's my SSN hashed with a salt:
e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440
as soon as you recover my SSN, just let me know.
btw, if an information clearing house discloses my phone number, DOB,
address, name, or ANYTHING about me (even to confirm whether or not i
exist) in a way that is not authorized by law, their security has been
compromised.
what i've outlined is NOT intended to be a substitute for best practices,
due diligence, security (network, physical, personnel, etc) and common
sense. it will however add a cushion for inevitable screw ups.
On Sat, 19 Mar 2005, Jason Coombs wrote:
> Good job! You've reduced by 99% the number of people who understand that
> the SSN is still being stored as plaintext in the database.
>
> This should result in 100% efficacy for defense against lawsuits and
> other complex liability that would otherwise arise out of pure neglect
> and incompetency.
>
> I suspect that CA1386 could be circumvented entirely if companies would
> just follow your advice. Why should anyone notify anyone else of a theft
> involving a bunch of "secure hashes" ... After all, they're not SSN's
> any longer, and thus can't be considered personal confidential
> information.
>
> Here's a general rule for everyone to follow:
>
> obscurity = 0;
> while(!obscurity) {obscurity += salt;}
> ...
> if(security_incident && obscurity) {ignore_danger = true;}
> ...
> if(neglect + incompetency + obscurity == best_practices) {security_business_profits += google;}
--
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The limitation of riots, moral questions aside, is that
they cannot win and their participants know it. Hence,
rioting is not revolutionary but reactionary because it
invites defeat. It involves an emotional catharsis, but
it must be followed by a sense of futility."
-- Martin Luther King, Jr.
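The exchange above turns on one arithmetic fact: a nine-digit SSN has at most log2(10^9), roughly 30 bits, of entropy, so an unkeyed salted hash whose salt sits next to it in the database only hides the value from a casual reader, not from anyone willing to enumerate a billion candidates. The Python below is an added illustration and is not code from either poster; it assumes the hash in the post is SHA-256 over salt||SSN (the post does not say which construction was used), and the SSN and salt it uses are constructed sample values. It measures the local hash rate to estimate how long exhausting the space would take, and contrasts the salted hash with a keyed HMAC whose key is kept outside the database, which is the usual mitigation for pseudonymising low-entropy identifiers.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed sample value for illustration only; not a real SSN.
SAMPLE_SSN = "123-45-6789"
SSN_SPACE = 10 ** 9  # nine decimal digits


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' hash identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def salted_hash(ssn: str, salt: bytes) -> str:
    """Unkeyed salted SHA-256 over salt||SSN (assumed construction).

    The salt must be stored beside the hash so lookups still work, which is
    exactly why it adds nothing against someone who has read the database.
    """
    return hashlib.sha256(salt + normalize_ssn(ssn).encode()).hexdigest()


def keyspace_bits() -> float:
    """Entropy ceiling of a nine-digit SSN: log2(10**9), just under 30 bits."""
    return math.log2(SSN_SPACE)


def seconds_to_exhaust(hashes_per_second: float) -> float:
    """Worst-case time to try every nine-digit string at the given rate."""
    return SSN_SPACE / hashes_per_second


def measure_hash_rate(salt: bytes, samples: int = 20000) -> float:
    """Time `samples` salted SHA-256 computations and return hashes per second.

    This is only a rate measurement on synthetic candidates; it does not
    compare anything against a stored hash.
    """
    start = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(salt + f"{i:09d}".encode()).digest()
    elapsed = time.perf_counter() - start
    return samples / elapsed


def keyed_pseudonym(ssn: str, key: bytes) -> str:
    """Mitigation: HMAC-SHA256 under a secret key held outside the database.

    With the key in an HSM, KMS or separate secrets store, a dump of the
    table alone gives no way to enumerate the 10**9 candidates against it.
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key = secrets.token_bytes(32)  # in practice: fetched from a KMS, never stored with the data
    print("salted hash :", salted_hash(SAMPLE_SSN, salt))
    print("keyed HMAC  :", keyed_pseudonym(SAMPLE_SSN, key))
    print(f"SSN entropy ceiling: {keyspace_bits():.1f} bits")
    rate = measure_hash_rate(salt)
    print(f"single-core Python SHA-256 rate: {rate:,.0f}/s")
    print(f"time to exhaust all SSNs at that rate: {seconds_to_exhaust(rate) / 3600:.1f} h")
```

The rate measurement deliberately uses plain Python so the estimate is pessimistic for the defender; the point is that even a slow single core reaches the whole space in hours, and the salt changes nothing about that because it is stored in the clear. A keyed HMAC moves the secret out of the compromised data set, and rotating or escrowing that key is then an ordinary key-management problem rather than a hashing problem.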