Message-ID: <246045308-1111271352-cardhu_blackberry.rim.net-7997-@engine144>
From: jasonc at science.org (Jason Coombs)
Subject: Re: choice-point screw-up and secure hashes

Atom Smasher wrote:
> tell ya what... here's my SSN hashed with a salt:
>
> e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440
>
> as soon as you recover my SSN, just let me know.

A fine challenge. Give us access to your hashing machine, or at least hash the following SSN for us using the salt that you've selected for yours and your SSN will be on full-disclosure in the not-too-distant future.

123-45-6789

Your implication that the person who intercepts a hard drive filled with "secure hashes" will not also have some reference point for decoding the hashes is just wrong.

Before I make off with your hard drive, I'm going to try very hard to add some known SSNs to the database using your own hashing machine (which presumably I won't be able to own outright, such that I could discover your salting algorithm directly).

I'm expecting you to salt the input SSN only, not use a keyed hash algorithm. Don't change the rules of the game in the middle of play... Your proposed scenario didn't mention the use of a keyed hash algorithm, so no fair using one after you salt my SSN.

Your original message was complicated enough that I am pretty sure you weren't suggesting that companies should encrypt the information they store in databases. That would have taken too few words to recommend, and if it's that easy to solve the underlying problem, who will hire you?

Cheers,

Jason Coombs
jasonc@...ence.org


-----Original Message-----
From: Atom Smasher <atom@...sher.org>
Date: Sat, 19 Mar 2005 13:34:53
To: Jason Coombs <jasonc@...ence.org>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: choice-point screw-up and secure hashes

tell ya what... here's my SSN hashed with a salt:
e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440

as soon as you recover my SSN, just let me know.

btw, if an information clearing house discloses my phone number, DOB, 
address, name, or ANYTHING about me (even to confirm whether or not i 
exist) in a way that is not authorized by law, their security has been 
compromised.

what i've outlined is NOT intended to be a substitute for best practices, 
due diligence, security (network, physical, personnel, etc) and common 
sense. it will however add a cushion for inevitable screw ups.


On Sat, 19 Mar 2005, Jason Coombs wrote:

> Good job! You've reduced by 99% the number of people who understand that 
> the SSN is still being stored as plaintext in the database.
>
> This should result in 100% efficacy for defense against lawsuits and 
> other complex liability that would otherwise arise out of pure neglect 
> and incompetency.
>
> I suspect that CA1386 could be circumvented entirely if companies would 
> just follow your advice. Why should anyone notify anyone else of a theft 
> involving a bunch of "secure hashes" ... After all, they're not SSN's 
> any longer, and thus can't be considered personal confidential 
> information.
>
> Here's a general rule for everyone to follow:
>
> obscurity = 0;
> while(!obscurity) {obscurity += salt;}
> ...
> if(security_incident && obscurity) {ignore_danger = true;}
> ...
> if(neglect + incompetency + obscurity == best_practices) {security_business_profits += google;}


-- 
         ...atom

_________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"The limitation of riots, moral questions aside, is that
 	 they cannot win and their participants know it. Hence,
 	 rioting is not revolutionary but reactionary because it
 	 invites defeat. It involves an emotional catharsis, but
 	 it must be followed by a sense of futility."
 		-- Martin Luther King, Jr.
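The exchange above turns on one point: an SSN has at most 10^9 possible values, so a salted hash of it hides nothing once the salt is in the attacker's hands (it sits in the same stolen table), and a keyed hash only helps while the key, and the machine that applies it, stay out of reach. The following added example is not code from either poster; it models the two schemes and the two attacker positions Coombs describes (drive stolen offline, and inputs fed through the live hashing machine). The salt, key and prefix-restricted search are constructed for the illustration; the 10^9 figure is the full nine-digit space.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed illustration of the thread's argument; not either poster's code.
# Salt, key and the sample SSN are made up (the SSN is the one quoted above).

SSN_SPACE = 10 ** 9  # nine decimal digits: the whole input space a digest has to hide


def salted_hash(ssn: str, salt: bytes) -> str:
    """Scheme under discussion: SHA-256(salt || SSN). The salt is stored in the
    database beside the digest, so whoever takes the drive also takes the salt."""
    return hashlib.sha256(salt + ssn.encode()).hexdigest()


def keyed_hash(ssn: str, key: bytes) -> str:
    """The alternative Coombs mentions: HMAC-SHA256 under a key kept out of the
    database (separate service or HSM). The stolen table alone gives nothing to test against."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def candidate_ssns(prefix: str) -> Iterable[str]:
    """All SSNs sharing a known five-digit area/group prefix: 10^4 values.
    The prefix only keeps the demo fast; the full 10^9 space is still tiny for an unkeyed hash."""
    for serial in range(10_000):
        yield f"{prefix[:3]}-{prefix[3:]}-{serial:04d}"


def recover_offline(digest: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Defender's check for the salted scheme: given only the stolen table
    (digest plus salt), does walking the candidate space recover the SSN?"""
    for ssn in candidates:
        if hmac.compare_digest(salted_hash(ssn, salt), digest):
            return ssn
    return None


def recover_via_oracle(digest: str, oracle: Callable[[str], str],
                       candidates: Iterable[str]) -> Optional[str]:
    """Coombs' second point: if known SSNs can be pushed through the live hashing
    machine, the machine applies the secret key for the attacker. 'oracle' stands
    in for that access, whatever the scheme behind it."""
    for ssn in candidates:
        if hmac.compare_digest(oracle(ssn), digest):
            return ssn
    return None


def run_demo(salt: bytes, key: bytes, ssn: str = "123-45-6789") -> dict:
    """Compare both schemes against the offline attacker and the oracle attacker."""
    prefix = ssn.replace("-", "")[:5]
    salted = salted_hash(ssn, salt)
    keyed = keyed_hash(ssn, key)
    return {
        # salted digest, table stolen: recovered by plain enumeration
        "salted_offline": recover_offline(salted, salt, candidate_ssns(prefix)),
        # keyed digest, table stolen but key not: the attacker has no function that
        # reproduces the digest, so enumerating with the unkeyed hash never matches
        "keyed_offline": recover_offline(keyed, salt, candidate_ssns(prefix)),
        # keyed digest, but the attacker can submit inputs to the live system: recovered
        "keyed_oracle": recover_via_oracle(keyed, lambda s: keyed_hash(s, key),
                                           candidate_ssns(prefix)),
    }


if __name__ == "__main__":
    print(run_demo(secrets.token_bytes(16), secrets.token_bytes(32)))
```

The design lesson the model makes concrete: a salt defends against precomputed tables across many records, not against a guessable input; for identifiers drawn from a small space the protection has to come from a secret (key) that the database does not hold, and from denying an attacker the ability to run chosen inputs through the system that holds it.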

