[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <246045308-1111271352-cardhu_blackberry.rim.net-7997-@engine144>
From: jasonc at science.org (Jason Coombs)
Subject: Re: choice-point screw-up and secure hashes
Atom Smasher wrote:
> tell ya what... here's my SSN
> hashed with a salt:
>
> e36c98b34d5ba979fb0bf0c64dc7b3
> a66c9ce841437d6460390e63808
> 10f1440
>
> as soon as you recover my SSN,
> just let me know.
A fine challenge. Give us access to your hashing machine, or at least hash the following SSN for us using the salt that you've selected for yours and your SSN will be on full-disclosure in the not-too-distant future.
123-45-6789
Your implication that the person who intercepts a hard drive filled with ?secure hashes? will not also have some reference point for decoding the hashes is just wrong.
Before I make off with your hard drive, I'm going to try very hard to add some known SSNs to the database using your own hashing machine (which presumably I won't be able to own outright, such that I could discover your salting algorithm directly).
I'm expecting you to salt the input SSN only, not use a keyed hash algorithm. Don't change the rules of the game in the middle of play... Your proposed scenario didn't mention the use of a keyed hash algorithm, so no fair using one after you salt my SSN.
Your original message was complicated enough that I am pretty sure you weren't suggesting that companies should encrypt the information they store in databases. That would have taken too few words to recommend, and if it's that easy to solve the underlying problem, who will hire you?
Cheers,
Jason Coombs
jasonc@...ence.org
-----Original Message-----
From: Atom Smasher <atom@...sher.org>
Date: Sat, 19 Mar 2005 13:34:53
To:Jason Coombs <jasonc@...ence.org>
Cc:Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: choice-point screw-up and secure hashes
tell ya what... here's my SSN hashed with a salt:
e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440
as soon as you recover my SSN, just let me know.
btw, if an information clearing house discloses my phone number, DOB,
address, name, or ANYTHING about me (even to confirm whether or not i
exist) in a way that is not authorized by law, their security has been
compromised.
what i've outlined is NOT intended to be a substitute for best practices,
due diligence, security (network, physical, personnel, etc) and common
sense. it will however add a cushion for inevitable screw ups.
On Sat, 19 Mar 2005, Jason Coombs wrote:
> Good job! You've reduced by 99% the number of people who understand that
> the SSN is still being stored as plaintext in the database.
>
> This should result in 100% efficacy for defense against lawsuits and
> other complex liability that would otherwise arise out of pure neglect
> and incompetency.
>
> I suspect that CA1386 could be circumvented entirely if companies would
> just follow your advice. Why should anyone notify anyone else of a theft
> involving a bunch of ?secure hashes? ... After all, they're not SSN's
> any longer, and thus can't be considered personal confidential
> information.
>
> Here's a general rule for everyone to follow:
>
> obscurity = 0;
> while(!obscurity) {obscurity += salt;}
> ...
> if(security_incident && obscurity) {ignore_danger = true;}
> ...
> if(neglect + incompetency + obscurity == best_practices) {security_business_profits += google;}
--
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The limitation of riots, moral questions aside, is that
they cannot win and their participants know it. Hence,
rioting is not revolutionary but reactionary because it
invites defeat. It involves an emotional catharsis, but
it must be followed by a sense of futility."
-- Martin Luther King, Jr.
Powered by blists - more mailing lists