lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1752314207-1111274285-cardhu_blackberry.rim.net-13374-@engine111>
From: jasonc at science.org (Jason Coombs)
Subject: Re: choice-point screw-up and secure hashes

> i've been referring to a social
> engineering attack where people
> SIGNED UP FOR ACCOUNTS and got
> the info because they were paying
> customers and they asked for it!

The whole choicepoint behind the business model is to sell the SSNs to customers... If you choosepoint to defeat your own business model by choicepointing your customers to secure hashes rather than the SSNs they're really interested in acquiring, then your customers will choosepoint your competition instead, and the endpoint of your business strategy will be bankruptcy.

Suppose legislation existed to require all SSNs to be stored in hashed form, and encrypted while in transit. This way, your customers would be required to preserve the hashes and never cross-reference your data set with a data set that contains raw SSNs.

What does ?in transit? mean? What does ?stored? mean? What does ?hashed? mean? Look at digital signature legislation. Even in countries that have tried to spell out required algorithms, the legislation still fails to force people to do things ?right? by geek standards.

It's hopeless. Give up now, before anyone else gets hurt. You're not going to make things better by scraping some income for yourself off the topline revenue for helping your employer pretend that what they're doing is ?okay?.

Sincerely,

Jason Coombs
jasonc@...ence.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ