Message-ID: <20050320000838.13065.qmail@smasher.org>
From: atom at smasher.org (Atom Smasher)
Subject: Re: choice-point screw-up and secure hashes

On Sat, 19 Mar 2005, Jason Coombs wrote:

>> i've been referring to a social engineering attack where people SIGNED 
>> UP FOR ACCOUNTS and got the info because they were paying customers and 
>> they asked for it!
>
> The whole choicepoint behind the business model is to sell the SSNs to 
> customers... If you choosepoint to defeat your own business model by 
> choicepointing your customers to secure hashes rather than the SSNs 
> they're really interested in acquiring, then your customers will 
> choosepoint your competition instead, and the endpoint of your business 
> strategy will be bankruptcy.
===============

the whole point of their operation, as i understand it, is to verify and 
sell data. some of their customers have a legitimate need for buying SSNs, 
some don't. among those who don't there may be a legitimate need to VERIFY 
SSNs. by grouping customers by their legitimate needs and screening them 
accordingly this could have been avoided.


> Suppose legislation existed to require all SSNs to be stored in hashed 
> form, and encrypted while in transit. This way, your customers would be 
> required to preserve the hashes and never cross-reference your data set 
> with a data set that contains raw SSNs.
===================

requiring encryption of transported data, regardless of media, IS a good 
idea. requiring that all SSNs be hashed is NOT what i'm advocating... i am 
advocating it for situations where it would not cause any significant 
overhead. a lot of real-world applications would work just as well with 
hashed SSNs.


> What does "in transit" mean? What does "stored" mean? What does "hashed" 
> mean? Look at digital signature legislation. Even in countries that have 
> tried to spell out required algorithms, the legislation still fails to 
> force people to do things "right" by geek standards.
=====================

whoever said that the legislature could get it right? not me... it would 
be great if they could do it, but i'm not holding my breath. i think a 
better model involves civil liability. if a company can be sued for a 
security leak, they'll take steps to avoid it. of course, any big company 
will carry insurance to pay everyone off, but the insurance companies 
would require that standards are maintained. so, in the end, it's the 
mighty dollar that could keep everyone in line. far from perfect, but in 
many respects better than waiting for congress-critters to figure out the 
difference between a hash and a hard drive.


> It's hopeless. Give up now, before anyone else gets hurt. You're not 
> going to make things better by scraping some income for yourself off the 
> topline revenue for helping your employer pretend that what they're 
> doing is "okay".
===============

it's pretty bad, but it's not hopeless... the only way to make it better 
is to challenge it. telling anyone that what they're doing is OK is rarely 
part of my day.


-- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

  "To invent, you need a good imagination and a pile of junk."
    -- Thomas Edison
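The "verify, don't disclose" model discussed above, as an added example that is not part of the original message: a data holder keeps only a keyed hash (HMAC-SHA256, an assumption; the post names no algorithm) of each SSN and can confirm a candidate matches without ever storing or shipping the raw number. The key, sample SSN and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import re


def normalize_ssn(ssn: str) -> str:
    """Strip dashes and spaces; require exactly nine digits so that
    "123-45-6789" and "123 45 6789" hash to the same token."""
    digits = re.sub(r"[^0-9]", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed hash of a normalized SSN.

    The SSN space is under 10^9 values, so an unkeyed hash could be
    matched against a precomputed table of every possible number. A
    secret key held only by the verifier means the stored token is
    useless to anyone who obtains the token set without the key.
    """
    msg = normalize_ssn(ssn).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_ssn(candidate: str, stored_token: str, key: bytes) -> bool:
    """Return True if `candidate` matches the stored token.

    Malformed input is a plain mismatch, and the comparison is
    constant-time so timing does not leak how many hex digits matched.
    """
    try:
        token = ssn_token(candidate, key)
    except ValueError:
        return False
    return hmac.compare_digest(token, stored_token)


# Constructed demo values; a real deployment would load the key from a
# secrets store and the tokens from the verification database.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_SSN = "123-45-6789"  # constructed, not a real person's number
STORED_TOKEN = ssn_token(SAMPLE_SSN, DEMO_KEY)

if __name__ == "__main__":
    print("match:", verify_ssn("123 45 6789", STORED_TOKEN, DEMO_KEY))
    print("mismatch:", verify_ssn("123-45-6788", STORED_TOKEN, DEMO_KEY))
```

Only the token and the key ever need to exist on the verifier's side; a customer who only needs to confirm an SSN can be handed the token set without being handed the SSNs.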
