Message-ID: <200503200044.j2K0i2AD017217@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: choice-point screw-up and secure hashes 

On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said:

> the way i see it, some people bought personal info from choicepoint. if 
> that info contained hashed SSNs it would be just as valuable to a 
> LEGITIMATE user for verification purposes.

Explain why.  Remember that I'm sitting down at the bank applying for a loan,
and *I* have no idea what my SSN hashes to, and the bank has a vested interest
in getting back a report they can easily verify is The Right One - this means
that either the report back from ChoicePoint needs to contain a cleartext SSN
that the loan officer can verify, or the bank needs to be able to hash my SSN
and compare (ever eyeball-checked the MD5sum of a file you downloaded?  Now
imagine a non-techie doing that all day - it's significantly harder than using
eyeball compares for 2 sets of (3,2,4) digit numbers...)

And it has to have one of the 3 following characteristics:
1) It has to work over a fax machine, because that's what the competing companies
have as the entry level technology.
2) It has to provide *such* additional benefit *to the subscriber* to make them
pay for an essentially one-use piece of hardware.  The fax machine they can use
for all their fax needs, a specialized hardware for connecting to your database
is probably not going to be a win.
3) You have to be willing to pay for the hardware for your subscribers.

Remember - the people who are going to end up paying for the security aren't the
people who care about the security - which will tend to limit your security budget.
