lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080904002313.F473.5922242B@shaunc.com>
Date: Thu, 04 Sep 2008 00:47:03 -0500
From: Shaun <shaun@...unc.com>
To: "Samuel Beckett" <beckett.samuel@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Hardcoded Keys

On Wed, 3 Sep 2008 16:31:25 +0700
"Samuel Beckett" <beckett.samuel@...il.com> wrote:

> What would be the the worst case if you implement the following scenario for
> a credit card transaction:
[..snip..]
> After the successful credit card transaction, certain credit card details
> are then encrypted and stored within the database.

There is your worst case. Game over.

You process my transaction, you are done with my certain credit card
details the moment you get an auth or nack from your gateway. You as a
vendor should never see my credit card number to start with. You should
be passing my transaction to an originating bank. Alas, we know this
rarely happens.

So I grant the fact that you, the vendor, see (even if only briefly) my
credit card number. If you're hanging onto that in an "encrypted" format,
either you're doing so because you can also decrypt it later - in which
case, anyone else who gets ahold of your database can also decrypt it
later - or you're doing it for no reason at all. Both of these are bogus
justifications.

Yes, it's handy to be able to login to your site 6 months from now and
buy something else without re-entering my credit card. No, as far as I'm
concerned, it's not worth saving 16 keystrokes for you to keep my shit
on file and have it go walking off on someone's laptop 2 years after I
did a single transaction with your business.

If I give you my credit card number, it is for one single transaction in
the here and now. If you want to store my credit card number, you do it
at the risk of showing up in the media in a few months, ala TJX, as some
bunch of incompetent assholes who couldn't keep my shit safe. 

Come to think of it, that happens just about every week and there never
seem to be any consequences, at least not here in the USA. Maybe we
should go into business together.

-s

/old school idiot

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ