[Full-disclosure] Re: choice-point screw-up and secure hashes
- To: "Atom Smasher" <atom@xxxxxxxxxxx>
- Subject: [Full-disclosure] Re: choice-point screw-up and secure hashes
- From: "Jason Coombs" <jasonc@xxxxxxxxxxx>
- Date: Sat, 19 Mar 2005 23:16:18 +0000 GMT
> i've been referring to a social
> engineering attack where people
> SIGNED UP FOR ACCOUNTS and got
> the info because they were paying
> customers and they asked for it!
The whole choicepoint behind the business model is to sell the SSNs to
customers... If you choosepoint to defeat your own business model by
choicepointing your customers to secure hashes rather than the SSNs they're
really interested in acquiring, then your customers will choosepoint your
competition instead, and the endpoint of your business strategy will be
bankruptcy.
Suppose legislation existed to require all SSNs to be stored in hashed form,
and encrypted while in transit. This way, your customers would be required to
preserve the hashes and never cross-reference your data set with a data set
that contains raw SSNs.
What does “in transit” mean? What does “stored” mean? What does “hashed” mean?
Look at digital signature legislation. Even in countries that have tried to
spell out required algorithms, the legislation still fails to force people to
do things “right” by geek standards.
It's hopeless. Give up now, before anyone else gets hurt. You're not going to
make things better by scraping some income for yourself off the topline revenue
for helping your employer pretend that what they're doing is “okay”.
Sincerely,
Jason Coombs
jasonc@xxxxxxxxxxx
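The cross-referencing concern in the post can be shown concretely. The following is an added example, not code from Jason Coombs or from the mailing list: it builds a constructed, invented-SSN data set, "stores" the SSNs as unkeyed SHA-256 digests the way the hypothetical legislation would require, and shows that anyone holding a raw-SSN data set recovers the identities by hashing their own side and joining on the digest. It then shows the same join failing when the holder uses an HMAC under a key the customer does not have (the `publish_hashed`, `cross_reference` and the key value are this example's own names and assumptions).

```python
import hashlib
import hmac

# Constructed sample data: a third party's data set that holds raw SSNs.
# Every SSN here is invented for this example and identifies nobody.
RAW_SSN_DATASET = {
    "123-45-6789": "Alice Example",
    "987-65-4321": "Bob Example",
    "555-12-3456": "Carol Example",
}

# Assumed: the secret the data holder keeps and never ships to customers.
HOLDER_KEY = b"example-holder-secret-not-shipped"


def sha256_hex(value: str) -> str:
    """Unkeyed digest: anyone can recompute it from the raw value."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_hex(key: bytes, value: str) -> str:
    """Keyed digest: recomputing it requires the holder's key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def publish_hashed(ssns, key=None):
    """What the data holder ships instead of raw SSNs.

    With key=None this is the plain 'store it hashed' reading of the
    hypothetical law; with a key it is an HMAC the customer cannot reproduce.
    """
    if key is None:
        return [sha256_hex(s) for s in ssns]
    return [hmac_hex(key, s) for s in ssns]


def cross_reference(hashed_records, raw_dataset, key=None):
    """Join shipped digests against a raw-SSN data set.

    The joining party hashes its own raw SSNs the same way and looks for
    matches; it returns {digest: (ssn, name)} for every record it resolved.
    """
    lookup = {}
    for ssn, name in raw_dataset.items():
        digest = sha256_hex(ssn) if key is None else hmac_hex(key, ssn)
        lookup[digest] = (ssn, name)
    return {h: lookup[h] for h in hashed_records if h in lookup}


def demo():
    shipped_ssns = ["123-45-6789", "555-12-3456"]

    # Unkeyed: the customer resolves every record it has raw SSNs for.
    unkeyed = publish_hashed(shipped_ssns)
    resolved_unkeyed = cross_reference(unkeyed, RAW_SSN_DATASET)

    # Keyed: the customer, lacking HOLDER_KEY, hashes its raw SSNs unkeyed
    # (or with any guess) and resolves nothing.
    keyed = publish_hashed(shipped_ssns, key=HOLDER_KEY)
    resolved_keyed = cross_reference(keyed, RAW_SSN_DATASET)

    return len(resolved_unkeyed), len(resolved_keyed)


if __name__ == "__main__":
    print("resolved (unkeyed, keyed):", demo())
```

The point for a defender is that "hashed" on its own says nothing: an unkeyed digest of a value drawn from a small, enumerable space (SSNs are nine decimal digits) is a stable pseudonym that any party with raw values can link back, so the join above is cheap. A keyed construction moves the protection onto the key, which only helps if the key really stays with the data holder and is never handed to the customers the post describes.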
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/