Re: choice-point screw-up and secure hashes

["Jason Coombs" <jasonc () science org>]

Atom Smasher wrote:
> tell ya what... here's my SSN
> hashed with a salt:
>
> e36c98b34d5ba979fb0bf0c64dc7b3
> a66c9ce841437d6460390e63808
> 10f1440
>
> as soon as you recover my SSN,
> just let me know.

A fine challenge. Give us access to your hashing machine, or at least hash the following SSN for us using the salt that 
you've selected for yours and your SSN will be on full-disclosure in the not-too-distant future.

123-45-6789

Your implication that the person who intercepts a hard drive filled with “secure hashes” will not also have some 
reference point for decoding the hashes is just wrong.

Before I make off with your hard drive, I'm going to try very hard to add some known SSNs to the database using your 
own hashing machine (which presumably I won't be able to own outright, such that I could discover your salting 
algorithm directly).

I'm expecting you to salt the input SSN only, not use a keyed hash algorithm. Don't change the rules of the game in the 
middle of play... Your proposed scenario didn't mention the use of a keyed hash algorithm, so no fair using one after 
you salt my SSN.

Your original message was complicated enough that I am pretty sure you weren't suggesting that companies should encrypt 
the information they store in databases. That would have taken too few words to recommend, and if it's that easy to 
solve the underlying problem, who will hire you?

Cheers,

Jason Coombs
jasonc () science org


-----Original Message-----
From: Atom Smasher <atom () smasher org>
Date: Sat, 19 Mar 2005 13:34:53 
To:Jason Coombs <jasonc () science org>
Cc:Full-Disclosure <full-disclosure () lists grok org uk>
Subject: Re: choice-point screw-up and secure hashes

tell ya what... here's my SSN hashed with a salt:
        e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440

as soon as you recover my SSN, just let me know.

btw, if an information clearing house discloses my phone number, DOB, 
address, name, or ANYTHING about me (even to confirm whether or not i 
exist) in a way that is not authorized by law, their security has been 
compromised.

what i've outlined is NOT intended to be a substitute for best practices, 
due diligence, security (network, physical, personnel, etc) and common 
sense. it will however add a cushion for inevitable screw ups.


On Sat, 19 Mar 2005, Jason Coombs wrote:

> Good job! You've reduced by 99% the number of people who understand that 
> the SSN is still being stored as plaintext in the database.
>
> This should result in 100% efficacy for defense against lawsuits and 
> other complex liability that would otherwise arise out of pure neglect 
> and incompetency.
>
> I suspect that CA1386 could be circumvented entirely if companies would 
> just follow your advice. Why should anyone notify anyone else of a theft 
> involving a bunch of “secure hashes” ... After all, they're not SSN's 
> any longer, and thus can't be considered personal confidential 
> information.
>
> Here's a general rule for everyone to follow:
>
> obscurity = 0;
> while(!obscurity) {obscurity += salt;}
> ...
> if(security_incident && obscurity) {ignore_danger = true;}
> ...
> if(neglect + incompetency + obscurity == best_practices) {security_business_profits += google;}


-- 
         ...atom

_________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

        "The limitation of riots, moral questions aside, is that
         they cannot win and their participants know it. Hence,
         rioting is not revolutionary but reactionary because it
         invites defeat. It involves an emotional catharsis, but
         it must be followed by a sense of futility."
                -- Martin Luther King, Jr.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/