Full Disclosure mailing list archives

Re: choice-point screw-up and secure hashes


From: "Jason Coombs" <jasonc () science org>
Date: Sat, 19 Mar 2005 23:16:18 +0000 GMT

> I've been referring to a social engineering attack where people SIGNED UP FOR ACCOUNTS and got the info because they were paying customers and they asked for it!

The whole choicepoint behind the business model is to sell the SSNs to customers... If you choosepoint to defeat your 
own business model by choicepointing your customers to secure hashes rather than the SSNs they're really interested in 
acquiring, then your customers will choosepoint your competition instead, and the endpoint of your business strategy 
will be bankruptcy.

Suppose legislation existed to require all SSNs to be stored in hashed form, and encrypted while in transit. This way, 
your customers would be required to preserve the hashes and never cross-reference your data set with a data set that 
contains raw SSNs.

What does “in transit” mean? What does “stored” mean? What does “hashed” mean? Look at digital signature legislation. 
Even in countries that have tried to spell out required algorithms, the legislation still fails to force people to do 
things “right” by geek standards.

It's hopeless. Give up now, before anyone else gets hurt. You're not going to make things better by scraping some 
income for yourself off the topline revenue for helping your employer pretend that what they're doing is “okay”.

Sincerely,

Jason Coombs
jasonc () science org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
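The cross-referencing the post describes, as an added example that is not part of the original message or the thread: a broker hands out SHA-256 hashes of SSNs, and a customer who already holds raw SSNs from another source joins against them with one hash per SSN; with no side data at all, the nine-digit space is only 10**9 candidates and can be exhausted. All SSNs, names and the key below are constructed sample values. The HMAC variant at the end is my own illustration of what a keyed hash would change (the join fails, but so does every lookup by a customer without the key), not something the post proposes.

```python
"""
Added example, not code from the original post.  Shows why an unkeyed hash
of an SSN is no barrier to anyone holding raw SSNs, and why a keyed hash
that does block the join also blocks the customer's lookups.

Every SSN, name and key here is a constructed sample value.
"""
import hashlib
import hmac
import time

# Constructed sample "data broker" records, SSN -> name.  Not real SSNs.
RAW_RECORDS = {
    "078051120": "A. Example",
    "219099999": "B. Sample",
    "457555462": "C. Test",
    "123456789": "D. Placeholder",
}


def sha256_hex(value: str) -> str:
    """Plain, unkeyed hash: anyone can compute it for any candidate SSN."""
    return hashlib.sha256(value.encode()).hexdigest()


def publish_hashed(records, hash_fn=sha256_hex):
    """What the broker would hand out under a 'store hashes only' rule."""
    return {hash_fn(ssn): name for ssn, name in records.items()}


def cross_reference(hashed_records, customer_ssns, hash_fn=sha256_hex):
    """The customer already holds raw SSNs from another data set; one hash
    per SSN recovers every matching record.  This is the join the post
    says legislation would have to forbid."""
    hits = {}
    for ssn in customer_ssns:
        digest = hash_fn(ssn)
        if digest in hashed_records:
            hits[ssn] = hashed_records[digest]
    return hits


def brute_force(hashed_records, start, stop):
    """No side data needed: enumerate a slice of the 10**9 nine-digit
    strings and match each hash against the published set."""
    found = {}
    for n in range(start, stop):
        ssn = f"{n:09d}"
        digest = sha256_hex(ssn)
        if digest in hashed_records:
            found[ssn] = hashed_records[digest]
    return found


def estimate_full_space_seconds(sample=200_000):
    """Time a sample of hashes and extrapolate to all 10**9 candidates,
    single-threaded, pure Python; a GPU cracker is orders faster."""
    t0 = time.perf_counter()
    for n in range(sample):
        sha256_hex(f"{n:09d}")
    per_hash = (time.perf_counter() - t0) / sample
    return per_hash * 10**9


# Assumed alternative (mine, not the post's): a keyed hash whose key only the
# broker holds.  Nobody without BROKER_KEY can compute a matching digest.
BROKER_KEY = b"constructed-secret-key-do-not-share"


def hmac_hex(value: str, key: bytes = BROKER_KEY) -> str:
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    hashed = publish_hashed(RAW_RECORDS)
    print("join with raw SSNs:", cross_reference(hashed, ["078051120", "000000000"]))
    print("exhaustive slice:  ", brute_force(hashed, 78051118, 78051125))
    print(f"full 10**9 space:   ~{estimate_full_space_seconds():.0f} s here")
    keyed = publish_hashed(RAW_RECORDS, hmac_hex)
    print("join vs keyed hash:", cross_reference(keyed, list(RAW_RECORDS)))
    print("with broker's key: ", cross_reference(keyed, list(RAW_RECORDS), hmac_hex))
```

The point the numbers make is the post's: the unkeyed form protects nothing against a customer who has raw SSNs (or a few CPU-minutes), and the keyed form that does protect it is exactly the form a customer cannot use to look anything up.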