Full Disclosure mailing list archives

Re: choice-point screw-up and secure hashes


From: Atom Smasher <atom () smasher org>
Date: Sat, 19 Mar 2005 19:11:39 -0500 (EST)

On Sat, 19 Mar 2005, Jason Coombs wrote:

i've been referring to a social engineering attack where people SIGNED UP FOR ACCOUNTS and got the info because they were paying customers and they asked for it!

The whole choicepoint behind the business model is to sell the SSNs to customers... If you choosepoint to defeat your own business model by choicepointing your customers to secure hashes rather than the SSNs they're really interested in acquiring, then your customers will choosepoint your competition instead, and the endpoint of your business strategy will be bankruptcy.
===============

the whole point of their operation, as i understand it, is to verify and sell data. some of their customers have a legitimate need for buying SSNs, some don't. among those who don't there may be a legitimate need to VERIFY SSNs. by grouping customers by their legitimate needs and screening them accordingly this could have been avoided.


Suppose legislation existed to require all SSNs to be stored in hashed form, and encrypted while in transit. This way, your customers would be required to preserve the hashes and never cross-reference your data set with a data set that contains raw SSNs.
===================

requiring encryption of transported data, regardless of media, IS a good idea. requiring that all SSNs be hashed is NOT what i'm advocating... i am advocating it for situations where it would not cause any significant overhead. a lot of real-world applications would work just as well with hashed SSNs.


What does “in transit” mean? What does “stored” mean? What does “hashed” mean? Look at digital signature legislation. Even in countries that have tried to spell out required algorithms, the legislation still fails to force people to do things “right” by geek standards.
=====================

whoever said that the legislature could get it right? not me... it would be great if they could do it, but i'm not holding my breath. i think a better model involves civil liability. if a company can be sued for a security leak, they'll take steps to avoid it. of course, any big company will carry insurance to pay everyone off, but the insurance companies would require that standards are maintained. so, in the end, it's the mighty dollar that could keep everyone in line. far from perfect, but in many respects better than waiting for congress-critters to figure out the difference between a hash and a hard drive.


It's hopeless. Give up now, before anyone else gets hurt. You're not going to make things better by scraping some income for yourself off the topline revenue for helping your employer pretend that what they're doing is “okay”.
===============

it's pretty bad, but it's not hopeless... the only way to make it better is to challenge it. telling anyone that what they're doing is OK is rarely part of my day.


--
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "To invent, you need a good imagination and a pile of junk."
                -- Thomas Edison

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
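Added example (not from this thread or its authors): a verification-only SSN store of the kind the reply above describes for customers who need to VERIFY rather than buy SSNs. It uses a keyed digest so the stored values are useless to anyone who holds the data set but not the verifier's key; the key name, record ids and SSN values are constructed for the example.

```python
import hmac
import hashlib
import re

# Hypothetical verification-only store: the verifier keeps a keyed digest of
# each SSN, never the SSN itself. The key stays with the verifier and is never
# shipped alongside the digests. Key and records below are constructed.

def normalize_ssn(ssn: str) -> str:
    """Canonicalize '123-45-6789', '123 45 6789' or '123456789' to nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits

def ssn_digest(key: bytes, ssn: str) -> str:
    """HMAC-SHA256 over the canonical SSN. An SSN has at most 10^9 values, so an
    unkeyed hash could be enumerated; the secret key is what makes the digest
    meaningless to anyone who only holds the data set."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()

def build_store(key: bytes, raw_records: dict) -> dict:
    """Map record id -> digest. The raw SSNs are discarded after this step."""
    return {rid: ssn_digest(key, ssn) for rid, ssn in raw_records.items()}

def verify(key: bytes, store: dict, record_id: str, candidate: str) -> bool:
    """Answer 'does this candidate SSN belong to record X?' without exposing the
    stored value. compare_digest keeps the comparison constant-time."""
    stored = store.get(record_id)
    if stored is None:
        return False
    try:
        cand = ssn_digest(key, candidate)
    except ValueError:
        return False
    return hmac.compare_digest(stored, cand)

# Constructed sample data (fixed key for a reproducible demo; a real deployment
# would generate it randomly and keep it in a key store, not in source).
VERIFIER_KEY = b"constructed-key-held-only-by-the-verifier"
SAMPLE_RECORDS = {"cust-001": "123-45-6789", "cust-002": "987 65 4321"}
STORE = build_store(VERIFIER_KEY, SAMPLE_RECORDS)

if __name__ == "__main__":
    print(verify(VERIFIER_KEY, STORE, "cust-001", "123456789"))  # True
    print(verify(VERIFIER_KEY, STORE, "cust-001", "987654321"))  # False
```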
