Comments

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

boristdog Re:Put in a separate table (62 comments)

No, the SSN is on the tax return or form, still highly insecure. The data associated with the SSN in the IRS DB is linked to the hashed SSN.
So unless someone actually has the tax form (trivial for a few forms, difficult for massive amounts of forms) they cannot associate you with your SSN or your tax data. A corrupt IRS employee (and there are many) can easily enter one SSN into their application and get all your tax & income data. But they can't download EVERYONE's data easily.

We're talking about remedies to large data breaches here, not single experiences. Yes, your data is at risk while your tax form is in the mail or in the hands of an IRS employee, but as soon as it goes into the DB the associative data should be hashed. You don't eliminate breaches this way, you make them easier to deal with.

about two weeks ago

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

boristdog Re:Put in a separate table (62 comments)

BUT you can change the salt, or the hashing algorithm, in case of a breach. You don't have to replace all the CCs, just send out a new salt to the machines. Now the data lost in the breach is useless.

about two weeks ago

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

boristdog Re:Put in a separate table (62 comments)

It's not foolproof, but it is easy to fix a breach. If your CC database gets hacked, you re-hash with a different salt and then send the new salt to the pre-processors, so the hash they send you is now completely different. That way you have effectively changed everyone's CC # a lot quicker and easier than sending everyone a new card. In fact, regular re-hashing should be a standard in the CC industry. You keep the same card and card number but the number in the DB will change regularly.

I've actually used a system like this for processing financial data (not CC data) to keep the data associating account numbers with passwords as difficult as possible to breach. Both the account number and password are hashed. We would change the salts at the broker end every 3 to 5 weeks and keep a record of the past two salts in case some broker equipment didn't get the last update. So if our DB got hacked we didn't have to make everyone change their password or account number.

As far as I know they are still using that system.

about two weeks ago

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

boristdog Re:Put in a separate table (62 comments)

Surprisingly enough, I used to work at the IRS and still have many friends who do.

We could hash all SSN/EIN data at the IRS and just deal with hashes, but the entrenched management there still does everything the old way. Why can't the EDI transaction just hash the SSN and have the IRS compare the hashes at the IRS end? Because the highly political management is too stupid to understand this.

There are many reasons I have left cushy gov't jobs, the lack of technological understanding by the higher ups is just one of them. The Peter Principle is in full force if you work in government.

about two weeks ago

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

boristdog Re:Put in a separate table (62 comments)

Ideally, the payment processor is the only one who has the hash, the merchant passes the hash they made from customer data on to the processor.
The payment processor doesn't even need to have the CC#. They just need the hash.

about two weeks ago

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

boristdog Re:Put in a separate table (62 comments)

No, passwords, SSNs, PINs and Credit Card numbers should be hashed before inserting into any table. There is NO reason for anyone to save that data unhashed.

To compare data, just hash what the customer enters and compare the hashes. Why is this so hard for 99.9% of companies to understand?

about two weeks ago
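The scheme boristdog describes across the Oracle-redaction comments above (hash the card/account number at the edge, keep only the hash centrally, rotate the "salt" after a breach and honour the previous two so equipment that missed an update still works, compare hashes instead of plaintext) as an added, runnable example. This is not code from the thread or from any system the poster worked on; every name, the EdgeClient/CentralStore split, the two-key grace window and the sample card numbers are assumptions made for the illustration. One design choice differs from the wording in the comments: the rotating value is used as an HMAC key rather than a salt, because card and account numbers come from a small enough space that a salted but unkeyed hash can be brute-forced offline by anyone who gets both the table and the salt.

```python
"""Keyed-hash lookup with rotating keys: edge client plus central store.

Added example, not the poster's system. Assumed design: the store holds only
HMAC-SHA256 tokens; the key (the poster's "salt") is pushed to the edge; the
current key and the previous HISTORY keys are accepted; an edge holding
several keys sends a token under each so the store can re-index under the
newest key without ever seeing the number. Card numbers are sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import OrderedDict

HISTORY = 2  # previous keys still honoured, as in the comment above


def make_token(key: bytes, identifier: str) -> str:
    # Keyed MAC, not salt+hash: card/account numbers come from a small enough
    # space that a salted but unkeyed hash is brute-forceable offline.
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


class EdgeClient:
    """Merchant/broker side: has the number at entry time, never sends it."""
    def __init__(self, keys: dict[int, bytes]):
        self.keys = dict(keys)  # key_id -> key

    def receive_key(self, key_id: int, key: bytes) -> None:
        self.keys[key_id] = key

    def tokens(self, identifier: str) -> dict[int, str]:
        return {kid: make_token(k, identifier) for kid, k in self.keys.items()}


class CentralStore:
    """Processor side: records are reachable only through tokens."""
    def __init__(self, first_key: bytes | None = None):
        self.keys = OrderedDict({1: first_key or secrets.token_bytes(32)})
        self.index: dict[tuple[int, str], int] = {}  # (key_id, token) -> rec id
        self.records: dict[int, dict] = {}

    @property
    def current_key_id(self) -> int:
        return next(reversed(self.keys))

    def _reindex(self, tokens: dict[int, str], rec_id: int) -> None:
        for kid, tok in tokens.items():
            if kid in self.keys:  # tokens under retired keys are ignored
                self.index[(kid, tok)] = rec_id

    def register(self, tokens: dict[int, str], record: dict) -> int:
        if self.current_key_id not in tokens:
            raise ValueError("edge must hold the current key to register")
        rec_id = len(self.records) + 1
        self.records[rec_id] = record
        self._reindex(tokens, rec_id)
        return rec_id

    def lookup(self, tokens: dict[int, str]) -> dict | None:
        for kid in reversed(self.keys):  # newest key first
            tok = tokens.get(kid)
            if tok is not None and (kid, tok) in self.index:
                rec_id = self.index[(kid, tok)]
                self._reindex(tokens, rec_id)  # lazy migration to newer keys
                return self.records[rec_id]
        return None

    def rotate(self, new_key: bytes | None = None) -> tuple[int, bytes]:
        """Issue a new key; retire the oldest one beyond the grace window."""
        kid = self.current_key_id + 1
        self.keys[kid] = new_key or secrets.token_bytes(32)
        while len(self.keys) > HISTORY + 1:
            retired, _ = self.keys.popitem(last=False)
            for entry in [e for e in self.index if e[0] == retired]:
                del self.index[entry]
        return kid, self.keys[kid]


def demo() -> dict:
    store = CentralStore()
    fast = EdgeClient({1: store.keys[1]})  # receives every key update
    slow = EdgeClient({1: store.keys[1]})  # misses all further updates
    card, dormant = "4111111111111111", "5500000000000004"  # constructed samples
    store.register(fast.tokens(card), {"holder": "sample A"})
    store.register(fast.tokens(dormant), {"holder": "sample B"})

    kid, key = store.rotate()  # breach response: new key, old tokens still valid
    fast.receive_key(kid, key)
    in_window = (store.lookup(fast.tokens(card)), store.lookup(slow.tokens(card)))
    for _ in range(HISTORY):  # two more rotations retire key 1
        kid, key = store.rotate()
        fast.receive_key(kid, key)
    after = (store.lookup(fast.tokens(card)), store.lookup(slow.tokens(card)))
    return {
        "updated_edge_in_window": in_window[0] is not None,
        "stale_edge_in_window": in_window[1] is not None,
        "updated_edge_after_window": after[0] is not None,
        "stale_edge_after_window": after[1] is not None,
        "tokens_rotated": fast.tokens(card)[1] != fast.tokens(card)[4],
        # records never re-indexed before their last key was retired
        "unreachable": set(store.records) - set(store.index.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the part of the scheme the comments leave implicit: the central store cannot "re-hash" anything on its own, because it never holds the number. A record only moves to the new key when an edge that has both the old and the new key presents it again, so a record nobody touches during the grace window (the dormant card in the demo) becomes unreachable once its last key is retired. The stale edge keeps working for two rotations and then fails, which is the trade-off the poster's "past two salts" rule buys.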

Fooling a Mercedes Into Autonomous Driving With a Soda Can

boristdog Re:Obvious (163 comments)

Unfortunately, lane keeping and distance keeping are skills that elude a lot of drivers.

about three weeks ago

Quiet Cooling With a Copper Foam Heatsink

boristdog Brillo-iant! (171 comments)

And you can keep the pots and pans clean!

about three weeks ago

Netflix Reduces Physical-Disc Processing, Keeps Prices the Same

boristdog Re:Why do you want pieces of plastic (354 comments)

Yeah, screw all those farmers and ranchers and small town folks! They only provide all our food and stuff, why do they need movies?

News flash: Internet speeds more than a few miles from urban development usually suck donkey balls.

about a month ago

Wearable Robot Adds Two Fingers To Your Hand

boristdog The Gripping Hand? (77 comments)

I see that the kids at MIT have read their Niven.

about a month ago

ChickTech Brings Hundreds of Young Women To Open Source

boristdog Re:Name (158 comments)

I actually had a business called "rent a nerd" in the early 90's when I was in my mid 20's and in great shape. I got lots of repeat calls from lonely divorced women to fix very simple "problems" with their computers. e.g. Problem: "My screen is blank!" Solution: "Turn up the brightness knob" | Problem: "My software won't load!" Solution: "You have to run the install.exe program, not the readme.txt"

If I hadn't had a girlfriend and/or a conscience at the time I would have made even more money. I did get a lot of free sandwiches & beverages, and got to see a lot of low-neckline shirts.

about a month ago

'Hidden From Google' Remembers the Sites Google Is Forced To Forget

boristdog Re:Awesome! (163 comments)

Especially David St. Hubbins.

about a month ago

Homestar Runner To Return Soon

boristdog Re:Have another trophy! (57 comments)

I bought a "Kick the Cheat" for my wife when they first came out.

It was amazing fun to kick while the batteries lasted. The Cheat would yell and curse when you kicked it across the room.

about a month and a half ago

Coddled, Surveilled, and Monetized: How Modern Houses Can Watch You

boristdog Re:Or, you know (150 comments)

For you maybe. I live out in the country in a house I built myself. No city councils, no neighborhood associations, no nothin'. The wife and I sit on the porch naked and smoke weed while enjoying the sunset over the hills damn near every evening.

Enjoy your city livin', kids.

about a month and a half ago

Coddled, Surveilled, and Monetized: How Modern Houses Can Watch You

boristdog Or, you know (150 comments)

You could just live in a regular house without all that crap.

about a month and a half ago

Goldman Sachs Demands Google Unsend One of Its E-mails

boristdog Yeah (346 comments)

Barbra Streisand never returns my e-mails either.

about a month and a half ago

IRS Recycled Lerner Hard Drive

boristdog Re:Fox News? (682 comments)

Never attribute to malice that which may be caused by incompetence.

I worked for the IRS for 6 years. It is a huge, bloated bureaucracy and everyone is afraid of it so no one messes with it. We lost data all the time, which was a boon to people who owed money based on that data. Honestly, there was more fucking going on amongst the people in the office than actual work. It was the land of office affairs.

about 2 months ago

Yahoo's Diversity Record Is Almost As Bad As Google's

boristdog Re:Most qualified and motivated candidates? (435 comments)

Women who prevail and succeed have a property similar to many men. They know what they want to do, and do not care what society, or Barbie, or fashion magazines think. And they are willing to do what it takes. My wife, the model of an Alpha female, is this way. The successful female techs, engineers, and scientists where I worked were this way.

You just described my network engineer wife. She doesn't give a crap about doing girly things. Awesome cook and a sex machine though. I'm a lucky SOB.

about 2 months ago

Submissions

boristdog hasn't submitted any stories.

Journals

boristdog has no journal entries.
