×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Re:What is the advantage of hashing? (127 comments)

Yes, thanks for the clarification, it only increases the time by preventing the use of rainbow tables (or, nowadays, simply googling the hash).

more than 2 years ago
top

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Re:What is the advantage of hashing? (127 comments)

The advantage is that many people use the same password on multiple systems, so revealing a plaintext password to, say, Slashdot may also reveal your bank password. A hashed password can't be used to directly log into another account, though it can be cracked by a determined attacker if the password is simple. A salted and hashed password vastly increases the time required for an attacker to crack a hashed password, to the point where it is infeasible unless the password is very simple.

Of course everybody knows (or should know) that using the same password for Slashdot and your bank is a bad idea (you could have a bank support rep using up your precious karma!), but it is still very common, and it's irresponsible for a developer to expose their users' passwords if they have made this common mistake.

more than 2 years ago
top

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Re:Common/best practices for personal data (127 comments)

RAM of a running process is accessible to root via the debugger, so doesn't really provide better security than a file only root can read, although it may slow an attacker down a bit or foil a dim-witted attacker. As others have mentioned, there is also some systems management difficulty if services do not function until a password is entered into them.

At any rate, lots of interesting schemes are possible, but I was wondering if any of them were in wide use?

Thanks,

------Scott.

more than 2 years ago
top

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Common/best practices for personal data (127 comments)

Most applications I've worked with have stored passwords hashed and salted and stored credit card data offsite or not at all, but have kept other sorts of personal data (address, phone, etc.) in the database in plaintext.

I've always reasoned that encrypting the data is of little value, since the decryption keys would have to be on the server, and a server compromise would give the keys along with the data. This case is interesting though, since it seems only the database was compromised, so encrypted data in the database with keys outside of the database would have provided some protection.

I can come up with lots of simple schemes for encrypting personal data in the database, but what I'm wondering is, how is this typically handled? Is it common to encrypt this sort of data? If so using what techniques for encryption and key management? Are there some well-known best practices that I haven't come across?

Thanks!

----Scott.

more than 2 years ago
top

Debian GNU/Linux 5.0 "Lenny" Released

sgifford Installer support for software RAID? (386 comments)

Does this release include installer support for software RAID? I've been waiting for that for awhile; the elaborate dance to convert a system to RAID after installation is getting old. :-)

more than 5 years ago
top

When Not to Use chroot

sgifford Re:For daemons that don't run as root (407 comments)

That works if you have a copy of the application, su, some version of /etc/passwd, and all of the libraries needed by both programs inside the chroot area. To avoid that, you can use chroot_safe, which is a clever LD_PRELOAD hack to start the program, load all shared libraries, then do the chroot. For many programs, this is enough to make it work without copying anything into the chroot area. It's very handy; I use it for all sorts of things.

more than 7 years ago

Submissions

sgifford hasn't submitted any stories.

Journals

top

Michigan's fiasco of a primary

sgifford sgifford writes  |  more than 6 years ago There has been lots of attention to the Iowa caucuses and the New Hampshire primary, but less attention to the very strange, and somewhat disturbing, Michigan primary. Over the threats of the national parties, Michigan's legislature voted to move our primary to January 15th, making it one of the earliest. This fall the parties followed through on their threats: The Democratic National Committee is refusing to seat any of Michigan's delegates and prohibiting the candidates from campaigning here, which the Republican National Committee is counting only half of Michigan's delegates. This effectively gives Democrats no vote in their primary, and Republicans only half a vote in theirs. Many voters don't realize that there is no constitutional right to vote in the primary, and that their vote is essentially at the whim of the parties. If you are a Michigan voter unsure what to do, or a voter anywhere disturbed by all of this, you can learn more about the 2008 Michigan Democratic primary and how to let party leaders know your opinion at WhoStoleMiVote.org.

Slashdot Login

Need an Account?

Forgot your password?