
FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Re:What is the advantage of hashing? (127 comments)

Yes, thanks for the clarification, it only increases the time by preventing the use of rainbow tables (or, nowadays, simply googling the hash).

more than 2 years ago

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Re:What is the advantage of hashing? (127 comments)

The advantage is that many people use the same password on multiple systems, so revealing a plaintext password to, say, Slashdot may also reveal your bank password. A hashed password can't be used to directly log into another account, though it can be cracked by a determined attacker if the password is simple. A salted and hashed password vastly increases the time required for an attacker to crack a hashed password, to the point where it is infeasible unless the password is very simple.

Of course everybody knows (or should know) that using the same password for Slashdot and your bank is a bad idea (you could have a bank support rep using up your precious karma!), but it is still very common, and it's irresponsible for a developer to expose their users' passwords if they have made this common mistake.

more than 2 years ago
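To illustrate the point of the comment above, here is an added example (not part of sgifford's comment or of any Slashdot code) that contrasts a bare hash with a salted, iterated one. It assumes PBKDF2-HMAC-SHA256 as the salted scheme and uses a small constructed lookup table in place of a rainbow table or web search.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # work factor: every guess costs this many HMAC rounds

# Constructed stand-in for a rainbow table or a web search of well-known
# unsalted hashes; a real table would hold billions of entries.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
UNSALTED_LOOKUP = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare SHA-1, identical for every user with this password."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Stored as hex(salt)$hex(key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + key.hex()

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(key.hex(), key_hex)

def precomputed_lookup(stored: str) -> Optional[str]:
    """Table lookup: recovers the password only if the stored value is a bare hash."""
    return UNSALTED_LOOKUP.get(stored)

def demo() -> dict:
    """Two users who chose the same weak password, under both schemes."""
    unsalted = [hash_unsalted("letmein") for _ in range(2)]
    salted = [hash_salted("letmein") for _ in range(2)]
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],   # same hash for both users
        "unsalted_recovered": precomputed_lookup(unsalted[0]),  # table hit
        "salted_identical": salted[0] == salted[1],         # different per user
        "salted_recovered": precomputed_lookup(salted[0]),  # no precomputed hit
        "salted_verifies": verify_salted("letmein", salted[0]),
    }

if __name__ == "__main__":
    print(demo())
```

The salt does not make an individual guess harder; the iteration count does that, while the salt forces the attacker to redo the work for every user and defeats any precomputed table.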

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Re:Common/best practices for personal data (127 comments)

RAM of a running process is accessible to root via the debugger, so it doesn't really provide better security than a file only root can read, although it may slow an attacker down a bit or foil a dim-witted attacker. As others have mentioned, there is also some systems management difficulty if services do not function until a password is entered into them.

At any rate, lots of interesting schemes are possible, but I was wondering if any of them were in wide use?



more than 2 years ago

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

sgifford Common/best practices for personal data (127 comments)

Most applications I've worked with have stored passwords hashed and salted and stored credit card data offsite or not at all, but have kept other sorts of personal data (address, phone, etc.) in the database in plaintext.

I've always reasoned that encrypting the data is of little value, since the decryption keys would have to be on the server, and a server compromise would give the keys along with the data. This case is interesting though, since it seems only the database was compromised, so encrypted data in the database with keys outside of the database would have provided some protection.

I can come up with lots of simple schemes for encrypting personal data in the database, but what I'm wondering is, how is this typically handled? Is it common to encrypt this sort of data? If so using what techniques for encryption and key management? Are there some well-known best practices that I haven't come across?



more than 2 years ago

Debian GNU/Linux 5.0 "Lenny" Released

sgifford Installer support for software RAID? (386 comments)

Does this release include installer support for software RAID? I've been waiting for that for awhile; the elaborate dance to convert a system to RAID after installation is getting old. :-)

more than 5 years ago

When Not to Use chroot

sgifford Re:For daemons that don't run as root (407 comments)

That works if you have a copy of the application, su, some version of /etc/passwd, and all of the libraries needed by both programs inside the chroot area. To avoid that, you can use chroot_safe, which is a clever LD_PRELOAD hack to start the program, load all shared libraries, then do the chroot. For many programs, this is enough to make it work without copying anything into the chroot area. It's very handy; I use it for all sorts of things.

more than 6 years ago


sgifford hasn't submitted any stories.



Michigan's fiasco of a primary

sgifford writes | more than 6 years ago

There has been lots of attention to the Iowa caucuses and the New Hampshire primary, but less attention to the very strange, and somewhat disturbing, Michigan primary. Over the threats of the national parties, Michigan's legislature voted to move our primary to January 15th, making it one of the earliest. This fall the parties followed through on their threats: the Democratic National Committee is refusing to seat any of Michigan's delegates and prohibiting the candidates from campaigning here, while the Republican National Committee is counting only half of Michigan's delegates. This effectively gives Democrats no vote in their primary, and Republicans only half a vote in theirs. Many voters don't realize that there is no constitutional right to vote in the primary, and that their vote is essentially at the whim of the parties. If you are a Michigan voter unsure what to do, or a voter anywhere disturbed by all of this, you can learn more about the 2008 Michigan Democratic primary and how to let party leaders know your opinion at
