Full Disclosure mailing list archives
Re: Re: choice-point screw-up and secure hashes
From: Valdis.Kletnieks () vt edu
Date: Sat, 19 Mar 2005 19:44:00 -0500
On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said:
> the way i see it, some people bought personal info from choicepoint. if that info contained hashed SSNs it would be just as valuable to a LEGITIMATE user for verification purposes.
Explain why. Remember that I'm sitting down at the bank applying for a loan, and *I* have no idea what my SSN hashes to, and the bank has a vested interest in getting back a report they can easily verify is The Right One - this means that either the report back from ChoicePoint needs to contain a cleartext SSN that the loan officer can verify, or the bank needs to be able to hash my SSN and compare (ever eyeball-checked the MD5sum of a file you downloaded? Now imagine a non-techie doing that all day - it's significantly harder than using eyeball compares for 2 sets of (3,2,4) digit numbers...)

And it has to have one of the 3 following characteristics:

1) It has to work over a fax machine, because that's what the competing companies have as the entry level technology.

2) It has to provide *such* additional benefit *to the subscriber* to make them pay for an essentially one-use piece of hardware. The fax machine they can use for all their fax needs, a specialized hardware for connecting to your database is probably not going to be a win.

3) You have to be willing to pay for the hardware for your subscribers.

Remember - the people who are going to end up paying for the security aren't the people who care about the security - which will tend to limit your security budget.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/