On Fri, Oct 10, 2014 at 10:56 AM, Stephen Frost <sfr...@snowman.net> wrote:

> * Thom Brown (t...@linux.com) wrote:
> > On 10 October 2014 12:45, Stephen Frost <sfr...@snowman.net> wrote:
> > >> There's a difference between intending that there shouldn't be a way
> > >> past security and just making access a matter of walking a longer
> > >> route.
> > >
> > > Throwing random 16-digit numbers and associated information at a credit
> > > card processor could be viewed as "walking a longer route" too.  The
> > > same goes for random key searches or password guesses.
> >
> > But those would need to be exhaustive, and in nearly all cases,
> > impractical.
>
> That would be exactly the idea with this- we make it impractical to get
> at the unredacted information.
>

For fun I gave the search a try.


-- 10,000 rows of random 16-digit values standing in for card numbers
create table cards (id serial, cc bigint);
insert into cards (cc)
  SELECT CAST(random() * 9999999999999999 AS bigint)
    FROM generate_series(1,10000);

\timing on
-- Binary search: each recursion step halves [range_min, range_max] around cc
-- using only comparisons against cc; the cc value itself is never selected.
WITH RECURSIVE t(id, range_min, range_max) AS (
  SELECT id, 1::bigint, 9999999999999999 FROM cards
  UNION ALL
    SELECT id
         , CASE WHEN cc >= range_avg THEN range_avg ELSE range_min END
         , CASE WHEN cc <= range_avg THEN range_avg ELSE range_max END
      FROM (SELECT id, (range_min + range_max) / 2 AS range_avg, range_min, range_max
              FROM t
           ) AS t_avg
      JOIN cards USING (id)
     WHERE range_min != range_max
)
-- a row is finished once its range has collapsed to a single value
SELECT id, range_min AS cc FROM t WHERE range_min = range_max;


On my laptop I can pull all 10,000 card numbers in less than 1 second. For
a text-based item I don't imagine it would be much different. Numbers are
pretty easy to work with though.
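The point of the recursive CTE above is that a masking layer which blanks a column on output but still evaluates ordering predicates against the real value is a comparison oracle, and a comparison oracle leaks one bit per query. The following Python is an added illustration, not code from the thread or from PostgreSQL: `LeakyRedaction` and `TokenisedColumn` are hypothetical simulations of two masking designs, the sample rows are constructed, and the key is a placeholder. It quantifies the leak (at most ceil(log2(10^16)) = 54 predicates per value, the same bisection the CTE performs) and shows the design property that removes it: if the column is stored as a keyed HMAC token, equality against a value the caller already holds still works, but there is no ordering to bisect over.

```python
import hashlib
import hmac
import math
import random

# Same value space as the thread's SQL: 16-digit numbers.
MAX_CC = 9_999_999_999_999_999


def make_sample_rows(n, seed=2014):
    """Constructed sample data (not from the thread): id -> 16-digit value."""
    rng = random.Random(seed)
    return {row_id: rng.randint(1, MAX_CC) for row_id in range(1, n + 1)}


class LeakyRedaction:
    """Hypothetical masking layer that blanks the column on output but still
    evaluates ordering predicates (WHERE cc >= x) against the real value.
    This is exactly the property the recursive CTE in the thread relies on."""

    def __init__(self, rows):
        self._rows = dict(rows)
        self.predicates_evaluated = 0

    def ids(self):
        return list(self._rows)

    def select(self, row_id):
        return "XXXX-XXXX-XXXX-XXXX"  # what the reader is shown

    def where_ge(self, row_id, threshold):
        # The comparison oracle: one bit of the real value per call.
        self.predicates_evaluated += 1
        return self._rows[row_id] >= threshold


class TokenisedColumn:
    """Hypothetical hardened design: the stored column is a keyed HMAC token,
    so the only predicate that can be answered is equality with a candidate
    the caller already holds. No ordering oracle exists to bisect over."""

    def __init__(self, rows, key):
        self._key = key  # placeholder key; a real deployment keeps this in a KMS/HSM
        self._tokens = {row_id: self._token(cc) for row_id, cc in rows.items()}

    def _token(self, cc):
        return hmac.new(self._key, str(cc).encode(), hashlib.sha256).digest()

    def where_eq(self, row_id, candidate):
        return hmac.compare_digest(self._tokens[row_id], self._token(candidate))

    def where_ge(self, row_id, threshold):
        raise PermissionError("ordering predicates are not defined on a tokenised column")


def bisect_hidden_value(ge_oracle, lo=1, hi=MAX_CC):
    """Recover a hidden value using only answers to 'hidden >= x'.
    Same idea as the CASE expressions in the thread's CTE.
    Returns (value, number_of_predicates_used)."""
    queries = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2  # upper midpoint so lo always moves up
        queries += 1
        if ge_oracle(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo, queries


def recover_all(leaky):
    """Apply the bisection to every row of a LeakyRedaction table.
    Returns (recovered_rows, worst_case_queries_for_a_single_row)."""
    recovered, worst = {}, 0
    for row_id in leaky.ids():
        value, queries = bisect_hidden_value(lambda x, r=row_id: leaky.where_ge(r, x))
        recovered[row_id] = value
        worst = max(worst, queries)
    return recovered, worst


def predicate_bound():
    """Upper bound on comparisons needed per value: ceil(log2(MAX_CC)) = 54."""
    return math.ceil(math.log2(MAX_CC))


if __name__ == "__main__":
    rows = make_sample_rows(1000)
    leaky = LeakyRedaction(rows)
    got, worst = recover_all(leaky)
    print("leaky layer: all rows recovered =", got == rows,
          "| worst queries per row =", worst, "| bound =", predicate_bound())
    tok = TokenisedColumn(rows, b"constructed-demo-key")
    print("tokenised: equality on a known value still works =", tok.where_eq(1, rows[1]))
    try:
        tok.where_ge(1, MAX_CC // 2)
    except PermissionError as exc:
        print("tokenised: bisection impossible:", exc)
```

The number that matters for a reviewer is `worst`: with an ordering oracle the cost of unmasking a row is about 54 queries, not the 10^16 "exhaustive" guesses the quoted discussion assumes. A masking design is only as strong as the weakest predicate it still answers on the real value, so the check to make is whether the column can be filtered or sorted by the caller who is not allowed to read it.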