On Fri, Oct 10, 2014 at 10:56 AM, Stephen Frost <sfr...@snowman.net> wrote:
> * Thom Brown (t...@linux.com) wrote:
> > On 10 October 2014 12:45, Stephen Frost <sfr...@snowman.net> wrote:
> > >> There's a difference between intending that there shouldn't be a way
> > >> past security and just making access a matter of walking a longer
> > >> route.
> > >
> > > Throwing random 16-digit numbers and associated information at a credit
> > > card processor could be viewed as "walking a longer route" too. The
> > > same goes for random key searches or password guesses.
> >
> > But those would need to be exhaustive, and in nearly all cases,
> > impractical.
>
> That would be exactly the idea with this- we make it impractical to get
> at the unredacted information.
>

For fun I gave the search a try.

create table cards (id serial, cc bigint);

-- 10,000 random 16-digit "card numbers"
insert into cards (cc)
  SELECT CAST(random() * 9999999999999999 AS bigint)
  FROM generate_series(1, 10000);

\timing on

-- Bisect every card's value using only comparisons against the column:
-- each iteration halves [range_min, range_max] until it collapses to cc.
WITH RECURSIVE t(id, range_min, range_max) AS (
  SELECT id, 1::bigint, 9999999999999999
  FROM cards
  UNION ALL
  SELECT id
       -- cc above the midpoint: keep the upper half (avg + 1 .. max);
       -- using "avg" rather than "avg + 1" here leaves a width-1 interval
       -- with cc at its upper bound unchanged and the recursion never ends
       , CASE WHEN cc > range_avg THEN range_avg + 1 ELSE range_min END
       -- cc at or below the midpoint: keep the lower half (min .. avg)
       , CASE WHEN cc <= range_avg THEN range_avg ELSE range_max END
  FROM (SELECT id, (range_min + range_max) / 2 AS range_avg, range_min, range_max
        FROM t) AS t_avg
  JOIN cards USING (id)
  WHERE range_min != range_max
)
SELECT id, range_min AS cc
FROM t
WHERE range_min = range_max;

On my laptop I can pull all 10,000 card numbers in less than 1 second.
For a text-based item I don't imagine it would be much different.
Numbers are pretty easy to work with though.
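The bisection above only works because the client role can write predicates against the plaintext column. As an added example (not code from the thread or from the PostgreSQL project; the role name app_reader and the view name cards_masked are assumptions), this is the configuration that removes the inference channel: the raw column is not grantable to the client at all, and the client is given only a masked projection, so any comparison it can express is a comparison against the masked string.

```sql
-- Added example, not part of the original message.
-- Assumed names: role app_reader, view cards_masked.

CREATE ROLE app_reader NOLOGIN;

CREATE TABLE cards (
    id serial PRIMARY KEY,
    cc bigint NOT NULL
);

-- constructed sample data: 10,000 random 16-digit numbers
INSERT INTO cards (cc)
SELECT CAST(random() * 9999999999999999 AS bigint)
FROM generate_series(1, 10000);

-- The view is owned by the table owner and is the only object the client
-- can read. security_barrier keeps user-supplied predicates from being
-- evaluated ahead of the view's own quals if row filtering is added later.
CREATE VIEW cards_masked WITH (security_barrier) AS
SELECT id,
       '************' || right(cc::text, 4) AS cc_masked
FROM cards;

REVOKE ALL ON cards FROM app_reader;
GRANT SELECT ON cards_masked TO app_reader;

-- Run as the client role.
SET ROLE app_reader;

-- Any predicate that names the underlying column fails with a
-- permission-denied error before it is evaluated, so there is nothing
-- to bisect:
--   SELECT id FROM cards WHERE cc >= 5000000000000000;

-- The only comparable value is the mask; this reveals at most the four
-- digits the mask deliberately exposes.
SELECT id, cc_masked
FROM cards_masked
WHERE cc_masked LIKE '%1234'
LIMIT 5;

RESET ROLE;
```

Column-level privileges give the same guarantee without a view: `GRANT SELECT (id) ON cards TO app_reader` lets the role read id but not cc, and PostgreSQL checks the column privilege for every reference to cc, including one in a WHERE clause, so the comparison step of the search is refused rather than merely slowed down.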