RE: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-21 Thread Todd Towles
On Sat, 19 Mar 2005, Vincent van Scherpenseel wrote: > > > On Saturday 19 March 2005 13:02, Kurt Seifried wrote: > > > > Don't forget that it's bad for

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Jason Coombs
> When the merchants enjoy lower > liabilities as a result of fraud > reduction things become a little > different That's what Visa and Mastercard said about Secure Electronic Transactions (SET) as a replacement for SSL and merchant risk management business expertise. Oddly, neither the banks no

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
On Sat, 19 Mar 2005 [EMAIL PROTECTED] wrote: the way i see it, some people bought personal info from choicepoint. if that info contained hashed SSNs it would be just as valuable to a LEGITIMATE user for verification purposes. Explain why. Remember that I'm sitting down at the bank applying for a

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
On Sat, 19 Mar 2005 [EMAIL PROTECTED] wrote: some companies have a legitimate need to ask that question. they should be subject to more stringent checks than our recent bad guys. FTMP, however, that question is of very little use... if you want to know the SSN of "john smith", born 1976-07-04 yo

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Jason
I don't see any disclosure in this thread but what the heck. [EMAIL PROTECTED] wrote: On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said: the way i see it, some people bought personal info from choicepoint. if that info contained hashed SSNs it would be just as valuable to a LEGITIMATE user for

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Valdis . Kletnieks
On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said: > the way i see it, some people bought personal info from choicepoint. if > that info contained hashed SSNs it would be just as valuable to a > LEGITIMATE user for verification purposes. Explain why. Remember that I'm sitting down at the ban

[Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
On Sat, 19 Mar 2005, Jason Coombs wrote: i've been referring to a social engineering attack where people SIGNED UP FOR ACCOUNTS and got the info because they were paying customers and they asked for it! The whole choicepoint behind the business model is to sell the SSNs to customers... If you ch

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
On Sat, 19 Mar 2005 [EMAIL PROTECTED] wrote: Remember that the company probably needs an *invertible* function as they need to be able to access the original value, so the trick of "hash the SSN and see if you get the same to compare for equality" isn't usable. You can use a one-way function if

[Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
On Sat, 19 Mar 2005, Jason Coombs wrote: Before I make off with your hard drive, I'm going to try very hard to add some known SSNs to the database using your own hashing machine (which presumably I won't be able to own outright, such that I could discover your salting algorithm directly). ==

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Valdis . Kletnieks
On Sat, 19 Mar 2005 18:18:46 EST, Atom Smasher said: > some companies have a legitimate need to ask that question. they should be > subject to more stringent checks than our recent bad guys. FTMP, however, > that question is of very little use... if you want to know the SSN of > "john smith", b

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Valdis . Kletnieks
On Sat, 19 Mar 2005 23:02:36 GMT, Jason Coombs said: > > reverse hashing > > By reverse hashing you mean defeating the protection by forward hashing all > possible SSNs, presumably. No, that's me writing in a hurry and failing to make clear that if you're using an invertible function, you'll hav

[Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Jason Coombs
> i've been referring to a social > engineering attack where people > SIGNED UP FOR ACCOUNTS and got > the info because they were paying > customers and they asked for it! The whole choicepoint behind the business model is to sell the SSNs to customers... If you choosepoint to defeat your own bus

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Jason Coombs
On Sat, 19 Mar 2005 13:34:53 EST, Atom Smasher said: > tell ya what... here's my SSN hashed with a salt: > e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440 > > as

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Valdis . Kletnieks
On Sat, 19 Mar 2005 13:34:53 EST, Atom Smasher said: > tell ya what... here's my SSN hashed with a salt: > e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440 > > as soon as you recover my SSN, just let me know. Tell you what - give me the salt and the hash algorithm, and it wil

[Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Jason Coombs
Atom Smasher wrote: > tell ya what... here's my SSN > hashed with a salt: > > e36c98b34d5ba979fb0bf0c64dc7b3 > a66c9ce841437d6460390e63808 > 10f1440 > > as soon as you recover my SSN, > just let me know. A fine challenge. Give us access to your hashing machine, or at least hash the following SSN

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Ron DuFresne
On Sat, 19 Mar 2005, Vincent van Scherpenseel wrote: > On Saturday 19 March 2005 13:02, Kurt Seifried wrote: > > > Don't forget that it's bad for the company's image to have confidential > > > customer data stolen. As soon as the press catches on it's bad for > > > business. > > > So, companies *d

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Ron DuFresne
On Sat, 19 Mar 2005, Kurt Seifried wrote: > > Don't forget that it's bad for the company's image to have confidential > > customer data stolen. As soon as the press catches on it's bad for > > business. > > So, companies *do* have a drive to secure your private data. > > Uhhh no. See consumers suc

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
On Sat, 19 Mar 2005, Kurt Seifried wrote: Hashing SSN numbers and CC numbers doesn't matter unless you use a really huge salt that is stored separately. Why? Not enough variation. A credit card number for example: 4520 1234 1234 1234 except the first 4 digits (4520) are the bank code, so for exa

[Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Atom Smasher
tell ya what... here's my SSN hashed with a salt: e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440 as soon as you recover my SSN, just let me know. btw, if an information clearing house discloses my phone number, DOB, address, name, or ANYTHING about me (even to confirm whe

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Vincent van Scherpenseel
On Saturday 19 March 2005 13:02, Kurt Seifried wrote: > > Don't forget that it's bad for the company's image to have confidential > > customer data stolen. As soon as the press catches on it's bad for > > business. > > So, companies *do* have a drive to secure your private data. > > Uhhh no. See co

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Kurt Seifried
Don't forget that it's bad for the company's image to have confidential customer data stolen. As soon as the press catches on it's bad for business. So, companies *do* have a drive to secure your private data. Uhhh no. See consumers such as yourself don't actually purchase services from choicepoi

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Vincent van Scherpenseel
On Saturday 19 March 2005 09:36, Kurt Seifried wrote: > The sad part is there is NO (Zero, Nada, Zilch) incentive for companies to > treat this data securely. Information for a hundred thousand people is > stolen. So what? The company is not criminally liable in any way (I haven't > heard of any l

Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Kurt Seifried
Hashing SSN numbers and CC numbers doesn't matter unless you use a really huge salt that is stored separately. Why? Not enough variation. A credit card number for example: 4520 1234 1234 1234 except the first 4 digits (4520) are the bank code, so for example in canada if you guess 4520 as the f

[Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-18 Thread Jason Coombs
Good job! You've reduced by 99% the number of people who understand that the SSN is still being stored as plaintext in the database. This should result in 100% efficacy for defense against lawsuits and other complex liability that would otherwise arise out of pure neglect and incompetency. I s