Comment Re:Info needs to be accessible to them, IRS(ACA), (Score 1) 223

So only the guy in the server room can access any patient^H^H^H^H^H^H customer data, for a company with millions of customers? That's going to be one busy guy! Roughly everyone who works at the insurance company needs some access to their customers' information, so it has to be on the network. The IRS demands access too, so the insurance company has to connect it to the internet.

The notion of an operator-provided or operator-unlocked key is the way it used to work "back in the days" when every server had a monitor plugged into it. You would provide a password on bootup which was a mini-key to decrypt the actual SSL/TLS keys. It would get stashed in memory at that point and (hopefully) operator intervention wouldn't be needed again until the next scheduled reboot. Before too long, the threat of in-memory attacks far eclipsed the threat of physical server theft and this practice was ditched.

Comment Re:That's why nobody sensible wants them (Score 1) 223

If it really needs to be exceptionally secure and you're dealing with a system that is constantly running, why not just keep any encryption keys in memory only where it's that much harder to get them and have them manually be entered by someone if the system needs to be brought down. That or use some module with the encryption baked in at a physical level to handle encryption and decryption. Yes, it's more expensive, but these systems are already hugely expensive and it makes it incredibly difficult for anyone without physical access to get at the actual data.

Is there some practical reason why it couldn't be done this way or something else that I'm missing outside of the obvious that there's another, cheaper way of doing things?

Putting the key alongside the data is a bad idea no matter how the key gets there. Finding it in RAM would be no different than finding it somewhere on the disk (assuming the disk approach is more complex than c:\config\crypto.key) so that's out. There are TPM solutions that can make it secure (storing the key in tamperproof memory, never releasing it, doing the encryption/decryption only at the request of signed binaries) but at this scale I don't know if the TPM can keep up or if doing it all on one closed system is enough of a safeguard. Would security go up by having one hardened database server and one hardened decrypt server in different auth realms, or would it go down since the attack surface is larger?

Comment Re:income data? (Score 1) 223

Marketing demographic information, most likely. It doesn't say how accurate that portion of the data is, or what its source is.

Like many companies, my company has various methods by which we obtain leads. We automatically run every lead through a service to obtain demographic information about the email address that can tell us household size, residence value, own or rent, income, education level, field of employment, interests, age, etc. All those go towards scoring the lead as it relates to our target market.

While a data breach is a data breach, if it's somewhat public information or otherwise readily available from any number of other sources it's not like the damage from having income information is catastrophic.

In this case, it was one less step the miscreants have to go through to grade each record set for sale on the black market. No doubt they are going to (or already have) sort by income descending, break them into nice 100 ID chunks, and sell them to the highest bidder.

Comment Re:That's why nobody sensible wants them (Score 1) 223

PII should be classified based on sensitivity. At a certain level, that PII must be encrypted during transit. At the highest level, it must be encrypted during transit and at rest. SSN falls in the highest sensitivity level. SOP for years. This doesn't guarantee you won't get hacked, but it reduces / minimizes the impact if you are hacked.

PII - Personally Identifiable Information
SSN - Social Security Number
SOP - Standard Operating Procedure

Out of curiosity, since you are familiar with the subject, where is the acceptable place to keep the encryption key? During a compromise it doesn't do much good when it's on or near the same server as the DB with the data. Two servers, with two distinct access control credentials?
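As an added illustration of the "two servers, two distinct credentials" layout asked about here and weighed in the earlier "hardened database server and hardened decrypt server in different auth realms" comment, the following is example code written for this page, not code from any of the commenters. It models envelope encryption: the DB host keeps only ciphertext plus a per-record data key that is itself encrypted (wrapped) by a key-encryption key held on a separate key service. The key service, the credential string "db-host-cred", the record ID and the sample SSN are all constructed for the example; a real deployment would put the key service behind mTLS or an HSM/TPM rather than a Go struct in the same process.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||AES-256-GCM ciphertext; open reverses it.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// KeyService stands in for the separate "decrypt server" in its own auth realm.
// It holds the key-encryption key (KEK) and never hands it out; callers present
// a credential and get a per-record data key wrapped or unwrapped.
type KeyService struct {
	kek     []byte
	allowed map[string]bool // credentials currently permitted to call in
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek, allowed: map[string]bool{}}, nil
}

func (ks *KeyService) Grant(cred string)  { ks.allowed[cred] = true }
func (ks *KeyService) Revoke(cred string) { delete(ks.allowed, cred) }

func (ks *KeyService) Wrap(cred string, dek []byte) ([]byte, error) {
	if !ks.allowed[cred] {
		return nil, errors.New("key service: unauthorized")
	}
	return seal(ks.kek, dek)
}

func (ks *KeyService) Unwrap(cred string, wrapped []byte) ([]byte, error) {
	if !ks.allowed[cred] {
		return nil, errors.New("key service: unauthorized")
	}
	return open(ks.kek, wrapped)
}

// Record is everything the DB host persists for one sensitive field.
// Neither part is usable without a live call to the key service.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// DataServer is the DB host: it holds its own credential, never the KEK,
// and holds a plaintext data key only for the duration of one call.
type DataServer struct {
	ks   *KeyService
	cred string
	db   map[string]Record
}

func NewDataServer(ks *KeyService, cred string) *DataServer {
	return &DataServer{ks: ks, cred: cred, db: map[string]Record{}}
}

func (ds *DataServer) Store(id string, plaintext []byte) error {
	dek := make([]byte, 32) // fresh data key per record
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return err
	}
	wrapped, err := ds.ks.Wrap(ds.cred, dek)
	if err != nil {
		return err
	}
	ds.db[id] = Record{WrappedDEK: wrapped, Ciphertext: ct}
	return nil // dek is dropped here; nothing on this host can reopen ct alone
}

func (ds *DataServer) Fetch(id string) ([]byte, error) {
	rec, ok := ds.db[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	dek, err := ds.ks.Unwrap(ds.cred, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// Dump models an attacker copying everything persisted on the DB host.
func (ds *DataServer) Dump() []byte {
	var out []byte
	for _, r := range ds.db {
		out = append(out, r.WrappedDEK...)
		out = append(out, r.Ciphertext...)
	}
	return out
}

func main() {
	ks, _ := NewKeyService()
	ks.Grant("db-host-cred") // hypothetical credential for this example
	ds := NewDataServer(ks, "db-host-cred")
	ssn := []byte("123-45-6789") // constructed sample value, not real data
	_ = ds.Store("cust-1", ssn)
	fmt.Println("dump contains plaintext:", bytes.Contains(ds.Dump(), ssn))
	got, err := ds.Fetch("cust-1")
	fmt.Printf("fetch: %s (err=%v)\n", got, err)
	ks.Revoke("db-host-cred") // incident response: cut the compromised host off
	_, err = ds.Fetch("cust-1")
	fmt.Println("after revoke:", err)
}
```

The point the split buys you is visible in the last three lines: a copy of the DB host's storage contains no plaintext and no usable key, and revoking the host's credential at the key service stops further decryption without re-encrypting the data. The caveat raised in the thread still stands: while the credential is valid, an attacker with code execution on the DB host can decrypt records one request at a time, so the key service needs independent authentication, rate limiting and audit logging to be worth its larger attack surface.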

Comment Re:Yes meanwhile.. (Score 1) 167

My Nexus 7 2012 has been unusably slow since upgrading to 5.0 and 5.0.2 isn't much better. The web browser is useless. Granted, I have a lot of apps loaded, but it was far better with KitKat compared to Lollipop. It looks like the biggest culprit is Google Mail since I have several accounts with a LOT of email.

It's annoying but doing a full reset (via the bootloader menus) helped my 2012 N7 to run great again with 5.0. I realized how few apps I actually needed to make good use of it, too. Battery life is still subpar, but it's almost 3 years old at this point so I don't expect it to be fresh as a daisy.

Comment Re:So, Staples Is Evil? (Score 1) 105

If you had clicked the "show more" button you would have gotten to:

enormity
/iˈnôrmədē/
noun
noun: enormity; plural noun: enormities
1.
the great or extreme scale, seriousness, or extent of something perceived as bad or morally wrong.
"a thorough search disclosed the full enormity of the crime"
(in neutral use) the large size or scale of something.
"I began to get a sense of the enormity of the task"
synonyms: immensity, hugeness; More

Comment Re:Speaking of mistakes (Score 2) 425

Using a code to crawl for uses of "comprised of" throughout all of Wiki's articles

Wikipedia is not "Wiki." Wikipedia is a wiki. There are many wikis in the world, and they are not all Wikipedia. Wikipedia is the publication, and wiki is the medium. "All of Wiki's articles" is like saying "All of Newspaper's articles."

Maybe I can get away with this offtopic pedantic comment since this whole article is about a guy spending years trying to fix small errors. :)

To be completely pedantic, you don't actually know that he confined his search to just Wikipedia. The article revolves around Wikipedia but he might be crusading across the entire internet, for all you know. Many other Wiki systems allow user contributions just like Wikipedia.

Comment Re:We the Government (Score 1) 204

Business must be allowed perfect freedom.

Yes, just like the rest of us.

All other freedoms are coincidental.

No one's freedom is impeded by the prohibition for governments to compete with private interests. What we are talking about is not a bunch of people getting together to run cables. No — the talk is of coercing — at gun point (as all taxes are collected) — all of the town's residents (whether they want it or not) to pay for some Common Good[TM]. And that shall not be allowed to stand — not in a country that calls itself free.

You are completely right that governments (big or small) shouldn't be in the business of indiscriminately creating arms that provide services at or near the level of existing commercial interests. However, if the US isn't a good example of freedom at work when we have bulk taxation for education, all manner of safety services, roads, waste removal, parks, etc. after citizens all agreed that it was indeed a common good, then I want no part of what you do think a good example of freedom is. You might be interested in relocating to Freedom-rich Libya. Now with fewer taxes, and you can't even tell the government is there at all!

Comment Re:We the Government (Score 1) 204

Oh I see, government itself is the enemy of freedom!

Since the government hires the people to ... monitor cellphone calls, use radars to search people's homes, put people in prison, etc, ... I'd say you already know the answer.

If there were no government and no taxes we would all be perfectly free!

Artificial dichotomy. Too much water, you die. Too little water, you die. Just the right amount of water -- you die from something else. Too much government, you lose freedoms. Too little government, you have the ultimate freedom to protect your own freedom. Just the right amount of government -- they don't take away freedoms arbitrarily and don't let others do so, either.

Government that competes using taxpayer dollars with existing corporations just because some people don't like the customer service they're getting is the wrong level of government. If there are so many people wanting another provider, another company would show up and eat the existing one's lunch. That doesn't happen. Hmmmm.

Maybe if you use the word freedom a few dozen more times it will all work itself out? You have arrived at the point where your awareness of the situation ends. "Another company" can't show up since many municipalities have incumbent agreements that specifically *forbid* anyone from competing with the cable or phone company that first installed infrastructure. Who thought of those laws? It wasn't the will of the people, not by a last mile, but I will give you one guess as to who did. There is such a terrifying patchwork of local laws surrounding utility construction and availability that no company large enough to pull it off would ever want that kind of risk (until Google showed up, but at their current buildout rate they are still about 1400 years from offering service to a substantial portion of the US).

Comment Re:Government Intervention (Score 1) 495

Actually, Google has shown that you need to have deep pockets to get over incumbent efforts to keep you out. Many municipal broadband efforts have fizzled because the incumbents muscled them out (sometimes without even serving the area that the municipal broadband network would have covered).

Muni broadband runs into funding problems from conservative officials who don't want to throw taxpayer money at the problem (I'm not taking sides, that's just how it is) and private broadband runs into pole attachment problems where incumbent exclusivity agreements exist with a muni. Same set of officials, but a completely different direction to pull them in. Google is making it look pretty easy, but then again they are throwing billions of dollars at it.

Comment Re:Government Intervention (Score 3, Insightful) 495

A market where utilities have government-mandated monopolies is not free.

Google is demonstrating that there isn't a mandated communications monopoly per se, but just an extremely high barrier to entry and some incumbent legislation that moves out of the way as soon as enough people are teased with hyperfast internet hookups.

Comment Your standards were low. Soooooo low. (Score 1) 495

The mid-'90s was when modem technology still hadn't caught up to the phone line standards that were deployed far and wide across the US. Sure, you could get a nice solid 14400 or 28800 (if you were living high on the hog) and have lightning-fast IRC sessions. A few years later, you would be connecting at 31200 and bitching that you can't get a 56k handshake in your neck of the woods (as distance to the local CO and quality of lines really started to matter) and a few years after that you would have been bitching that no cable or telephone company wanted to bother spending $1M+ rolling out to a tiny town to try to grab a few hundred customers paying $40/mo for 1Mbit broadband. Meanwhile, those who did live in urban/suburban areas were being "treated" to broadband from the phone company and the cable company, neither of which was really prepared to deal with thousands of customers with 3Mbit+ connections all trying to pirate music. So, service "upgrades" were nonexistent as all the providers played catchup with customer demand for about 10 years.

And then, as if by some dark magic, wireless operators started rolling out handsets that could best all but the fastest wired connections (50Mbit+ coverage for 90% of the US pop). What a strange land we live in.
