Comment Re:Steve Jobs set the standard... (Score 1) 262
Monty Python did it.
"FIVE Four Three Two ONE!"
Monty Python did it.
"FIVE Four Three Two ONE!"
No, the SSN is on the tax return or form, still highly insecure. The data associated with the SSN in the IRS DB is linked to the hashed SSN.
So unless someone actually has the tax form (trivial for a few forms, difficult for massive amounts of forms) they cannot associate you with your SSN or your tax data. A corrupt IRS employee (and there are many) can easily enter one SSN into their application and get all your tax & income data. But they can't download EVERYONE's data easily.
We're talking about remedies to large data breaches here, not single experiences. Yes, your data is at risk while your tax form is in the mail or in the hands of an IRS employee, but as soon as it goes into the DB the associative data should be hashed. You don't eliminate breaches this way, you make them easier to deal with.
BUT you can change the salt, or the hashing algorithm, in case of a breach. You don't have to replace all the CCs, just send out a new salt to the machines. Now the data lost in the breach is useless.
It's not foolproof, but it is easy to fix a breach. If your CC database gets hacked, you re-hash with a different salt and then send the new salt to the pre-processors, so the hash they send you is now completely different. That way you have effectively changed everyones CC # a lot quicker and easier than sending everyone a new card. If fact, regular re-hashing should be a standard in the CC industry. You keep the same card and card number but the number in the DB will change regularly.
I've actually used a system like this for processing financial data (not CC data) to keep the data associating account numbers with passwords as difficult as possible to breach. Both the account number and password are hashed. We would change the salts at the broker end every 3 to 5 weeks and keep a record of the past two salts in case some broker equipment didn't get the last update. So if our DB got hacked we didn't have to make everyone change their password or account number.
As far as I know they are still using that system.
Surprisingly enough, I used to work at the IRS and still have many friends who do.
We could hash all SSN/EIN data at the IRS and just deal with hashes, but the entrenched management there still does everything the old way. Why can't the EDI transaction just hash the SSN and have the IRS compare the hashes at the IRS end? Because the highly political management is too stupid to understand this.
There are many reasons I have left cushy gov't jobs, the lack of technological understanding by the higher ups is just one of them. The Peter Principle is in full force if you work in government.
Ideally, the payment processor is the only one who has the hash, the merchant passes the hash they made from customer data on to the processor.
The payment processor doesn't even need to have the CC#. They just need the hash.
No, passwords, SSNs, PINs and Credit Card numbers should be hashed before inserting into any table. There is NO reason for anyone to save that data unhashed.
To compare data, just hash what the customer enters and compare the hashes. Why is this so hard for 99.9% of companies to understand?
Unfortunately, lane keeping and distance keeping are skills that elude a lot of drivers.
And you can keep the pots and pans clean!
Yeah, screw all those farmers and ranchers and small town folks! They only provide all our food and stuff, why do they need movies?
News flash: Internet speeds more than a few miles from urban development usually suck donkey balls.
Sure, and have Spider man trying to kick your ass all the time?
I see that the kids at MIT have read their Niven.
I actually had a business called "rent a nerd" in the early 90's when I was in my mid 20's and in great shape. I got lots of repeat calls from lonely divorced women to fix very simple "problems" with their computers. e.g. Problem: "My screen is blank!" Solution: "Turn up the brightness knob" | Problem: "My software won't load!" Solution: "You have to run the install.exe program, not the readme.txt"
If I hadn't had a girlfriend and/or a conscience at the time I would have made even more money. I did get a lot of free sandwiches & beverages, and got to see a lot of low-neckline shirts.
Especially David St. Hubbins.
I bought a "Kick the Cheat" for my wife when they first came out.
It was amazing fun to kick while the batteries lasted. The Cheat would yell and curse when you kicked it across the room.
You're at Witt's End.