
Comment: Re:What is the advantage of hashing? (Score 1) 127

by sgifford (#39570371) Attached to: FTC Fines RockYou $250,000 For Storing User Data In Plain Text

The advantage is that many people use the same password on multiple systems, so revealing a plaintext password to, say, Slashdot may also reveal your bank password. A hashed password can't be used to directly log into another account, though it can be cracked by a determined attacker if the password is simple. A salted and hashed password vastly increases the time required for an attacker to crack a hashed password, to the point where it is infeasible unless the password is very simple.

Of course everybody knows (or should know) that using the same password for Slashdot and your bank is a bad idea (you could have a bank support rep using up your precious karma!), but it is still very common, and it's irresponsible for a developer to expose their users' passwords if they have made this common mistake.
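The difference the comment draws between a plain hash and a salted, iterated hash is easy to see in code. The following is an added example, not code from the comment or from Slashdot; it uses only the Go standard library, picks PBKDF2-HMAC-SHA256 as the slow hash (implemented by hand so no third-party package is needed), and the record format `pbkdf2-sha256$iterations$salt$hash`, the 100,000 iteration count and the sample password list are all assumptions made here for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Iteration count chosen for this demo; deployments tune it to their hardware.
const demoIterations = 100_000

// UnsaltedHash is the weak scheme: equal passwords give equal digests, so one
// precomputed table of common passwords breaks every account that uses them.
func UnsaltedHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// PBKDF2SHA256 derives one 32-byte block as in RFC 8018 section 5.2:
// U1 = HMAC(P, S || 0x00000001), Uj = HMAC(P, Uj-1), T = U1 xor ... xor Uc.
// Every iteration costs an attacker one more HMAC per guess per user.
func PBKDF2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// HashPassword draws a fresh 16-byte random salt per user and returns a
// self-describing record: pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := PBKDF2SHA256([]byte(password), salt, demoIterations)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s",
		demoIterations, hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword re-derives the key with the salt and iteration count stored
// in the record and compares in constant time; a malformed record simply fails.
func VerifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false
	}
	salt, err1 := hex.DecodeString(parts[2])
	want, err2 := hex.DecodeString(parts[3])
	if err1 != nil || err2 != nil {
		return false
	}
	got := PBKDF2SHA256([]byte(password), salt, iterations)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// LookupTable models an attacker's precomputed dictionary of unsalted digests;
// it returns the matching password or "" when the digest is not in the table.
func LookupTable(table map[string]string, digest string) string {
	return table[digest]
}

func main() {
	// Constructed sample data: a tiny dictionary and two users sharing a weak password.
	table := map[string]string{}
	for _, p := range []string{"123456", "password", "letmein", "qwerty"} {
		table[UnsaltedHash(p)] = p
	}
	weak := "letmein"
	fmt.Println("unsalted digest cracked by table:", LookupTable(table, UnsaltedHash(weak)))
	alice, _ := HashPassword(weak)
	bob, _ := HashPassword(weak)
	fmt.Println("alice:", alice)
	fmt.Println("bob:  ", bob) // same password, different salt, different record
	fmt.Println("salted hash found in table:", LookupTable(table, strings.Split(alice, "$")[3]) != "")
	fmt.Println("verify right/wrong:", VerifyPassword(alice, weak), VerifyPassword(alice, "letmein1"))
}
```

The unsalted digest of a shared password is a single lookup for anyone holding a dictionary table, while the two salted records for the same password differ and each one has to be attacked separately at the full iteration cost; storing the iteration count in the record lets a site raise it later and re-hash users on their next login.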

Comment: Re:Common/best practices for personal data (Score 1) 127

by sgifford (#39570309) Attached to: FTC Fines RockYou $250,000 For Storing User Data In Plain Text

RAM of a running process is accessible to root via the debugger, so it doesn't really provide better security than a file only root can read, although it may slow an attacker down a bit or foil a dim-witted attacker. As others have mentioned, there is also some systems management difficulty if services do not function until a password is entered into them.

At any rate, lots of interesting schemes are possible, but I was wondering if any of them were in wide use?

Thanks,

------Scott.

Comment: Common/best practices for personal data (Score 1) 127

by sgifford (#39568455) Attached to: FTC Fines RockYou $250,000 For Storing User Data In Plain Text

Most applications I've worked with have stored passwords hashed and salted and stored credit card data offsite or not at all, but have kept other sorts of personal data (address, phone, etc.) in the database in plaintext.

I've always reasoned that encrypting the data is of little value, since the decryption keys would have to be on the server, and a server compromise would give the keys along with the data. This case is interesting though, since it seems only the database was compromised, so encrypted data in the database with keys outside of the database would have provided some protection.

I can come up with lots of simple schemes for encrypting personal data in the database, but what I'm wondering is, how is this typically handled? Is it common to encrypt this sort of data? If so using what techniques for encryption and key management? Are there some well-known best practices that I haven't come across?

Thanks!

----Scott.
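The arrangement the comment reasons about, encrypted columns in the database with the key held outside it, looks like this in practice. This is an added example in Go, not code from the poster or from any named project; the `Record` layout, the phone column as the protected field, the AES-GCM choice and the key being a constructed in-memory value (standing in for an environment variable or secrets manager) are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one row as it sits in the database: the phone column holds
// nonce || AES-GCM ciphertext, and the key needed to read it is never stored
// in the row or anywhere else in the database.
type Record struct {
	UserID int
	Email  string // left in plaintext here because it is used for lookup
	Phone  []byte
}

// ColumnCipher wraps the data-encryption key loaded from outside the database
// (environment, secrets manager, HSM; a constructed key in this demo).
type ColumnCipher struct {
	aead cipher.AEAD
}

func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// Seal encrypts one column value with a fresh random nonce. The user id is
// bound as additional authenticated data, so a ciphertext copied from one
// row into another fails to decrypt instead of leaking a different user's value.
func (c *ColumnCipher) Seal(userID int, plaintext string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(fmt.Sprintf("user:%d", userID))
	return c.aead.Seal(nonce, nonce, []byte(plaintext), aad), nil
}

// Open reverses Seal; any modification of nonce, ciphertext or row binding
// is reported as an error by GCM's authentication tag.
func (c *ColumnCipher) Open(userID int, stored []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(stored) < n {
		return "", fmt.Errorf("stored value shorter than nonce")
	}
	aad := []byte(fmt.Sprintf("user:%d", userID))
	pt, err := c.aead.Open(nil, stored[:n], stored[n:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpContainsPlaintext models what an attacker holding only the database
// sees: a dump of every row, searched for the secret as text or as hex.
func DumpContainsPlaintext(rows []Record, secret string) bool {
	var dump strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&dump, "%d|%s|%s\n", r.UserID, r.Email, hex.EncodeToString(r.Phone))
	}
	d := dump.String()
	return strings.Contains(d, secret) || strings.Contains(d, hex.EncodeToString([]byte(secret)))
}

func main() {
	// Constructed key and row; in a deployment the key comes from outside the database.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := NewColumnCipher(key)
	phone := "+1-555-0100"
	sealed, _ := c.Seal(7, phone)
	rows := []Record{{UserID: 7, Email: "alice@example.com", Phone: sealed}}
	fmt.Println("phone visible in a database dump:", DumpContainsPlaintext(rows, phone))
	pt, err := c.Open(7, rows[0].Phone)
	fmt.Println("application holding the key reads:", pt, err)
	_, err = c.Open(8, rows[0].Phone) // same ciphertext moved to another row
	fmt.Println("ciphertext moved to another row:", err)
	other, _ := NewColumnCipher(make([]byte, 32))
	_, err = other.Open(7, rows[0].Phone)
	fmt.Println("wrong key:", err)
}
```

A database-only compromise, which is the case the comment describes, yields ciphertext that cannot be read or silently altered without the key; a full server compromise that also captures the key still exposes everything, which is the limit the comment already points out, and the usual answer to that is to keep the key in a separate service or hardware module and have the application request decryptions rather than hold the raw key.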


IT Worker's Revenge Lands Her In Jail 347

Posted by samzenpus
from the bad-idea dept.
aesoteric writes "A 30-year-old IT worker at a Florida-based health centre was this week sentenced to 19 months in a US federal prison for hacking, and then locking, her former employer's IT systems. Four days after being fired from the Suncoast Community Health Centers for insubordination, Patricia Marie Fowler exacted her revenge by hacking the centre's systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff."
Beware of Photo Printing at Walmart Canada

Submitted by dpolak
dpolak (711584) writes "I recently discovered that if you use Walmart's Canadian digital photo services you release all rights to your photos. Under their terms of service:

You grant to Wal*Mart Canada Corp. a non-exclusive, royalty-free, perpetual, irrevocable, unrestricted, world-wide right and license to access, use, copy, reproduce, distribute, transmit, display, perform, communicate to the public, modify, adapt, publish, translate, create derivative works from, and otherwise use such Materials (in whole or in part) in connection with the Site and/or the Products, using any form, media or technology now known or later developed, without providing compensation to you or any other person, without any liability to you or any other person, and free from any obligation of confidence or other duties on the part of Wal*Mart, its affiliates and their respective licensees; Uploaders beware!"
