
Comment Re:"encrypted" my ass (Score 1) 51

I agree with your final conclusion that they're screwed, but your understanding of encryption and software is a little off.

And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy.

Assuming that they are using widespread password encryption practices (i.e. only storing a salted, hashed version of the password) then they never convert the encrypted data back into plain text for authentication. Instead, they salt/hash the password that the user has entered using cryptographically strong but publicly known algorithms (no secret keys) and compare the result to what is in the database. Brute-force or dictionary attacks can be used against this, but there is no such thing as a decryption key that can reverse a hash operation.

Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

I disagree that their encryption scheme would be unsophisticated for the reasons you provide. Applications do not typically examine the password field on a substantial portion of database calls. Applications do typically use strong cryptography during authentication calls and the overhead is not prohibitive. If they are using XOR to encrypt passwords, it is not for technical reasons.
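As an added illustration of the distinction this reply draws (example code, not part of the thread): a single-XOR "encryption" that anyone holding the site-wide key can undo, beside a salted, iterated hash that is recomputed and compared rather than decrypted. The PBKDF2 iteration count and the sample password and key are assumed values constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- Scheme 1: the kind of "encryption" the parent post suspects ---
# A single XOR against a stored key. Whoever can read the key (billing code,
# a support tool, or an attacker holding the database dump) recovers every
# password in one pass, because XOR is its own inverse.
def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))

def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_encrypt(ciphertext, key)

# --- Scheme 2: salted, iterated hashing (the "widespread practice") ---
# The database holds (salt, digest). No key exists anywhere, so nothing can
# turn the digest back into the password; verification recomputes the digest
# from the candidate and compares the two.
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo

def make_password_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh random salt per user means
    identical passwords produce different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(candidate: str, record: Tuple[bytes, bytes]) -> bool:
    """Authenticate without ever decrypting: hash the candidate with the stored
    salt and compare in constant time."""
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    password, key = b"hunter2", b"sitewide-key"
    ct = xor_encrypt(password, key)
    print("XOR: reversible with the key ->", xor_decrypt(ct, key))

    record = make_password_record("hunter2")
    print("hash: correct password verifies ->", verify_password("hunter2", record))
    print("hash: wrong password rejected   ->", verify_password("Hunter2", record))
```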

Comment Re:PCI-DSS expert (Score 1) 645

When you are talking about 77 million people, you will have thousands of people with their credit card data already compromised for various common reasons, but they will blame this Sony breach for their problem rather than admitting that maybe their local bartender learned to write or that their personal data has already been for sale for years. Unless it is found that Sony was storing unencrypted credit card numbers or that their encryption keys were compromised, the number of people reporting unauthorized transactions from a sample size that large doesn't mean much.

Comment PCI-DSS expert (Score 1) 645

Sorry for being a few days late, but I noticed a schism between those who know PCI-DSS and those who don't. I won't insult you with the obvious things you can search online, but the basic idea is that if you are storing credit card info, you have to encrypt it strongly and keep the keys safe. As I implement PCI-DSS for a living, I would bet that somebody definitely had access to (but might not have found) encrypted credit card data, and since Sony can't be sure who it was they had to cautiously tell everyone about the worst case scenario. Since the only true protection in today's encryption is time, just change your password and credit card number today (I know it sucks), and you will be safe for now. - j

Comment balance (Score 1) 417

In response to those quoting studies recommending complete tech abstinence, I respect your goals and welcome your information. However, as with many things, while fools should abstain, some can use wisely. My 1-year-old spends most of her time playing with peers, playing with toys, and acting silly. In small doses we count, write, play music, read, use laptops, stargaze, philosophize (yesterday she suggested that wild animals might move into barns if we offered them noodles), and I am constantly amazed at her. Her IQ is off the charts, she is already in age-3 classes, and while we can debate whether technology helped or hindered, my deep opinion is that everything I expose her to increases her sense of wonder, and that is what is giving her this wonderful momentum. If you just shove a computer in a kid's face and walk away, you're likely doing it wrong.

Comment music options (Score 1) 417

My 22-month-old mostly plays with physical toys, but after seeing her love banging on a piano, I decided to let her play with my MIDI controllers (supervised, no liquids). I will load up a virtual synth, put on an arpeggiator sometimes so she can make more structured sounds, or put on a drum kit, and then she'll go wild on the keyboards/drumpads. You can find used MIDI gear dirt cheap, especially if a few keys are broken (a toddler won't mind). She also has figured out the controls for VLC (video player) on her own. If you have gear that you don't mind breaking, you'll be amazed what they figure out so young. Just be sure to spend way more time outside than inside and they should be fine. She also likes to play with touchscreen drawing apps on my droid, but she has even dialed 911 by accident, so I can't recommend it without constant supervision.

Comment Doubtful claim, but is China really the source? (Score 1) 507

What is more likely:
1. China is conducting military hacking activities against allies in such a way that will attract negative attention.
2. China has a lot of easy-to-hack computers that more sophisticated non-Chinese hackers are using as relays for their own hacking.

Perhaps it is both, but I would bet that there is a whole lot of #2 going on.
