The Danger of Algorithms
Posted Sunday, July 26, 2009 10:33 AM
Comments posted to this topic are about the item The Danger of Algorithms
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #759784
Posted Monday, July 27, 2009 6:19 AM
If codes and algorithms can be created, they can be reverse engineered. We need to recognize there is no perfectly secure method, and never will be.

As well, though we might be savvy computer users, we must recognize that most of the computing public is not. I will wager there are more users who simply and mindlessly hand out their SSN to web sites than there are those whose SSN is "figured out" by some algorithm.

Though not a solution, I personally would like to see better enforcement of existing laws. If the US extradites people around the world for drug dealing and this kind of thing, why not for computer scams? If someone in this country can go to jail for 10 to 20 years for buying a bag of pot, why do we simply slap the wrists of those who steal data and run scams? Although I don't advocate drug use, surely computer scammers are doing far more damage than pot-smokers!

As a person who has had two credit card ripoffs in this lifetime, I don't have as much faith as you in banks - again, they are not 100% secure - nothing is - hence, I tend to think tougher and more strict enforcement is a better answer.

When you try to outsmart Hackers, you simply challenge them to work harder. When you throw a Hacker in jail for a few years without a computer, well... which would you choose?


There's no such thing as dumb questions, only poorly thought-out answers...
Post #759990
Posted Monday, July 27, 2009 6:32 AM
"Credit card companies, banks, and other institutions often have complex rules for how they handle and process data. I think this more of their secure methods of handling data should be published and taught so that other companies can better learn how to build more secure applications."

Um, no. Just no.

Banks and credit card companies (Visa, I'm looking at you) have elaborate rules for managing all sorts of things--and believe me you can drive a truck through some of the security holes in their procedures. Don't get me wrong, they *try*. But they have fundamental issues when deciding how to make things secure.

Let's take the SSN for example. The problem is it's being used incorrectly. It's *supposed* to identify you to the Social Security Office, and it's supposed to be used to track income (for the Social Security Office). That's all well and good.

The problem comes from using it as a "secret decoder ring ID". :p

That's just stupid, from a security standpoint. You have a critical identification ID that is *also* being used as a password. How does that make any sense? The SSN's dual role lies at the heart of most kinds of identity theft. Why does a credit reporting bureau need your SSN? I mean, think about it. Are they reporting your income to the Social Security Office? No? Then they shouldn't use it!

The problem isn't just SSN related. It's the underlying assumption that only the person themselves know certain information and that that information can therefore be used to authenticate the person is who they say they are. This idea is deeply broken. Yet it makes intuitive sense so people keep doing it. *facepalm*

Two factor ID is better, but still not perfect. People forget passwords, they lose token generators. Biometrics are just as broken as SSN and other "secret" info. Worse, you can't change your fingerprints once they've been used for ID theft.

Banks and Visa do not have a clue. They pretend otherwise, but having worked with Visa PCI security standards I can tell you they're a bad joke. The very complexity of the schemes often leaves lots of room to hide bad actors and their actions. If you doubt me just look at all the data breaches Visa's had to deal with. It all comes down to using a flawed idea as the basis for security.

So please don't hold the banks and credit card companies up as shining examples of How It Should Be Done.

I may not know a better way, but I can see a swiss cheese defense when confronted with it.
Post #759998
Posted Monday, July 27, 2009 8:23 AM
The fundamental problems are that there is not a unique identifier for a person (US citizen or not) (whether accurate or not), nor is there a universal way to authenticate identity (whether accurate or not).

It's clear that many government and private entities started to piggyback on a system which started to be universal in the US - the Social Security System - and which was a tempting and good candidate to base their person identification on. It was obviously a poor choice in hindsight.

I'm not sure that a universal system can come into being any time soon, with issues of civil liberty and privacy always waiting to come into play. Faced with that, there will continue to be a hodge-podge of systems for the foreseeable future. Each will have to address the risks and security necessary for their applications.

I also don't think that looking at banking/credit cards for security is a panacea, but their successes and failures can be educational.

There is not really a single concept of "security". Security is a process as well as an actor in a set of tradeoffs with functionality. It is true that a secure (to some level on some scale) system which also is usable (to some level on some scale) and functional (to some level on some scale) is not always possible.
Post #760104
Posted Monday, July 27, 2009 8:32 AM
Think it's interesting now? The current national health care bill in the US House includes a mandatory National Health ID, and the federal government is supposed to have real-time access to personal financial data in order to verify insurance data. Issues with SSNs are going to be nothing compared to that, if it goes through.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #760117
Posted Monday, July 27, 2009 8:44 AM
The idea of a system to uniquely identify people is both scary and comforting. I get mistaken for other people regularly, so I'd like to differentiate. However, I also like my privacy. We need a double-blind way to verify things somehow. Let them verify without details.

As far as banks and VISA. They do make mistakes, but they also have procedures and ideas about security. They get attacked, and maybe if they had to disclose more, we would all have more of an idea what does and does not work. Maybe they could disclose changes after 1 year so we'd know the problems with the old system?

It's a strange balance.

And I agree with blandry. We need to enforce laws, not just make more of them.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #760136
Posted Monday, July 27, 2009 9:15 AM
The problem, in this particular case, is that the Social Security number was never designed to be a secure identifier. It was designed just to disambiguate "John Smith" of 10th St., MyTown, from "John Smith" of 12th St., MyTown. By assigning an account number to each covered worker, they could easily do this.

Unfortunately, since the 1950s, the SSN has been massively misused. Some people believe it uniquely identifies an individual, but the reality is that it does not. Both the Social Security Administration and the Internal Revenue Service use the SSN plus part of the person's name to uniquely identify an individual. Also, many schools, courts, local governments and the US Military used the SSN as an ID number, frequently PUBLISHING it in various documents, many of which are now available on-line.

We need to get back to the basic use - identifying a person to the Federal government. All other uses should be outlawed, with significant penalties imposed. Absolutely FORBID financial institutions from using the SSN for any purpose other than IRS filings.

I believe this is the only way to prevent the SSN from being further misused.

Post #760158
Posted Monday, July 27, 2009 9:47 AM
Agree with the group, SSN misuse and abuse is a huge problem. University I attended used it for student IDs on everything, so I just assume that someday I'll be screwed.

---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table:What it is and how it replaces a loop

"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
Post #760190
Posted Monday, July 27, 2009 9:58 AM
I recently read an interesting argument in favor of publishing all SSNs publicly, and removing them from all security systems. Not sure I agree, but it should be considered.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #760202
Posted Monday, July 27, 2009 10:18 AM
Convenience and Security do not go hand in hand. Convenience is having a single universal number for identifying and tracking a person. Security demands that we have multiple numbers for each type of information source and no direct links between them. Unfortunately any single number that is linked to all of a person's data, no matter how many bits are associated with that number, is a point of vulnerability. If you have a sequence of numbers and I manage to break one of them, I should only be able to access one part of your information, not use it to access all.

Recently my mother had charges made to all of her credit cards, one of which she hasn't used in over a year. She checked: they were all in the drawer where she always kept them (she only carries one). This indicates a hack, and a pretty good one, since the one card she never uses has never been used in an online transaction. Visa and Mastercard told her point blank they had no idea what to do. They just sold her credit protection and went on their merry way.
Post #760224
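Two ideas from this thread can be shown in working code: the compartmentalization the post above asks for (a separate, unlinked number for each information source, so breaking one exposes only one part) and the earlier point that an identifier must never double as a password, with the issuer "verifying without details". The following is an added example, not code from the thread; it uses keyed hashing (HMAC) to derive per-relying-party identifiers, and the issuer key, the master number and the relying-party names are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder for the issuer's secret. A real issuer would keep this
# key out of source (for example in an HSM); anyone holding it can link identifiers.
ISSUER_KEY = b"constructed-demo-issuer-key"


def party_identifier(master_id: str, relying_party: str, key: bytes = ISSUER_KEY) -> str:
    """Derive the identifier one relying party (school, credit bureau, insurer)
    receives for a person. The party name is mixed into the HMAC input, so the
    identifiers handed to different parties cannot be cross-linked, and without
    the key none of them can be turned back into the master number."""
    msg = relying_party.encode() + b"\x00" + master_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def issuer_confirms(relying_party: str, presented_id: str, master_id: str,
                    key: bytes = ISSUER_KEY) -> bool:
    """The 'verify without details' step. The issuer answers only yes or no to
    'is this the identifier I gave this party for this person?'. master_id comes
    from the issuer's own records after the person has authenticated to the
    issuer with a separate credential; the identifier itself is not a secret and
    proves nothing on its own. An identifier leaked from another party is
    rejected here, which is the compartmentalization the thread calls for."""
    expected = party_identifier(master_id, relying_party, key)
    return hmac.compare_digest(expected, presented_id)


def identifiers_are_unlinkable(master_id: str, parties: list) -> bool:
    """Check that each party receives a distinct identifier for the same person."""
    derived = {party_identifier(master_id, p) for p in parties}
    return len(derived) == len(parties)


if __name__ == "__main__":
    MASTER = "000-00-0000"  # constructed stand-in for an SSN-like master number
    bureau_id = party_identifier(MASTER, "credit-bureau")
    school_id = party_identifier(MASTER, "university")
    print("bureau:", bureau_id, "university:", school_id)
    # A breach at the bureau leaks bureau_id; replaying it at the university fails.
    print("replay at university:", issuer_confirms("university", bureau_id, MASTER))
```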