The Danger of Algorithms
Steve Jones
Comments posted to this topic are about the item The Danger of Algorithms

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
blandry
If codes and algorithms can be created, they can be reverse engineered. We need to recognize there is no perfectly secure method, and never will be.

As well, though we might be savvy computer users, we must recognize that most of the computing public is not. I will wager there are more users who simply and mindlessly hand out their SSN to web sites than there are those whose SSN is "figured out" by some algorithm.

Though not a solution, I personally would like to see better enforcement of existing laws. If the US extradites people around the world for drug dealing and this kind of thing, why not for computer scams? If someone in this country can go to jail for 10 to 20 years for buying a bag of pot, why do we simply slap the wrists of those who steal data and run scams? Although I don't advocate drug use, surely computer scammers are doing far more damage than pot-smokers!

As a person who has had two credit card ripoffs in this lifetime, I don't have as much faith as you in banks - again, they are not 100% secure - nothing is - hence, I tend to think tougher and more strict enforcement is a better answer.

When you try to outsmart Hackers, you simply challenge them to work harder. When you throw a Hacker in jail for a few years without a computer, well... which would you choose?

There's no such thing as dumb questions, only poorly thought-out answers...
roger.plowman
"Credit card companies, banks, and other institutions often have complex rules for how they handle and process data. I think this more of their secure methods of handling data should be published and taught so that other companies can better learn how to build more secure applications."

Um, no. Just no.

Banks and credit card companies (Visa, I'm looking at you) have elaborate rules for managing all sorts of things--and believe me you can drive a truck through some of the security holes in their procedures. Don't get me wrong, they *try*. But they have fundamental issues when deciding how to make things secure.

Let's take the SSN for example. The problem is it's being used incorrectly. It's *supposed* to identify you to the Social Security Office, and it's supposed to be used to track income (for the Social Security Office). That's all well and good.

The problem comes from using it as a "secret decoder ring ID". :p

That's just stupid, from a security standpoint. You have a critical identification ID that is *also* being used as a password. How does that make any sense? The SSN's dual role lies at the heart of most kinds of identity theft. Why does a credit reporting bureau need your SSN? I mean, think about it. Are they reporting your income to the Social Security Office? No? Then they shouldn't use it!

The problem isn't just SSN related. It's the underlying assumption that only the person themselves know certain information and that that information can therefore be used to authenticate the person is who they say they are. This idea is deeply broken. Yet it makes intuitive sense so people keep doing it. *facepalm*

Two-factor ID is better, but still not perfect. People forget passwords, they lose token generators. Biometrics are just as broken as SSN and other "secret" info. Worse, you can't change your fingerprints once they've been used for ID theft.

Banks and Visa do not have a clue. They pretend otherwise, but having worked with Visa PCI security standards I can tell you they're a bad joke. The very complexity of the schemes often leaves lots of room to hide bad actors and their actions. If you doubt me just look at all the data breaches Visa's had to deal with. It all comes down to using a flawed idea as the basis for security.

So please don't hold the banks and credit card companies up as shining examples of How It Should Be Done.

I may not know a better way, but I can see a swiss cheese defense when confronted with it.
Cade Roux
The fundamental problems are that there is not a unique identifier for a person (US citizen or not) (whether accurate or not), nor is there a universal way to authenticate identity (whether accurate or not).

It's clear that many government and private entities started to piggyback on a system which started to be universal in the US - the Social Security System - and was a tempting and good candidate to base their person identification on. It was obviously a poor choice in hindsight.

I'm not sure that a universal system can come into being any time soon, with issues of civil liberty and privacy always waiting to come into play. Faced with that, there will continue to be a hodge-podge of systems for the foreseeable future. Each will have to address the risks and security necessary for their applications.

I also don't think that looking at banking/credit cards for security is a panacea, but their successes and failures can be educational.

There is not really a single concept of "security". Security is a process as well as an actor in a set of tradeoffs with functionality. It is true that a secure (to some level on some scale) system which also is usable (to some level on some scale) and functional (to some level on some scale) is not always possible.
GSquared
Think it's interesting now? The current national health care bill in the US House includes a mandatory National Health ID, and the federal government is supposed to have real-time access to personal financial data in order to verify insurance data. Issues with SSNs are going to be nothing compared to that, if it goes through.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Steve Jones
The idea of a system to uniquely identify people is both scary and comforting. I get mistaken for other people regularly, so I'd like to differentiate. However, I also like my privacy. We need a double-blind way to verify things somehow. Let them verify without details.

As far as banks and VISA go, they do make mistakes, but they also have procedures and ideas about security. They get attacked, and maybe if they had to disclose more, we would all have more of an idea what does and does not work. Maybe they could disclose changes after 1 year so we'd know the problems with the old system?

It's a strange balance.

And I agree with blandry. We need to enforce laws, not just make more of them.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Robert Domitz
The problem, in this particular case, is that the Social Security number was never designed to be a secure identifier. It was designed just to disambiguate "John Smith" of 10th St., MyTown, from "John Smith" of 12th St., MyTown. By assigning an account number to each covered worker, they could easily do this.

Unfortunately, since the 1950's, the SSN has been massively misused. Some people believe it uniquely identifies an individual, but the reality is that it does not. Both the Social Security Administration and the Internal Revenue Service use the SSN plus part of the person's name to uniquely identify an individual. Also, many schools, courts, local governments and the US Military used the SSN as an ID number, frequently PUBLISHING it in various documents, many of which are now available on-line.

We need to get back to the basic use - identifying a person to the Federal government. All other uses should be outlawed, with significant penalties imposed. Absolutely FORBID financial institutions from using the SSN for any purpose other than IRS filings.

I believe this is the only way to prevent the SSN from being further misused.
jcrawf02
Agree with the group, SSN misuse and abuse is a huge problem. University I attended used it for student IDs on everything, so I just assume that someday I'll be screwed.

---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table:What it is and how it replaces a loop

"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
GSquared
I recently read an interesting argument in favor of publishing all SSNs publicly, and removing them from all security systems. Not sure I agree, but it should be considered.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
MattKent
Convenience and Security do not go hand in hand. Convenience is having a single universal number for identifying and tracking a person. Security demands that we have multiple numbers for each type of information source and no direct links between them. Unfortunately any single number that is linked to all of a person's data, no matter how many bits are associated with that number, is a point of vulnerability. If you have a sequence of numbers and I manage to break one of them, I should only be able to access one part of your information, not use it to access all.

Recently my mother had charges made to all of her credit cards, one of which she hasn't used in over a year. She checked they were all in the drawer where she always kept them (she only carries one). This indicates a hack, and a pretty good one, since the one card she never uses has never been used in an online transaction. Visa and Mastercard told her point blank they had no idea what to do. They just sold her credit protection and went on their merry way.