Linux Format forums Forum Index -> Off Topic

Websites with transparent security

leke, LXF regular (joined Mon Oct 22, 2007 6:45 pm; 503 posts; Oulu, Finland)
Posted: Mon Aug 13, 2012 4:38 pm    Post subject: Websites with transparent security

Should websites be legally required to be transparent about how they store their user data? I think it could improve the rather lax security some sites are still using nowadays, and force them to rethink by getting complaints from users in the know.
_________________
http://truecenterpublishing.com/zenstory/maybe.html
guy, LXF regular (joined Thu Apr 07, 2005 1:07 pm; 1071 posts; Worcestershire)
Posted: Mon Aug 13, 2012 8:23 pm    Post subject: Re: Websites with transparent security

leke wrote:
Should websites be legally required to be transparent about how they store their user data? I think it could improve the rather lax security some sites are still using nowadays, and force them to rethink by getting complaints from users in the know.

No. That's like a bank publishing where in the basement it keeps its strong boxes. It's an open invitation to thieves.

Privacy laws already require Tesco to keep your user data safe. If you think they are breaking the law, take it up with your MP - or, if you have evidence, take it to a solicitor who can advise you how to proceed without getting arrested for data theft.

Security through obscurity may be mostly bad for your software, but it is mostly good for your data.
_________________
Cheers,
Guy
The eternal help vampire
nelz, Site admin (joined Mon Apr 04, 2005 12:52 pm; 8457 posts; Warrington, UK)
Posted: Mon Aug 13, 2012 10:59 pm

Security through obscurity is never good, but the question was about how the data is stored, not where.

"Keep the algorithm open and the key secret". If data is stored using a proprietary system, how are we supposed to know it is secure? Not that forcing sites to publicise details of the strength of their security would do any good. All it would do is result in a pissing contest over how many more bits of security a site uses than its competitors. It would become a tool for marketing to the ignorant rather than a genuine statement of the relevant facts.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
Rhakios, Moderator (joined Thu Apr 07, 2005 12:18 am; 7628 posts; Midlands, UK)
Posted: Mon Aug 13, 2012 11:10 pm

And as Lloyds Bank and Jessica Harper have demonstrated for us recently, it doesn't matter how good your security is if it's exploited from the inside.
_________________
Bye, Rhakios
Debian Acolyte (joined Wed Jun 27, 2012 8:21 am; 25 posts; China)
Posted: Tue Aug 14, 2012 12:32 am    Post subject: Re: Websites with transparent security

leke wrote:
Should websites be legally required to be transparent about how they store their user data?

I may be a little cynical, but as far as I am concerned, how they store data is irrelevant. What is important is what information they store. The safest operating procedure is to assume that every site one visits stores users' details, either for their own purposes or to sell it to advertisers. The best way to be safe is to be very careful to whom one gives any information. They get my IP address when I visit, but if they want anything else, not just anyone gets it.

One also needs to be careful about what activities one conducts on-line. As one example, I never have, and never shall, use on-line banking. I do not care how good a bank claims their security is. Banking and purchasing transactions require broadcasting sensitive information. The bank or store one is buying from, and you, are not the only eyes on the internet.

In short: security is our responsibility. Use a little common sense, trust no one and always remember that there are no secrets when data is transmitted (broadcast) over the net.
_________________
Debian Stable
Openbox
Dutch_Master, LXF regular (joined Tue Mar 27, 2007 2:49 am; 2431 posts)
Posted: Tue Aug 14, 2012 3:36 am

^^^ HEAR HEAR!!!
towy71, Moderator (joined Wed Apr 06, 2005 3:11 pm; 4259 posts; wild West Wales)
Posted: Tue Aug 14, 2012 9:53 am

I have one credit card that is only for online use; I do not bank online. I wrote to my bank saying that I would use their online service if they used PGP; they wrote back asking what that was.
_________________
still looking for that door into summer
leke, LXF regular (joined Mon Oct 22, 2007 6:45 pm; 503 posts; Oulu, Finland)
Posted: Tue Aug 14, 2012 11:00 am

My bank issues us with a card containing key => values, so when we try to pay a bill we have to enter one from our issued card. It seems the system was recently open to trickery though. It looks like something was changing the account number on the bill upon submission. The guy didn't check the payee's account number on the returning SMS (SMS is only issued when suspicion arises) and sent his money to another account.
_________________
http://truecenterpublishing.com/zenstory/maybe.html
bobthebob1234, LXF regular (joined Thu Jan 03, 2008 9:38 pm; 1369 posts; A hole in a field)
Posted: Tue Aug 14, 2012 12:43 pm

towy71 and others wrote:
I do not bank online.

But you are missing all the fun! With one bank I use I have two passwords, and if I want to move money to anyone else I get a fancy call from an automated voice, which is all very exciting, and then I get texts and emails saying "are you sure"; then with another bank I have three passwords and a weird calculator thing. It's all great fun, and if you are a poor student like me you don't have much money for anyone to steal anyway!

And then I can tweet them when it all goes wrong*

* Thus revealing who I bank with to the world, in hopes that the spammers pick this up and send me phishing emails from the correct bank.
_________________
For certain you have to be lost to find the places that can't be found. Elseways, everyone would know where it was
Nuke, LXF regular (joined Wed Feb 09, 2011 12:11 pm; 217 posts; Chepstow, UK)
Posted: Tue Aug 14, 2012 1:49 pm    Post subject: Re: Websites with transparent security

Debian Acolyte wrote:
leke wrote:
Should websites be legally required to be transparent about how they store their user data?

I may be a little cynical, but as far as I am concerned, how they store data is irrelevant. What is important is what information they store.


No, Leke asked how they store it. What they store may (or may not) be more important, but that is a different question. There are things that you may have asked them to store such as your bank card details because you deal with them regularly. Maybe you don't yourself, but some of us do.

Debian Acolyte wrote:
I never have, and never shall, use on-line banking. I do not care how good a bank claims their security is. Banking and purchasing transactions require broadcasting sensitive information. The bank or store one is buying from, and you, are not the only eyes on the internet.

Without knowing much about it, I'm guessing that the bank's customer database is accessible from the internet anyway, even if your particular account is not flagged as activated for such use. They are hardly going to split their customer database into two parts just because some use Internet banking and some do not. So your not using it may not be such a good barrier as you thought it was.

Are there actually any cases of hackers getting into someone's bank account other than the owner being careless with their passwords or card details, or them being stolen?

Anyway, I do not think banks are much of a problem - they would fall over themselves to restore things as they would not want a public panic. Small merchants are a bigger threat - you know, the ones who see your credit or debit card every time you buy something.
_________________
Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?
Nuke, LXF regular (joined Wed Feb 09, 2011 12:11 pm; 217 posts; Chepstow, UK)
Posted: Tue Aug 14, 2012 2:08 pm

Another point is that I have bank accounts with more than one bank, and one account I run purely for potentially dodgy deals, such as buying things over the Internet. I do not keep much in it, have a deliberately low overdraft limit, and my income is not paid into it. Moreover, it would not inconvenience me to pick up the phone and shut it down if I had to.

So if an on-line merchant rooks me over it, then, like bobthebob1234 the poor student earlier here, I would not lose much even if the Bank stone-walled over it.

PS It is with First Direct. I only opened it because they said they would pay me 50 if I did. Having opened it, they also then sent me a crate of wine "in gratitude". I think they blundered into giving me two promotional gifts. Best business I ever did. Funny, they have this "Go ahead" image but they were one of the last banks to offer Internet Banking.

TSB (now Lloyds TSB) were much earlier, and I was told I was TSB's first on-line customer in SW England. It went through a special Windows app which I ran under OS/2. I was also told I was their only ever OS/2 customer (that they knew of, anyway).
_________________
Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?
guy, LXF regular (joined Thu Apr 07, 2005 1:07 pm; 1071 posts; Worcestershire)
Posted: Wed Aug 15, 2012 9:54 pm

nelz wrote:
Security through obscurity is never good
...
"Keep ... the key secret".


Isn't that a contradiction in terms? The purpose of needing a key is to provide obscurity.
_________________
Cheers,
Guy
The eternal help vampire
nelz, Site admin (joined Mon Apr 04, 2005 12:52 pm; 8457 posts; Warrington, UK)
Posted: Wed Aug 15, 2012 11:20 pm

How do you work that out? A great big locked door is not obscure; a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.

The point of that quote, which I first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
leke, LXF regular (joined Mon Oct 22, 2007 6:45 pm; 503 posts; Oulu, Finland)
Posted: Thu Aug 16, 2012 6:51 am

So let's take a real-life example. If LinkedIn had had a security page that published that user passwords were stored as unsalted MD5 hashes, do you think they would have become an obvious target for hackers (before they were hacked and the hashes obtained), or would you say they would have been bothered by their community to use a more secure system to protect password contents before the hack happened?

I think there is enough of a time frame where the users can force a web company to make a change before hackers can obtain the hashes.
_________________
http://truecenterpublishing.com/zenstory/maybe.html
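As an added illustration of the "unsalted MD5" scheme leke uses as his example above (this is example code written for this page, not anything from LinkedIn or from the poster), the script below stores a handful of constructed user passwords first as unsalted MD5 hashes and then as per-user-salted PBKDF2-HMAC-SHA256 hashes, and runs the same small wordlist attack against both stores. The usernames, passwords, wordlist and the 100,000-iteration work factor are all made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example (not real data).
USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",      # same password as alice
    "dave": "Tr0ub4dor&3",    # not in the attacker's wordlist
}
# A constructed attacker wordlist, deliberately tiny.
WORDLIST = ["123456", "password1", "linkedin", "qwerty", "letmein"]

# PBKDF2 work factor; an assumed value chosen for the example.
ITERATIONS = 100_000


def md5_unsalted(password):
    """The weak scheme under discussion: one MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted(users):
    """What the site would hold on disk with the weak scheme."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def crack_unsalted(stored, wordlist):
    """Hash each candidate once, then match it against every user at once.
    Returns (recovered passwords, number of hash computations)."""
    table = {md5_unsalted(word): word for word in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def store_pbkdf2(users, salt_len=16):
    """Per-user random salt plus a slow key-derivation function."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        records[user] = (salt, digest)
    return records


def verify_pbkdf2(record, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2(records, wordlist):
    """With per-user salts every guess must be redone for every user, and each
    guess costs ITERATIONS hash computations.
    Returns (recovered passwords, number of hash computations)."""
    found = {}
    work = 0
    for user, record in records.items():
        for word in wordlist:
            work += ITERATIONS
            if verify_pbkdf2(record, word):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("alice and carol share a hash:", unsalted["alice"] == unsalted["carol"])
    print("unsalted MD5:", crack_unsalted(unsalted, WORDLIST))
    salted = store_pbkdf2(USERS)
    print("salted PBKDF2:", crack_pbkdf2(salted, WORDLIST))
```

Against the unsalted store the attacker hashes each word once and matches it against every user simultaneously, and two users who chose the same password are visible as identical hashes before a single guess is made. Against the salted store every guess has to be repeated per user and costs ITERATIONS hash computations each time, which is the whole point of a slow, salted password hash. The verify function compares with hmac.compare_digest so that the login check does not leak how many bytes of the digest matched.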
nelz, Site admin (joined Mon Apr 04, 2005 12:52 pm; 8457 posts; Warrington, UK)
Posted: Thu Aug 16, 2012 8:32 am

I'd say that if they had to publish the information, they would never have used such an insecure method. Especially on a site with a large number of technically aware members. The hackers are going to find out anyway, the only people they are hiding the information from are the honest users who trust the organisation to do things properly, even when they do not.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

All times are GMT. Page 1 of 2.

Copyright 2011 Future Publishing, all rights reserved.