It's too bad you wasted all of your time posting that because you didn't comprehend what was written. Read it again. "Something similar to MD5 but which is guaranteed to be unique". The GP didn't say that MD5 or hashes like it are guaranteed to be unique. The "but" clause admits that it's not guaranteed, essentially saying "Find something like it -- except -- one that actually is unique."
And there is no such thing. It's not mathematically possible, unless the hash is longer than the input data, which makes it mostly pointless.
Ok...so it gives you a unique identifier to replace the D/L number or SSN with. But to what end?
Like I stated, the entire keyspace can be calculated within a few weeks at most with a modest number of computers.
It's not like D/L numbers are completely random length and characters. They're limited to a very predictable pattern. They're all the same length, and have numbers in all the same spots, letters in all the same spots......
It's like a website saying "Your password must be exactly 8 characters long, and can contain only the characters g, f, e, c, j, u, b, q. Letters cannot be repeated."
How many possible passwords can you make out of that? 40,320.
Simply put, the keyspace of a D/L number, SSN, or any other such thing is not big enough to prevent practical brute force attacks, making them useless for any kind of a security measure, regardless of what algorithmic shenanigans you perform on them.
I see posses the SSN
- AND -
"with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."
It doesn't appear they are doing the second part.
Requiring the SSN for non-government uses is an unlawful activity.
You're an idiot.
Corporations run the government. It _is_ government business, stupid! :-)
(something similar to md5 but which is guaranteed to be unique).
No such algorithm is guaranteed to be unique, because it's lossy. It's the same reason you can't zip and rezip a 100 MB file down to 1 byte. There are only a certain number of combinations that you can fit in 32 bits, and eventually you're going to get collisions. This is for any hash, not just MD5. It's not possible to make a hash function that doesn't have collisions. The only reason they're an issue for security is that vulnerabilities can make those collisions predictable. Collisions aren't a security risk. Predictable collisions are.
But let's think about your "irreversible algorithm" idea:
An SSN is a 9 digit number. That's a maximum of 1 billion SSN numbers across the country.
If this "standard method" uses an algorithm that's publicly known (and it wouldn't be a standard if it didn't) then someone simply needs to do:
x = 0
while (x < 1000000000)
{
store_data(perform_algorithm(x))
x++
}
and they've got a lookup table for the encrypted data.
A billion calculations won't take long, even on a single computer. Let's say it takes 1 second (a horrendously complex hash) to calculate this hash for a given number. That's a billion seconds. It would take only 31 years to calculate the entire SSN keyspace, on that single machine.
Get 60 machines doing it, and you've got it in 6 months.
What criminal gang wouldn't do this, since it would give them access to "encrypted" identity theft information for...well....ever?
Now, to give you an idea of how complex that 1 second hash is, to determine a WPA-PSK key from a passphrase involves 4096 iterations of the hash function. This is for a single key. I tested performance on an old 400MHz Pentium 2, and it calculated about 10 keys per second. So that's 40,960 hashes per second, for a standard hash. 1 hash per second on a current machine would be unbelievably slow.
If the hash used were similar in performance to HMAC-SHA1 used for WPA-PSK, it would take that 400MHz machine not quite 7 hours to calculate the entire encrypted data value for every SSN in the USA.
I don't know what driver's licence numbers are like in the US, but in Canada (Ontario) they're a letter followed by 14 digits. That makes the entire keyspace 2600 trillion possibilities. That increases the possibilities quite a bit, but current computers are exponentially more powerful than the 400MHz PII I tested on.
A current machine can do more like a million hashes per second, or more.
Get a couple of dozen machines working on this, and you'll have usable data sooner, rather than later.
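Added example, not part of any comment above: the two hash-related comments (the 8-character password keyspace and the SSN/driver's licence lookup-table argument) boil down to "a public, unkeyed hash over a small keyspace is a lookup table waiting to be built". The code below reproduces the keyspace and timing arithmetic from those comments, builds the lookup table at toy scale (4-digit identifiers, not real SSNs), and then shows the mitigation the comments do not spell out: an HMAC under a secret key produces a pseudonym that cannot be tabulated by anyone who lacks the key. `SSN_KEYSPACE`, `ONTARIO_DL_KEYSPACE`, the toy 4-digit identifiers and the hash rates are constructed from the figures in the comments; the HMAC-based pseudonym is my suggestion, not something the thread proposes.

```python
"""Added example (not from the original comments): why hashing a small
identifier space does not hide the identifier, and what a keyed pseudonym
changes. All keyspace sizes, rates and sample identifiers are constructed
from the figures quoted in the thread."""
import hashlib
import hmac
import math
import secrets

# Keyspace sizes as quoted in the comments above.
SSN_KEYSPACE = 10 ** 9                 # 9 decimal digits
ONTARIO_DL_KEYSPACE = 26 * 10 ** 14    # one letter followed by 14 digits
PASSWORD_8_OF_8 = math.perm(8, 8)      # 8 distinct chars drawn from an 8-char alphabet

# Hash rates quoted in the comments: 10 WPA keys/s * 4096 iterations on a
# 400 MHz Pentium II, and "about a million hashes per second" for a current box.
PII_HASHES_PER_SECOND = 10 * 4096
MODERN_HASHES_PER_SECOND = 1_000_000


def keyspace_seconds(keyspace, hashes_per_second, machines=1):
    """Wall-clock seconds to hash every value in the keyspace exactly once."""
    return keyspace / (hashes_per_second * machines)


def unkeyed_pseudonym(identifier):
    """The 'standard method' the comment warns about: a public, unkeyed hash.
    Anyone can precompute it for the whole keyspace."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC under a secret key. Same output size, same determinism for the
    key holder, but no table can be precomputed without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def build_lookup_table(pseudonym_fn, keyspace, width):
    """The comment's enumeration loop at toy scale: map every pseudonym of a
    zero-padded numeric keyspace back to the identifier that produced it."""
    return {pseudonym_fn(f"{x:0{width}d}"): f"{x:0{width}d}" for x in range(keyspace)}


def recover(table, pseudonym):
    """Reverse a pseudonym via the table; None means the table does not cover it."""
    return table.get(pseudonym)


def demo():
    """Run the toy comparison and return the outcomes (constructed 4-digit ids)."""
    toy_keyspace, width = 10 ** 4, 4
    victim = "0042"                       # constructed sample identifier

    # Unkeyed: one table, built once, reverses every pseudonym forever.
    table = build_lookup_table(unkeyed_pseudonym, toy_keyspace, width)
    unkeyed_recovered = recover(table, unkeyed_pseudonym(victim))

    # Keyed: the data holder's secret key never leaves the data holder.
    server_key = secrets.token_bytes(32)
    token = keyed_pseudonym(victim, server_key)
    # An attacker can still enumerate the keyspace, but only under a key they
    # guess; without the real key the table never matches the real token.
    attacker_key = secrets.token_bytes(32)
    attacker_table = build_lookup_table(lambda s: keyed_pseudonym(s, attacker_key),
                                        toy_keyspace, width)
    keyed_recovered_without_key = recover(attacker_table, token)
    # The key holder can still re-derive the same token for matching/joining.
    same_token_for_key_holder = keyed_pseudonym(victim, server_key) == token

    return {
        "unkeyed_recovered": unkeyed_recovered,
        "keyed_recovered_without_key": keyed_recovered_without_key,
        "same_token_for_key_holder": same_token_for_key_holder,
    }


if __name__ == "__main__":
    print(demo())
    print("SSN keyspace at 1 hash/s, 1 machine: %.1f years"
          % (keyspace_seconds(SSN_KEYSPACE, 1) / (365.25 * 86400)))
    print("SSN keyspace on the PII rate: %.2f hours"
          % (keyspace_seconds(SSN_KEYSPACE, PII_HASHES_PER_SECOND) / 3600))
    print("Ontario D/L keyspace, 24 modern machines: %.0f years"
          % (keyspace_seconds(ONTARIO_DL_KEYSPACE, MODERN_HASHES_PER_SECOND, 24)
             / (365.25 * 86400)))
```

The timing numbers come out where the comment puts them (a billion seconds is about 31.7 years; a billion HMAC-SHA1-speed hashes at the Pentium II rate is about 6.8 hours). The keyed version only helps if the key is generated with a CSPRNG, stored apart from the pseudonymised data, and never handed to whoever receives the table; a leaked key puts you right back in the unkeyed case, and a low-entropy key just moves the enumeration from the identifier to the key.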
Yeah. I apparently loaded the page in the minute between your first and second posts.
But Troll? That's a little harsh, even for /.'s idiot moderators.
Maybe "-1 - Too much vodka" :-)
RTFS.
It "cost" the recipients, not the government.
It's more like saying your employer didn't pay you one month, and that it cost you a month's wages.
And then they had to go to court to get their employer to pay their salary for the month.
Ok....vagueness in the English language breaks conversation yet again.
When I said "The kernel runs at the same privilege level," you thought I meant the kernel ran at the same privilege level as root.
I meant the kernel runs at the same privilege level regardless of whether the root user exists or not.
Perhaps I should have continued my sentence, rather than implying that....
I didn't say the kernel ran as root. I said it runs at the same privilege level. Meaning, removing the root account will still leave any root exploit in the kernel just as open as it was before.
So, kinda like CSS. Which has, of course, also been around for a donkey's age.....
If you don't like the fact that the accused can get off by testimony from "Great Aunt Sadie," that implies that removing this possibility is a good thing.
Which also means removing the possibility of an innocent person getting off when they only have a somewhat shaky alibi.
so what do you do when you want to install an update? :_)
"return the system to a known state" :-)
My question is, how does he do backups, if no account has permission to access those system files that only root can access?
Or has he done a "chmod g+rw -R/", and added himself to every group on the machine?
Or maybe "chmod a+wrx -R/"?
Disabling the ability to login as root/administrator does not remove the account from the machine.
The kernel on a *nix machine still runs at the same privilege level, along with a bunch of system daemons.
Same with Windows. You can't log in as Administrator on an XP Home machine....until you boot in safe mode. But programs can still run with administrator privileges, even when the account forbids login.
In fact, completely removing the root/administrator account on a machine would probably render it non-bootable, or at least very screwed up.
Keep in mind, you need root/admin privileges to bring up network interfaces, directly access hardware for sound, video, or other output, and a bunch of other stuff. So with no root privs on the machine at all, you can't get sound, networking, or video, unless you assign regular users to be able to access those hardware interfaces, at which point you've just replaced the root account with a differently named root account, which you run all the time, thereby lowering your security, instead of improving it.
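Added example, not from any of the comments above: the two root-account comments (that the kernel's privilege level does not depend on whether root exists, and that disabling root login does not remove the account or stop daemons from running as uid 0) are things you can check on a host rather than argue about. The script below parses the formats of `/etc/passwd`, `/etc/shadow` and `ps -eo uid,user,comm` output and reports whether a root account is present, whether its login is disabled (locked password field or a nologin shell), which other accounts carry uid 0 (the "differently named root account" from the comment), and which processes run as uid 0. The sample lines are constructed, not taken from a real machine; on a real host you would feed it the actual files, which needs root to read the shadow file.

```python
"""Added example (not from the original comments): audit helper that tells
'root login disabled' apart from 'root account removed' and lists what still
runs with uid 0. PASSWD_SAMPLE, SHADOW_SAMPLE and PS_SAMPLE are constructed
sample data in the real file/command formats."""

# Constructed /etc/passwd: root present but given a nologin shell, plus a
# second uid-0 account created for backups (the comment's "renamed root").
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:Backup operator:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/shadow: '!' or '*' in field 2 means the password is locked.
SHADOW_SAMPLE = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

# Constructed output in the shape of `ps -eo uid,user,comm` (header included).
PS_SAMPLE = """\
  UID USER     COMMAND
    0 root     systemd
    0 root     sshd
    0 root     cron
 1000 alice    bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """name -> (uid, login shell) for every non-comment passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def parse_shadow(text):
    """name -> password field; a leading '!' or '*' marks a locked password."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            out[name] = pw
    return out


def parse_ps(text):
    """(uid, user, command) tuples from `ps -eo uid,user,comm`, header skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def audit_root(passwd_text, shadow_text, ps_text):
    """Separate 'login disabled' from 'account removed' and list uid-0 activity."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    procs = parse_ps(ps_text)
    root_uid, root_shell = users.get("root", (None, ""))
    report = {
        "root_account_present": "root" in users,
        "root_password_locked": shadow.get("root", "").startswith(("!", "*")),
        "root_shell_is_nologin": root_shell in NOLOGIN_SHELLS,
        # Any account with uid 0 is root by another name, whatever it is called.
        "uid0_accounts": sorted(n for n, (uid, _) in users.items() if uid == 0),
        # Daemons keep running as uid 0 regardless of whether root can log in.
        "uid0_processes": sorted(cmd for uid, _, cmd in procs if uid == 0),
    }
    report["root_login_disabled"] = (report["root_password_locked"]
                                     or report["root_shell_is_nologin"])
    return report


if __name__ == "__main__":
    for k, v in audit_root(PASSWD_SAMPLE, SHADOW_SAMPLE, PS_SAMPLE).items():
        print(f"{k}: {v}")
```

On the constructed input the report says root is present, its login is disabled, `backup` is a second uid-0 account with a working shell, and `systemd`, `sshd` and `cron` are running as uid 0: exactly the situation the comment describes, where "no root login" has not removed anything that a root-level kernel or daemon exploit would give an attacker.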
At the same time, I do not like the old pattern of the accused getting off because out of the blue they called as witness Mrs Bloggs, without the prosecution having time to establish that she is actually the defendant's Great Aunt Sadie with a criminal record even longer than his.
So you'd rather have an innocent person with a somewhat shaky alibi get it shot full of holes and convicted of a crime they didn't commit, rather than a guilty person walk, who's likely to commit another crime later and get picked up again, anyway?
Remind me not to move to a country where you're a voting citizen....
Speaking of software patents, didn't Microsoft just _get_ one for saving a word processing document as an XML file?
So how are they violating a patent on something they own a patent for?
Or is this just another example of how the USPTO is horrendously screwed up?
A Roomba is no more a robot than a driverless car that changes direction when it crashes into a concrete barrier.
A robot doesn't have to have a sophisticated AI, but it has to have _something_. A Roomba is dumb, in the same sense that a dumb terminal is.
It's not a robot.
I don't need my super Roomba 40000 to have a filesystem and keep detailed records. It really does not need to remember that the living room was cleaned 109 minutes ago and the ratio of Cheeri-o's was higher than the last time, I better twitter about this and watch a movie from the SMB share in the house.
You're right. You don't.
But a Roomba isn't a robot. It's a self propelled vacuum cleaner with steering wheels that are turned by bumping into something. Think "When I push the bumper in on the front of my car, it turns the steering wheel." Only instead of a physical link, it's a motion sensor, I think. Big deal. Same thing.
I don't think any rootkits can hide from that.
You think wrong.
The Rootkit Revealer page itself says there are ways that a rootkit can hide from it.
Oh, believe me....Streisand affects people the world over.... :-)
Answer the question, eldavojohn! Produce your birth certificate!
How would a birth certificate demonstrate employment?
Someone born in any country in the world could still be working as a Russian agent for Putin.....
AbiWord uses an XML based format, and it was mature enough to win awards in 1999, 2000, and 2001.
"Why is Windows expensive", you're usually talking about the software.
If you search Google for "Why are windows expensive" you get more results pertaining to pieces of glass.
Now _that's_ a good algorithm.
but I'm guessing you don't want to try and use a scorched and carbonized passport.......
Yes, sir....I think that happened at my bomb making training session. Idiot next to me set his off prematurely.....
D'oh!!
If politicians are that gullible, and stupid enough to take everything said by people with vested interests at face value, then they shouldn't even have the authority to run their own life, forget the country.
www.bing.com
"Number one travel destination worldwide"..
click Search.....
Microsoft Campus Tours.
....make the Microsoft campus your travel destination of choice. Tour the number one software manufacturer's operations with hundreds of other guests from a worldwide audience, listening to a randomly muttering tour guide you can't hear rant on about how great Microsoft Windows Vista is......Priced at only $100 per person....