Re: Column Redaction
From | Stephen Frost |
---|---|
Subject | Re: Column Redaction |
Date | |
Msg-id | 20141010110054.GB28859@tamriel.snowman.net |
In reply to | Re: Column Redaction (Thom Brown <thom@linux.com>) |
Responses | Re: Column Redaction, Re: Column Redaction |
List | pgsql-hackers |
* Thom Brown (thom@linux.com) wrote:
> To be honest, this all sounds rather flaky. Even if you do rate-limit
> their queries, they can use methods that avoid rate-limiting, such as
> recursive queries. And if you're only after one credit card number
> (to use the original example), you'd get it in a relatively short
> amount of time, despite some rate-limiting system.

The discussion about looking up specific card numbers in the original email from Simon was actually an allowed use-case, as I understood it, not a risk concern. Indeed, if you know a valid credit card number already, as in this example, then why are you bothering with the search? Perhaps it would provide confirmation, but it's not the database's responsibility to make you forget the number you already have.

Doing a random walk through a keyspace of 10^16 and extracting a significant enough number of results to be useful should be difficult. I agree that if we're completely unable to make it difficult then this is less useful, but I feel it's a bit early to jump to that conclusion.

> This gives the vague impression of security, but it really seems just
> the placing of a few obstacles in the way.

One might consider that all security is just placing obstacles in the way.

> And "auditing" sounds like a euphemism for "pass the problem of
> security on elsewhere anyway".

Auditing is a known requirement for good security. There's certainly different levels of it, but if you aren't at least auditing your security configuration for the attack vectors you're concerned about, then you're unlikely to have any real security.

Thanks,

Stephen
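Stephen's closing point is that auditing for the attack vectors you care about is part of any real security. As an added example (not code from the thread or from PostgreSQL), the script below scans a constructed statement log and reports roles that repeatedly filter on a redacted column inside a short window; the column and table names, the log layout and the thresholds are assumptions for illustration.

```python
# Added example: audit statement logs for roles that keep probing a redacted column.
import re
from collections import defaultdict
from datetime import datetime, timedelta

REDACTED_COLUMN = "card_number"   # assumed name of the redacted column
WINDOW = timedelta(minutes=5)     # sliding window for the rate check
THRESHOLD = 3                     # probes per window that raise a finding

# Constructed log layout: "<YYYY-MM-DD> <HH:MM:SS> <role> <statement>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
# A predicate on the redacted column, e.g. "WHERE card_number = '...'"
PROBE_RE = re.compile(rf"\b{REDACTED_COLUMN}\s*(=|<>|LIKE|IN\b|BETWEEN)", re.I)

def parse_line(line):
    """Return (timestamp, role, statement), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def probing_roles(lines, window=WINDOW, threshold=THRESHOLD):
    """Map role -> peak number of probing statements seen inside one window."""
    probes = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and PROBE_RE.search(parsed[2]):
            probes[parsed[1]].append(parsed[0])
    flagged = {}
    for role, times in probes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop probes older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[role] = max(flagged.get(role, 0), end - start + 1)
    return flagged

# Constructed sample log: one role walks the card keyspace through equality and
# LIKE predicates; another reads the (redacted) column without filtering on it.
SAMPLE_LOG = [
    "2014-10-10 11:00:01 analyst SELECT count(*) FROM payments WHERE card_number = '4000000000000001'",
    "2014-10-10 11:00:02 analyst SELECT count(*) FROM payments WHERE card_number = '4000000000000002'",
    "2014-10-10 11:00:03 analyst SELECT count(*) FROM payments WHERE card_number LIKE '4000%'",
    "2014-10-10 11:01:00 auditor SELECT card_number FROM payments WHERE customer_id = 42",
    "2014-10-10 12:30:00 analyst SELECT count(*) FROM payments WHERE card_number = '4000000000000009'",
]
```

A per-statement count like this sees a single recursive query as one statement, which is exactly the gap Thom raises, so it complements rather than replaces a limit that looks inside each statement.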