Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. - Mailing list pgsql-general

From Adrian Klaver
Subject Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
Date
Msg-id 564D11DD.5040209@aklaver.com
Whole thread Raw
In response to Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.  (John McKown <john.archie.mckown@gmail.com>)
List pgsql-general
On 11/18/2015 01:49 PM, John McKown wrote:
> On Wed, Nov 18, 2015 at 3:38 PM, Adrian Klaver
> <adrian.klaver@aklaver.com <mailto:adrian.klaver@aklaver.com>>wrote:
>
>     On 11/18/2015 01:34 PM, Andrew Sullivan wrote:
>
>         On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote:
>
>             It's quite unclear to me what threat model such a behavior
>             would add
>             useful protection against.
>
>
>         If you had some sort of high-security database and deleted some data
>         from it, it's important for the threat modeller to know whether the
>         data is gone-as-in-overwritten or gone-as-in-marked-free.  This
>         is the
>         same reason they want to know whether a deleted file is actually
>         just
>         unlinked on the disk.
>
>         This doesn't mean one thing is better than another; just that, if
>         you're trying to understand what data could possibly be exfiltrated,
>         you need to know the state of all of it.
>
>         For realistic cases, I expect that deleted data is usually more
>         important than updated data.  But a threat modeller needs to
>         understand all these variables anyway.
>
>
>     Alright, I was following you up to this. Seems to me deleted data
>     would represent stale/old data and would be less valuable.
>
>
> ​Not necessarily. Think PHI or HIPAA information which was "erased"
> because you lost a customer. ​Or just something as "simple" as a name,
> address, and credit card number for someone. It's still important and
> useful to thieves if it is "erase". I can see a smaller company using PG
> for accounting and billing information. But it really should be
> encrypted. I often wonder how many "small" businesses actually do that.
> I a truly ignorant on that point.

Well from the large scale leaks that have been reported, large
companies/organizations are not doing it either. I have credit watch on
my accounts courtesy of my health insurer(Premara) as they did not
protect my information.

>
> That's not even getting into government information that might be of
> interest to others such as the FSB or even Wikileaks (regardless of
> one's opinion them). Of course, I don't really know if any government or
> other "high security" industry is actually using PG for secure information.
>
>
>     --
>     Adrian Klaver
>     adrian.klaver@aklaver.com <mailto:adrian.klaver@aklaver.com>
>
>
> --
>
> Schrodinger's backup: The condition of any backup is unknown until a
> restore is attempted.
>
> Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.
>
> He's about as useful as a wax frying pan.
>
> 10 to the 12th power microphones = 1 Megaphone
>
> Maranatha! <><
> John McKown


--
Adrian Klaver
adrian.klaver@aklaver.com


pgsql-general by date:

Previous
From: Adrian Klaver
Date:
Subject: Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
Next
From: Adrian Klaver
Date:
Subject: Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.