Re: Column Redaction - Mailing list pgsql-hackers

From Rod Taylor
Subject Re: Column Redaction
Date
Msg-id CAKddOFCgoh85EPYVm9O0Z6_SgejJEWpU0ogObSkp-WjHk+r9WQ@mail.gmail.com
In response to Re: Column Redaction  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Column Redaction
Re: Column Redaction
List pgsql-hackers


On Fri, Oct 10, 2014 at 10:56 AM, Stephen Frost <sfrost@snowman.net> wrote:
> * Thom Brown (thom@linux.com) wrote:
> > On 10 October 2014 12:45, Stephen Frost <sfrost@snowman.net> wrote:
> > >> There's a difference between intending that there shouldn't be a way
> > >> past security and just making access a matter of walking a longer
> > >> route.
> > >
> > > Throwing random 16-digit numbers and associated information at a credit
> > > card processor could be viewed as "walking a longer route" too.  The
> > > same goes for random key searches or password guesses.
> >
> > But those would need to be exhaustive, and in nearly all cases,
> > impractical.
>
> That would be exactly the idea with this- we make it impractical to get
> at the unredacted information.

For fun I gave the search a try.


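-- Test data: 10,000 random numbers standing in for card numbers.
create table cards (id serial, cc bigint);
insert into cards (cc)
  SELECT CAST(random() * 9999999999999999 AS bigint) FROM generate_series(1,10000);

\timing on
-- Binary search per row: cc only ever appears in comparisons, it is never selected.
WITH RECURSIVE t(id, range_min, range_max) AS (
  SELECT id, 1::bigint, 9999999999999999 FROM cards
  UNION ALL
    SELECT id
         -- cc above the midpoint: the lower bound moves past it, so a
         -- two-value range always shrinks and the recursion terminates
         , CASE WHEN cc > range_avg THEN range_avg + 1 ELSE range_min END
         , CASE WHEN cc <= range_avg THEN range_avg ELSE range_max END
      FROM (SELECT id, (range_min + range_max) / 2 AS range_avg, range_min, range_max
              FROM t
           ) AS t_avg
      JOIN cards USING (id)
     WHERE range_min != range_max
)
-- Rows whose range has collapsed to a single value hold the recovered number.
SELECT id, range_min AS cc FROM t WHERE range_min = range_max;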


On my laptop I can pull all 10,000 card numbers in less than 1 second. For a text-based item I don't imagine it would be much different. Numbers are pretty easy to work with, though.
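The work factor behind the result above, as an added example that is not part of the original message: a constructed Python model of a column whose value is never returned but which still answers comparison predicates, counting how many comparisons a binary search needs per value. The names `RedactedColumn`, `greater_than`, `recover` and `work_factor` are hypothetical; only the 1..9999999999999999 range comes from the message.

```python
import random

CARD_MAX = 9_999_999_999_999_999  # same upper bound as the query in the message


class RedactedColumn:
    """Constructed model: the value cannot be read, only compared against."""

    def __init__(self, value):
        self._value = value
        self.probes = 0  # number of comparison predicates evaluated

    def greater_than(self, guess):
        self.probes += 1
        return self._value > guess


def recover(column, lo=1, hi=CARD_MAX):
    """Narrow [lo, hi] to a single value using only greater_than() answers."""
    while lo < hi:
        mid = (lo + hi) // 2
        if column.greater_than(mid):
            lo = mid + 1   # value is above the midpoint
        else:
            hi = mid       # value is at or below the midpoint
    return lo


def work_factor(n_cards=10_000, seed=2014):
    """Return (worst, total) comparison counts over n_cards constructed values."""
    rng = random.Random(seed)
    worst = total = 0
    for _ in range(n_cards):
        secret = rng.randint(1, CARD_MAX)
        col = RedactedColumn(secret)
        if recover(col) != secret:
            raise RuntimeError("search did not converge on the stored value")
        worst = max(worst, col.probes)
        total += col.probes
    return worst, total


if __name__ == "__main__":
    worst, total = work_factor()
    # Exhaustive guessing covers up to CARD_MAX candidates per value;
    # with a comparison predicate the bound is CARD_MAX.bit_length() probes.
    print(f"worst case: {worst} comparisons per value, {total} in total")
    print(f"bound: {CARD_MAX.bit_length()} comparisons vs {CARD_MAX} guesses")
```

Every value in the range falls to 53 or 54 comparisons, which is why redaction that leaves comparison operators usable on the column does not make recovery impractical in the sense discussed in the quoted exchange.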
