News Third suspect arrested over TalkTalk breach

Discussion in 'Article Discussion' started by Gareth Halfacree, 2 Nov 2015.

  1. Glix

    Glix Left Thumb Stick in the mud.

    Joined:
    11 May 2010
    Posts:
    318
    Likes Received:
    1
    When you have a million customers though.

    Also, we don't know what else that box hosts, could be another instance on there or database for managing/support side.

    When you publish articles and reviews, are they on the same server as the forums database, you don't need to answer this, security and all that, but you get my point.

    We simply don't know what practices TT did and did not follow. Recently any website that emails you back your password that you set when you sign up gets lambasted as it's considered bad practice. :D
     
  2. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,154
    Likes Received:
    6,769
    Code:
    blacklaw@trioptimum[~]$ host forums.bit-tech.net
    forums.bit-tech.net has address 195.78.94.76
    blacklaw@trioptimum[~]$ host bit-tech.net
    bit-tech.net has address 195.78.94.76
    
    Well, they're certainly on the same web server, but I have no idea what server any of the databases live on. I just work here, y'know?
    Yes, we do: they didn't hash passwords or encrypt data. They've said so, several times.
    Darn tootin'. As I've said upthread, there is no legitimate reason to be storing passwords in a reversible format, and anyone who is doing is Doing It Wrong.
     
  3. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    Finding performance figures from someone that is not a vendor is difficult. You know how vendors like to test things in ideal scenarios. My point is, that using encrypted socket performance as a basis to extrapolate the performance of a database is fundamentally incorrect.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Good job I didn't extrapolate anything then, isn't it? I mentioned the study as an aside and a way of demonstrating how what was once a performance-killer - encrypted web traffic - is now so negligible as to be something to enable by default. Since then, I've linked to two benchmarks - one small-scale independent, one enterprise-scale vendor - which show database encryption to be equally negligible.

    If you can find a recent database benchmark that shows encryption has a non-negligible effect overall - no, the outliers that pointed to a 15% hit for selected transaction types in the independent benchmark don't count, 'cos it all averaged down to just 6.36% - then I'd love to see it.
     
  5. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    I don't have time right now Gareth. I'll compile your posts where you use the Google report on SSL as a basis for extrapolating your point of view rather than what you later provided by way of actual database stats. Or maybe you could just read over it yourself and save me the trouble.
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    You mean this?
    I fail to see any extrapolation there. I do see an example of how encryption in general has become computationally negligible, using Google's SSL study as an example. I also was aware of benchmarks - but did not mention them directly - which showed the same for databases. There was no extrapolation involved, merely my direct knowledge - and the accuracy of my post has been proven by the links I have since provided which show database encryption to have negligible performance impact.

    I really don't know what's got under your bonnet, but you're attacking me for things that I haven't done - or, at least, I don't believe I've done.

    Let's cut to brass tacks, here: I have claimed that encryption of data coming into or going out of a computer is computationally negligible, and have provided benchmarks to back up those claims. Do you dispute that claim, and if so do you have benchmarks to support that?
     
  7. Glix

    Glix Left Thumb Stick in the mud.

    And that could be a load balancing proxy ip for all we know. :p

    That's what she said. :D
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Could well be; like I say, I just work 'ere. (In this case, "'ere" being my home office; the servers are Somewhere Else and Somebody Else's Problem, which after years of sysadmining is a wonderful feeling.)
     
  9. Glix

    Glix Left Thumb Stick in the mud.

    You know a bit about computers, don't you? Could you take a look at my... ? :D
     
  10. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    <twitches>
     