| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | John McKown <john(dot)archie(dot)mckown(at)gmail(dot)com> |
| Cc: | Andrew Sullivan <ajs(at)crankycanuck(dot)ca>, PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |
| Date: | 2015-11-19 00:03:41 |
| Message-ID: | 564D11DD.5040209@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 11/18/2015 01:49 PM, John McKown wrote:
> On Wed, Nov 18, 2015 at 3:38 PM, Adrian Klaver
> <adrian(dot)klaver(at)aklaver(dot)com <mailto:adrian(dot)klaver(at)aklaver(dot)com>>wrote:
>
> On 11/18/2015 01:34 PM, Andrew Sullivan wrote:
>
> On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote:
>
> It's quite unclear to me what threat model such a behavior
> would add
> useful protection against.
>
>
> If you had some sort of high-security database and deleted some data
> from it, it's important for the threat modeller to know whether the
> data is gone-as-in-overwritten or gone-as-in-marked-free. This
> is the
> same reason they want to know whether a deleted file is actually
> just
> unlinked on the disk.
>
> This doesn't mean one thing is better than another; just that, if
> you're trying to understand what data could possibly be exfiltrated,
> you need to know the state of all of it.
>
> For realistic cases, I expect that deleted data is usually more
> important than updated data. But a threat modeller needs to
> understand all these variables anyway.
>
>
> Alright, I was following you up to this. Seems to me deleted data
> would represent stale/old data and would be less valuable.
>
>
> Not necessarily. Think PHI or HIPAA information which was "erased"
> because you lost a customer. Or just something as "simple" as a name,
> address, and credit card number for someone. It's still important and
> useful to thieves if it is "erase". I can see a smaller company using PG
> for accounting and billing information. But it really should be
> encrypted. I often wonder how many "small" businesses actually do that.
> I a truly ignorant on that point.
Well from the large scale leaks that have been reported, large
companies/organizations are not doing it either. I have credit watch on
my accounts courtesy of my health insurer(Premara) as they did not
protect my information.
>
> That's not even getting into government information that might be of
> interest to others such as the FSB or even Wikileaks (regardless of
> one's opinion them). Of course, I don't really know if any government or
> other "high security" industry is actually using PG for secure information.
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com <mailto:adrian(dot)klaver(at)aklaver(dot)com>
>
>
> --
>
> Schrodinger's backup: The condition of any backup is unknown until a
> restore is attempted.
>
> Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.
>
> He's about as useful as a wax frying pan.
>
> 10 to the 12th power microphones = 1 Megaphone
>
> Maranatha! <><
> John McKown
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2015-11-19 00:05:49 | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |
| Previous Message | Adrian Klaver | 2015-11-19 00:00:09 | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |