mirror of
https://github.com/not-kennethreitz/convore.json.git
synced 2026-06-20 23:20:57 +00:00
1 line
9.0 KiB
JSON
[{"user_id": 4149, "stars": [{"date_created": 1303528351.298955, "user_id": 14707}], "topic_id": 20885, "date_created": 1303503769.702384, "message": "depends if you need to check against data you have MD5 hash, if you need to store it, and this encrpytion best to store data and get it back using a private key http://en.wikipedia.org/wiki/Symmetric_key_algorithm", "group_id": 95, "id": 784647}, {"user_id": 17776, "stars": [], "topic_id": 20885, "date_created": 1303503551.2127609, "message": "If you absolutely must, how do you handle storing sensitive data such as socials, credit cards, etc? Any best practices to go by? Which technologies and techniques? ", "group_id": 95, "id": 784613}, {"user_id": 30715, "stars": [{"date_created": 1303528448.9345269, "user_id": 14707}, {"date_created": 1303533853.6874249, "user_id": 323}, {"date_created": 1303691855.188874, "user_id": 20025}], "topic_id": 20885, "date_created": 1303504712.9210989, "message": "Just a little advice - be very careful, it's fairly easy to use symmetric ciphers (such as AES) in an unsafe fashion. Check out the following post on SO for example: http://stackoverflow.com/questions/2797692/whats-the-best-way-to-store-sensitive-data-in-mysql", "group_id": 95, "id": 784760}, {"user_id": 30750, "stars": [], "topic_id": 20885, "date_created": 1303513171.7779119, "message": "Are you referring to sensitive data in your apps or your personal information ?", "group_id": 95, "id": 785893}, {"user_id": 22095, "stars": [], "topic_id": 20885, "date_created": 1303515379.5283761, "message": "dont ever keep cc info on the server", "group_id": 95, "id": 786125}, {"user_id": 30750, "stars": [], "topic_id": 20885, "date_created": 1303517040.0054381, "message": "Agreed, look into tokenization solutions if you need to store cc info. 
Or outsource to a payment processor like cybertrust.", "group_id": 95, "id": 786205}, {"user_id": 8391, "stars": [], "topic_id": 20885, "date_created": 1303517171.2259109, "message": "I use public/private rsa keys. the server has the public key, which can be used to encrypt any data it receives, and a server behind the firewall (heavily secured) fetches all the data and decrypts it with the private key on a regular basis.", "group_id": 95, "id": 786222}, {"user_id": 30768, "stars": [], "topic_id": 20885, "date_created": 1303517631.655103, "message": "hai guys waht's going on in this thread, heres a fish ulik? \u00b8.\u00b7\u00b4\u00af`\u00b7.\u00b4\u00af`\u00b7.\u00b8\u00b8.\u00b7\u00b4\u00af`\u00b7.\u00b8><(((\u00ba>", "group_id": 95, "id": 786251}, {"user_id": 18795, "stars": [], "topic_id": 20885, "date_created": 1303519243.607842, "message": "You didn't say in what form (i.e. are you storing in a database table for an application or just files). For files I like using TrueCrypt. its Free, Open Source, and vetted. But make sure you pick a strong password/key.", "group_id": 95, "id": 786337}, {"user_id": 323, "stars": [], "topic_id": 20885, "date_created": 1303533796.050828, "message": "If you need two-way crypto (read, not just verify), keep the private key out of the database and out of you source code, on files deployed to the servers. For extra security, you can password-protect the private keys, but that requires a human to be around to enter the password if the machine or process restarts.", "group_id": 95, "id": 787255}, {"user_id": 323, "stars": [], "topic_id": 20885, "date_created": 1303533694.9807091, "message": "If you need to store something only one-way, like verifying a password, use a crypto library and make sure it salts the input. 
Check out http://www.keyczar.org/", "group_id": 95, "id": 787250}, {"user_id": 323, "stars": [], "topic_id": 20885, "date_created": 1303533566.4450929, "message": "First off, you don't need to store CC numbers, and you are violating your merchant agreement with your cardnet processor if you do (unless you jump through tons of hoops, like owning your own servers, preventing physical access to the servers, and only accessing your production tier using two-factor authentication). Look into Braintree's vault and transparent redirect solutions.", "group_id": 95, "id": 787244}, {"user_id": 30768, "stars": [], "topic_id": 20885, "date_created": 1303550072.7028019, "message": "fishies", "group_id": 95, "id": 788255}, {"user_id": 17776, "stars": [], "topic_id": 20885, "date_created": 1303620468.7484159, "message": "I most likely won't be storing them on a web server if their isn't a practical, secure method of doing so on a low budget. I was leaning towards some type of outsourced solution, redirect or credit bureau API that would alleviate the security burden, but also integrate with a client web application. Anyone know of something along those lines?", "group_id": 95, "id": 792908}, {"user_id": 17776, "stars": [], "topic_id": 20885, "date_created": 1303620280.6329379, "message": "I'm referring to storing social security numbers in this case, not credit cards. Just was giving examples of the level of sensitivity. This would be socials captured via a form and potentially stored on the web, to serve as information that could be used to pre-screen potential tenants and run credit checks.", "group_id": 95, "id": 792904}, {"user_id": 30768, "stars": [], "topic_id": 20885, "date_created": 1303652163.293757, "message": "I'd really worry about liability with storing that kind of information. I recommend just not doing it if you're on a low budget and you're asking for advice about it in a public forum. It seems like you don't have experience with this kind of thing. 
I recommend working someplace where they already do this to see what's involved. There's a lot to know.", "group_id": 95, "id": 794767}, {"user_id": 12641, "stars": [], "topic_id": 20885, "date_created": 1303711788.90804, "message": "Quick example though: If you must store it, do you actually need to retrieve it or simply verify input from the user? I suggest you stick to the latter, and store a salted hash of the secure data for verification instead. Hope that helps.", "group_id": 95, "id": 800381}, {"user_id": 12641, "stars": [], "topic_id": 20885, "date_created": 1303711663.3352971, "message": "I strongly second apphacker's last comment. This is an advanced topic that REQUIRES expertise and carries consequences if you mess it up. I suggest you don't store such information unless you consult a professional.", "group_id": 95, "id": 800349}, {"user_id": 17776, "stars": [], "topic_id": 20885, "date_created": 1303739038.9772611, "message": "I'm definitely strongly leaning towards not doing it, I work with databases all the time and have built a few web applications, but I feel this level of sensitivity is essentially its own field.", "group_id": 95, "id": 803307}, {"user_id": 17776, "stars": [], "topic_id": 20885, "date_created": 1303739435.174011, "message": "I posted this mostly for exploratory reasons assuming someone has to deal with this end of security/data storage and it's probably worth knowing about. 
Feel free to chime in if that's you.", "group_id": 95, "id": 803385}, {"user_id": 30768, "stars": [], "topic_id": 20885, "date_created": 1303745914.182013, "message": "It's an interesting topic, I'd like to learn more about myself", "group_id": 95, "id": 804464}, {"user_id": 4149, "stars": [], "topic_id": 20885, "date_created": 1303747877.1432321, "message": "we all could stand to learn this just use better encryption on data handling", "group_id": 95, "id": 804751}, {"user_id": 12641, "stars": [], "topic_id": 20885, "date_created": 1303799446.250493, "message": "A few general pointers: 1) Don't store any personal information that you don't need. (users are less comfortable the more you request.) 2) Assume your data will be breached, and plan accordingly. (internal/employee breaches are the most common type.) 3) When you store passwords and credentials, don't store them in a recoverable manner. Instead, use a methodology that allows you to validate the credentials without knowing what they are (e.g. use a strong hashing algorithm with a salted input). 4) If possible, don't store authentication data on the same DB/system as your regular production data. (We're limiting exposure here, tighter access control, etc.).", "group_id": 95, "id": 810956}, {"user_id": 12641, "stars": [], "topic_id": 20885, "date_created": 1303799023.178488, "message": "I deal with this sort of thing and thoroughly enjoy it. However, I'm having a hard time narrowing down the information to give you because it is such a large knowledge domain, covering data storage, encryption, access methodologies, etc. It is also answered very specifically depending on each particular use case.", "group_id": 95, "id": 810879}, {"user_id": 31293, "stars": [], "topic_id": 20885, "date_created": 1303928840.7064719, "message": "Outside of storing CCs, your best methods are going to rely on PKI and using a secure platform. 
Basically forget any cloud hosting/apps unless you can guarantee that the data is never decrypted inside of the service because otherwise its vulnerable to sniffing. You'll need to be doing this on dedicated hardware, ideally with keys stored in hardware.", "group_id": 95, "id": 829764}]