DahGangalang @ DahGangalang @infosec.pub

Posts

1

Comments

398

Joined

2 yr. ago

Thats how I feel too.

Lol, I'd love to see the data hes trying to speak about (not that that'd be any kind of concerning for privacy /s). I don't think he's outright lying, but it definitely feels like a misrepresentation / wrong conclusion from the data.

But thanks for your part in helping me understand all this!

From what I'm seeing in other comments, it seems SSNs aren't used as primary keys, but they are part of generating the primary key. I haven't seen anyone directly say it, but it sounds like the primary key is a hash of SSN + DOB (I hope with more data to add entropy, because thats still a tiny bit of data to build a rainbow table from).

Still, assuming we haven't begun re-using SSNs, it seems concerning to me that a SSN is appearing multiple times in the database. It seems a safe assumption that the uniqueness of a SSN should make the resultant hash unique, so a SSN appearing as associated to multiple primary keys should be a concern, right?

Other comments have led me to believe the "duplicate SSNs" are probably appearing in "different fields" (e.g. a dead man's SSN would appear directly associated to him, but also as a sort of "collecting payments from" entry in his living wife's entry). That would a misrepresentation of the facts (which we know Vice Bro, Elon Musk the Wise and Honest would never do). Occam's Razor though has me leaning in that direction.

Ah the old "malware detectors have the selectors for malware and so they show up as malware to other malware detection systems" problem.

Yeah, that seems like a reasonable case to have duplicate SSNs.

Thats interesting. I didn't know anything about normal forms, but a quick glance at G4G has some interesting information. I don't have the time to go through their full article at the moment, but its been added to my to do list.

Link for the lazy: https://www.geeksforgeeks.org/types-of-normal-forms-in-dbms/

This sounds like a reasonable argument.

Can you pass any resources with examples on when having duplicate values would be useful/best practices?

Right, but if there were multiple entries with the same SSN, wouldnt that be a concern?

Just so I'm clear, you're implying that a given SSN could appear associated to multiple "keys" because the key-value pair in a NoSQL database could have complex data.

An example I can imagine is a widow collecting her dead husband's Social Security. Her SSN could appear in her own entry and also in her dead husband's as a payee of that benefit, thus appearing as a "duplicate" SSN.

Is that in line with what you're saying?

But they are implying SSN to SSN+Birthdate is a one-to-many relationship. Since SSN to SSN should be one-to-one, you can conclude the SSN to Birthdate is one-to-many, right?

A weak example would be my grandma. She was born before social security and was told as a kid she was born in 1938. Because I guess in the olden days, you just didn't need to pass your birth certificate around for anything, it wasn't until she went to get married at ~age 25 that she needed her birth certificate and when she got it, it actually said she was born in 1940 (I forget the actual years, but I remember it was a two year and two day gap between dates).

Its a weak example that should apply to only a microscopic portion of the population, but I could see her having some weird records in the databases as a result.

Edit: brain dropped out and I forgot part of a sentence.

A given SSN appearing in multiple tables actually makes sense. To someone not familiar with SQL (i.e. at about my level of understanding), I could see that being misinterpreted as having multiple SSN repeated "in the database".

Of all the comments ao far, I find yours the most compelling.

Beat me to asking this follow up, though you linking additional resources is probably more effort that I would have done. Thanks for that!

Look, I'm just glad I have the technical skills to reconfigure my system.

Talking to my parents/grandparents/other family that aren't tech savvy, they all complain about how one drive and Microsoft's ads, and Edge keep butting into their lives, but then they have no idea how to mitigate the constant pings about those things.

I'm glad someone is enjoying Microsoft's barrage of services tho.

I'd stop whining about it if they'd stop reinstalling it.

I think it depends on when you look back from.

I think of WWI, the Inter-War period, and WWII as three separate periods of time and they cover about 40 years.

I think of The Louisiana Purchase (1803), the start of the Monroe Doctrine (1823), and the Mexican-American War (1846-1848) as all happening about the same time, despite covering about 45 years (before double checking just now, I could've sworn the Mexican-American War was in the 1830's, and that Monroe was president in ~1816, which only drives the point home more).

I doubt we'll feel the difference by 2100, but between 2200 and 2300 is when I expect that blending to happen.

I've seen it vary widely from place to place (America is pretty big, after all).

I would say the prime candidate to be open to talking about mental health in America is a young (~15-25), wealthy, city-living person. As you move away from those traits, the less likely the person is to being candid about their mental health (i.e. older, poorer, and rural-living people are less likely to talk about it).

There's definitely some taboos about speaking about it among blue-collar workers. It seems like there was a push a decade or so ago to start doing psyche evals for people who worked in heavy machinery. I knew one guy who (as a wave of psyche evals ame through) was dropped from his machinist job (that he'd done for 20+ years without injuring hisself or others) after telling the doc he had 1-3 beers almost every night. Cause for firing was that "he is a hazard to himself and the people he worked with". I know everyone else in that shop clamped their mouths shut about any depression, anxiety, and sleep issues after that.

Word is they've gotten a lot better about how they conduct them, but the point is that among blue collar workers, it feels like talking about mental health issues has (historically) been a fast track to losing the ability to put bread on the table.

I do white collar work now, and on this side of the wall, its definitely a lot less taboo. There's still a stigma about it, but that could just be my own anecdotal experience.

All that is to say, there's a history of mental health being used to harm people, so its not yet an open subject, but that taboo is lifting, if not exactly quickly.

I'm strangely okay with this.

Hmmm, feels like I've seen this one before

Interesting.

It looks I was close on my understanding, but not quite there. Lol, guess I'll need to bust this back open.

So, if I recall correctly, I had to set up a device as an i2p server (seems like they were super light weight and you could configure your phone to do it) and then you could use your browser of choice with the "i2p server" as a proxy.

Its my understanding that each of the "i2p servers" acted as both an entry point and an exit point. That is to say, while my traffic entered the network there, there were other people's traffic that could be routed through and/or exit via my server.

Am I wrong on that assessment?