Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.

From: John McKown <john(dot)archie(dot)mckown(at)gmail(dot)com>
To: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
Cc: Andrew Sullivan <ajs(at)crankycanuck(dot)ca>, PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
Date: 2015-11-18 21:49:35
Message-ID: CAAJSdjjU=GF=5M1oFiji_13Pqek6c1NcGetd2tYDYmzgy2LuZA@mail.gmail.com
Lists: pgsql-general

On Wed, Nov 18, 2015 at 3:38 PM, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
wrote:

> On 11/18/2015 01:34 PM, Andrew Sullivan wrote:
>
>> On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote:
>>
>>> It's quite unclear to me what threat model such a behavior would add
>>> useful protection against.
>>>
>>
>> If you had some sort of high-security database and deleted some data
>> from it, it's important for the threat modeller to know whether the
>> data is gone-as-in-overwritten or gone-as-in-marked-free. This is the
>> same reason they want to know whether a deleted file is actually just
>> unlinked on the disk.
>>
>> This doesn't mean one thing is better than another; just that, if
>> you're trying to understand what data could possibly be exfiltrated,
>> you need to know the state of all of it.
>>
>> For realistic cases, I expect that deleted data is usually more
>> important than updated data. But a threat modeller needs to
>> understand all these variables anyway.
>>
>
> Alright, I was following you up to this. Seems to me deleted data would
> represent stale/old data and would be less valuable.
>

Not necessarily. Think PHI or HIPAA information which was "erased" because
you lost a customer. Or just something as "simple" as a name, address, and
credit card number for someone. It's still important and useful to thieves
if it is "erased". I can see a smaller company using PG for accounting and
billing information. But it really should be encrypted. I often wonder how
many "small" businesses actually do that. I am truly ignorant on that point.

That's not even getting into government information that might be of
interest to others such as the FSB or even Wikileaks (regardless of one's
opinion of them). Of course, I don't really know if any government or other
"high security" industry is actually using PG for secure information.

> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>
>
--

Schrodinger's backup: The condition of any backup is unknown until a
restore is attempted.

Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown
