Re: Column Redaction

On Fri, Oct 10, 2014 at 10:56 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> * Thom Brown (thom(at)linux(dot)com) wrote:
> > On 10 October 2014 12:45, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > >> There's a difference between intending that there shouldn't be a way
> > >> past security and just making access a matter of walking a longer
> > >> route.
> > >
> > > Throwing random 16-digit numbers and associated information at a credit
> > > card processor could be viewed as "walking a longer route" too. The
> > > same goes for random key searches or password guesses.
> >
> > But those would need to be exhaustive, and in nearly all cases,
> > impractical.
>
> That would be exactly the idea with this- we make it impractical to get
> at the unredacted information.
>

For fun I gave the search a try.

create table cards (id serial, cc bigint);
insert into cards (cc)
SELECT CAST(random() * 9999999999999999 AS bigint) FROM
generate_series(1,10000);

\timing on
WITH RECURSIVE t(id, range_min, range_max) AS (
SELECT id, 1::bigint, 9999999999999999 FROM cards
UNION ALL
SELECT id
, CASE WHEN cc >= range_avg THEN range_avg ELSE range_min END
, CASE WHEN cc <= range_avg THEN range_avg ELSE range_max END
FROM (SELECT id, (range_min + range_max) / 2 AS range_avg, range_min,
range_max
FROM t
) AS t_avg
JOIN cards USING (id)
WHERE range_min != range_max
)
SELECT id, range_min AS cc FROM t WHERE range_min = range_max;

On my laptop I can pull all 10,000 card numbers in less than 1 second. For
a text based item I don't imagine it would be much different. Numbers are
pretty easy to work with though.