Hetzner client data exposed after attack

Sweevo said:
TDE is fairly easy to implement, so is FDE. You may as well encrypt it all. If the data is sensitive enough and it's worth the effort, then introduce record level encryption too.

"Access to the endpoint" is a little vague. Please explain.
Click to expand...

You're conflating so many issues its absolutely painful. Maybe google endpoint and copy and paste some more.
 
Sweevo said:
No it's not. You're confusing full disk encryption (FDE) - file based, with Transparent Data Encryption (TDE).
https://www.thalesesecurity.com/products/data-encryption/selecting-the-right-encryption-approach
Click to expand...

No I'm 100% on this. Maybe read your own link. What does transparent to applications mean under FDE/SED advantages? Then what does ""Addresses a very limited set of threats—protects only from physical loss of storage media." actually mean?

So once again if I can query the database either directly or via an application and receive unencrypted data how are you protecting sensitive information?

You have no understanding of the concepts you are discussing.
 
Sweevo said:
Saying you know it all and actually demonstrating it are two different things. So tell us your problem with my statement that passwords are not stored, encrypted or otherwise.
Click to expand...
You still didn't read my question. Try again. I'm not saying I know it all but I have many years of experience implementing many of the concepts you're copy/pasting and understanding the fundamental pros/cons and practical impact of each.
 
Sweevo said:
Passwords are not stored, encrypted or otherwise, PLEASE EXPLAIN WHY YOU'D ASK HOW PASSWORDS ARE ENCRYPTED? Remember, we're not talking about data in transit, but storage.
Click to expand...
I was testing your understanding but if you cannot understand the original question it's pointless. I asked the difference between encrypting a password vs encrypting other data such as an ID number within a database. It wasn't a catch-you-out question. And for good measure of course you need to store a password in a database in some encrypted form if you want to use password-based access using an DB-based credential/auth system.
 
Sweevo said:
No dude, you spend two or more pages insulting me with claims of not understanding concepts, then when your misunderstanding of one of the most elementary concepts is pointed out you call it nitpicking? It's hardly a small point. The whole principal of password security is based on the fact that passwords are not stored.
Click to expand...

No Sweevo. You made the argument that everything needs to be encrypted. Encrypt, Encrypt, Encrypt. My argument was a simple statement of fact - you cannot encrypt everything for a variety of reasons including practicality & performance. I never argued against encryption but that you can have a solution with no encryption being as secure or more secure as a solution with encryption based on a secure implementation.

You then proceeded to copy past every form of encryption technology you deemed effective for your argument.

My point and others still stands. Since MOST databases are by general best practice not public facing and the vector for attack is thus generally the endpoint eg. a website frontend. If the endpoint has been exploited then the data, which the endpoint has access to and the ability to decrypt, is ALSO compromised even if it is protected by transport encryption, database encryption, disk encryption and any other form of encryption is rendered INEFFECTIVE.
 
Last edited:
Sweevo said:
Not true. Suggesting that excluding a well established security measure has no effect on security is absurd.
Click to expand...

That is your opinion yet there are plenty of examples of ERP and accounting systems that are safe and secure without row level data encryption, database encryption, transport encryption because they are mitigated by other processes, implementations and practices based on an individual analysis and risk assessment.

Sweevo said:
There's absolutely nothing untoward about backing a point up. It's the preferred thing to do when choosing between that and insults.
Click to expand...

It wasn't an insult but a genuine observation. If you feel insulted then I apologise.

Sweevo said:
In other words, you're arguing against encryption, contrary to your opening statement.
Click to expand...

No, that is your interpretation.
 
Sweevo said:
It's hardly opinion. Those 'safe and secure' systems are simply not as safe and secure as they would be with DB encryption - you can know this without going into a case-by-case analysis by simply judging the facts on merit. DB encryption adds a layer of security not there without it. Systems fail, people fail, when they do, the more you have in place to protect your data, the better. I can see there's no point in flogging that horse. You can't even do business with some clients without the basics of an encrypted data set. There's good reason for that.
Click to expand...

You are conflating different types of encryption as the same with the same benefit and no possible down sides which is not the case. We agree though on the proverbial horse.
 
Surely this is a violation of the POPI Act and Hetzner should be investigated and fined accordingly ?
 
internetless said:
I moved a bunch of stuff last year, but then thought I'd give them another chance and leave some stuff there. No longer....
Click to expand...

So I moved some stuff away last night, and cancelled some of my services. Unlike last year, this time I actually got a phone call to ask why I'm cancelling. They seemed more interested in helping me move the remaining stuff than in explaining the situation or convincing me to stay, though :laugh:
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X