Profile picture
Matthew Green @matthew_d_green
, 6 tweets, 1 min read Read on Twitter
Looking at this Marriot breach I’m starting to think maybe they didn’t encrypt their credit card data very well.
The question is whether plaintext card numbers were stolen at the point of sale terminals (do hotels have real PoS terminals?), some other system that saw plaintext, some point of decryption, or if the attackers just got the private keys.
Sometimes I feel like encryption is counterproductive, just because bad encryption is often worse than no encryption — in the sense that it makes regulators go away without doing anything to protect customer data.
🤷‍♀️
Notice the phrasing here: both components (meaning the decryption keys) may have been “taken”. Not “accessed”. Sounds like they didn’t store the keys inside of an HSM, they just put them on a server somewhere.
“We locked our doors with two separate keys and put them under two completely different potted plants.”
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Green
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @matthew_d_green see all

Profile picture
The Facebook stablecoin (if it works, scales, gets deployed and adopted by non-Facebook companies, doesn’t get regulated into dust) is going to be a massive game-changer for the financial services industry. Fight me.
Hell, even if Facebook is able to make a credible run at deploying the thing, it will give them huge leverage with their banking relationships. No more closed (to FB) instant networks like Zelle, reduced transaction fees, etc.
Summary of the comments: (1) a bunch of people seem to think asset-backed stablecoins won’t be allowed by regulators, or that people won’t use/trust them. That horse has already bolted. google.com/amp/s/www.coin…
Read 5 tweets
Profile picture
The theory, for what it’s worth, was that the big brand name services would behave better than the fly-by-night shady data brokers. Much as CVS is perceived as less likely to put Fentanyl into your medicine than, say, the drug dealer on the corner.
The sole redeeming feature of the centralization of the web was supposed to be improved data handling. Better security and oversight of partners (like ad networks etc.) Instead we got Facebook treating your data the way a teenager treats a house when the parents go out of town.
The Facebooks and Googles would do this voluntarily, in part because it’s smart business — don’t give away the store. But mostly because it’s way easier for governments to target them with punitive regulations.
Read 4 tweets
Profile picture
@LargeCardinal The group messaging mechanism is very different. In Signal (app) group messages are layered on top of the existing pairwise messaging system. To add a new user, you (an existing user) have to send encrypted control messages to each existing user. The server can’t do this.
@LargeCardinal In fact, the Signal server doesn’t even know what a group message is. As far as it’s concerned, when I send a message to a group of N people, it just looks like I’m sending a bunch of pairwise messages at the same time.
@LargeCardinal In WhatsApp (as of a few months ago) the server knows what group messages are. It actually sends special control (add/remove) requests to the members of the group, and it handles multiplexing group messages to all of the other users.
Read 4 tweets

Related threads

Profile picture
Good
300M people impacted by @Marriott data breach
pps @Trump 14 properties have had their Customer’s data breached in:
2014
2015
2016
2017
A.G. Schneiderman Announces Settlement With Trump Hotel Collection After Data Breaches Expose Over 70K Credit Card Numbers
ag.ny.gov/press-release/…
In late 2017 @Trump notified its customers via this 9 page statement to their customers.
The Sabre Data Breach was massive. But I’m not sure the Trump Org actually took corrective action

trumphotels.com/uploads/14111/…
Read 3 tweets
Profile picture
It’s soooooo crazy how time flies! Today marks my ONE YEAR ANNIVERSARY reverting to Islam 😭❤️
Since I don’t talk much about my journey and today marks one year for me. I’ll talk about my journey thus far...
In The beginning I was all alone. I had very minimal support, I got put out my home.... I was staying from one family memeber house to the next... living with my uncle first.
Read 38 tweets
Profile picture
At the Texas Tribune Festival in Austin. I’ve hardly slept, my bag got lost, I haven’t showered, I’m about to go see a panel on women in political power and to either break my heart or restore it
Wendy Davis will be there and also I am eating a breakfast taco, not everything is bad
I’m at a panel about blue wave vs. tsunami; interesting point from Dave Wasserman - rural areas in Texas have become more GOP, but the suburban areas that voted for Trump were never crazy about him, which is why the GOP reps are fighting for their political lives
Read 49 tweets
Profile picture
So an NPR reporter is asserting that Trump must obviously have meant that you have to show ID to use a credit card when he said ID is required when you buy groceries. It's what "popped into her head", and also "she was there".

WELL. Okay, then.

Except... except...
Except it's not that there's a requirement to show ID that is "rarely enforced" (as she puts it). It's the exact opposite. Credit card companies FORBID checking ID as part of the standard vendor agreement. Why? Because they want to make it easy for people to use credit cards!
At the point of sale, the credit card company's primary concern is making sure that it's never more of a hassle to use a card than it is to pull out cash, and preferably far less of one. They want the experience to be seamless and invisible, so you can do it without thinking.
Read 14 tweets
Profile picture
An article and thread by @dnahinga on affordable housing has led me down a rabbit hole imagining a day when I'll be able to buy a house in Kenya without looting, massive loans, killing, mismanagement or doing all four through becoming president.

*THREAD*
Here's the article that inspired the thought. It left me with more questions than answers but that's why I liked it - it leaves us with a lot of thinking to do.

ub.co.ke/index.php/2018…
So what is affordable housing? What does affordable housing mean to you based on your current economic (mis) fortune depending on which side your tender is buttered?
Read 30 tweets
Profile picture
I think it's necessary to examine the link between cryptography and cryptocurrency more closely.

Implementing a central bank of the internet is a political project. But it produced a huge, radical revival in general cryptography. This is very much like the 1990s all over again.
Cryptography is why we have e-commerce: you can't move credit card numbers without encryption. Trillions of dollars generated in new trade. But no central bank function, of course. This is just trade optimization.

And it gives rise to surveillance capitalism. Not *enough* crypto
Can crypto central banking survive: can cypherpunks continue to print their own money?

Almost certainly not. Almost certainly not.

Why? Because anonymity technology is weak. ZKSNARKS don't protect you from network surveillance. Encirclement by financial regulators and Facebook.
Read 17 tweets

Trending hashtags

#ethics #Perspective #PeoplesVote #WeAreQ #TribFest18 #people #ExplainableAI #InformationWar #MAGA #fighting #BelieveEvidence #Trump #FakeNews #info #ThanQ #SubstanceOverSmear #DeepState #Transparency #CRI #ConspiracyTheorists #fighters #peace #AI #Army #Intel

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!