> From: Wjhonson 
> en.wikipedia.org/wiki/AES_implementations
> Looks like "no" to me.
> Maybe someone could write one ?

Yeah, and maybe "someone" could give the source away for free too, eh?

Things like this shouldn't be built into a database. The database
should call to well-maintained underlying utilities written by people
who specialize in such things. That can be done with GCI or other

If you do link with a dedicated solution, I know some people have
expressed concern that simply by transferring credit card data into
another tool the data is exposed. For example, the most naïve approach
would be something like this:

CMD = \aes.encrypt \ : INFO : \ > result.file\
EXECUTE \sh  -C \ : cmd CAPTURING OUT ; * ignore syntax
READ ENCRYPTED FROM F.TMP,\result.file\ ...

The problem there is that a hacker could put code into the system to
log process activity. For example, the above commands would be openly
visible to a "ps auwx | grep encrypt". Some people like the idea of
writing stuff to disk, processing it there, and then importing the
results. But a simple file activity monitor could grab that data in
the time it takes to process and delete it.

Now someone could respond that if you have a hacker who can do that on
your system that the gig is already up. Sure, but that's the nature of
hacking, and blind confidence in security is exactly what leads to
announcements in the nightly news, fines, and law suits. One
disgruntled employee or consultant could easily accomplish that -
attacks like this don't always come from outside.

Just the concept of storage of credit cards brings up all kinds of
warnings. There are laws and protocols for such things requiring a Lot
of research and internal compliance - this game is not for amateurs.

The bottom line is usually simply not to do that, which leads to
authorize.net and similar solutions proposed in this thread. Don't
accept cards in your own web pages for local storage, and don't allow
customer service people to enter CC data in your green screen app. Use
resources provided by professionals. Integrate. Everything doesn't
need to be DIY.

Shout out to Gary Heiman - wow dude, it's been more than 25 years...


U2-Users mailing list

Reply via email to