Posts by Xamol 93 publicly visible posts • joined 16 Jan 2013
There's some reasonable criticism of Apple for releasing a patch that bricks some of it's devices but I can't help thinking that if it had been an MS patch bricking a Surface, the reaction here would be orders of magnitude more outraged.
This isn't the first time Apple patches have caused this kind of problem. Surely there's only so long that users good will towards them can insulate them from the kind of backlash that MS would be receiving...
It seems there's concensus that there's no quick fix. Ban guns = bad, Status Quo = bad (unless you're at either end of the spectrum).
Is some of what Obama proposes so bad (maybe with some tweaks)?
- Legislate that new guns must have a device to prevent unauthorised use. If I were a gun owner, I would want this - it can't be fired by my kids and it can't be used against me by someone else. The features of the safety device would need to be agreed e.g. no override. I wouldn't want an override, (concerns about government abuse aside, what's to stop the bad guys from getting an override 'device') but I would want the additional safety.
- Legislate to prevent those with certain mental illnesses, violent criminals etc from owning guns legally. This can't be a bad idea, can it?
- Wait (a few years) for these "safer" guns to be accepted and widely adopted, then legislate that all legally held guns must have the safety device.
- Now you can start taking the illegal guns from the 'bad' guys.
No quick fix but better than doing nothing...
I've tried Keepass, 1Password and some others in the past but settled on LastPass because of the convenience and peace of mind from the zero knowledge setup. In my case, the clincher is that the corporate security policies where I work block access to personal cloud storage providers so using something like Dropbox for sync isn't an option.
I'm a premium subscriber to LastPass so I'll be looking at Dashlane again...
It also remains to be seen how re-uesable the SpaceX first stages are. How many re-uses can you get out of them? How costly are they to re-furbish? How reliable are they? etc
There's going to be some reticence around loading up your multi-million dollar satellite on a slightly used rocket.
I hope it works out the way SpaceX intends it to...
..sounds like hacking code to me.
@dogged good points, totally agree - especially about Unit testing. Who said that unit testing should be the only testing done before the software goes out the door?
On the one hand, he rubbished the most basic level of testing and on the other presumably advocates no pre-release testing at all in his 'move fast and break it' approach... Moron.
Did I read it wrong because 7x13 meters doesn't sound business-jet engine size. More like business-jet size.
One day, one of these announcements will prove true despite the negative, sceptical reaction it gets. Whether it's this time or not, if it's business-jet or business-jet engine size; it will still be an amazing acheivement.
I had a 3 Sim Zero that I used in a tablet for data only. I had it for nearly 3 years and was pretty happy with it until one day it just stopped working. Tech support said that it won't work because it's a phone sim, not a tablet sim. Turns out they updated their system and decided that it shouldn't work any more. They're still trying to charge me for the service even though I told them to terminate it when they broke it. Can't wait for my next call with them to explain that I won't pay for a service thay they're not providing.
...because in the real world not all websites will fit nicely into your categories and some will move from one to another depending on how they and/or your use of them changes over time.
Rather than manage this change, it's easier and more secure to have unique and strong passwords for everything. There are lots of ways to manage them now - KeePass, LastPass etc...
I run a number of VMs on a PCSpecialist.co.uk laptop (core-i7, SSD, 16GB although 32 is possible with other models). It's a company laptop and they normally buy Dell but as they couldn't get one with the right config (decent screen res and portability required) I got to go bespoke...
Worth a quick look when you're doing the rounds of the websites.
I couldn't find a portable (in my mind ~2kg) laptop with the right config and 32Gb RAM. They all seem to come in around 3kg.
@Billy Catringer
Sounds very simple and an interesting comparison drawn with Pearl Harbor. However, that was an overt act of war from a nation state so identifying those responsible was simple. I doubt it's so simple to identify the current terrorist cells in the UK and US.
Bureaucratic opportunism may have been at work but my point still holds that the elected representatives of the people should be held responsible for protecting the privacy of the people. How, is the difficult bit...
Firstly before I get instantly flamed; it'll happen anyway but let me start with this: Mass, indiscriminate, secret surveillance is bad. In my opinion (a fairly commonly held opinion) this is because of the potential for what the data collected could be used for in future. Very few people would agree that a state with such power is a good thing if they have any understanding at all of history or some current, less than benevolent regimes. I see that stance pretty much as a principle worthy of vigorous defence.
With that in mind, try putting yourself in the position of the NSA, GCHQ etc imagine there's a tool you could have that has the potential to help you identify threats to security - on some level you are going to want to have it. It's human nature to believe that you'll use that tool responsibly and for the good of your community. The best of us believe that we can be trusted but even so, you may resist that desire based on your principles. Add to that the pressure that these organisations are under to produce results and it must become very hard to defend a principle that potentially hampers your duty and is probably at odds with other principles you hold regarding protection of life. I guess the point is that I don't think it's realistic to expect these organisations to have behaved much differently. It's also very possible that they have to date, largely been using their power responsibly and for the good of the community etc. (I can feel the down votes coming but please read on...)
In my opinion, it's the responsibility of the elected government to defend such principles. Unfortunately, at this point politics is introduced so how the hell do you get a clear, sensible position on such an important issue? Imagine yourself in that situation: GCHQ etc tell you it could implement a mass surveillance program and potentially improve security. Great, but you're a good person blah blah blah and mass surveillance is against a strongly held principle blah blah blah. On the other hand, the people who elected you aren't going to be happy about being blown up. What do you do? Well you could put the responsibility onto the people and hold a referendum. Thing is, you were elected to represent the people and to make decisions for them... and besides most people don't have the information or understanding required to make a balanced decision anyway. What do you do?
Our government(s) went ahead and implemented the surveillance programs with a level of oversight. What would you have done? I think I would have done the same thing, but differently (please read on before you flame me...)
Firstly, I wouldn't have done it secretly. I would have tried to get broad, cross party agreement on how to proceed - including what oversight, checks and balances should be in place. Then I would have had all parties communicate that agreement with a common message. I recognise that in achieving this I would have to have attained god like power but part of my point is that none of this is easy for the people actually dealing with it for real.
Anyway, to continue with my plan... The oversight and control of collected data would be from an openly elected body (separate from the users of the data) who would have to publicly report every requested use of that data as well as other details such as when individuals have been identified/associated with the data (i.e. anonymity has been lost) and how many identified individuals are being routinely tracked via this data etc. Add as many measures here as needed to identify if/when the program is being used to monitor the masses rather than select individuals. I'd also have measures to identify when the data had actually done something useful like leading to conviction (none of that and it gets shut down). Naturally, on an IT level, all data that could be used to identify an individual would be encrypted and procedures would be in place to enforce the publicly communicated processes for accessing that data. There would also need to be regular IT reviews from different external companies to ensure that those procedures are properly in place and that data is secure end to end.
I would also pass a bill that automatically shuts the program down after x years unless that bill is re-ratified in parliament/congress before it expires. This gives the opportunity for it to be amended or ended on a regular basis. Also, the people elected to that body wouldn't be able to hold the position for more than a defined period of time. Hopefully this would help create an environment where whistle blowing is encouraged.
The elected officials running the body would also have responsibility for reviewing why data has been requested i.e. they would have access to the operationally sensitive information that led to the security services requesting the data. They would also have access to the names of those being investigated (ummm - why are we tracking a Mr Iain Thomson???).
I'm sure there are lots of other ideas out there that could build on or replace mine but it would be a step in the right direction. I recognise that we would still have mass surveillance but at least it wouldn't be secret, it wouldn't be indiscriminate, it would be demonstrably anonymous (for the masses at least) and it would be easier for the people to influence when it is stopped.
I know I've proposed that the principle is compromised (which I dislike too) and that's enough for a few down votes at least but would you still be so inflexible if you had just walked out of a tube station that had been blown up? If you would then I very much respect your stance - down vote away...
I can think of lots of other reasons for down voting this as well; after all, this is a comment on el Reg not a comprehensive political manifesto but I defy anyone to come up with something that isn't objectionable in some way. So before you down vote me or flame me, try coming up with an alternative and post that as well...
We're all IT professionals and hopefully quite intelligent... so what would you do?
Just a thought/question...
Since Galileo we've been limited to releasing relatively small objects (balls, feathers and hammers etc) close to large objects (earth and moon) in order to observe the effects of gravity. That these observations reveal no difference in behaviour due to the smaller objects size or mass may be a limitation of the experiment. Couldn't size or mass be a factor weighted by the relative size or mass compared to the other object(s)?
Is this one reason why they're trying to find solar system sized experiments to observe?
I wonder if these ATMs were configured to only boot from HDD and had a BIOS password set up? If they did, then they can start looking for service engineers with extra CDs in their bags - I'd probably start there anyway...
There are better defences against this kind of attack (white listing type software) and they're already available from the ATM manufacturers. Maybe more banks will start using them but I doubt it.
At least what they steal this way comes directly from the banks and not from a customer's account.
Cash has its own arms race - counterfeit notes...
ECB rules for counterfeit notes state that they should be confiscated if they are positively identified as being counterfeit. In practice nobody wants to confiscate them because of all the hassle so they just won't accept them. I wouldn't want to try to deposit a counterfeit at a bank though. That might be testing your luck a bit too much and you might find yourself out of pocket.
No need to get the whole transaction.
All you need is the track2 data and the PIN. That's why ATM fraud generally consists of a skimmer/leb loop to get track2 from the mag stripe or the physical card and a camera/shoulder surfer etc to get the PIN.
That won't change until EMV is global at which point the mag stripe can be made redundant. There are already cards out there with no useful data on track2 - only problem is they can't be used in countries without EMV - like the good ol' USA.
EMV is something a slightly different, it's more to do with security of the card rather than the PIN. PCI has separate mandates for hardware security that are outwith EMV.
I take your point about willingness to implement security measures; the banks/retailers wont want to do it because of costs... My point is that it is possible to make a POS terminal far more secure than it currently is.
The terminal manufacturers and PCI (VISA, Mastercard et al) will make the relevant mandates eventually because it's all revenue for them from either sales of kit or certification against the mandates.
Keyboard overlays are already used on ATMs and I'm sure that they would be used on POS terminals as well.
At least if there's a keyboard overlay, you have a chance to see it. That's why on ATMs they aren't as popular as covert cameras to capture the PIN.
As ever, it's move and counter move - the alternative is to give up...
Erm... yes you can.
If the terminal has a secure hardware encryption module which is manufactured in a secure environment and contains the manufacturers private key, then it can be identified as a genuine terminal.
The encryptor can also be used to validate any firmware updates so that it can protect itself from unauthorised updates as well as physical tampering.
I'm not going to say that someone could never find a way around tamper protection but that depends on the implementation.
PIN pads on ATMs have to accept the PIN directly into the encryptor (with tamper protection to prevent people inserting secondary key membranes between the keys and encryptor), so that a PIN is never sent over a wire in the clear and the software on the ATM never gets to see a clear PIN. Why isn't the same thing mandated on POS terminals?
OK, so your card details can be harvested but at least the PIN would be secure.
Do you really think they sit there looking at your emails in Outlook or do you think they maybe scan the content of the message in raw format then laugh at the people 'hiding' messages in white on white?
I hope you were being ironic/sarcastic. If not, you should maybe cast your natural eye for security over your new 'much better' system once more - just to make sure it's not got any tiny flaws...
Lee, almost all ATM transactions are online at least to the acquirer system (which may be permitted to carry out stand in processing if the card issuers systems are unavailable). Normal operation is that every transaction will be routed to the card issuer for authorisation before any money is dispensed apart from said stand in scenarios.
I don't rule out the possibility of some deployments of ATMs allowing offline transactions but they should be limited to processing 'on us' transactions (for cards issued by the ATM deployer). They certainly shouldn't be authorising international cards offline. Having said that, these were pre-paid travel cards so the rules set for them can be different from normal credit/debit cards.
AC is right that complex fraud checks aren't done before the transaction completes so there is a window there, but basic velocity checks can and should be done before authorisation.
That's not what a velocity check is. A velocity check would simply be something like a daily withdrawal amount limit or a limit on the number of transactions a card can perform in a set time etc.
Analysing the location of transactions on a per card basis and then applying fraud checking rules would be the job of a dedicated fraud prevention system, not done by the transaction processing system - it has enough to do without running complex algorithms to identify fraud.
Also, in the article it says that their systems may have been compromised so these velocity checks may have been disabled.
I've read the Reg articles on the carrier, catapult, F-35B/C debacle and they're very persuasive; the selection of the F-35C seems like a no-brainer.
Is it really that simple? Is there really no other case for the F-35B other than the stated cost of installing catapults in the carriers? If there is a case, it should be presented in these articles so that we have a more balanced/interesting article to read.
Just asking...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
