The backdoor mentioned in Bruce Schneier's article requires the knowledge of a key related to the numbers in the algorithm, and the key can only be generated when generating the numbers in the algorithm (which was done by the NSA, and I'd seriously doubt that the NSA would let the key get out). So while yes, you're right in that an unsecured backdoor can be exploited by "the enemy", you've picked a bad example.
Yes. Auditors have to be quite careful about which devices are in scope and minimising the scope of what needs to follow the requirements greatly decreases the cost of being compliant.
From the standard:
These security requirements apply to all "system components." System components are defined as any
network component, server, or application that is included in or connected to the cardholder data
environment. The cardholder data environment is that part of the network that possesses cardholder data
or sensitive authentication data. Adequate network segmentation, which isolates systems that store,
process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data
environment. Network components include but are not limited to firewalls, switches, routers, wireless
access points, network appliances, and other security appliances.
From the standard: The standard itself can be read by simply going to the PCI Security Standards Council web site and following the links.
(For the record, PCI auditing is part of my job)
Note that POST requests don't prevent CSRF. You can easily bypass it using an automatically submitted form. This also gets past the CSRF protection in ajax functions.
<html><body onload="document.myform.submit()">
<!-- Form auto-submits on load; the victim's browser attaches its session cookies to the POST -->
<form method="POST" action="target" name="myform">
<input type="hidden" name="targetvalname" value="targetvalname">
</form>
</body></html>
In short, you need to use a randomly generated, form-specific value to protect against CSRF whether you're using GET or POST if the action is sensitive. All this falls down of course as soon as you have an XSS flaw though.
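The following is an added example, not part of the comment above, of the form-specific random value the comment calls for: a hypothetical server-side helper in Python (names such as `issue_csrf_token`, `verify_csrf_token`, `handle_delete`, and the `request` dict shape are assumptions, not any real framework's API). The token is an HMAC over the victim's session, the form name and a fresh nonce, so the auto-submitted cross-site form above, which carries the victim's cookies but cannot read them, has no way to obtain or compute it, and a token the attacker mints under their own session is rejected. The check is applied to GET and POST alike, which is the point that the method does not matter.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-deployment secret; in a real deployment load it from
# configuration rather than generating it at import time.  Random here so the
# example runs stand-alone (assumption, not from the original comment).
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, form_name: str, nonce: str) -> str:
    """HMAC-SHA256 binding a nonce to one session and one form."""
    msg = session_id.encode() + b"|" + form_name.encode() + b"|" + nonce.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, form_name: str) -> str:
    """Mint a token to embed as a hidden field in the named form.

    Because the MAC covers the session id, a page on another origin cannot
    produce a value valid for the victim's session: it cannot read the victim's
    session cookie, and a token issued to the attacker's own session will not
    verify against the victim's.
    """
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, form_name, nonce)


def verify_csrf_token(session_id: str, form_name: str, token: str) -> bool:
    """Check a submitted token against the session and form it must belong to."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    # Constant-time comparison so a byte-by-byte timing leak is not possible.
    return hmac.compare_digest(mac, _mac(session_id, form_name, nonce))


def handle_delete(request: dict) -> int:
    """Toy handler for a sensitive action; returns an HTTP status code.

    `request` is a constructed stand-in for a framework request object with
    keys "method", "session_id" (taken from the session cookie) and "params"
    (form fields or query string).  The token is required whatever the method:
    a GET with the right query string is no safer than a POST without the token.
    """
    if request["method"] not in ("GET", "POST"):
        return 405
    token = request["params"].get("csrf_token", "")
    if not verify_csrf_token(request["session_id"], "delete", token):
        return 403  # refuse: the request did not originate from our own delete form
    return 200  # perform the deletion


if __name__ == "__main__":
    victim = "session-of-victim"
    tok = issue_csrf_token(victim, "delete")
    # Legitimate submission from the real form.
    print(handle_delete({"method": "POST", "session_id": victim,
                         "params": {"csrf_token": tok, "id": "42"}}))
    # The auto-submitted cross-site form: victim's cookies, but no token.
    print(handle_delete({"method": "POST", "session_id": victim,
                         "params": {"id": "42"}}))
    # Attacker mints a token under their own session and plants it in the form.
    planted = issue_csrf_token("session-of-attacker", "delete")
    print(handle_delete({"method": "POST", "session_id": victim,
                         "params": {"csrf_token": planted, "id": "42"}}))
```

The scheme is stateless (nothing is stored per token), which is why the nonce is bound into the MAC rather than looked up; adding an issue timestamp to the MAC input would let tokens expire. The XSS caveat in the comment applies unchanged: script running in the site's own origin can read the hidden field out of the real form and submit with it, and no token design survives that.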
Next you can tell everyone why a spider was allowed to access deletion pages.
Why is the Sydney Morning Herald running an AFP report on an important Australian issue? The report's badly written, misspells the name of one of the two major political parties in Australia and measures costs in US$...
For the record, much more accurate and informative news on Australian Broadband can be found at Whirlpool at http://whirlpool.net.au/.
Could I just note that the average lifetime is around about 70 years, which means that by the end of it chances are pretty much nil that the original author would have even met the current copyright holder. Extending this much further will make the chances exactly nil.
It is actually Catch-22. If the boy is innocent then he will not have to go to jail. If the boy says he's guilty then he will have to go to jail. If the boy says he's innocent then the principal assumes he is just trying to save going to jail, therefore he is guilty and therefore he should still go to jail.
Think of it this way: The statement made by the principal is Begging the Question. The situation the student was put in was a Catch-22.