Slashdot Mirror


User: onyxruby

onyxruby's activity in the archive.

Stories
0
Comments
1,795

Comments · 1,795

  1. Quit fooling yourself on Gizmodo Went Phishing With the Trump Team -- Will They Catch a Charge? (arstechnica.com) · · Score: 4, Insightful

    They didn't dance along the edge of legality. They danced over and never looked back. Legitimate pen test services are painfully aware of this and have the paperwork to prove it.

    Ars should have enough sense to check things out for the sake of their own credibility. If Ars Technica had bothered to ask anybody who's ever worked in the security industry, they would have quickly learned that indemnification is taken very seriously.

    http://www.isaca.org/chapters3...
    https://pen-testing.sans.org/b...

    Hell, even Metasploit has been talking about this for years!
    https://dev.metasploit.com/pip...

    The only people fooled by Gizmodo's phishing logic were the editors who signed off on this to begin with. Next time ask a pro before you publish, it will help you avoid looking the fool.

  2. Re:Crisis can be easily averted... on Nuclear Experts Form International 'Nuclear Crisis Group' (teenvogue.com) · · Score: 1

    Piffle. War can be a very rational act to obtain something that one nation wants. The fact that it is immoral does not change the fact that it can be rational. Countries have been gaining treasure, minerals, slaves, property, land, rights and technology that they otherwise could not have gotten for thousands of years by declaring war.

    When you think about it, the whole original point of treaties was to make it less rational to attack you to begin with. Nations paid tribute as declaring war often was a rational act, and if you could give someone what they wanted (money) then you could avoid going to war to begin with.

    Whether the other nation wants to win a war or not is entirely moot. If they choose not to participate the other side will win. You don't have to fight to die.

  3. Propaganda on Nuclear Experts Form International 'Nuclear Crisis Group' (teenvogue.com) · · Score: 4, Insightful

    These are the same people that have been presenting the doomsday clock. The same doomsday clock that for decades has been around 5 minutes from midnight & DOOM!!! They present themselves as non-partisan and neutral when in reality they are vehemently anti-nuclear.

    Sounds like the old name has become so tarnished that a new name is needed for propaganda purposes. Clearly their hyperbole and public messaging positions are effectively the same. Anybody want to bother seeing how closely related the boards are between the two?

    Slashdot is tentatively a science based site and should know better than to post an article for shills like this. Can the editors please do a bit better in the future?

  4. Recurring question on Ask Slashdot: Is ReactOS A Serious Alternative To Windows? (reactos.org) · · Score: 4, Insightful

    This question has come up a number of times in one form or another for well over 15 years. If you can't answer yes to at least three of these four questions your chosen OS isn't a suitable replacement for Windows for most people.

    Can the average person use it for typical tasks (internet, printing, office etc.) without friction? If your OS makes someone feel like an idiot they'll lose all interest.
    Can the average person use it without being told RTFM? This attitude has done more to keep people on Windows than Microsoft's FUD ever has.
    Can the average person run their existing games on it? You don't want to buy a second computer just to play some games.
    Can the average person run routine maintenance tasks at the GUI instead of the command line? The lay person doesn't want to deal with command lines.

    Mac OS largely meets these requirements (games are a weak spot) and is certainly a viable alternative for most people. Android and Chrome are progressing and likely will become viable if Google ever merges the two and improves hardware support. Certainly Chromebooks have become viable for limited educational settings.

    No one else has a product that is remotely viable for the lay person. Professionals and business users have additional requirements that go far beyond these.

  5. Re:Piffle on Neowin: Microsoft's Windows Phone Business 'Is Dead' (neowin.net) · · Score: 1

    Android came out in 2009. If the patents dated to that time they would still have 60% of their life left. Other countries have their own patent lengths which can be shorter or longer. For the meanwhile they arguably make more profit from Android than any of the manufacturers. That is a lot of billions over the years.

    My point is that by keeping their phone OS alive they give a practical means by which their developers can look for 'new' things that can be patented. Those patents are worth far more than the cost of developing a lagging phone system (some of which is also offset by profits from the marketplace).

  6. Piffle on Neowin: Microsoft's Windows Phone Business 'Is Dead' (neowin.net) · · Score: 1

    The author wrongly assumed that Microsoft's phone business is the manufacture and selling of cell phones. Microsoft's phone business is in patents, and it brings in far more money from patents than it does from phones.

    Reports range from 2 to 6 billion dollars every year in profits just from Android.

    https://www.howtogeek.com/1837...
    https://fossbytes.com/microsof...

    Samsung alone pays Microsoft 1 billion per year.

    http://www.theverge.com/2014/1...

    Making handsets is simply a convenient way to stay in the patent creation business.

  7. Amen

  8. Just plain wrong on Embarrassing Ex-Employee Complaint Against Snapchat Unsealed (variety.com) · · Score: 4, Insightful

    There's nothing embarrassing about not wanting to go into certain places. Chances are very good any company you can think of actively excludes itself from places where things don't fit its business model.

    Decisions based on where to offer services are based on demographics, target market, legal landscape, logistics, potential profits and so on. Chances are senior leadership is already going to be aware of their target market and probably doesn't need to do in-depth market analysis to realize certain countries don't make sense. In other words they can dismiss a country with half a second in thought - and be right.

    Now if you want something that actually is embarrassing - we can talk about their data analytics.

  9. Prototypical example on Proof Daylight Saving Time Is Dumb, Dangerous, and Costly (bloomberg.com) · · Score: 3, Insightful

    Daylight savings is the perfect example of government regulatory overreach interfering in people's lives for theoretical gain. What there is, is an increase in stress, time, money and heart attacks.

    It's a concept that kills people, something studies have shown for years. Meanwhile anyone who wants an extra hour of daylight can make a personal choice and adjust their sleep schedule.

    http://www.livescience.com/567...
    https://permies.com/t/509/Debu...
    http://www.nytimes.com/roomfor...
    https://www.theatlantic.com/na...

  10. init strings
    modem connection sounds - and what they meant
    DOS memory management
    wiring pin outs for serial, parallel and Ethernet cables
    null modem cables
    SCSI
    IPX/SPX and how to tune the daylights out of it
    dip switches
    jumpers

    Mind you, many of the above were necessary to do things like play games with your friends. Thinking about it, I learned a lot about networking and hardware because I wanted to play games with my friends and network games were only for the brave. We would hack games that were only supposed to work at the LAN level to work online so we didn't have to haul our computers over every time we wanted to play.

  11. Re:Best feature they could get on Twitter Scrambles For Next Big Feature, Bets On Merging Tweets, Hashtags, Moments (adweek.com) · · Score: 1, Flamebait

    They do allow hate speech and threats against other people's lives. Twitter's double standards on hate speech are well documented:

    http://dailycaller.com/2011/01...
    http://www.breitbart.com/tech/...
    http://www.truthrevolt.org/new...
    http://www.dailywire.com/news/...
    http://www.redstate.com/diary/...

    When you get to define hate speech as speech you disagree with, then everything quickly becomes hate speech.

  12. Best feature they could get on Twitter Scrambles For Next Big Feature, Bets On Merging Tweets, Hashtags, Moments (adweek.com) · · Score: 1, Offtopic

    By far the best feature that they could possibly get would be to remove their political bias. Twitter routinely censors or bans views that don't match their political views. Who seriously thinks excluding a significant portion of the population is a viable business?

    Unfortunately they would rather burn their own house down than be politically tolerant. Political correctness strikes again....

  13. This was long overdue on Western Union Pays $586M Fine Over Wire Fraud Charges (reuters.com) · · Score: 3, Funny

    Western Union has turned a blind eye to criminals using their services for fraud for decades. Why did this take so long?

  14. This is one company on Amazon To Add 100,000 Full-Time US Jobs in Next 18 Months (geekwire.com) · · Score: 1

    You can rest assured that this is one company that won't credit Trump in any way for these jobs.

  15. That rarest of events on Samsung May Permanently Disable Galaxy Note 7 Phones In The US As Soon As Next Week (theverge.com) · · Score: 4, Insightful

    An actual case where the manufacturer is disabling the product in the best interest of the public. Who knows when we'll see its like again. Someday you'll get to tell your kids about the day this happened...

  16. Re:It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 1

    Credit card numbers that long aren't necessary. Changing how they are constructed is. Logically speaking the problem can be fixed (hashing etc.). The problem is that the infrastructure that supports it would also have to be changed and that would be a monumental undertaking. Which is why they are trying to avoid it at all costs. You also have the issue that the typical consumer is not going to tolerate an even longer number than they already have.

    The unique credit card number solution has been offered by some banks already (e.g. Amex). Many payment terminals are configured to use DUKPT which creates a unique key per transaction (this is enough to take a cash register out of scope for PCI if properly configured).

    You may find this interesting:
    http://www.maravis.com/derived...

    Even 2FA is broken if it is done via SMS:
    https://pages.nist.gov/800-63-...

  17. Re:It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 1

    Thanks, glad it's helpful :)

  18. Re:It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 1

    Credit card transactions are fairly well documented (I'm a big fan of DUKPT myself and that is decently documented). However the process used to generate the account and CVC2 numbers themselves is obscure and proprietary to each bank. Most banks do not have the expertise or will to properly perform this function. They count on malicious actors not looking too hard at how they do things.

    Unfortunately for the banks once you figure out how to generate these numbers you have broken the primary security used to prevent the public at large from using any given key (card no's) against a very public lock (merchant website). 2FA goes a long way to prevent this!!!

    Processors, banks and merchants all have the ability to mitigate this risk by putting in additional controls (geo-location, address, shopping patterns etc.) These all help reduce the risk of a given transaction. However they must balance out approving most (probably legitimate) transactions against an acceptable level of fraud. They must also balance out the overhead involved in reviewing and approving transactions.

    The result is the continued use of a system that is fundamentally broken. You will see this type of fraud increase significantly until the whole system is re-engineered.

  19. Re: It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 1

    Every company chooses their own method of generation for this code. Some vendors use weak encryption, some might use strong encryption, some don't use encryption at all, and some issue the codes in batches. It really all comes down to the company, their risk policies and their expertise. That's why large card dumps are risky, they provide material that can be used to look for patterns. It's a bit scary how many companies have told me they secure their product with base64.

  20. Re:It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 1

    Agreed, chip and PIN is better, however it is also broken. The whole thing needs to be rebuilt.

    2 factor should /always/ be required

  21. Re:It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 2

    Chip and PIN really does help for card present transactions. Unfortunately it doesn't do much for card not present transactions (online). The article talks about the issues online merchants face.

  22. Re:It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 1

    Citations were in the sources I provided.

  23. It's even easier than that on Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) · · Score: 5, Insightful

    This is a good opportunity to talk about why security through obscurity is bad:

    Your typical credit card number has a theoretical 16 digits that are available. That's a huge number (9,999,999,999,999,999) that makes it look effectively impossible to guess. Let's pare that number down to size.

    First, you aren't guessing anywhere near 16 digits. It turns out there's a lot you already know (1st digit is 4 for Visa, 5 for Mastercard etc.). That reduces the typical address space from 16 to 15 digits. That first number turns out to actually just be part of the bank identification number which is typically 6 digits long. All of the rest of it except for the last digit is the actual account number. The last number itself is used for a checksum (Luhn) that is used to verify the number is good.

    In other words to get the account number right you've only got an address space of 999,999,999. That's a significant reduction in magnitude to start with. Now let's go back to that Luhn checksum (it isn't a hash). Due to this detail you can easily validate the number to make sure that you haven't mistyped it (Luhn precedes using magnetic tape for credit cards).

    The Luhn check uses a Mod 10 algorithm that excludes 90% of the previous address space. You now have 99,999,999 numbers to guess against. Your malicious actor isn't starting work in a quadrillion space number, they're working in the millions. All of that is just from the industry standards themselves. Now remember that each bank is going to have their own formulas for generating credit card numbers and that card thieves have data sets of the tens of millions - old dumps are good for providing data that can show patterns. This is a good example of how data at the aggregate level carries risk that it doesn't at the micro level.

    Chances are the account number for the card itself isn't at all random. Chances are really good that the formulas used to generate these numbers for a number of large popular banks have been reverse engineered by any number of parties. You also have policies at many banks such as never reusing a number that also reduce this address space. All the malicious actor has to do is look for patterns. Patterns have a way of reducing the order of magnitude once you learn them.

    The expiration dates themselves are typically within 2 years giving a range of only 24 to pick from for the typical transaction. Guess a valid account number, try it at 24 websites and chances are really good one of them will work. That leaves the CVC2 number itself, which of course isn't random either.

    The system is broken, it's just a matter of time before industry must recalibrate how it works.

    More below for those who are curious:
    http://www.creditcards.com/cre...
    http://datagenetics.com/blog/j...
    http://www.darkcoding.net/cred...
    http://blog.opensecurityresear...
    http://www.ibm.com/support/kno...
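    As an added illustration of the Luhn point made in the comment above (example code written for this page, not the commenter's), the mod-10 check itself, plus a count showing that exactly one number in ten passes it, which is the "excludes 90% of the address space" reduction the comment describes. The check digit is computed from the other digits by a published formula, so it catches typos and adjacent-digit transpositions but is not a secret and adds no protection against guessing. Every digit string below is a constructed sample, not a real account.

```python
"""Luhn (mod 10) check: a public integrity check, not a secret.

Added example, not the commenter's code. All digit strings here are
constructed samples (the "79927398713" string is the standard textbook
Luhn example), not real account numbers.
"""


def luhn_checksum(digits: str) -> int:
    """Luhn sum modulo 10 over a string of decimal digits.

    Walking from the right, every second digit is doubled and, if the
    result exceeds 9, 9 is subtracted (equivalent to summing its digits).
    A number passes the check when the result is 0.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the full number, last (check) digit included, passes Luhn."""
    number = number.replace(" ", "")
    return number.isdigit() and len(number) >= 2 and luhn_checksum(number) == 0


def luhn_pass_fraction(prefix: str, width: int) -> float:
    """Fraction of all numbers prefix + <width free digits> that pass Luhn.

    For any fixed prefix the rightmost free digit is never doubled, so it
    cycles through all ten residues mod 10 and exactly one choice passes:
    the check digit removes one decimal digit of search space, no more.
    """
    total = 10 ** width
    passing = sum(
        1 for n in range(total) if luhn_valid(prefix + str(n).zfill(width))
    )
    return passing / total


if __name__ == "__main__":
    sample = "79927398713"           # constructed, Luhn-valid sample
    typo = "79927398710"             # last digit mistyped
    swapped = "79927389713"          # two adjacent digits transposed
    print("sample valid:", luhn_valid(sample))     # True
    print("typo valid:", luhn_valid(typo))         # False
    print("swapped valid:", luhn_valid(swapped))   # False
    # Constructed prefix; the last three digits are enumerated (1000 cases).
    print("fraction passing:", luhn_pass_fraction("7992739", 3))  # 0.1
```

    Running it shows the two halves of the comment's argument side by side: Luhn reliably rejects a mistyped or transposed digit (the job it was designed for), and over any block of candidate numbers exactly 10% pass, so the check digit is a one-digit reduction in the guesser's search space rather than a barrier. Any real defence against card-not-present guessing therefore has to come from the issuer-side controls the thread mentions (velocity and pattern checks, address verification, 2FA), not from the number format.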

  24. Trolls and jesters on Milo Yiannopoulos Wants To Buy 4Chan, Promises Free Speech Haven (hollywoodreporter.com) · · Score: 4, Interesting

    Al Gore once titled a movie of his "An Inconvenient Truth". The premise being that the truth isn't always convenient, pretty or profitable. It's an argument that was widely embraced by the left when it was in their favor. Now that it is against their favor it is condemned (flashbacks of WikiLeaks anyone?).

    Milo has previously stated that in today's society only trolls are allowed to speak the truth. This position used to be taken by the court jester or fool, the one person who could speak freely, to say what no one else dared. In today's society sites like 4chan have become the fool, saying what no one else dares.

    4chan or its replacement will always exist because history has always demanded that the truth be told, no matter how politically incorrect it is.

  25. Yiip Yap on Robot Snatches Rifle From Barricaded Suspect, Ends Standoff (latimes.com) · · Score: 3, Interesting

    It seems every time someone discovers how to do an old thing on a new medium it makes the news. Put missiles on a drone, bully someone online, use a new technology to commit a heinous crime? All of these things received widespread news coverage, when they are really nothing more than pencils with erasers:

    http://www.nytimes.com/2013/09...

    In reality these are human nature stories, not technology stories. There is nothing new here, just the combination of things that have already been invented. I want to hear about innovation and invention, not pencil erasers. This is a technology site and should be better than this.