This would never work in the US. As others have stated, the CVV number that you see is different than the one in the stripe.
Since chip-and-pin has finally started to trickle into the US market, this has become less common, but a lot of vendors still don't process transactions until the evening. For instance, when a restaurant uses your card, they may not go back and process your tip until the end of the day. In countries that have fully embraced chip-and-pin, transactions must be done at the time of sale, so this type of dynamic PIN can be utilized.
To be workable in the current US market, the bank would have to track the last several CVV patterns for a 24-hour period; however, if that is indeed what they are doing, they are effectively creating (60 / 3) * 24 = 480 valid PINs in a sliding 24-hour window. That is far worse than a single PIN. In fact, early implementations of chip-and-pin were vulnerable to these kinds of problems due to the need to support long periods of time for transaction processing.
Bottom line: We can do a lot to fix fraud if the US would ever fully embrace chip-and-pin.
As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump)
So why not just take advantage of having awesome hardware, and replace the crappy firmware with something else like OpenWRT?
So Lenovo didn't want to go out of their way to support a minor market segment. So what? They aren't selling to Linux users; if you don't like it, take your business elsewhere. Pretty sure the missing AHCI option was likely an oversight. If enough people want to run Linux, Lenovo will add back AHCI support or Linux/Lenovo will roll out a driver.
I personally love Lenovo hardware. It's always been rock solid for me. Since I'm not a moron, I never keep the installed OS, so I don't have to deal with their crapware. Same goes with any other pre-installed laptop from anyone. Just a couple months ago I bought a Lenovo Y700-17ISK gaming laptop. I absolutely love it, and it is easy to work on (first thing I did was upgrade the hard drive size). Works fine with Linux. Right now I'm dual booting Qubes OS and Windows 10.
Few programs are more hellacious to write and maintain than code that has been overly factored into classes that inherit from other classes, that implement some abstract that was inherited from another abstract, that isn't even called directly because it is actually an event handler or intent for yet another inheritance mess. OOP makes sense if used sparingly; if not, it makes GOTO spaghetti look sane.
You can prove that it is mathematically infeasible that your decryption, which is a valid file and displays a reasonable result, is NOT the one that the original user was expecting. That number, no matter how you arrive at it, is way, way less likely than a fingerprint or DNA match being an accidental duplicate of an innocent person, so good luck making that argument to a jury...
I think what the EndGame CEO was trying to state was that security needs to focus more on indicators of compromise and less on "defense" against compromise. As a red-team hacker, I agree. The fact of the matter is that securing the perimeter and the endpoint against all attacks is an impossible exercise. Too many security teams have that type of mentality: "Oh, you got in? No worries, just tell us exactly what you did and we will block that specific attack vector." What they should be focusing on is developing the capabilities to detect the intruder that has breached their defenses. We all like to talk about the magical "APT" that has unlimited time and resources and can teleport around your network without making a sound, but it just doesn't exist. Even a very advanced, skilled attacker, with months of time, is going to need to perform significant recon on the network. Much of that recon is atypical behavior for a non-malicious user.
Detecting malicious behavior isn't even that hard; it just takes some knowledge of what we hackers do: alerting on specific domain events, looking for specific traffic patterns, and profiling normal system behavior. Even a small security shop can greatly benefit from well-placed honeypots around their network. These types of things are not visible to an attacker, and if your network is reasonably secure, the attacker is likely to trip over one or more of them before they get what they are after.
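An added example, not the commenter's code: a small flow-log analyser in Go for two of the detections the comment lists, a honeypot rule (decoy addresses that no legitimate client has a reason to touch) and a recon rule (one source contacting more distinct host:port targets inside a time window than normal use does). The log lines, addresses, the decoy and the thresholds are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Flow is one connection record: when, from which host, to which host and port.
type Flow struct {
	At       time.Time
	Src, Dst string
	Port     int
}
// ParseFlows reads constructed "RFC3339-time src dst port" lines, one flow per line.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var ts, src, dst string
		var port int
		if _, err := fmt.Sscanf(line, "%s %s %s %d", &ts, &src, &dst, &port); err != nil {
			return nil, fmt.Errorf("bad flow line %q: %w", line, err)
		}
		at, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			return nil, err
		}
		flows = append(flows, Flow{At: at, Src: src, Dst: dst, Port: port})
	}
	return flows, nil
}

// Alert names the rule that fired, the source it fired on, and why.
type Alert struct{ Rule, Src, Detail string }

// Detector carries two of the comment's detections in flow-log form: a honeypot rule (decoy hosts no
// legitimate client touches) and a recon rule (more distinct host:port targets in a window than normal use).
type Detector struct {
	Decoys     map[string]bool
	Window     time.Duration
	MaxTargets int
}

// Run replays the flows in time order and returns at most one alert per rule per source.
func (d Detector) Run(flows []Flow) []Alert {
	type hit struct{ at time.Time; target string }
	recent := map[string][]hit{} // per source: targets contacted inside the sliding window
	fired := map[string]bool{}
	var alerts []Alert
	for _, f := range flows {
		target := fmt.Sprintf("%s:%d", f.Dst, f.Port)
		if d.Decoys[f.Dst] && !fired["honeypot/"+f.Src] {
			fired["honeypot/"+f.Src] = true
			alerts = append(alerts, Alert{"honeypot", f.Src, "contacted decoy " + target})
		}
		h := recent[f.Src]
		for len(h) > 0 && f.At.Sub(h[0].at) > d.Window { // drop hits that fell out of the window
			h = h[1:]
		}
		h = append(h, hit{f.At, target})
		recent[f.Src] = h
		distinct := map[string]bool{}
		for _, x := range h {
			distinct[x.target] = true
		}
		if len(distinct) > d.MaxTargets && !fired["recon/"+f.Src] {
			fired["recon/"+f.Src] = true
			alerts = append(alerts, Alert{"recon", f.Src, fmt.Sprintf("%d distinct targets within %s", len(distinct), d.Window)})
		}
	}
	return alerts
}

// sampleFlows is a constructed log (all addresses made up): 10.0.0.5 behaves like a workstation,
// 10.0.0.77 walks three hosts on three ports and then touches the decoy 10.0.9.9.
const sampleFlows = `
2024-03-01T09:00:00Z 10.0.0.5 10.0.1.10 443
2024-03-01T09:00:05Z 10.0.0.5 10.0.1.11 445
2024-03-01T09:01:00Z 10.0.0.77 10.0.1.1 22
2024-03-01T09:01:01Z 10.0.0.77 10.0.1.1 445
2024-03-01T09:01:02Z 10.0.0.77 10.0.1.1 3389
2024-03-01T09:01:03Z 10.0.0.77 10.0.1.2 22
2024-03-01T09:01:04Z 10.0.0.77 10.0.1.2 445
2024-03-01T09:01:05Z 10.0.0.77 10.0.1.2 3389
2024-03-01T09:01:06Z 10.0.0.77 10.0.1.3 22
2024-03-01T09:01:07Z 10.0.0.77 10.0.1.3 445
2024-03-01T09:01:08Z 10.0.0.77 10.0.1.3 3389
2024-03-01T09:01:09Z 10.0.0.77 10.0.9.9 22
`
// Demo runs the detector with constructed thresholds (5-minute window, 8 targets) over the sample log.
func Demo() ([]Alert, error) {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		return nil, err
	}
	return Detector{Decoys: map[string]bool{"10.0.9.9": true}, Window: 5 * time.Minute, MaxTargets: 8}.Run(flows), nil
}

func main() { fmt.Println(Demo()) }
```

The recon threshold is where the "profile normal system behavior" step lives: MaxTargets is set from what real workstations do inside the window, and the rule then fires on the fan-out that network recon needs. The honeypot rule needs no baseline at all, because a decoy has no legitimate clients, which is what makes it cheap for a small shop.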
This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so-called man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short, you'd have to be dumb enough to not notice you were downloading the file from a trusted source or, in the event that this was man-in-the-middled, not notice that the file isn't signed or is signed by the wrong person.
If I access a router with a known backdoor password, and someone failed to patch it, that is breaking and entering. It is clear that such access was not intended by the owner of the device, and I am effectively breaching their perimeter without their permission. In this case the guy used anonymous FTP. The entire purpose of anonymous FTP is to allow anyone to download files. FTP technology and anonymous access is routinely employed by companies and websites specifically to exchange files with everyone. Therefore, given the plain and regular use of the technology, one can easily argue that they effectively were inviting file downloads. Until this guy was able to validate the content of the files, he would arguably not have known that the files were supposed to be protected. The fact that he reported the finding shows that he was not behaving maliciously and was acting in good faith.
She is right, Google is every bit as guilty as Google...which is to say they both shouldn't be held liable for what users upload. It is idiocy to criminalize a tool that can be used for a crime, instead of the criminal action.
The reason everyone loved Jill is that, unlike a human TA, I bet the robot just spat out the answer to the questions. No need to do any of that pesky guided learning stuff, when the AI will give you the textbook answer.
Until less than three years ago, I worked on the Hanford site. My father-in-law still works on the site and regularly oversees and checks on tank levels. At least a couple of times a year, there is a minor leak, and the media breathlessly goes screaming that the end of the world is nigh. It is rarely serious, but between the media's antinuclear stance and the Hanford project's desperate need to drag out the project as long as possible, for jobs, these things get over-reported. At this point, all the waste has been relocated from single-shelled tanks to double-shelled tanks, where it is awaiting disposal at their vitrification plant that was recently finished. None of this waste actually leaked anywhere. What it means is that one of the innermost shells on one of the tanks has finally failed significantly. The waste is still contained. This isn't a surprise, as even the double-shelled tanks are getting old, hence the plan to vitrify (glassify) the waste.
I see that literally no one read the spec (yes, I realize this is Slashdot). To the creator's credit, they have thought about security from the point of malicious JavaScript accessing USB. The spec makes that highly unlikely as the USB device has complete control over who can talk to it. The problem is that as far as I can tell, they have given a malicious USB device yet another way to talk to a command-and-control server and get code execution (albeit in a sandboxed browser, using JavaScript). Of course I can already do that by emulating a keyboard, but why add to the list of ways a USB device can screw you?
I know these articles are SJW click-bait, but there is a perfectly normal explanation:
I work in cyber security, and it is a well-understood phenomenon that both men and women implicitly trust a female voice significantly more than a male voice. This is so well established that many pentesting companies hire women with pleasant voices just for social engineering gigs. When an AI is already trying to overcome people's inherent distrust of technology, it makes sense to employ psychological tricks that can make people feel more relaxed and trusting.
Competition is right, but not in the way you think. These guys all have their money squirreled away in offshore accounts, tied up in business ventures and live largely on their stock market earnings. They don't care about income tax, because they largely don't pay it. Those people who are trying desperately to make it into the club (their competition) are the ones that don't have enough liquid funds to keep it out of Uncle Sam's hands.
If you're going to college to "become a poet" or a sports writer, you've already failed math. You've failed to do even a trivial cost-benefit analysis on your "investment". If the math hurdle keeps a couple more dummies from throwing their money away, I say it's a good thing.
It'll be a cold day in hell before I willingly give my biometrics to my bank, my government, or a private agency. For one thing, I can't change them if they get stolen.
Secure payments is a very solvable problem. The only reason it hasn't been solved yet is the reliance on old technology and infrastructure. The two primary problems are a lack of instance validation, and static card information.
Here's one answer:
The bank issues a card with a chip. The chip has the bank's public key and a unique private key that the bank installs on the card; the bank then keeps the associated public key. Encrypt the chip key with a 4-digit PIN, or a real password.
Now the payment process is a public/private key asymmetric encryption process. The card chip encrypts the transaction details and a nonce that the bank sends (encrypted). If you need to support offline card use, then every time the card is plugged into an online system, have the bank send down 50 or so nonces that are encrypted and have the card chip store them encrypted locally. That way, if the terminal doesn't have direct network access, the card just uses and burns the next stored nonce. If the terminal needs to store information, it can wrap the card's encrypted information in its own public/private key encryption that it passes to the banks.
The biggest remaining issue is key exchange, but in the case of the end user, that only needs to happen when they request a new card. For the merchants, this can happen in the same process that handles reconciliation with the banks. They can exchange a list of merchant public-private keys as an extension of those protocols.
The article, though not as clear as it maybe should have been, clearly states that all traffic is encrypted using asymmetric encryption between the users, and I would also infer from the setup, further encrypted between the end-user and the server (it mentions that all users know each other's public keys as well as the service's public key, thus implying asymmetric encryption). Therefore, the fake traffic need not be particularly realistic, as long as the overall length of the unencrypted traffic somewhat realistically mirrors normal conversations. After the multiple rounds of encryption, both a fake and a real message should be indistinguishable from random bits.
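An added example, not the commenter's code, of the scheme sketched above in Go: the bank installs a per-card key and keeps only the public half, issues nonces (one per online sale, a batch of 50 to provision offline use), and settles a transaction only if the signature verifies and the nonce is one it issued and has not yet seen spent. The step the comment describes as the chip encrypting the transaction details and nonce is implemented as an ECDSA signature over them, which is what that step amounts to; the PIN gate is modelled as a hash check on the card, which a real chip replaces with tamper-resistant storage and a retry counter; the terminal's own wrapping and the merchant key exchange are left out. All names and values are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction is what the card authorises: who, how much, and which bank-issued nonce it consumes.
// Sig is an ECDSA signature over digest(), the concrete form of "the chip encrypts the details and nonce".
type Transaction struct {
	CardID, Merchant string
	Cents            int64
	Nonce            [16]byte
	Sig              []byte
}

func (t *Transaction) digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%x", t.CardID, t.Merchant, t.Cents, t.Nonce)))
	return sum[:]
}
// Card models the chip: a private key the bank never keeps, a PIN gate (a real chip keeps the PIN in
// tamper-resistant storage behind a retry counter; the bare hash here is a stand-in) and a nonce pool.
type Card struct {
	ID     string
	priv   *ecdsa.PrivateKey
	pinSum [32]byte
	Pool   [][16]byte // nonces the bank sent down while the card was online; used in order, then burnt
}
// Authorise signs a sale. An online terminal passes the nonce the bank just sent; an offline
// terminal passes nil and the card uses and burns the next stored nonce instead.
func (c *Card) Authorise(pin, merchant string, cents int64, online *[16]byte) (*Transaction, error) {
	tx := &Transaction{CardID: c.ID, Merchant: merchant, Cents: cents}
	switch {
	case sha256.Sum256([]byte(pin)) != c.pinSum:
		return nil, errors.New("card: wrong PIN")
	case online != nil:
		tx.Nonce = *online
	case len(c.Pool) == 0:
		return nil, errors.New("card: no stored nonce, terminal must go online")
	default:
		tx.Nonce, c.Pool = c.Pool[0], c.Pool[1:]
	}
	var err error
	tx.Sig, err = ecdsa.SignASN1(rand.Reader, c.priv, tx.digest())
	return tx, err
}

// Bank keeps each card's public key and the nonces it issued but has not yet seen spent.
type Bank struct {
	pub    map[string]*ecdsa.PublicKey
	unused map[string]map[[16]byte]bool
}

func NewBank() *Bank {
	return &Bank{pub: map[string]*ecdsa.PublicKey{}, unused: map[string]map[[16]byte]bool{}}
}
// IssueCard generates the card's key pair; the bank keeps only the public half.
func (b *Bank) IssueCard(id, pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	b.pub[id], b.unused[id] = &priv.PublicKey, map[[16]byte]bool{}
	return &Card{ID: id, priv: priv, pinSum: sha256.Sum256([]byte(pin))}, nil
}

// IssueNonces mints n fresh nonces for a card: 1 for an online sale, ~50 to provision offline use.
func (b *Bank) IssueNonces(id string, n int) [][16]byte {
	out := make([][16]byte, n)
	for i := range out {
		rand.Read(out[i][:]) // crypto/rand.Read never returns an error as of Go 1.24; older Go would check it
		b.unused[id][out[i]] = true
	}
	return out
}

// Settle accepts a transaction once. The card must be known, the nonce must be one the bank issued and
// has not yet seen spent (replays and forged nonces fail here), and the signature must verify under the
// card's public key (so a merchant cannot alter the amount after the card signed it).
func (b *Bank) Settle(tx *Transaction) error {
	pub := b.pub[tx.CardID]
	if pub == nil || !b.unused[tx.CardID][tx.Nonce] || !ecdsa.VerifyASN1(pub, tx.digest(), tx.Sig) {
		return errors.New("bank: rejected (unknown card, spent/unknown nonce, or bad signature)")
	}
	delete(b.unused[tx.CardID], tx.Nonce) // burn it so the same authorisation cannot settle twice
	return nil
}

func main() {
	bank := NewBank()
	card, _ := bank.IssueCard("card-1", "4321")
	n := bank.IssueNonces("card-1", 1)[0] // online sale: the bank sends one nonce for this transaction
	tx, _ := card.Authorise("4321", "cafe", 450, &n)
	fmt.Println("online:", bank.Settle(tx), "| replay:", bank.Settle(tx))
	card.Pool = bank.IssueNonces("card-1", 50) // provisioning for offline terminals
	tx2, _ := card.Authorise("4321", "kiosk", 100, nil)
	fmt.Println("offline:", bank.Settle(tx2))
}
```

The two properties the comment is after fall out of the Settle check: a stolen copy of a transaction is useless because its nonce is burnt on first use, and the card data on the wire is never a static secret, since only the signature over a bank-chosen nonce authorises anything.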
They are doing all the right things:
1) Raising the Minimum Wage (Raises the cost of everything including taxes).
2) Stupid projects like the light rail (Must be funded with more taxes, is already a huge multi-billion dollar boondoggle)
3) Talking about Rent control and anti-gentrification (Nothing like preventing new development to limit supply and thus raise costs).
I was standing in a long line, and watched two people at the counter trying to simultaneously mail parcels and talk on their phone. In both cases the postal worker had to explain things multiple times, and wait for them to finish chatting for a second before paying. One even turned to the postal worker and said, "Excuse me, can you hold on a second?". People suck.
Set up an MX record and an email server. Create an email address that's a bit off (to avoid spam) and occasionally forward an unimportant email to that address. Now you are using the domain for "email".
Sometimes I feel bad using off-brand products when I realize how much money the original innovator is losing to a copy-cat...then there are times like these. GM will have to raise their prices for an already over-priced product just so they can pander to suckers. I'll take my GMOs and other "artificial" food items, which are completely harmless, for half the price, thank you very much.
Well, for one thing Computer Science went from being a largely theoretical, mathematical field, to being more about useful programming and system architecture. When people make arguments like the one you are making, you completely ignore that the CS field is constantly going through giant paradigm shifts. It is completely unfair to compare interest of the various genders/sexes from 30 years ago because the field is completely different.
This isn't proof as it is entirely anecdotal, but I have a lot of women friends who love hard math and absolutely hate practical programming problems, while the majority of my guy friends fall on the other side of that divide. That is only one possible explanation.
Backstop, nuff said: https://chrome.google.com/webs...
Also there is a lot of value in NOT dealing with the asshole talking and texting in the movie.
Linux Mint isn't just Ubuntu. They also provide Linux Mint Debian Edition, which is far superior, IMHO.