Well, it's happening in the credit card handling businesses. There is a new standard for security being brought about by the Payment Card Industry (PCI.) Any firm that accepts credit cards needs to submit documented procedures for how security will be handled, and that includes things as diverse as encryption, patch schedules, security rights, data storage, longevity, and code reviews.
If you want to handle credit cards in the future, you had better be protecting the card data appropriately now. Penalties for non-compliance go as far as to have Visa, MasterCard, Discover and American Express blacklist you, which would be quick death for a card processor, or a slow, agonizing, terminal decline for a retailer.
Well, for the security reasons I mentioned above, you wouldn't need the cart or basket until checkout time, and then you'd only need it to carry the goods from the lane to the door (which is also where a cart return would be conveniently located.) Trying to track the carts through the store wouldn't gain you anything in the way of security, but it would be a marketer's dream: they could then answer burning questions of the day, such as how long do you pause looking at the televisions, or how quickly do you walk past the children's shoes? Did you spend half an hour in books, or did you spend all your time going up and down the grocery aisles? Do the customers who look at software and XBoxes typically then go to the toy area, or do they go to toothpaste next?
And seeing as how I don't have exactly 12 livers...
I don't think I'm actually going to count on Mountain Dew for any longevity properties, other than for the "copious amounts of fluids" I get from it. Right now, I'm mostly just a filter for Yellow dye #5.:-)
Yup, two different things, I was thinking about the RFID "tag swapping" the same way the idiot in TFA was barcode swapping, and I didn't think disabling the chip while in-store was going to be a viable attack path for the bad guys.
Yeah, jamming at the door could possibly work. RFID chips that do double-duty as EAS tags still don't have very long effective ranges (maybe a few meters at most) so it shouldn't take much signal to disrupt them. However, the readers are extremely sensitive, able to discern many dozens of tags per second, all of which are retransmitting on the same frequency simultaneously. You'd have to be extremely confident that your jammer would squelch all of your tags.
Even then, you might not get much of a head start over store security. I suspect that once the register has marked an item "sold" that the door readers are going to expect the tag to leave the building in a few minutes. If a cart full of expensive tags doesn't get out the door within a minute or so, the loss prevention people could start to take interest (think Best Buy's typical checkout lanes, where you are ushered out the door almost as soon as you pay.)
I just thought of something. What if you give every cart (and basket) its own tag? When you show up at a register, your physical cart should be noted. If the cart doesn't show up, it should trigger an alarm bell or two. And once it does show up, it better leave at the same time as the merchandise it carried to the register. At least that would restrict people to stealing only that which they could conceal under their clothing, keeping bulky items safer.
I learned something related earlier this year that was kind of a "duh!" moment for me. If you're going to have generated code, then the "source" for the generator is what you need to save, as far as source control goes. Save it off as a first-class source module.
What that gives you is the ability to re-generate the generated code in the future. It's even portable, assuming someone can put together a translator to generate the new output from the old source. But you can't do much of that with a "skeleton generator" or a "click-here-to-write-code" wizard.
Wizards are not necessarily evil. Why should a programmer have to go through all the syntactically redundant crap every time they want to create a class? It doesn't make you a better programmer to learn how to type "class foo { public: foo(); virtual ~foo(); };" all the time, it just makes you a more experienced typist.
If you were using a framework in the pre-.NET days (such as the old MFC stuff) the wizards would generate a lot of the required macro code and skeleton classes for you. Since the underlying framework itself was so hideous, there didn't seem to be a real need for everyone to understand what the wizards generated then either.
Yes, a guru can come along later and trim the macros, optimize the code, whatever, but hey, why not let the wizard do the crap work? Let the beginning programmer work out the application logic without worrying about the windowing code. That stuff can come later.
Three cores for the Aussie geeks, on their big island.
Seven cores for the anti-spy programs, in their halls of ivory.
Nine cores for trojans, doomed to spam.
One core for the user, all alone.
One chip to run them all
One northbridge to bind them
One RAM to feed them all
And in the SMP array bind them.
That was true many, many years ago. The rule of thumb in the 1980s regarding shrinkage was 1/3 external theft, 1/3 internal theft, and 1/3 bookkeeping errors. That was at a time when shrinkage averaged about 5% of sales industry-wide. But the industry has changed greatly since those numbers were first recognized.
These days, it's not uncommon to have shrinkage rates less than 2% of sales. Bookkeeping errors have been greatly reduced due to advanced inventory management systems and EDI. Internal theft detection systems typically find dishonest employees earlier, meaning they're now stopped long before they're able to swindle $500,000 worth of fraudulent returns (yes, I know of a fraudulent return scam that went on years, and was detected only because of a system enhancement.) And Electronic Article Surveillance (EAS) systems, extensive camera networks, and more effective training have all combined to reduce shoplifting rates.
Things like "damaged items found on floor, store defectives, store consumed" are indeed accounted for these days, and are actively tracked. They add up to nowhere near the amounts stolen by external and internal theft. And cashier errors of the type you mentioned are really only "intent" away from sweethearting (deliberate misringing to benefit a friendly customer.) Theft is now the biggest cause of shrink in retail.
RTFA. He's not "making one". He's receiving a donated used one from Johns Hopkins University. It's already fully functional, it just needs a power cord and a place to park it where the neighbors won't complain.
But you're right: I wouldn't worry too much about the nuclear splitting capabilities either. Adequate lead shielding will protect the neighbors just fine.
Well, you were talking about the "morally reprehensible people running these organizations" and "the dishonesty of corporate CEOs." I didn't have to dig far to find the names of dishonest, reprehensible CEOs such as Ken Lay, Bernie Ebbers, etc. And I haven't heard such things said about the CEO of Target.
It's a known fact that a good portion of the goods sold by Target are made in sweatshops where workers are subjected to egregious conditions for minimal pay.
Really? A "known fact" you say? Could you please provide recent citations, because I'd be really interested to know if they are indeed doing that. Not that I appreciate the factory work going overseas, but last I heard China's population was enjoying a boom similar to the U.S. in the mid-1950's, with a dramatically increased standard of living for the new middle class. The peasantry is still subsistence farming, but they're not the factory workers, either.
Ad hominem attacks only weaken your argument.
As do broad-brush stereotypical statements about the "people running these organizations" and "known facts" without sources. Pot, meet kettle.
A jammer works only when it's powered on, and will not disable an RFID tag in any way. They only jam the readers, not the transmitters. They're indiscriminate: they won't jam only the switched tag, they'll interfere with reading everything. If you turned a jammer on at checkout time, the cashier wouldn't be able to read any of your merchandise with an RF reader, and would end up hand-scanning (or worse, hand-keying) every item in your cart. The result would be a slower checkout, but likely no theft.
It's called "Servicing them out of the store" and retailers have done that for many, many years. Don't worry, they didn't lose nearly as much business as they saved in theft avoidance. Honest customers either appreciate the help or they don't, but thieves get nervous and leave.
It doesn't work so well for a store like Target, however. They don't have the sales staff to go hover over every teenager in a trenchcoat let alone notice them in the first place. That's why they resort to cameras everywhere.
What, because Ken Lay (CEO, Enron) was a reprehensible immoral thief, that makes Bob Ulrich (CEO, Target) a reprehensible immoral thief too? And somehow this mythical immorality trickles down to the shareholders, the employees and the whole corporation, so therefore it's OK to steal from them? I'd ask what drugs you've been taking, but I see you've already laid claim to LSD, which explains a lot.
Let's see, you are posting from a computer, so you must be a filthy identity thief hacker just like Kevin Mitnick. Oh, wait, you're not Kevin Mitnick? You don't commit ID thefts? Hmm, so not everyone who owns a computer is an evil hacker. What lessons about prejudice can we extrapolate from this, boys and girls? Perhaps it's the people who are actually criminals that should be treated like them? And just maybe stealing is stealing, regardless of whether you're stealing from Target or your next door neighbor?
Even if he had "simply walked out without paying", Target usually doesn't let anybody walk. About 25 years ago they used to slap kids on the wrist (maybe call the cops and the parents to scare the kid straight,) but these days almost every thief is put onto a legal assembly line. Cops, prosecution, court, jail time and restitution, the whole nine yards. All a part of the zero-tolerance society we live in. Every theft costs a lot of money, and their shareholders have demanded it.
Some of the RFID tags that have been developed are very resistant to disabling. I've read that some of the CASPIAN people have tried disabling hidden RFID tags by placing the merchandise in a microwave, but that hasn't worked at any level that didn't also destroy the merchandise. Plus, you probably don't want to carry a magnetron around in a store -- they're likely to be noticed.
It'll work as a good anti-theft tag in any electronic item: any energy levels high enough to disable the tag will certainly be high enough to fry the desirable electronics.
RFID may not be a "solution" to theft, but it will be a stronger deterrent than most other schemes have been. But I think it has too many other negative side effects on society to ever be widely accepted.
The item's serial number is kept in read-only memory on the tag. It's written at time of manufacture, and is not changeable. I'm not saying it couldn't be replaced or that the system couldn't be gamed; for example the old tag could be physically disabled and a fradulent tag put on the item in its place in a high-tech version of this iPod iDiot, but you can't alter the existing tag.
Sorry, but you're really incorrect there on a lot of counts. First, shrinkage as a percent of sales due to theft has actually shrunk in the past few years, mostly due to enormous investments in loss prevention systems and paid restitution from the theives they've caught. Yes, the major retailers account for shrinkage in the price, but they also spend incredible amounts of money on anti-theft systems. They'll even push the limits of alienating their best customers to stop thieves. And they will announce it, too. They've stopped worrying about "embarrasment" -- they want the thieves to know they'll be caught if they try to steal from them. If they can deter the thieves, it's better all around -- prosecution is expensive, even with the promise of restitution. Having the bad guys not show up is a win-win. The stores' costs go down. And the would-be thief isn't a bad guy, and doesn't go to jail and screw up his life with a criminal record.
Retail theft from big box stores is a huge business, you might be amazed at the levels of both sophistication and brutality involved in the crime rings that have developed around the practice. Retailers are in the position of having to come down hard on every thief in hopes that they're breaking into one of these rings. And the systems that are in place to catch these big thieves can also catch the little guys.
Even your advice is no good: if you steal from the big box stores, expect to be expertly prosecuted like a major-league thief if you get caught. If you steal from a mom & pop store, they might not have the resources to bring you to justice. For example, a friend of mine owns a convenience store in a summer resort town, and he's thinking he'll have to go out of business due to the theft of his 4th of July receipts. He can't afford to take time to fight all the legal battles and still hold down his day job. And any restitution he may hope for will take far too long to receive to keep the store open in the meantime.
So my advice is "Stealing is stealing: if you must steal, reconsider your options."
To solve his problem he wouldn't need to "parse all browser's requests." He could code it simply for the one he uses. Obviously if this is truly a minimal system, a pre-packaged web server is likely to be more than his resources can bear. But using a web interface eliminates the need to write a client side app.
So yeah, write a text interface to a socket, and telnet to it from off the box. It may not be clickably pretty, but he can probably solve his problems quickly. It's what I used to do twelve years ago when I had a similar situation, and it worked just fine then.
I recommend a new moderation category: +1 Incite-ful.
That'd be pretty useless around here. Do you know how many people can't tell the difference between incite and insight, let alone site, sight, and cite?
You are only looking at chargers, though. Consider instead the fixed devices with power requirements under my desk right now. Cable modem, router, 3 USB hubs, three printers, a film scanner, a set of speakers, a weather station receiver, and a TV tuner. Each of those came with a brick because it needs power, and there is no local source they could count on. These companies could all save the cost of the bricks if they could count on the users having a universal power supply.
If a universal power system were widely adopted, all of these bricks could go away. The device makers would have every incentive to not include a brick with each device (cost, weight, package size, etc.)
The almighty buck is an economic incentive only for the brickmakers -- they want to sell lots of power bricks. But they only sell wholesale to the device makers. They don't sell to the consumers, the device makers do. The device makers have it in their economic interest to offer the lowest price, not to sell a brick. If they could save two dollars by not buying bricks, they could drop their prices by one dollar and still pocket one dollar for themselves.
There is already a standard out there: USB PlusPower for cash registers. They've incorporated USB backward compatible piggybacked high-current +5VDC, +12VDC and +24VDC connectors. Several years ago some large retail chain stores refused to accept a half-dozen power bricks under each cash register, and demanded of IBM that they develop a way to power the many peripherals each cash register needs (scanners, printers, mag stripe readers, PIN pads, cash drawers, scales, etc.) NCR and Fujitsu added their support for a standard, and USB PlusPower was the result. All the large-player peripheral makers support it now, too. (Here's a sales document for a USB PlusPower hub for your PC that explains the standard.
From the document: "The USB PlusPower design provides the following voltage and current
+5 volts DC at up to 6 amps per connector (up to 30 Watts)
+12 volts DC at up to 6 amps per connector (up to 72 Watts)
+24 volts DC at up to 6 amps per connector (up to 144 Watts)"
Consumers need to do the same thing, but as of yet have never organized and demanded such a thing. It's considerably tougher to do at a consumer level. Consumers have never organized very well. And there are very few cash register manufacturers in comparison to all the motherboard and system builders out there. There are very few "large customers" that can use their buying power to influence the industry.
"Bug exploiter" as in the Slammer worm, Code Red, the most recent image processing dll thing, the now-critical IE arbitrary execution bug, etc. They propagate through holes in existing programs, typically through bugs like buffer overflow exploits.
Yes, I know you were thinking of the chump scripts and the more traditional "floppy sharing viruses", but there are bug exploiters out there. Perhaps I should have labeled them "worms", since some people seem to have a semantic hangup about things like that; but wasn't Norton Anti-Wormer that we were talking about, was it?
What, are you expressing disappointment that there aren't Mac adware and spyware programs? What piece of magic software is there in a Mac that prevents a person from installing an adware client right along with their latest version of iKazaa?
I think it's purely market share right now that's keeping your box as safe as it is. That, and the impression that average Mac users are ever-so-slightly more savvy than average PC users. I'll grant you that removing a piece of spyware MIGHT be easier on a Mac, ('cuz it would be hard to top registry crawling through an infested PC) but regardless of platform, ultimately spyware and adware arrives along with a legitimate or desired package, kind of like a remora arrives with a shark. Being a Mac doesn't grant you any magical powers of defense against click-happy users.
It removes the "rootkit" but does not remove the DRM that the rootkit was installed to hide. The DRM is still there to restrict you to three copies. If you have their DRMware and want to get rid of it, go to sunncomm.com and click on their uninstaller.
Ooh, you just gave me a good idea. I think when I'm around our Microsoft consultants I'll start mis-pronouncing these beta programs as "live", as in "live long and prosper". I'll do it just to get their goats, because they are under standing orders to never tell a customer he's wrong.
If you want to handle credit cards in the future, you had better be protecting the card data appropriately now. Penalties for non-compliance go as far as to have Visa, MasterCard, Discover and American Express blacklist you, which would be quick death for a card processor, or a slow, agonizing, terminal decline for a retailer.
Yeah, that would be big.
I don't think I'm actually going to count on Mountain Dew for any longevity properties, other than for the "copious amounts of fluids" I get from it. Right now, I'm mostly just a filter for Yellow dye #5. :-)
Yeah, jamming at the door could possibly work. RFID chips that do double-duty as EAS tags still don't have very long effective ranges (maybe a few meters at most) so it shouldn't take much signal to disrupt them. However, the readers are extremely sensitive, able to discern many dozens of tags per second, all of which are retransmitting on the same frequency simultaneously. You'd have to be extremely confident that your jammer would squelch all of your tags.
Even then, you might not get much of a head start over store security. I suspect that once the register has marked an item "sold" that the door readers are going to expect the tag to leave the building in a few minutes. If a cart full of expensive tags doesn't get out the door within a minute or so, the loss prevention people could start to take interest (think Best Buy's typical checkout lanes, where you are ushered out the door almost as soon as you pay.)
I just thought of something. What if you give every cart (and basket) its own tag? When you show up at a register, your physical cart should be noted. If the cart doesn't show up, it should trigger an alarm bell or two. And once it does show up, it better leave at the same time as the merchandise it carried to the register. At least that would restrict people to stealing only that which they could conceal under their clothing, keeping bulky items safer.
With all the Mountain Dew I drink I should have enough protection to go around for about 12 livers.
I learned something related earlier this year that was kind of a "duh!" moment for me. If you're going to have generated code, then the "source" for the generator is what you need to save, as far as source control goes. Save it off as a first-class source module.
What that gives you is the ability to re-generate the generated code in the future. It's even portable, assuming someone can put together a translator to generate the new output from the old source. But you can't do much of that with a "skeleton generator" or a "click-here-to-write-code" wizard.
If you were using a framework in the pre-.NET days (such as the old MFC stuff) the wizards would generate a lot of the required macro code and skeleton classes for you. Since the underlying framework itself was so hideous, there didn't seem to be a real need for everyone to understand what the wizards generated then either.
Yes, a guru can come along later and trim the macros, optimize the code, whatever, but hey, why not let the wizard do the crap work? Let the beginning programmer work out the application logic without worrying about the windowing code. That stuff can come later.
Seven cores for the anti-spy programs, in their halls of ivory.
Nine cores for trojans, doomed to spam.
One core for the user, all alone.
One chip to run them all
One northbridge to bind them
One RAM to feed them all
And in the SMP array bind them.
In the land of Mobos where the shadows lie.
These days, it's not uncommon to have shrinkage rates less than 2% of sales. Bookkeeping errors have been greatly reduced due to advanced inventory management systems and EDI. Internal theft detection systems typically find dishonest employees earlier, meaning they're now stopped long before they're able to swindle $500,000 worth of fraudulent returns (yes, I know of a fraudulent return scam that went on years, and was detected only because of a system enhancement.) And Electronic Article Surveillance (EAS) systems, extensive camera networks, and more effective training have all combined to reduce shoplifting rates.
Things like "damaged items found on floor, store defectives, store consumed" are indeed accounted for these days, and are actively tracked. They add up to nowhere near the amounts stolen by external and internal theft. And cashier errors of the type you mentioned are really only "intent" away from sweethearting (deliberate misringing to benefit a friendly customer.) Theft is now the biggest cause of shrink in retail.
But you're right: I wouldn't worry too much about the nuclear splitting capabilities either. Adequate lead shielding will protect the neighbors just fine.
Well, you were talking about the "morally reprehensible people running these organizations" and "the dishonesty of corporate CEOs." I didn't have to dig far to find the names of dishonest, reprehensible CEOs such as Ken Lay, Bernie Ebbers, etc. And I haven't heard such things said about the CEO of Target.
It's a known fact that a good portion of the goods sold by Target are made in sweatshops where workers are subjected to egregious conditions for minimal pay.
Really? A "known fact" you say? Could you please provide recent citations, because I'd be really interested to know if they are indeed doing that. Not that I appreciate the factory work going overseas, but last I heard China's population was enjoying a boom similar to the U.S. in the mid-1950's, with a dramatically increased standard of living for the new middle class. The peasantry is still subsistence farming, but they're not the factory workers, either.
Ad hominem attacks only weaken your argument.
As do broad-brush stereotypical statements about the "people running these organizations" and "known facts" without sources. Pot, meet kettle.
A jammer works only when it's powered on, and will not disable an RFID tag in any way. They only jam the readers, not the transmitters. They're indiscriminate: they won't jam only the switched tag, they'll interfere with reading everything. If you turned a jammer on at checkout time, the cashier wouldn't be able to read any of your merchandise with an RF reader, and would end up hand-scanning (or worse, hand-keying) every item in your cart. The result would be a slower checkout, but likely no theft.
It doesn't work so well for a store like Target, however. They don't have the sales staff to go hover over every teenager in a trenchcoat let alone notice them in the first place. That's why they resort to cameras everywhere.
Let's see, you are posting from a computer, so you must be a filthy identity thief hacker just like Kevin Mitnick. Oh, wait, you're not Kevin Mitnick? You don't commit ID thefts? Hmm, so not everyone who owns a computer is an evil hacker. What lessons about prejudice can we extrapolate from this, boys and girls? Perhaps it's the people who are actually criminals that should be treated like them? And just maybe stealing is stealing, regardless of whether you're stealing from Target or your next door neighbor?
Even if he had "simply walked out without paying", Target usually doesn't let anybody walk. About 25 years ago they used to slap kids on the wrist (maybe call the cops and the parents to scare the kid straight,) but these days almost every thief is put onto a legal assembly line. Cops, prosecution, court, jail time and restitution, the whole nine yards. All a part of the zero-tolerance society we live in. Every theft costs a lot of money, and their shareholders have demanded it.
It'll work as a good anti-theft tag in any electronic item: any energy levels high enough to disable the tag will certainly be high enough to fry the desirable electronics.
RFID may not be a "solution" to theft, but it will be a stronger deterrent than most other schemes have been. But I think it has too many other negative side effects on society to ever be widely accepted.
The item's serial number is kept in read-only memory on the tag. It's written at time of manufacture, and is not changeable. I'm not saying it couldn't be replaced or that the system couldn't be gamed; for example the old tag could be physically disabled and a fradulent tag put on the item in its place in a high-tech version of this iPod iDiot, but you can't alter the existing tag.
Retail theft from big box stores is a huge business, you might be amazed at the levels of both sophistication and brutality involved in the crime rings that have developed around the practice. Retailers are in the position of having to come down hard on every thief in hopes that they're breaking into one of these rings. And the systems that are in place to catch these big thieves can also catch the little guys.
Even your advice is no good: if you steal from the big box stores, expect to be expertly prosecuted like a major-league thief if you get caught. If you steal from a mom & pop store, they might not have the resources to bring you to justice. For example, a friend of mine owns a convenience store in a summer resort town, and he's thinking he'll have to go out of business due to the theft of his 4th of July receipts. He can't afford to take time to fight all the legal battles and still hold down his day job. And any restitution he may hope for will take far too long to receive to keep the store open in the meantime.
So my advice is "Stealing is stealing: if you must steal, reconsider your options."
So yeah, write a text interface to a socket, and telnet to it from off the box. It may not be clickably pretty, but he can probably solve his problems quickly. It's what I used to do twelve years ago when I had a similar situation, and it worked just fine then.
That'd be pretty useless around here. Do you know how many people can't tell the difference between incite and insight, let alone site, sight, and cite?
If a universal power system were widely adopted, all of these bricks could go away. The device makers would have every incentive to not include a brick with each device (cost, weight, package size, etc.)
The almighty buck is an economic incentive only for the brickmakers -- they want to sell lots of power bricks. But they only sell wholesale to the device makers. They don't sell to the consumers, the device makers do. The device makers have it in their economic interest to offer the lowest price, not to sell a brick. If they could save two dollars by not buying bricks, they could drop their prices by one dollar and still pocket one dollar for themselves.
There is already a standard out there: USB PlusPower for cash registers. They've incorporated USB backward compatible piggybacked high-current +5VDC, +12VDC and +24VDC connectors. Several years ago some large retail chain stores refused to accept a half-dozen power bricks under each cash register, and demanded of IBM that they develop a way to power the many peripherals each cash register needs (scanners, printers, mag stripe readers, PIN pads, cash drawers, scales, etc.) NCR and Fujitsu added their support for a standard, and USB PlusPower was the result. All the large-player peripheral makers support it now, too. (Here's a sales document for a USB PlusPower hub for your PC that explains the standard.
From the document: "The USB PlusPower design provides the following voltage and current
Consumers need to do the same thing, but as of yet have never organized and demanded such a thing. It's considerably tougher to do at a consumer level. Consumers have never organized very well. And there are very few cash register manufacturers in comparison to all the motherboard and system builders out there. There are very few "large customers" that can use their buying power to influence the industry.
Yes, I know you were thinking of the chump scripts and the more traditional "floppy sharing viruses", but there are bug exploiters out there. Perhaps I should have labeled them "worms", since some people seem to have a semantic hangup about things like that; but wasn't Norton Anti-Wormer that we were talking about, was it?
I think it's purely market share right now that's keeping your box as safe as it is. That, and the impression that average Mac users are ever-so-slightly more savvy than average PC users. I'll grant you that removing a piece of spyware MIGHT be easier on a Mac, ('cuz it would be hard to top registry crawling through an infested PC) but regardless of platform, ultimately spyware and adware arrives along with a legitimate or desired package, kind of like a remora arrives with a shark. Being a Mac doesn't grant you any magical powers of defense against click-happy users.
It removes the "rootkit" but does not remove the DRM that the rootkit was installed to hide. The DRM is still there to restrict you to three copies. If you have their DRMware and want to get rid of it, go to sunncomm.com and click on their uninstaller.