Slashdot Mirror

User: plover

plover's activity in the archive.

Stories: 0
Comments: 7,233

Comments · 7,233

  1. Re:Why do they have this data in the first place? on Supervalu Becomes Another Hacking Victim · · Score: 1

    Chip and PIN cards don't work at most U.S. retailers today, but as of October 2015 the Payment Card Industry has scheduled a change to the contracts in what is being called the "liability shift". It means that whoever has the least security in the payment chain will be held liable for non-payment or fraud for the charges incurred. So if Home Depot doesn't accept a chip card, and your bank's card has a chip on it, then Home Depot will be liable because their system is the least secure. Or if Home Depot's systems are able to accept the chip cards, but your bank's card doesn't have a chip, then your bank will be liable. This penalty is a huge financial incentive for both retailers and banks to upgrade the security of their systems to fully support Chip and PIN by that date so they don't get left holding the bag.

    Once Chip and PIN systems are deployed to most places, they will begin requiring the removal of mag stripes. That's when the final pieces of security will kick in, and account number theft will be essentially eliminated.

  2. Re:DEFCON has sold out on DEFCON's Latest Challenge: Hacking Altruism · · Score: 1

    You don't think people are trying to find underlying causes? OWASP? CERT? Every university with an IT security program? Every OS maker? Every web server author? Every database author?

    There are plenty of highly motivated, well funded, intelligent people working on these problems. The fact is that security is not a mathematical absolute, and no such underlying cause exists, despite your imaginings. There is no grand conspiracy creating security problems.

  3. Re:Why do they have this data in the first place? on Supervalu Becomes Another Hacking Victim · · Score: 3, Informative

    There are typically two phases to processing credit. In the first phase, called authorization, the terminal sends the request to the bank via their processor and requests authorization: hey, bank, will you approve $100? The bank sends back a 'yes' which is returned to the terminal, but no money changes hands at this time. The processor saves up the day's batch of authorization requests.

    In the second phase, called settlement, the processor sends the batch to the bank, either later that night, or every few hours, or whenever. The bank then transfers the funds for every authorized transaction in the batch.

    This is different from debit, where the funds are transferred in a single step.

  4. Re:Two things.... on Apple's App Store Needs a Radical Revamp; How Would You Go About It? · · Score: 3, Insightful

    The rating system would be gamed even more than Google's PageRank system. Too much money at stake.

  5. Re:DEFCON has sold out on DEFCON's Latest Challenge: Hacking Altruism · · Score: 1

    Of course DEFCON sold out. That's what they call "Blackhat". And I'm sorry that you can't understand the need of hackers to eat and pay rent. They obviously should just go work for the thieves, so that "the man" doesn't keep his money.

    The security industry isn't self-perpetuating - the number of crappy, insecure sites and apps is astronomical and doesn't appear to be trending down anytime soon. Nobody is out there injecting deliberate flaws (except the NSA), there is an abundance of flaws, and a shortage of people fixing them.

  6. Re:Expect a surge of computer recognition technolo on Fugitive Child Sex Abuser Caught By Face-Recognition Technology · · Score: 1
  7. Re: Betteridge on The IPv4 Internet Hiccups · · Score: 2

    OK, but apart from the sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what has IPV4 ever done for us?

  8. Re:Plover on Type 225 Words per Minute with a Stenographic Keyboard (Video) · · Score: 2

    Damn. I'm just interested in plovers.

  9. Re:Now this is funny. on Type 225 Words per Minute with a Stenographic Keyboard (Video) · · Score: 1

    You'll also have a lot of us dinosaurs who think 80 wpm is good enough for any coder. We tend to have a very narrow world view in that we know where we want the curly braces, we want our tabs to be the right distances, we line things up, etc. We simply don't know how anyone could write readable code with a "word-oriented" keyboard like that. How does it do camelCase? How do you put in dot operators without it starting a new sentence? And how's it all going to look - is the software going to grind all your code through a prettyprint module before painting it on the screen? We have all these questions that we use to justify our crusted-over worldviews.

    But we're engineers, too. If this video showed a coder banging in C at some Hollywoodesque speed of 200 wpm, it would pique our curiosity. Of course, they aren't showing us that yet, but the promise is on the horizon. The expectation, though, is that our fears describe the truly hard problems that nobody's yet tackled, so we'll hear the familiar chorus "it's open source, you can do it yourself!" And at the end of that song, it implies we'll end up with 100 incompatible standards for entering code on a stenographer's keyboard. Been there, done that, bought the souvenir Betamax video, and watched it on a SECAM TV.

    For me, it's interesting from the viewpoint that open source designs are being used to make such simple things possible, and that it could be providing real competition to an "old-guard" oligopoly.

  10. Re:Doesn't the kinect use an ordinary camera? on Microsoft Research Brings Kinect-Style Depth Perception to Ordinary Cameras · · Score: 4, Insightful

    You are correct. The IR laser and IR camera are used to measure depth, while the visual light camera only picks up the image.

    The cool thing about the Kinect's IR pair is that it senses depth in the same way a pair of eyes does, in that the delta between left and right eyes provides the depth info. But instead of using two eyes, it projects a grid from the location where one eye would be, and the camera in the other location measures the deltas of "where the dot is expected - where the dot is detected". The grid is slightly randomized so that straight edges can be detected. If you've ever stared into one of those Magic Eye random dot stereogram posters, you're doing pretty much the same thing the Kinect does.

    This system is very different. The Kinect has a deep field of view, but all the demos show this working in a very short range. I haven't yet read the paper, but I'm wondering if that's the point of the IR.

  11. Re:Microsoft still can't get the UI right on Microsoft Research Brings Kinect-Style Depth Perception to Ordinary Cameras · · Score: 0

    Tell you what: you build and program such a system, and see if anyone on Slashdot crucifies you for your demo's UI. Oh, what's that? You've never built anything so cool in your life? Guess that won't happen then.

  12. Re:Embrace or Expire? on Microsoft Surface Drowning? · · Score: 1

    Windows 8 isn't going to get another chance. It's a crappy interface for anything but a tablet. It's OK on a tablet, but on my Surface Pro 2 I find I spend almost all my time in "desktop" anyway, which is where the non-Metro programs run with their old familiar UIs. (I'm tapping this in via Firefox.) Without a touch screen, Windows 8 is utterly unusable.

    Windows 9, should such an OS ever come out, had better get its ship together for the desktop users, before they jump ship for any alternatives. That means a big marketing push that says "sorry about Metro, we've heard you and are restoring the old familiar desktop." If they don't, they can forget about selling any more desktop OS systems.

  13. Re:Hi, it looks like you are writing difficult cod on Wiring Programmers To Prevent Buggy Code · · Score: 2

    Actually, having the guru ask for help from the rookie is a good way to engage the rookie. It's pretty motivating to the FNG to be able to say "hey, I really helped the smart guy, I must be doing something right!" Pair programming is one way to put them both in that situation.

  14. Re:What else ? on Edward Snowden Is Not Alone: US Gov't Seeks Another Leaker · · Score: 4, Interesting

    It could also be used as a convenient excuse to prosecute any undesirable person as a potential "Second Leaker".

  15. Re:Unknown? on The Man Who Invented the 26th Dimension · · Score: 1

    Yeah, I thought the editing failure was typical. "Relatively unknown", "obscure", or even "all-but-forgotten" would have been a better choice. But to hyperlink to the guy's wiki bio from the word unknown? That's just lame.

  16. Re:The Million Dollar Question on Sony Tosses the Sony Reader On the Scrap Heap · · Score: 1

    Sony's strong push for DRM on everything from VHS to DAT to DVD to BluRay to Memory Stick has made me a Sony hater forever. They have lobbied for every industry restriction on fair use they can, and their campaign donations have funded congressional campaigns to advance their anti-fair-use agenda. I stopped buying their products in the 1990s, and I dropped my last aged Sony appliance off at the recycle center just a few weekends ago (a VCR that had been cluttering up the basement.) I can easily survive the rest of my days without Sony products, but I probably won't ever get my missing rights back.

    So it's kind of surprising to me to learn that their e-reader wasn't as crippled as their other devices; but then again it could have been completely DRM-free, and it would still have been too little, too late.

  17. Re:Opinion from industry insider on Least Secure Cars Revealed At Black Hat · · Score: 1

    I figured as much. So since you're deep into the electronics, I have a question about my Ford that perhaps you can answer. Is the CAN bus extended out to the side mirrors that are filled with electronics, such as lighting, heaters, motors, and blind spot indicators? (My Taurus has all of the above.) Or is the bus terminated inside the panel of the door, and dedicated wires run to the various mirror assembly components? I've often thought that a thief who wouldn't mind trashing the passenger side mirror could access the CAN bus and unlock the doors.

  18. Re:Bobby traps on The High-Tech Warfare Behind the Israel - Hamas Conflict · · Score: 1

    "That's what I said: booty traps!"

  19. Re:Quizzes on operator precedence ... on How Many Members of Congress Does It Take To Pass a $400MM CS Bill? · · Score: 1

    I also figure with our inept, corrupt lawmakers, they'll mandate something too specific that will tie future classrooms full of kids into the 2014 equivalent of punch cards.

  20. Re:Why manned? on Perlan II Project Aims To Fly a Glider To the Edge of Space · · Score: 1

    Why manned? Because the record they are planning to break is for manned wing-borne flight. Atmospheric flights capable of carrying people and food have been limited by the need to carry fuel. Unmanned aircraft can already run indefinitely on solar power, but don't have the lift capacity to carry passengers and all the supplies they need.

  21. Re: Extremely Useful on Georgia Tech Researchers Jailbreak iOS 7.1.2 · · Score: 1

    Agreed. GA failed lesson one in jailbreak release 101: wait until the next major release comes out before you give away the exploit.

    Actually, they figured out Advanced Jailbreak Releasing 301: advertise the hell out of the version that has been jailbroken, but give Apple no clue as to how to fix it. Allow as many people as possible to download and install 7.1.2 in preparation for jailbreaking.

    Apple's pattern of responding to jailbreaks is very predictable: the day after someone announces the jailbreak, Apple will spring into action, releasing a patched version, and immediately preventing anyone from downloading or installing the now-vulnerable 7.1.2. This advertising campaign maximizes the vulnerability window in a way that Apple cannot yet prevent.

  22. Re:ACM doesn't get it on (C) on Vint Cerf on Why Programmers Don't Join the ACM · · Score: 1

    Amen. When I was at University, I used our library's ACM and IEEE access to get to lots of useful articles, so I know the value of having that access. But once I graduated, up came the paywalls, and up came my revulsion. It's not about the money - I waste more than the ACM membership fees funding offbeat kickstarters. While I'm still tempted every year by those ACM offers, I'm not going to support an organization dedicated to preventing the dissemination of information, not at any price.

    There are still some avenues of research I occasionally need, and fortunately many authors retain the rights to self-publish or pre-publish on arXiv, so DuckDuckGo can still deliver them. Most surprisingly, Microsoft Research has made thousands of papers freely available.

    Ironically, it's a lot like the old Windows / Linux argument, and Linux has shown that open source doesn't implicitly mean low quality.

  23. Re:Brillo-iant! on Quiet Cooling With a Copper Foam Heatsink · · Score: 5, Funny

    Yeah, but does it do windows?

    </ducks>

  24. Re:Wikipedia is unreliable on An Accidental Wikipedia Hoax · · Score: 1

    My point is there are not enough searchers working on our behalf, primarily because there is not enough incentive. (The NSA and Chinese may have found the bug years ago, for all we know, but they have a strong incentive to find vulnerabilities. Not enough people are paying White Hats to find these bugs and get them fixed.) Linus' Observation uses the clause "given enough eyeballs", which implies to the reader that someone is actually providing the appropriate number of eyeballs required. That implied assumption is made every time someone says "Open Source software is more secure than proprietary software, because of Linus' Law." But it simply hasn't proven to be a realistic assessment, or a very effective guarantor of security.

    There's an unwritten corollary at play here: "given enough code, you won't have enough eyeballs." And that's something else keeping Linus' Observation from becoming a valid hypothesis. It even applies to this story, as well. "Given enough Wikipedia articles, there aren't enough fact checkers."

  25. Re:Fire(wall) and forget on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 5, Informative

    It doesn't matter if it's a rational argument backed up by facts or not, or if he's done a risk assessment, or if it's a free, cheap, or expensive firewall. The Payment Card Industry's Data Security Standard (PCI DSS) has as its very first requirement, Requirement 1: "Install and maintain a firewall configuration to protect cardholder data." It's not an optional requirement, and you can't justify not having one.

    If you're going to handle credit cards on the system, it has to be protected with a firewall.

    If your POS vendor isn't requiring a firewall, either they are not selling a system that takes credit cards, or they are selling shoddy, insecure systems that are in violation of PCI DSS. Fixing these problems will cost you dearly; worst case, they are setting you up for a breach.