Colder climates are cold because they receive less energy from the sun. Not that you can't get harmful doses of UV in the colder climates, it just takes longer. Colder climates also require more covering of arms, legs, and the head - thus further reducing the overall exposure to the UV rays from the sun.
Some people drink less coffee when it's warm out, and more coffee in the winter. And some people drink coffee only when it's dark in the mornings - again, the sign of living at higher latitudes.
Perhaps this study is simply revealing a correlation between people who drink coffee and living closer to the poles?
Salt dissolved in water isn't just a bunch of wet table-salt-shaped crystals. It's a bunch of individual NaCl molecules floating around. And this filter has holes small enough to pass H2O molecules, but not NaCl molecules. Most other molecules, such as those of uric acid, are much larger than NaCl, and therefore this filter will trap them, too.
It isn't breaking anything down. It's not chemically altering the substances in solution. It's simply a filter that has holes so tiny that only molecules that are three atoms or smaller will pass through them.
Having atomic clock precision is not needed just for some short duration spoofing. GPS signals containing the satellite ephemeris are updated only every two hours, which gives you an idea of the window a spoofer would have to work in. Anyway, if it were, Symmetricom has developed an atomic clock on a chip that they could use. But what would be far more useful would be having the P signal's encryption broken, and there's no evidence that anyone has ever broken it.
Without breaking the encryption, the most you could try would be a sophisticated replay attack: having an earth-based receiving station collect the GPS L1 and L2 signals, forward those signals to another earth-based station to retransmit those signals to the target, and then you start physically moving the receiver and transmitter antennas to change its location. But you'd have to get the target to accept your fake transmitter's signals instead of the real signals it's already synchronized to, meaning both the receiver and transmitter would have to be physically very close to the target at the start of the attack. Keep in mind that the target in this case is a drone flying perhaps several hundred miles per hour (I assume they're fast but not supersonic.)
I suppose it could be done if the receiver and transmitter were on two separate aircraft, and they got close enough to the drone flying a parallel course. Once they were near the drone, they could transmit some bursts of interference, while slowly bringing up their transmitter's power to eventually convince its GPS receiver that they were the legitimate signals. Then the receiving aircraft could start slowly heading in the direction they wanted to steer the target, while the transmitter continued to fly parallel to the drone.
But if they could get close enough to pull off this attack, they would certainly be close enough to shoot it down. Spoofing the GPS would not give them command and control authority over the drone, so it's not like they'd ever be able to put its gear down to land it. Why bother with the sophisticated electronics and difficult aerobatics just to get it to crash anyway, if you can simply fly up to it and throw a slug into its engine?
Of course this is assuming the drone has no on-board radar to detect such nearby aircraft as threats, which is not likely. And because you can't fool a gyroscope, any GPS tampering would still conflict with the drone's inertial guidance system; so it would be completely unknown to anyone, including the Iranians, how the drone would behave if the GPS systems were attacked. And all this is assuming that the drone has no self-destruct capabilities and that it wouldn't be destroyed by the Air Force the moment it was compromised.
There is very little of the story that they "captured a US drone via GPS spoofing" that is believable.
Given the source is Iran, there are two much more plausible explanations; the first of which is that a US drone suffered a mechanical failure and Iran recovered it. The other potential explanation is they created a sophisticated P.R. campaign to impress their neighboring Islamic brethren, built a full sized fiberglass model based on a 1/144 scale model, and lied about bringing it down via technical measures so that their followers will believe them to be smarter than the Americans. It could even be a mix of both, with them having the PR campaign lying quietly ready until the US lost a drone somewhere near Iran (which was bound to happen.)
Thank you, I appreciate the correction. And yes, it was trollishly written with a blame-the-user bent (at least when the user is a techie), and for that I apologize.
I'm still arguing that the remote router is adequate for mom. She probably won't get hacked by owning it, and having Cisco keep her router up to date and working is probably a lot easier than having to manually go to her house to configure it. Cisco is somewhat (OK, just barely) trustworthy in that regard.
And I believe that's your point: you think Cisco, or any corporation anywhere, is completely untrustworthy in that regard. You think they'll turn over anyone who connects to thepiratebay to the MPAA; that they'll get hacked and leak a million routers' login info across the net; and they'll have your router start injecting advertisements into your port 80 traffic. Or to use your Tucker analogy, they'll give you a trick google front-end where every search takes you to the highest bidder's site. And you may be absolutely right about Cisco - their track record is piss poor in many ways relating to privacy, in lots of ways pertaining to marketing, and not very good in protecting data.
But you have to trust a lot of faceless corporations to be on the net anyway. The NSA is already sucking a feed straight out of AT&T's backbone. Some ISPs have done web ad injections to their clients ("view the web through our frame and get a discount" kinds of arrangements.) The MPAA is already participating in bittorrents so they can monitor who is downloading their stuff. Your on-line privacy is already nothing more than a transparent illusion, and you should never think otherwise. So across that backdrop, how awful is it to let them take care of mom's router settings and maintenance?
Most people do not enable remote management... It's not enabled by default. Most people do not disable the automatic firmware updates... which is a default-enabled check box on the page/tab for upgrading firmware (which most people don't even look at, much less change the settings on.)
Wrong. Remote upgrade is disabled when remote management is disabled (at least on my E4200). Both were enabled by default.
And I know most (normal) people don't look at the settings on their gear, but the people here on Slashdot who might be all bent out of shape are the kinds of techies who should know better than to trust the default settings of anything they own.
I don't know that they are planning on scraping everyone's browser history. However, the software can serve as a web proxy, and as such it would have URLs flow through its memory. Technically, someone who saw that information in memory (say in a swap file) would have access to at least some of your "internet history", which this disclaimer would cover.
However, because the disclaimer is so broad, it gives them license to stuff every URL you surf to into their corporate databases, and hold onto it forever. And there's nothing preventing them from starting out with good intentions (as in the first scenario) and then later providing a firmware update that descends into full-blown real-time reporting to the FBI. Either way, I wouldn't voluntarily trust them with the info.
Well, when I read this story I immediately logged into my router, and fortunately was not unexpectedly greeted by their cloud. It's still reporting the same firmware version that I last upgraded to. So you should also have no worries.
Actually, I'm seriously considering upgrading it. I want to make sure that any needed security patches are in place. But before I do, I will confirm that it's not the case that remote management is mandatory.
On the brighter side, mine is an E4200.V1, which is supported by dd-wrt. Should someone discover a bug that they will not provide a secure remote-less upgrade for, I will simply replace the firmware.
And are your parents rabid Slashdot denizens? Does your dad have a 4 digit UID? Does your mom keep her CISSP current? Then no, I'm not shaming your parents.
You, on the other hand, if you owned one of these and accepted the defaults, well, why wouldn't you have looked? Why would you have left remote management enabled?
I know exactly why Cisco did it, so they could remotely administer routers for "average users". That's not necessarily a terrible thing.
My complaint is with technical people, such as the fine folks lurking here on slashdot, accepting any security device's defaults without checking them over. It's not like it requires arcane knowledge to look at the configuration screens; it just takes a mouse. You don't have to find a bunch of settings in a README.TXT file from some random website to know what you're looking for, or pull up a wiki page to explain what you're seeing. It's a button on a GUI screen that's clearly screaming out "LET SOMEONE ELSE RANDOMLY MESS AROUND WITH YOUR SECURITY", and these supposedly technical people left it checked. I clearly have no sympathy for them.
So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?
Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.
Anyway, for anyone here who is outraged that their router has been pwnd by Cisco, SHAME ON YOU for not securing your own damn router yourself before hanging it on the intarwebs!
What led you to believe I thought this was done easily or lightly? I used simple words and a simplistic scenario to make my point easy to understand, and you only saw the example, not the point.
The law allows for an undercover agent to act his role. If there was a simple test that crooks could apply, such as "let's have the new guy be the pimp and tell the girls to go make him money, and if he refuses it must be 'cause he's a cop!" then no undercover operation would ever succeed.
Sting operations are not set up lightly. They take a considerable amount of time and resources, neither of which are in the typical police budget. And they may put the agents in situations of extreme risk. When a sting is being planned, they are usually targeting persons of very specific interest, and have a goal of producing a wealth of evidence that will strongly favor a guilty verdict.
Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.
But neither of these seems to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.
Regarding your first comment, audits of Tier 1 and Tier 2 retailers are strongly enforced. The last count I saw was 6 million merchants accepting Visa, but fewer than 50 are Tier 1, and fewer than a thousand are Tier 2. Tier 4 is where the vast majority of retailers are, and there is pretty much nothing done at that level - payment processors simply don't accept anything there that doesn't come through their provided-or-certified payment terminals. Tier 3 is kind of hit-or-miss.
PCI-DSS permits the storage (when properly protected) of the Primary Account Number and the expiration date. But it explicitly prohibits the storage of CVV2 and/or track data beyond the amount of time it takes to perform the authorization request. So technically, you can keep enough data to put another transaction through at a later date. Whether or not you will get paid for it is a different question.
Something that is often confused when dealing with credit transactions is that there are typically two interactions between the merchant and the issuing bank: the authorization, and the settlement. In authorization, the data is sent to the bank, and the bank decides whether or not to approve the transaction. If they approve, they return an approval code. In settlement, the merchant sends their transactions to the bank, and the bank transfers the money to the merchant. Technically, the bank only has to pay those that they agreed to during the approval process (those with valid approval codes.) They may also pay the unapproved transactions, but with the understanding that the merchant accepts all risk of the transaction, meaning if the customer complains to their bank about an unwanted charge that the bank didn't approve, the bank will be reimbursed by the merchant. These are called chargebacks. (Typically this is all done through intermediaries known as payment processors, but they're not important to the understanding.)
Now look at authorization. The bank has to decide within a few milliseconds whether or not to extend credit to this person. They use rules: is this account behind on its payments? Is it over its credit limit? And they look for fraud: are they truly convinced that it's the account holder with his or her card, or is this a fraudulent use of the account number? Are the authorization requests suddenly originating from an Estonian cyber cafe? Another factor is whether or not the card is present. Their evidence is if the track data is included in the authorization.
Merchants are given incentive to send "Card Present" authorization requests as much as possible, as they qualify for the lowest interchange rate (lower per-transaction fees to the merchant.) If a merchant sends too many "Card Not Present" requests, their interchange rates will rise, due to the increased risk of fraud. In addition, the merchant assumes the risk for chargebacks for all CNP authorizations.
So if all you have is account number and expiration date, you can still send an authorization request, but it will be an expensive CNP request.
Authorization is an optional step. The merchant can decide on their own whether or not to accept your credit card. So, using just the account number and expiration date, a merchant can put through a settlement request with no authorization at all. Depending on the bank and merchant, the bank will likely pay; but as in the card not present transaction, the merchant assumes all risk.
And finally, debit is a different animal altogether. Authorization and set
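The authorization-then-settlement flow described in the post above, with the card-present versus card-not-present risk split and the PCI DSS rule that CVV2 and track data do not survive the authorization request, modelled as an added example. This is illustrative code, not any processor's or card network's API; the interchange rates, account numbers, credit limits and approval-code format are all constructed for the example.

```python
"""Toy model of credit-card authorization and settlement (constructed example)."""
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed interchange rates: the page only says card-present qualifies for
# the lowest rate and card-not-present costs more and carries the risk.
RATE_CARD_PRESENT = 0.015
RATE_CARD_NOT_PRESENT = 0.025


@dataclass
class CardData:
    """What a terminal reads at authorization time."""
    pan: str
    expiry: str
    cvv2: Optional[str] = None
    track_data: Optional[str] = None  # magstripe data; its presence means card present


@dataclass
class StoredCard:
    """The only fields PCI DSS allows the merchant to keep after authorization."""
    pan: str
    expiry: str


def retain_after_authorization(card: CardData) -> StoredCard:
    # CVV2 and track data must not be stored once the authorization request is done.
    return StoredCard(pan=card.pan, expiry=card.expiry)


@dataclass
class Account:
    credit_limit: float
    balance: float = 0.0
    delinquent: bool = False


@dataclass
class AuthResult:
    approved: bool
    card_present: bool
    approval_code: Optional[str] = None
    reason: str = ""


class Issuer:
    """Issuing bank: applies the rules from the post (delinquent? over limit? card present?)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.approvals = {}  # approval_code -> (pan, amount)

    def authorize(self, card: CardData, amount: float) -> AuthResult:
        card_present = card.track_data is not None
        acct = self.accounts.get(card.pan)
        if acct is None:
            return AuthResult(False, card_present, reason="unknown account")
        if acct.delinquent:
            return AuthResult(False, card_present, reason="account behind on payments")
        if acct.balance + amount > acct.credit_limit:
            return AuthResult(False, card_present, reason="over credit limit")
        code = secrets.token_hex(3).upper()  # constructed approval-code format
        self.approvals[code] = (card.pan, amount)
        acct.balance += amount
        return AuthResult(True, card_present, approval_code=code)


@dataclass
class Transaction:
    stored: StoredCard
    amount: float
    card_present: bool
    approval_code: Optional[str]  # None when the merchant skipped authorization entirely


@dataclass
class SettlementLine:
    amount: float
    paid: float
    fee: float
    merchant_bears_risk: bool


def settle(issuer: Issuer, txn: Transaction) -> SettlementLine:
    """Bank pays approved transactions; it may pay the rest, but the merchant carries the risk."""
    rate = RATE_CARD_PRESENT if txn.card_present else RATE_CARD_NOT_PRESENT
    fee = round(txn.amount * rate, 2)
    approved = issuer.approvals.get(txn.approval_code) == (txn.stored.pan, txn.amount)
    # Unapproved settlements and all CNP transactions leave chargeback risk with the merchant.
    merchant_bears_risk = (not approved) or (not txn.card_present)
    if not approved and txn.stored.pan in issuer.accounts:
        issuer.accounts[txn.stored.pan].balance += txn.amount  # posted without prior auth
    return SettlementLine(amount=txn.amount, paid=round(txn.amount - fee, 2),
                          fee=fee, merchant_bears_risk=merchant_bears_risk)


def chargeback(line: SettlementLine) -> float:
    """Amount the merchant reimburses the bank if the cardholder disputes the charge."""
    return line.amount if line.merchant_bears_risk else 0.0
```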
I don't know what you have in your understanding, so I'll leave #1 alone (although I suspect it's not the real explanation.)
As for #2, "enforcement" is a weird process. Merchants are broken into four Tiers, where retailers processing more than X million credit transactions a year are in Tier 1, and so on. The higher the tier, the more stringent the auditing and requirements, and the higher the fines for non-compliance. A tier 1 retailer might be spending $5 million per year (or more!) in compliance audits. Get down to the small business level of Linn Wu's Chinese Kitchen, and she doesn't care too much if she writes your card number down over the phone when she's taking your order. She might face a $150 fine for non-compliance, and that's only if someone complains.
Where PCI DSS makes most of a difference is if you have a breach. Then, they'll retroactively audit you, find out where the leak originated and then fine you like crazy for being out of compliance. The really weird thing is it doesn't matter whether your pre-breach auditor determined you were in compliance - if you were breached, you couldn't have been compliant because had you been following their rules you obviously would have stopped the attack!
It's a noisy and expensive game that's making a small mountain of QSA auditing firms rich, but is providing little more than a dubious amount of "protection" to the retailers. And by "protection", I mean definition 5 of protection as in "Well suppose some of your tanks was to get broken and troops started getting lost, or fights started breaking out during general inspection, like. It wouldn't be good for business, would it, Colonel?"
On the flip side, it seems to be having a positive effect on security. The attacks have had to become much more sophisticated, meaning the attackers need that much more skill to pull them off. That keeps more of the riff-raff skript kiddi3s out. And really, I think it stops a lot more of the internal theft of data by unskilled workers.
What's the difference between a Software Developer and a Software Engineer?
A software developer will be primarily concerned with writing code from the given requirements. A software engineer is concerned with the entire process of producing high quality code, how that code fits into the business, how the requirements are established, how bugs are tracked over time, ensuring code reviews are effective, that testing coverage is appropriate without costing too much, how projects are managed, creating and using metrics, and of course writing high quality code.
See the SWEBOK for a good description of software engineering.
I'd hang on to your copy of Harry Potter and the Half Blood Prince, too. To me, it's always looked like they used a model of George W. Bush for the face of Grawp, Hagrid's giant brother in the woods, then mixed in a little Alfred E. Newman to disguise it.
The problem here is a fundamental disconnect in how hotels do business with how card security is mandated.
Hotels don't trust travelers to pay after their stay. They don't want to ask you to pay up front, either, because then they can't give you the seamless sign-it-to-my-room experience. Credit card account numbers offered an easy middle path: "we'll hold your card number until checkout." It harkens from a bygone era where credit was the exclusive province of the wealthy, who were de facto trusted to pay. Hotels were glad to be able to extend the same profitable conveniences to anyone who could pay on credit.
So they've built an entire business model on storing credit card data, rather than a pay-as-you-go system. But account numbers alone simply aren't a safe way to do that. PCI DSS says they can't store cleartext account numbers beyond the time it takes to authorize them. Yet they still do.
Again, the fix is the same as is needed across the credit industry: separate identification from authorization. Then the hotels can store the account all they want; it's valueless without the authorization needed to release your money. At the pool, getting a drink? I don't need the card, just my auth to charge it.
They can provide a simulation of this if they could securely store the card, but they pretty much suck at it.
The card networks should tell Wyndham, "sorry, no holding cards at all. Don't trust your guests? Not our problem, switch to a pay-as-you-go system."
Pretending to be a fence and accepting stolen goods is not entrapment, but pretending to be a fence and telling someone to steal something to sell to you is.
Would you bet your freedom on that belief? Because you'd likely go to jail if you fell for it. The undercover cop can say "hey, go steal this thing for me", and as long as you're free to say no, and there's no coercion, it's not entrapment. If he said to steal this thing or he'll kill your dog, or Vinnie will beat up your sister, or it's implied that someone from the mob will break your fingers if you say no, then that's entrapment.
Don't believe everything you see on TV crime shows. They exist to entertain you, and to believably wrap the crime up in 44 minutes while exposing you to a barrage of advertisements. They are not there to teach you the law.
The honeypot itself is bait. And just like fishing in a lake, there's no particular reason that your bait must be an artificial lure - you often get better results using live bait.
Now, if you were privately investigating card fraud, perhaps on behalf of a victim, you might have come across the honeypot site and wanted to investigate it further to figure out who the bad guys are so you could report them. You'd probably do the same steps any investigator would to determine who owns the site: look up the registrar, google searches, hack the server and look at the logs to trace them back to real people, or maybe even infiltrate the organization and get some of the denizens to turn over the site owners.
But it's not like you can check the IP stack to look for the evil bit being turned off. There's no technical or legal requirement that they must identify their bait as such.
Crime is crime. Since there's more than enough crime to go around for the resources available to fight it, that means the fighting has to be prioritized. But it doesn't mean all low level crimes are completely ignored while the biggest crimes get 100% of the resources.
The fight against carders is statistical. While it's more of a "nuisance" crime to the hundreds of thousands of people who have to disrupt their lives cleaning up their credit messes, the total loss from those hundreds of thousands of individual crimes adds up to a significant financial theft from the banks who have to reimburse those victims.
The DOJ already spends billions of dollars on the War on Drugs. They can afford to spend a few hundred thousand on a sting that pulls many millions of dollars worth of criminals off the streets.
I think you're on to something.
And that's precisely why it holds value.
Do you know if you can configure the "post-cloud" firmware to refuse remote management? I'm still trying to learn that before I upgrade.
Reread it. I said "ANYONE HERE". That means slashdot readers who don't check their own security settings should be ashamed, not "normal people".
Well, when I read this story I immediately logged into my router, and fortunately was not unexpectedly greeted by their cloud. It's still reporting the same firmware version that I last upgraded to. So you should also have no worries.
Actually, I'm seriously considering upgrading it. I want to make sure that any needed security patches are in place. But before I do, I will confirm that's it's not the case that remote management is mandatory.
On the brighter side, mine is an E4200.V1, which is supported by dd-wrt. Should someone discover a bug that they will not provide a secure remote-less upgrade for, I will simply replace the firmware.
And are your parents rabid Slashdot denizens? Does your dad have a 4 digit UID? Does your mom keep her CISSP current? Then no, I'm not shaming your parents.
You, on the other hand, if you owned one of these and accepted the defaults, well, why wouldn't you have looked? Why would you have left remote management enabled?
I know exactly why Cisco did it, so they could remotely administer routers for "average users". That's not necessarily a terrible thing.
My complaint is with technical people, such as the fine folks lurking here on slashdot, accepting any security device's defaults without checking them over. It's not like it requires arcane knowledge to look at the configuration screens; it just takes a mouse. You don't have to find a bunch of settings in a README.TXT file from some random website to know what you're looking for, or pull up a wiki page to explain what you're seeing. It's a button on a GUI screen that's clearly screaming out "LET SOMEONE ELSE RANDOMLY MESS AROUND WITH YOUR SECURITY", and these supposedly technical people left it checked. I clearly have no sympathy for them.
So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?
Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.
Anyway, for anyone here who is outraged that their router has been pwnd by Cisco, SHAME ON YOU for not securing your own damn router yourself before hanging it on the intarwebs!
What led you to believe I thought this was done easily or lightly? I used simple words and a simplistic scenario to make my point easy to understand, and you only saw the example, not the point.
The law allows for an undercover agent to act his role. If there was a simple test that crooks could apply, such as "let's have the new guy be the pimp and tell the girls to go make him money, and if he refuses it must be 'cause he's a cop!" then no undercover operation would ever succeed.
Sting operations are not set up lightly. They take a considerable amount of time and resources, neither of which is in the typical police budget. And they may put the agents in situations of extreme risk. When a sting is being planned, they are usually targeting persons of very specific interest, and have a goal of producing a wealth of evidence that will strongly favor a guilty verdict.
Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.
But neither of these seems to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.
Regarding your first comment, audits of Tier 1 and Tier 2 retailers are strongly enforced. The last count I saw was 6 million merchants accepting Visa, but fewer than 50 are Tier 1, and fewer than a thousand are Tier 2. Tier 4 is where the vast majority of retailers are, and there is pretty much nothing done at that level - payment processors simply don't accept anything there that doesn't come through their provided-or-certified payment terminals. Tier 3 is kind of hit-or-miss.
PCI-DSS permits the storage (when properly protected) of the Primary Account Number and the expiration date. But it explicitly prohibits the storage of CVV2 and/or track data beyond the amount of time it takes to perform the authorization request. So technically, you can keep enough data to put another transaction through at a later date. Whether or not you will get paid for it is a different question.
Something that is often confused when dealing with credit transactions is that there are typically two interactions between the merchant and the issuing bank: the authorization, and the settlement. In authorization, the data is sent to the bank, and the bank decides whether or not to approve the transaction. If they approve, they return an approval code. In settlement, the merchant sends their transactions to the bank, and the bank transfers the money to the merchant. Technically, the bank only has to pay those that they agreed to during the approval process (those with valid approval codes.) They may also pay the unapproved transactions, but with the understanding that the merchant accepts all risk of the transaction, meaning if the customer complains to their bank about an unwanted charge that the bank didn't approve, the bank will be reimbursed by the merchant. These are called chargebacks. (Typically this is all done through intermediaries known as payment processors, but they're not important to the understanding.)
Now look at authorization. The bank has to decide within a few milliseconds whether or not to extend credit to this person. They use rules: is this account behind on its payments? Is it over its credit limit? And they look for fraud: are they truly convinced that it's the account holder with his or her card, or is this a fraudulent use of the account number? Are the authorization requests suddenly originating from an Estonian cyber cafe? Another factor is whether or not the card is present. Their evidence is if the track data is included in the authorization.
Merchants are given incentive to send "Card Present" authorization requests as much as possible, as they qualify for the lowest interchange rate (lower per-transaction fees to the merchant.) If a merchant sends too many "Card Not Present" requests, their interchange rates will rise, due to the increased risk of fraud. In addition, the merchant assumes the risk for chargebacks for all CNP authorizations.
So if all you have is account number and expiration date, you can still send an authorization request, but it will be an expensive CNP request.
Authorization is an optional step. The merchant can decide on their own whether or not to accept your credit card. So, using just the account number and expiration date, a merchant can put through a settlement request with no authorization at all. Depending on the bank and merchant, the bank will likely pay; but as in the card not present transaction, the merchant assumes all risk.
And finally, debit is a different animal altogether. Authorization and set
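The storage rule stated above (PAN plus expiry date may be kept when protected; CVV2 and magnetic-stripe track data may not be kept beyond the authorization) is something a merchant can actually check for. The following is an added example, not code from the poster or from any PCI council material: a small scanner that walks through stored records and flags track 1/track 2 data and labelled CVV2 fields as violations while reporting a bare Luhn-valid PAN only as informational. The sample records, their file locations and the field names are all constructed for the example.

```python
"""Scan stored merchant records for card data that PCI DSS says must not be
retained after authorization: CVV2/CVC2 and full magnetic-stripe track data.
A PAN plus expiry is permitted when protected, so it is reported as "info"
rather than as a violation. Added example; sample data is constructed."""
import re
from dataclasses import dataclass

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# A CVV2/CVC2/CID value stored under a labelled field (JSON, key=value logs, ...)
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security[_ ]?code)\b\W{0,5}(\d{3,4})\b")
# A bare 13-19 digit run that might be a PAN; confirmed with a Luhn check below
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str       # "track1", "track2", "cvv2" or "pan"
    severity: str   # "violation" (must not be stored) or "info" (storable when protected)
    detail: str


def scan_record(text: str) -> list[Finding]:
    """Return the card-data findings for one stored record or log line."""
    findings: list[Finding] = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(Finding("track1", "violation", f"PAN ending {m.group(1)[-4:]}"))
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(Finding("track2", "violation", f"PAN ending {m.group(1)[-4:]}"))
    for m in CVV_RE.finditer(text):
        findings.append(Finding("cvv2", "violation", f"field {m.group(1)}"))
    # Track data already contains the PAN; only report a bare PAN when no track was found.
    if not any(f.kind.startswith("track") for f in findings):
        for m in PAN_RE.finditer(text):
            if luhn_ok(m.group(1)):
                findings.append(Finding("pan", "info", f"PAN ending {m.group(1)[-4:]}"))
    return findings


def audit(records: dict[str, str]) -> dict[str, int]:
    """Aggregate counts over a mapping of location -> record text."""
    summary = {"records": len(records), "violations": 0, "info": 0}
    for text in records.values():
        for f in scan_record(text):
            summary["violations" if f.severity == "violation" else "info"] += 1
    return summary


# Constructed sample data (hypothetical file:line locations, test card numbers).
SAMPLE_RECORDS = {
    "orders.json:17": '{"order": 8841, "pan": "4111111111111111", "exp": "2612"}',
    "orders.json:18": '{"order": 8842, "pan": "5555555555554444", "exp": "2703", "cvv2": "123"}',
    "pos-debug.log:502": "SWIPE raw=;4111111111111111=26121011234567890? term=07",
    "pos-debug.log:503": "SWIPE raw=%B5555555555554444^DOE/JOHN^27031011000000000? term=07",
    "orders.json:19": '{"order": 8843, "note": "guest paid cash, ref 1234567890123"}',
}

if __name__ == "__main__":
    for loc, text in SAMPLE_RECORDS.items():
        for f in scan_record(text):
            print(f"{loc}: {f.severity.upper():9} {f.kind:6} {f.detail}")
    print(audit(SAMPLE_RECORDS))
```

The debug log lines are the interesting case: a POS that logs raw swipes keeps full track data on disk long after the authorization returned, which is exactly the retention the post says is prohibited, and it is usually found in log files rather than in the order database anyone remembers to audit.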
The Itanic is sinking!
I wonder if their bail bondsmen took Visa or MasterCard?
I don't know what you have in your understanding, so I'll leave #1 alone (although I suspect it's not the real explanation.)
As for #2, "enforcement" is a weird process. Merchants are broken into four Tiers, where retailers processing more than X million credit trans a year are in Tier 1, and so on. The higher the tier, the more stringent the auditing and requirements, and the higher the fines for non-compliance. A tier 1 retailer might be spending $5 million per year (or more!) in compliance audits. Get down to the small business level of Linn Wu's Chinese Kitchen, and she doesn't care too much if she writes your card number down over the phone when she's taking your order. She might face a $150 fine for non-compliance, and that's only if someone complains.
Where PCI DSS makes most of a difference is if you have a breach. Then, they'll retroactively audit you, find out wherever the leak originated and then fine you like crazy for being out of compliance. The really weird thing is that it doesn't matter whether your pre-breach auditor determined you were in compliance - if you were breached, you couldn't have been compliant, because had you been following their rules you obviously would have stopped the attack!
It's a noisy and expensive game that's making a small mountain of QSA auditing firms rich, but is providing little more than a dubious amount of "protection" to the retailers. And by "protection", I mean definition 5 of protection as in "Well suppose some of your tanks was to get broken and troops started getting lost, or fights started breaking out during general inspection, like. It wouldn't be good for business, would it, Colonel?"
On the flip side, it seems to be having a positive effect on security. The attacks have had to become much more sophisticated, meaning the attackers need that much more skill to pull them off. That keeps more of the riff-raff skript kiddi3s out. And really, I think it stops a lot more of the internal theft of data by unskilled workers.
What's the difference between a Software Developer and a Software Engineer?
A software developer will be primarily concerned with writing code from the given requirements. A software engineer is concerned with the entire process of producing high quality code, how that code fits into the business, how the requirements are established, how bugs are tracked over time, ensuring code reviews are effective, that testing coverage is appropriate without costing too much, how projects are managed, creating and using metrics, and of course writing high quality code.
See the SWEBOK for a good description of software engineering.
I'd hang on to your copy of Harry Potter and the Half Blood Prince, too. To me, it's always looked like they used a model of George W. Bush for the face of Grawp, Hagrid's giant brother in the woods, then mixed in a little Alfred E. Neuman to disguise it.
Trust me, once you see it, you can't unsee it.
The problem here is a fundamental disconnect in how hotels do business with how card security is mandated.
Hotels don't trust travelers to pay after their stay. They don't want to ask you to pay up front, either, because then they can't give you the seamless sign-it-to-my-room experience. Credit card account numbers offered an easy middle path: "we'll hold your card number until checkout." It harkens from a bygone era where credit was the exclusive province of the wealthy, who were de facto trusted to pay. Hotels were glad to be able to extend the same profitable conveniences to anyone who could pay on credit.
So they've built an entire business model on storing credit card data, rather than a pay-as-you-go system. But account numbers alone simply aren't a safe way to do that. PCI DSS says they can't store cleartext account numbers beyond the time it takes to authorize them. Yet they still do.
Again, the fix is the same as is needed across the credit industry: separate identification from authorization. Then the hotels can store the account all they want; it's valueless without the authorization needed to release your money. At the pool, getting a drink? I don't need the card, just my auth to charge it.
They can provide a simulation of this if they could securely store the card, but they pretty much suck at it.
The card networks should tell Wyndham, "sorry, no holding cards at all. Don't trust your guests? Not our problem, switch to a pay-as-you-go system."
Pretending to be a fence and accepting stolen goods is not entrapment, but pretending to be a fence and telling someone to steal something to sell to you is.
Would you bet your freedom on that belief? Because you'd likely go to jail if you fell for it. The undercover cop can say "hey, go steal this thing for me", and as long as you're free to say no, and there's no coercion, it's not entrapment. If he said to steal this thing or he'll kill your dog, or Vinnie will beat up your sister, or it's implied that someone from the mob will break your fingers if you say no, then that's entrapment.
Don't believe everything you see on TV crime shows. They exist to entertain you, and to believably wrap the crime up in 44 minutes while exposing you to a barrage of advertisements. They are not there to teach you the law.
You wouldn't.
This is very close to the right answer.
The honeypot itself is bait. And just like fishing in a lake, there's no particular reason that your bait must be an artificial lure - you often get better results using live bait.
Now, if you were privately investigating card fraud, perhaps on behalf of a victim, you might have come across the honeypot site and wanted to investigate it further to figure out who the bad guys are so you could report them. You'd probably do the same steps any investigator would to determine who owns the site: look up the registrar, google searches, hack the server and look at the logs to trace them back to real people, or maybe even infiltrate the organization and get some of the denizens to turn over the site owners.
But it's not like you can check the IP stack to look for the evil bit being turned off. There's no technical or legal requirement that they must identify their bait as such.
Crime is crime. Since there's more than enough crime to go around for the resources available to fight it, that means the fighting has to be prioritized. But it doesn't mean all low level crimes are completely ignored while the biggest crimes get 100% of the resources.
The fight against carders is statistical. While it's more of a "nuisance" crime to the hundreds of thousands of people who have to disrupt their lives cleaning up their credit messes, the total loss from those hundreds of thousands of individual crimes adds up to a significant financial theft from the banks who have to reimburse those victims.
The DOJ already spends billions of dollars on the War on Drugs. They can afford to spend a few hundred thousand on a sting that pulls many millions of dollars worth of criminals off the streets.