Slashdot Mirror

User: jittles

jittles's activity in the archive.

Stories: 0
Comments: 3,048

Comments · 3,048

  1. Re:99% of those on One Year Later: Windows 10 Now Runs On Over 21% of All Desktops (winbeta.org) · · Score: 1

    Jesus. Get a sense of humour.

    Wait wait wait. Jesus is posting as an AC? And he has no sense of humor? That sounds like conjecture. Do you have any evidence to back this up?

  2. Re:Russian VPN != "Works for Russia" on 'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) · · Score: 1

    I checked some of the references in the post you cited.

    Petraeus deliberately leaked classified material. A Marine Major transferred classified material to his personal device or devices, and took it home to the US. Drake deliberately leaked to the press. IIRC, the slashdot post mentioned someone who had been forced to resign, which is not prosecution. I couldn't get to one case because the web filters here blocked it as political, which I take as evidence that the story might be slanted. In all of these cases, there was intent to violate the law, which is absent in Clinton's case.

    First of all, there is no requirement for intent. Secondly, you cannot argue that she did not intend to break the law, because she was specifically told that what she was doing was illegal. How do I know? Because I've had to deal with the mandatory DIA and FBI security briefings involved with dealing with sensitive material, and they explicitly tell you that what she did was illegal. So if she had been briefed and did something illegal anyway, then she clearly intentionally violated the law. Whether or not she intended to distribute the material, she violated the law intentionally and knew she was violating the law the entire time.

    Secondly, every single link I included was from MSM (NPR, NBC, NYC, Navy Times, and Washington Post) except one (Politico). So you're setting off my bullshit detector already. The Major in the Marine Corps did exactly the same thing as Hillary - sent classified material through personal email - again without intent to commit espionage or other crimes. He was dishonorably discharged which means that he was indicted under the UCMJ and convicted of misconduct. Whether or not he went to jail is unknown to me but also irrelevant because he was prosecuted for the same act as Hillary.

    In other words, I still haven't seen a precedent for prosecution for being negligent with a few classified documents (less than 200 counts as "few" here), with no evidence that the documents went anywhere they shouldn't have. I'd be interested in hearing of one.

    FWIW, a friend posted on Facebook a clip from a Republican Congressman who was clearly intent on putting Clinton in the worst light possible. He said there was no precedent for prosecution, and he wanted one.

    Just go ahead and read up on John Deutch then. I mentioned him in my post. He was the director of the CIA and did not immediately return classified material upon leaving the CIA. He was facing prosecution when his former boss, President Bill Clinton, issued him a Presidential Pardon and thereby kept him from facing jail time. But you skipped over that part of my post because the NPR story involved was "blocked as political" by your web filters, I am sure.

  3. Re:Nope on The Chip Card Transition In the US Has Been a Disaster (qz.com) · · Score: 1

    I know large retailers like Wal-Mart are suing the card industry over that one. Apparently the claim is that it has nothing to do with what the card industry claims (they claim that US people are too stupid to move directly from swipe to chip and PIN) and has something to do with the card industry making more profit if they go to chip and signature. Lots of problems - many of them apparently politically and financially motivated by awful companies.

    My understanding is that the banks do not want the capital expense of replacing all of their ATMs at once and are delaying PIN so they can do a slower deployment of chip capable ATMs.

  4. Re:They don't make disasters like they used to on The Chip Card Transition In the US Has Been a Disaster (qz.com) · · Score: 1

    but the other half, point-to-point encryption, is more important. The transaction gets encrypted in the credit card pad, and the merchant never sees the card information. So if you break into their network, there's nothing there to steal.

    Unfortunately, that is just not at all true. P2PE (point to point encryption) does not require DUKPT (derived unique key per transaction) or that the merchant be unable to see the card data. It only requires that the transaction data be encrypted in some way from the terminal all the way to the issuing bank. You can send unencrypted card data over SSL and it counts for P2PE. In fact, I just recently had a terminal manufacturer come to me asking me to write a driver for their terminal that uses RS-232 and only encrypts the data from the terminal to the POS application. The problem is that they want the driver to absolve the merchant from PCI compliance and that's absolutely impossible to do unless I can secure the POS hardware and then send the data myself via SSL (because you know no processing gateway is going to give me their base derived key so that I can do DUKPT inside the POS application).

  5. Re:Underwater cables on America Uses Stealthy Submarines To Hack Other Countries' Systems (washingtonpost.com) · · Score: 1

    As khallow said, they add the taps during scheduled downtime. They also add the taps during an outage. And you can imagine how easy it is to arrange for a trawler to "accidentally" drag its anchor across the ocean floor. There is some risk of being detected by diagnostic equipment at either end of the cable, since they can determine the distance to the break, but if the trawler break and submarine tap are 10 miles apart, the sub should go unnoticed, and the difference in distance is within a margin of error.

    Is this why someone keeps cutting the fiber in the SF Bay Area? I had wondered if someone was putting in taps while the cable was cut further up the line.

  6. Re:What's the big problem? on The Chip Card Transition In the US Has Been a Disaster (qz.com) · · Score: 1

    Order over the web. Send it to an address where nobody is home during the day. When tracking says it's delivered, go get it.

    Or steal the card.

    Chip cannot do much to prevent Card Not Present fraud. It's not designed to do that, though it does have some protections in place. The CVV used during a chip transaction is NOT valid for Card Not Present so you cannot steal the card data that way. You'd have to physically get the CVV off the card itself. Otherwise, the Card Not Present transaction should be using 3D Secure, which will decline a card skimmed from contact. But you're right, the chip and signature implementation does not prevent (lost/stolen) card present fraud.

  7. Re:What's the big problem? on The Chip Card Transition In the US Has Been a Disaster (qz.com) · · Score: 1

    Actually a fair number of the older PINPads take a crazily long time to generate ARQCs and validate ARPCs. I suspect whoever was supplying the HSM equivalents for the PINPads decided to go green and power them with an easily-tired gerbil rather than electricity.

    Since most of the chip capable terminals in the US are brand new deployments we should not be seeing these incredibly slow terminals anymore. I've written drivers for terminals - where I have full control over the transaction flow all the way down to getting notified of every single TRM stage event. I've seen very low power terminals that are able to kick out an ARQC or validate an ARC in fractions of a second. These are battery powered terminals that last for days.

    Sure Chip + Sig will reduce card cloning, which is *by far* the biggest problem *at the moment*.

    My worry is that once since crime migrates, and the fraudsters have got a lot of very smart engineers and programmers working for them now, once card cloning isn't a big business, will they migrate to something that isn't protected by Chip + Sig and we'll have this heartache all over again.

    I believe we'll have chip and pin in the US soon enough. It hasn't been announced but from what I have heard from MasterCard, they're planning to require it around 2018.

    Certainly not helped by the fact that Visa and M/C are pushing merchants to do away with ARPCs and now they're even proposing to not include the amount in the ARQC data so they can do pre-insertion. Talk about reducing chip to the minimal possible security!

    Again I think this stems from poor implementations. The card brands don't really want to get rid of these steps but everyone in the US is complaining at the same time that MCX is talking about attempting to replace the card brands via ACH and in store discounts. I know MCX is scrapping their current plans and looking for a new solution but the card brands don't want to lose out on trillions of dollars in CC transactions per year.

  8. Re:This disaster is entirely of your own making on The Chip Card Transition In the US Has Been a Disaster (qz.com) · · Score: 2

    First of all, "But reading the chip seems to take much longer than just swiping." Big fucking whoop? That's the time it takes for the card to obtain authentication from the bank server instead of the terminal just blindly accepting the transaction. That's already more secure, so stop whining. But more importantly, chip and PIN is known to be more secure than swipe and sign. That's not up for debate, it's a fact. Unfortunately, the US, in their wise ways, decided to bastardize the system into chip and sign, removing the vast majority of the additional security for no real benefit. Oh, you can't remember a 4-digit PIN? Tough fucking luck. Instead, you'll probably have to switch to chip and PIN at some point in the future, causing another confusing transition.

    The US should start transitioning to Chip and PIN during or shortly after 2017. It's anticipated that MasterCard and VISA will start requiring a transition to PIN in the US in 2018. The biggest obstacle was actually the banks trying to delay the capital costs of replacing all of their terminals and ATMs all at once. They used the "confusion of a PIN" to sell the argument that they should not roll out Chip and PIN immediately. However, I can tell you from the payment processing side that everyone is doing everything they can to support PIN at their gateways and to get certified. I keep seeing companies ask me to help them integrate PIN-padless terminals, and I keep telling them that they're making a short-sighted mistake.

    Furthermore, the partial transition, various fuckups and all have largely been isolated to the US. Sure, Europe, Canada and others have also had a few hiccups when moving to the new system, but they had clear, strict deadlines that all providers followed. The US basically let the monkeys run the show, and so it's been a mess of delays. You guys fucked up, now you get to live with the consequences. This isn't a failing of the chip system, it's a failing of the US thinking they could half-adopt it. That entire article sounds like entitled whining.

  9. Re:What's the big problem? on The Chip Card Transition In the US Has Been a Disaster (qz.com) · · Score: 5, Informative

    Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

    Editor is obviously using hyperbole. I just got a replacement card with a chip from my credit union. I went grocery shopping, and 2 of the stores had me swipe, the 3rd had me insert the card. It did take significantly longer, and you need to remove it at a specific time in the process or else the transaction will fail. That store also has Apple Pay, so I think I'll just use that at that particular store in the future. Other stores have told me that the chip reader on their unit doesn't work.

    As someone who writes software dealing with those sorts of terminals and transactions for many many banks I can tell you that the problem with Chip and PIN (or Signature) is not the technology itself, but a lack of understanding of the people implementing it in the US. First of all, removing the card before the second application cryptogram (this is after your issuing bank authorizes the transaction and the card sees this auth) ALWAYS results in an automatic decline and reversal generated by the terminal. You could leave the card in the terminal forever after that and the transaction would still be authorized. If you see anything else, it's (again) due to someone not understanding how the process works!

    The reason it's slow is probably due to the way the processing bank configured its terminal. I worked with one bank who wanted the terminal configured with every single possible application ID under the sun - even though there are brand-specific applications you can use to say "I want to support all VISA". Instead they added over 10 different VISA applications that are region specific in addition to the global VISA application. So what happens when you dip the card? The terminal (usually) asks the card one by one "Hey, do you support this application ID?" and it takes a long time to do this. You spend 30-45 seconds waiting for the card and the terminal to agree on what type of card will be presented for payment. I've seen MANY banks do this and it's entirely unnecessary unless you want to exclude certain regions. Even then, it would be faster to accept the global AID at the start of the transaction and have the POS application decide that it didn't like your card due to the issuer country code or the application of the card rather than list the dozens of applications that can be available for each card brand.

    And for those above who say that Chip and Signature is the worst of both worlds - you're entirely wrong! I can easily clone your mag stripe card and use it to my heart's content. I know of no current attacks against EMV that allow you to clone a chip and use it for online transactions. Since the US requires ALL transactions to go online (floor limit of 0), you cannot effectively use a cloned chip card in the United States. Furthermore, the chip card dynamically generates certain card information at the time of each transaction. This makes it very difficult to steal the track data from an EMV card and turn it into a cloned mag stripe card.
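The selection round trips the comment above describes, modelled as an added example (not code from the comment, nor from any terminal vendor): the terminal runs EMV "List of AIDs" selection, paying one SELECT per configured AID, so a dozen Visa AIDs cost a dozen round trips where the single global AID costs one. The global Visa AID A0000000031010 and Visa Plus AID A0000000038010 are real; the regional AIDs, the sample card and the country codes are constructed, and the `choose_application` policy is the comment's suggested post-selection filter, not a standard EMV step.

```python
"""EMV application selection round-trip model (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardApp:
    aid: str             # application identifier, uppercase hex
    issuer_country: str  # ISO 3166-1 numeric country code, as a string
    priority: int        # EMV application priority indicator (1 = highest)


@dataclass(frozen=True)
class TerminalAid:
    aid: str             # configured AID, or an AID prefix for partial match
    partial: bool        # application selection indicator: partial match allowed


def card_matches(card, entry):
    """Card applications a SELECT for this terminal entry would hit, in card
    order: exact entries hit only an identical AID, partial entries hit every
    AID that starts with the configured prefix."""
    if entry.partial:
        return [a for a in card if a.aid.startswith(entry.aid)]
    return [a for a in card if a.aid == entry.aid]


def select_by_aid_list(card, terminal_aids):
    """Run the List-of-AIDs method; return (candidate list, SELECT count).

    Every terminal entry costs one SELECT (first/only occurrence). A partial
    match entry also costs one 'next occurrence' SELECT per further hit plus a
    final SELECT that the card answers with 6A82, which ends the loop."""
    apdus = 0
    candidates = []
    for entry in terminal_aids:
        hits = card_matches(card, entry)
        apdus += 1 + len(hits) if entry.partial else 1
        for app in hits:
            if app not in candidates:
                candidates.append(app)
    candidates.sort(key=lambda a: a.priority)
    return candidates, apdus


def choose_application(candidates, blocked_countries=frozenset()):
    """POS-side policy from the comment: accept the global AID up front, then
    let the application reject cards by issuer country. Returns the highest
    priority candidate whose issuer country is not blocked, or None."""
    for app in candidates:
        if app.issuer_country not in blocked_countries:
            return app
    return None


VISA_GLOBAL = "A0000000031010"   # real AID: Visa credit/debit
VISA_PLUS = "A0000000038010"     # real AID: Visa Plus (ATM)

# Constructed card: UK-issued (826), carrying the global Visa app and Plus.
SAMPLE_CARD = [
    CardApp(VISA_GLOBAL, issuer_country="826", priority=1),
    CardApp(VISA_PLUS, issuer_country="826", priority=2),
]

# Constructed stand-ins for "over 10 region-specific VISA applications": the
# first entry is the real global AID, the other eleven suffixes are made up.
BLOATED_TERMINAL = [TerminalAid(VISA_GLOBAL, partial=False)] + [
    TerminalAid(f"A00000000310{n:02X}", partial=False) for n in range(0x11, 0x1C)
]
LEAN_TERMINAL = [TerminalAid(VISA_GLOBAL, partial=False)]
# One partial-match entry on the Visa RID finds every Visa app in one sweep.
RID_TERMINAL = [TerminalAid("A000000003", partial=True)]


def compare_terminal_configs(card):
    """Return {config name: (SELECT count, chosen AID or None)}."""
    result = {}
    for name, cfg in (("bloated", BLOATED_TERMINAL), ("lean", LEAN_TERMINAL),
                      ("rid_partial", RID_TERMINAL)):
        candidates, apdus = select_by_aid_list(card, cfg)
        chosen = choose_application(candidates)
        result[name] = (apdus, chosen.aid if chosen else None)
    return result


if __name__ == "__main__":
    for name, (apdus, aid) in compare_terminal_configs(SAMPLE_CARD).items():
        print(f"{name:12s} SELECT round trips: {apdus:2d}  chosen: {aid}")
```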

  10. Re:It's better than a sitcom on Clinton Campaign Breached By Hackers · · Score: 2

    I want to know how much money Trump really owes to the Russian oligarchs. Would he pay them back in political favors if he becomes president?

    To be quite honest, I suspect the reason that Trump doesn't want to release his tax data is because he's pretty broke. I mean that relatively, of course. I'm not saying he's on the verge of destitution but I am guessing his tax returns show just how much of a fraud his entire life is.

  11. I can't be bothered to click through on the rest of the Apollo missions, but the only Apollo astronaut I am aware of not reaching their eighties is Ronald Evans from Apollo 17. Basically the Apollo astronauts look to be living *VERY* full lives if you ask me.

    Gus Grissom, Ed White, Roger Chafee; Apollo 1.

    Oh you mean the three that died in a fire on the launch pad? Well I wonder why they didn't make it into their eighties?

  12. Re:Russian VPN != "Works for Russia" on 'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) · · Score: 1

    Wrong. The FBI said nothing about her being too big to indict. The FBI said that, while she broke the law, and certainly shouldn't have done those things, there was no precedent involving prosecution for someone who was negligent in the case of a reasonably small number of classified documents with no good evidence that they got to anyone they shouldn't have. If you had done what she did, you would likely have lost your clearance, and maybe been fired. You would not have been charged.

    Except that isn't true. I know it, the FBI knows it, NPR knows it, and so does anyone who knows how to use Google. But in case your GoogleFu needs some help you can see what 30 seconds of Google turns up on the matter.

    Actually, Hillary knows it too, since her husband had to pardon the former Director of the CIA for not turning in all his classified files after he left office.

  13. Lucky. In California it's $230 for 1 MPH over the limit $360 for 15+.

    Is that state law now? I haven't lived in California for some time but I got a ticket for doing ~10 over in the Bay Area and it was over $300 and then later got one in the central valley for ~12 over and it was $82.

  14. Re:China has had nuke carry subs in atlantic for 6 on China Releases Test Footage of Ballistic Missile Defense System (mirror.co.uk) · · Score: 1

    It may still be possible to hear the submarine, it depends on how skilled they are at noise dampening.

    Well dampening should be easy seeing as they are under water.

    P.S. Unless you meant "damping", of course.

    See definition 2 and let me know what you think I meant.

  15. Re: Russian VPN != "Works for Russia" on 'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) · · Score: 1

    Fantastic! Now you can prove me wrong. Just find one person who did what Hillary did (mishandle classified data but with no intent to leak and with no data leaked) and is in jail, and you will prove me terribly mistaken.

    Or, if you can't, then it will be clear that your hatred of Hillary is greater than your love of facts or fairness or patriotism, and that you will make anything up if it fits the narrative you wish were true.

    How many cases would you like links to? Here is one from NPR that talks about David Petraeus, who was indicted for mishandling classified data. He received one year of probation after pleading out. The same article mentions John Deutch, who was the CIA director under Bill Clinton. President Clinton had to grant him a pardon when he was facing indictment for "Improper handling of classified data." In fact, he basically did the same thing as Clinton - had classified data on a (government owned) computer at home. He was facing indictment because he didn't turn over classified material several days after leaving the CIA. How long did Clinton keep the classified data at her house? Oh, and here's another Clinton aide mentioned in the same article: Samuel "Sandy" Berger, who destroyed copies of classified data and then lied about doing so. Hmmm, didn't Clinton do the same thing - only in her case it was to destroy evidence of wrongdoing? And then again we have Alberto Gonzales, AG under GW Bush. He was investigated just for storing material in a safe that non-cleared people had access to - inside the Justice Department office - though in this case there was no indictment. What about this Navy Engineer who was indicted and convicted for mishandling classified data with no intent to distribute it? This young sailor just took a picture on a submarine and then destroyed the evidence and was indicted and convicted. How about this Marine Corps Major who was dishonorably discharged after using personal email to send classified documents? And here is a lab tech who was prosecuted for taking classified material home from the office - again with no evidence of intent to distribute. How about an NSA Employee who was indicted for leaking material to the press? And a State Department Employee indicted and convicted for taking classified material home. Are these enough references? Because it took me all of 30 seconds to find these news articles.

    And what did the FBI basically say? She's too big to indict.

    You have a rare talent, to interpret what people "basically" say. My poor brain can only handle what they "actually" say: "In looking back at our investigations into mishandling or removal of classified information, we cannot find a case that would support bringing criminal charges on these facts. All the cases prosecuted involved some combination of: [various bad stuff]. We do not see those things here."

    How else can you interpret the comment that "No reasonable prosecutor would indict" when it was clearly a violation of the law and we can clearly see dozens of cases above where people were indicted for doing similar things, and in some cases, far less than Clinton? If they could not find cases of prosecution in events similar to hers then

  16. So let's get this straight: you're proposing a level of voting fraud that dwarfs everything else in history outside of dictatorships?

    Let's not forget that the MSM and Google were both counting Super Delegates as committed delegates to Clinton from the very first primary. After the first primary she already had a "huge lead" and looked like the candidate to win because the media said so. Don't you think this would have influenced people to either not vote or vote for Clinton because she's going to win anyway?

  17. Re:Russian VPN != "Works for Russia" on 'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) · · Score: 2

    That's a red herring. The DNC candidate has been under near-constant "investigations" (which have produced close to zero evidence or crimes) for more than two decades and has little charisma; that's gonna cause disapproval from those who like investigations but dislike evidence. The RNC candidates have insulted just about every cultural, ethnic, and gender-based group in the country. It's a perfect storm, but neither one seems tied to the parties.

    Okay I have to burn mod points to disagree with this statement. The FBI director just said a few weeks ago that Hillary Clinton broke the law. Then, with his own mouth, added words that don't exist to the applicable Civil Code claiming that Hillary did not show intent. There was no intent required. She volunteered to be given trust, was briefed on that trust countless times (you're required to be briefed at least once a year by the FBI or DIA), and just said "I'm too important for these silly rules." And what did the FBI basically say? She's too big to indict. I've said this countless times - if I had done what she did when I was in the position of dealing with DoD data, I would already be in jail!

  18. Re:that's not a "ban" on NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com) · · Score: 1

    The NIST most certainly can ban their use for government projects

    Which part of "of course, some organizations may choose to make those guidelines mandatory" did you not understand?

    My point in mentioning this is to say that NIST is a government agency and that certain parts of the government are bound to NIST determinations. Not as a matter of self determination but a matter of law. And that you cannot just say that "NIST can't ban SMS 2FA" because they did exactly that for the US Government.

    So it's not just a matter of verifying the phone is a mobile phone. There are more sophisticated attacks that SMS auth allows. Also, you can clone someone's SIM card or use a social engineering attack to get a new SIM issued for a specific number.

    Those are not "sophisticated attacks" and other two factor authentication schemes are subject to cloning and social engineering. It is exceptionally stupid to give up the extra security and simplicity of SMS authentication because of such objections.

    The problem is not 2FA but doing 2FA over SMS. And those are relatively sophisticated attacks, as they require a bit more knowledge and planning than just taking over someone's email account and using the password reset option to capture password reset requests or something like that. You actually have to know who the person is and who their cell phone provider is in order to execute such an attack. If you're overseas, you may need a local accomplice to help you execute the attack. There are better ways to provide 2FA. For instance, you can use an auth system that uses secret information from the server plus a user PIN to help prevent someone from using an auth code captured by something like a MITM attack.

  19. Re:China has had nuke carry subs in atlantic for 6 on China Releases Test Footage of Ballistic Missile Defense System (mirror.co.uk) · · Score: 1

    Considering that we are talking about a west to east passage (the other way makes not much sense, at least not in "sneaking"): yes you can. a) the ocean currents are strong from west to east, like 6 knots IIRC, so you let the boat travel without power by the currents ... it can only be detected by luck. b) the gap between Cape Horn and Antarctica is about 10 degrees big, that is 1852*60*10 meters = 1111200m aka 1111.200km, about 690 land miles, or obviously 600 nautical miles.

    It would be difficult to pilot the boat when depending on the current for propulsion. Not to mention the fact that the submarine requires power generation (or snorkeling if it is a battery/diesel) and life support systems. Those all make noise to some degree due to pumps and whatnot. It may still be possible to hear the submarine, it depends on how skilled they are at noise dampening.

  20. Re:that's not a "ban" on NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com) · · Score: 1

    NIST can't "ban" the use of SMS for two factor authentication in general. Those are NIST guidelines (of course, some organizations may choose to make those guidelines mandatory). Furthermore, they don't seem to have a problem with SMS verification per se, but as the announcement itself says, they merely want people to verify that the phone number is an actual mobile phone, a reasonable recommendation.

    The NIST most certainly can ban their use for government projects. Also, you can clone someone's SIM card or use a social engineering attack to get a new SIM issued for a specific number. So it's not just a matter of verifying the phone is a mobile phone. There are more sophisticated attacks that SMS auth allows.

  21. Re:Provide your phone number for extra security? on NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com) · · Score: 1

    Many websites ask this - Facebook is top of the list. I fail to see the reason. It is just another part of their project to collect data on you.

    Also, security questions are a joke. Where was I born? The whole world knows by now. Why would I provide yet another vector for compromising my account?

    If the site insists, I type garbage, and save a copy in Lastpass.

    Sheesh.

    I always make up the answers to these questions using a system based on the question and the site that helps me remember the answer but prevents someone from just Googling my life story to find out the answer.

  22. Re:Grain of salt on Feds To Deploy Anti-Drone Software Near Wildfires (thehill.com) · · Score: 1

    I don't trust the federal government to be telling the truth here.

    Most drones are so cheap and light that a 2mph breeze will make them uncontrollable. It strains believability that firefighting helicopters are threatened by bits of plastic lighter than many birds. Are there really drones operating over forest fires? Until I see real evidence, a random pilot claiming "I couldn't do X because of a drone" isn't going to convince me to tighten regulations.

    How about a common sense regulation saying that anyone operating a drone over a certain weight has to be available on a particular CB radio channel?

    The big difference in this case is that birds most likely flee immediately when faced with a fire and people are far more likely to bring their drones out to watch the carnage and firefighting attempts in the event of a fire. So you have fewer birds with the potential for more people to be flying drones in the area. I do agree that the FAA has lied about drone encounters, but they may have a legitimate concern here. When you're swooping in low over a lake to haul up a bunch of water, for instance, you don't have time to handle an inflight emergency revolving around a drone strike. There just isn't time. Ideally people would be smart enough to realize they need to stay out of the way with both their bodies and drones, but I don't think that's likely to happen.

  23. When you have to pay $10/mo for Xbox Live, you're out another $120/year.

    Both Xbox Live and PS+ are available for $50/yr, and you can find them on sale for $35-40/yr.

    When you have three people in the house and have to pay $40/yr for PS+ or Live on each of their consoles, you're out another $120/year.

    I believe that Microsoft has a family plan that allows 5 accounts to all be connected simultaneously for $80 or $100 a year. I'm not sure of the exact price or the exact number of users, but I had considered doing it with friends as it is cheaper than the discounted prices you'll find.

  24. Re:Amusing Conjunction on Microsoft Cuts Xbox One Price To $249 - Would You Buy or Recommend One? (theverge.com) · · Score: 1

    Headline on the story just below this one:

    "Microsoft Can't Shield User Data From Government, Says Government"

    That certainly does make for a ringing endorsement that you should buy an Xbox One and attach an always-on microphone...

    They no longer bundle the Kinect with the Xbox. In fact, they also freed up the resources that they had dedicated to the Kinect to allow developers to have more horsepower. Not only that, but the article you're referencing is the government's claim that Microsoft cannot shield the data, not Microsoft's actual position on the matter.

  25. Re: Really Meyers thinks she is staying? on Once Valued at $125B, Yahoo's Web Assets To Be Sold To Verizon For $4.83B, Companies Confirm · · Score: 1

    I'm sure the participation trophy CEO will be just fine. All the people who actually work there whose lives got ruined are another story but in the US workers are irrelevant anyway to most people including other workers.

    She probably worked something into the sale that gives her a guaranteed position at the company for a fixed term. This is very common, I have never seen a company acquired without such a deal for the executives who wanted it. And it's a pretty cushy gig, too. You get paid to watch someone else run the company while you cash checks.