Slashdot Mirror


User: TechyImmigrant

TechyImmigrant's activity in the archive.

Stories
0
Comments
5,917
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,917

  1. I did not cheat the test. The test was fraudulent, claiming to identify flaws in my network that were not present.

    What I want is for the payment processing industry to adopt well understood cryptographic methods to enable customers to pay vendors, without exposing usable credentials to the vendor and to cease with the blackmail tactics that they use as a substitute.

  2. Re:Ok, so... on New Smartwatches Allow Students To Cheat On Exams · · Score: 1

    Under every desk put a small plastic container with a lid. All your devices go in your container, only to be removed when you're done with the test.

    You're welcome to put devices in your backpack instead, but any kind of device in sight other than the school-sanctioned TI-83 is grounds for dismissal.

    To what end? How is anyone or anything helped by preventing access to information during an exam?

  3. Re:Ok, so... on New Smartwatches Allow Students To Cheat On Exams · · Score: 1

    ... New exam rule: no wearing of wristwatches, of any kind, while taking an exam. You want to know the time left? See this big clock on the wall. This solution seems too obvious. Am I missing something?

    Yep. That closed book exams are stupid. I haven't noticed that when doing my day job, my employer requires that I do it without reference to documentation or textbooks, or web sites or references.

  4. Bullshit. What part of credit card handling involving a third party processor doesn't require the $100 charge in return for reduced transaction fees? The standard isn't public. It's the work of a cartel. I can read it, but I have no democratic influence over its contents. Once I have transferred my credit card processing fully to a third party (I have), I still have to pay the protection money to avoid the higher charges.

  5. Re:gotta get the encrypted data first on MIT's New 5-Atom Quantum Computer Could Make Today's Encryption Obsolete (pcworld.com) · · Score: 1

    There are. They don't have a great history of remaining either unbroken very long, unencumbered by patents or having key sizes that are reasonable.

    However I remain a skeptic on effective factoring or DLP breaking quantum computers happening. I will stick to working to solve the much more immediate problems of crypto - weak RNGs, excess complexity in protocols, untrustable curves, fragile PKI models and clonable identities. There's plenty of time to fix those before physicists can build a freezer cold enough to entangle enough bits to make a decent crack at current public key algorithms.

  6. PCI compliance is a joke anyway. 100% security theater.

    I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies greatly. When assessor firms are trying to win contracts, they may not leave enough hours to sufficiently test an environment, so they cut corners and miss things. Companies that don't see eye to eye with their QSAs (for example, we break the news that a very expensive configuration is not compliant) will ditch them, and shop for someone who will agree with them. This isn't allowed, but I haven't heard much in the way of enforcement.

    To the article's point, what both assessed companies and the FTC need to understand is that assessments are a point in time. They may have recently gotten a clean report on compliance, but they probably still were not PCI compliant at the time of breach. And just because you're PCI compliant doesn't mean that you won't get breached. Like any other compliance measure, it is simply the cost of entry to be a standard-bearer of major card brands.

    What you didn't mention is that the companies are being subject to blackmail. Pay $100 and get a PCI stamp of approval, or pay a higher per-transaction credit card fee. How this is not illegal is beyond me.

  7. Re:joek on FTC Demands Info From PCI Auditors On Breached Companies' Compliance · · Score: 2, Insightful

    They failed my wife's company web site for PCI compliance, not because it wasn't PCI compliant, but they hit the honey pot (advertising an old version of mysql) I installed to create filter block lists for the intrusion filtering. So I pre-filtered the pointless PCI scanning service and the problem went away.

    The PCI-DSS specs are written by incompetents. They exude incompetence. The documents seem to encourage an understanding that as long as you write down a bunch of procedures, your computers will be secure.

    PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a competent organization taking effective steps to improve the security of payment mechanisms.
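The honeypot-to-blocklist trick in the comment above, as an added example (not the commenter's code and not anything from the PCI scanning service): a listener that speaks just enough of the MySQL wire protocol to advertise an old-looking version string, logs every peer that connects, and a log reducer that turns those hits into firewall rules. The advertised version, port, log path, log line format, the sample log and the allow-listed scanner range are all assumptions chosen for illustration; the allow list is where a sanctioned scanner would be pre-filtered so its probes never end up in the block list.

```python
"""Added example: a MySQL-lookalike honeypot and the block-list builder
fed by its log. Everything configurable below is an assumption."""
import ipaddress
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

ADVERTISED_VERSION = b"5.0.45-community"   # assumed bait banner, picked to look unpatched
LISTEN_PORT = 3306                         # assumption: listen where a real MySQL would
LOG_PATH = "/var/log/mysql-honeypot.log"   # assumed log location


def mysql_greeting(server_version: bytes, connection_id: int = 1) -> bytes:
    """Build a MySQL protocol-version-10 initial handshake packet.

    Layout: 3-byte little-endian payload length + 1-byte sequence id, then
    protocol version, NUL-terminated server version, connection id, 8 bytes of
    auth-plugin data, a filler byte, capability/charset/status fields, the
    auth-data length, 10 reserved bytes, 13 more auth bytes, plugin name.
    """
    salt1 = b"A" * 8                       # constructed, fixed for determinism
    salt2 = b"B" * 12 + b"\x00"
    payload = (
        b"\x0a"                                 # protocol version 10
        + server_version + b"\x00"              # what banner grabbers read
        + struct.pack("<I", connection_id)
        + salt1 + b"\x00"                       # auth-plugin-data-part-1 + filler
        + struct.pack("<H", 0xF7FF)             # capability flags, lower 16 bits
        + b"\x21"                               # charset 33 (utf8_general_ci)
        + struct.pack("<H", 0x0002)             # status: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", 0x0008)             # capability flags, upper 16 bits
        + bytes([len(salt1) + len(salt2)])      # auth-plugin-data length (21)
        + b"\x00" * 10                          # reserved
        + salt2                                 # auth-plugin-data-part-2
        + b"mysql_native_password\x00"
    )
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def version_from_greeting(packet: bytes) -> bytes:
    """What a scanner extracts: the NUL-terminated string after the 4-byte
    packet header and the 1-byte protocol version."""
    body = packet[5:]
    return body[: body.index(b"\x00")]


def parse_log(lines):
    """Yield (timestamp, ip) from log lines of the assumed form
    '<ISO-8601> <ip> connect'; anything else is skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "connect":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue


def build_blocklist(lines, allow=(), threshold=1):
    """Sorted source IPs with at least `threshold` honeypot hits, excluding
    anything inside the allow-listed networks (e.g. the sanctioned scanner)."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = Counter(ip for _, ip in parse_log(lines)
                   if not any(ip in net for net in allowed))
    chosen = (ip for ip, count in hits.items() if count >= threshold)
    return [str(ip) for ip in sorted(chosen, key=lambda ip: (ip.version, int(ip)))]


def iptables_rules(ips):
    """One DROP rule per offending source, for the whole host, not just the bait port."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def serve(listen_port=LISTEN_PORT, log_path=LOG_PATH, max_conns=None):
    """Accept, send the bait greeting, log the peer, hang up. No query is
    ever read, so nothing real is exposed to whoever connects."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, open(log_path, "a") as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(16)
        seen = 0
        while max_conns is None or seen < max_conns:
            conn, (ip, _) = srv.accept()
            with conn:
                conn.sendall(mysql_greeting(ADVERTISED_VERSION, connection_id=seen + 1))
            stamp = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
            log.write(f"{stamp} {ip} connect\n")
            log.flush()
            seen += 1


SAMPLE_LOG = [                                   # constructed sample, not real traffic
    "2016-03-08T10:15:01 203.0.113.7 connect",
    "2016-03-08T10:15:09 203.0.113.7 connect",
    "2016-03-08T10:16:30 198.51.100.20 connect",   # inside the assumed scanner range
    "2016-03-08T10:17:02 192.0.2.44 connect",
    "not a log line",
]

if __name__ == "__main__":
    for rule in iptables_rules(build_blocklist(SAMPLE_LOG, allow=["198.51.100.0/24"])):
        print(rule)
    serve()
```

Run it as root (or with CAP_NET_BIND_SERVICE) on a host that does not run a real MySQL, or change LISTEN_PORT; the greeting is only ever sent, never followed by authentication, so a connecting client learns a version string and nothing else. The same log reducer works on any "timestamp ip connect" source, and the allow list is the knob that keeps a compliance scanner's probes from landing in the firewall.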

  8. Re:gotta get the encrypted data first on MIT's New 5-Atom Quantum Computer Could Make Today's Encryption Obsolete (pcworld.com) · · Score: 2

    >how, exactly, we'll be able to secure our data once quantum computing becomes widely available

    Look here

    Summary..
    Encryption and symmetric signing will need to double the key size for the same security bound.
    RSA, ECDH and ECDSA will be insecure.

    So key management goes back to the pre-DH days.

  9. Re:plugin has been suppressed from the wordpress s on WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext · · Score: 1

    > Publishing a plugin architecture so open to privilege escalation should be illegal.

    Really? Illegal? Really?

    Yes. When you also make claims that your software is secure.

  10. Re:plugin has been suppressed from the wordpress s on WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext · · Score: 1

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    WP deserve all the criticism they get. Publishing a plugin architecture so open to privilege escalation should be illegal. They claim to be secure against common attacks. Yet privilege escalation via plugin doesn't count?

    From the Wordpress web site.. "Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document."

  11. Re:Already done in the U.S. on China Tries Its Hand At Pre-Crime (bloomberg.com) · · Score: 1

    From that link..

    "In addition, drivers involved in traffic crashes that resulted in pedestrian fatalities had less than two-thirds the rate of alcohol involvement as did the pedestrians killed"

    So it's the drunk pedestrians contributing to more pedestrian fatalities than drunk drivers.

  12. Don't do it!

  13. Re:Already done in the U.S. on China Tries Its Hand At Pre-Crime (bloomberg.com) · · Score: 1

    Uh, no. If you're driving under the influence you are going to ruin your life and others, it is guaranteed. That isn't thought crime.

    Do you have any data to back that up? Does every act of driving under the influence ruin a life? Is the converse true - does every act of driving sober not lead to a life ruined? If not, what are the numbers for the 4 cases (sober - life ruined, drunk - life ruined, sober - life not ruined, drunk - life not ruined). Until you can quantify those things in a random sampling of car journeys, your claim is baseless.

  14. Re:What's the loophole? on Government To Bring Forward Law To Close BBC 'iPlayer Loophole' (theguardian.com) · · Score: 2

    It pays for the BBC and is a lot cheaper than a cable TV subscription in the USA.
    The alternative is no license fee, conventional ads on the BBC and much worse programming.

  15. Re:Computer programming is not computer science on $500K NSF Grant Boosted Girls' CS Participation At Obama Daughters' $37K/Yr HS · · Score: 1

    The length of one's pole can be a problem.

  16. Re:Computer programming is not computer science on $500K NSF Grant Boosted Girls' CS Participation At Obama Daughters' $37K/Yr HS · · Score: 1

    That's just implementation details. We're talking about formal models of abstract spaghetti here.

  17. Re:Computer programming is not computer science on $500K NSF Grant Boosted Girls' CS Participation At Obama Daughters' $37K/Yr HS · · Score: 1

    Designing computer circuits is engineering.
    Debugging is exactly like science.. You want to know what's going on, you make hypotheses, test them, iterate until you know.
    At least with chips, where you can't see what's happening directly. Software just expands to the point one step beyond our ability to debug it through observation.

  18. Re:Computer programming is not computer science on $500K NSF Grant Boosted Girls' CS Participation At Obama Daughters' $37K/Yr HS · · Score: 1

    Are you saying for all possible chip designs and all possible compiler designs, bubble sort will ALWAYS be slower than merge sort (for non-trivial sort sets of relatively random keys)?

    Yes, as long as it's the type of computer that follows a sequence of steps (as opposed to some kind of weird slime computer that is magic). Although if it doesn't follow a sequence of steps, it's not bubble-sort anymore.

    If so, can you provide the proof?

    Yes, the proof involves counting the number of steps required to complete each algorithm.

    It depends on the efficiency of the computational steps available to you. The classic example is the spaghetti sort, which is O(n). Hang each bit of spaghetti from a pole. Repeat until pole empty [pick the longest length of spaghetti]. This presumes that [pick the longest length of spaghetti] is an O(1) operation, which it is in normal human experience. Logical architecture matters.

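The "count the steps" argument in the exchange above, as an added example that is not part of any of the comments: bubble sort, merge sort and a spaghetti sort are each instrumented to count their primitive steps, with the spaghetti sort charging one step per "hang a strand" and one per "pick the longest", i.e. the O(1) oracle the comment assumes. The random key set and the seed are constructed here. It also shows the caveat about "relatively random keys": on already sorted input, bubble sort with an early exit takes fewer comparisons than merge sort.

```python
"""Added example: step counting for bubble, merge and spaghetti sort.
Inputs are constructed; the spaghetti oracle cost is the comment's assumption."""
import random


def bubble_sort(keys):
    """Return (sorted copy, number of comparisons). Early exit when a pass swaps nothing."""
    a = list(keys)
    steps = 0
    for end in range(len(a) - 1, 0, -1):
        swapped = False
        for i in range(end):
            steps += 1
            if a[i] > a[i + 1]:
                a[i], a[i + 1] = a[i + 1], a[i]
                swapped = True
        if not swapped:
            break
    return a, steps


def merge_sort(keys):
    """Return (sorted copy, number of comparisons made while merging)."""
    steps = 0

    def rec(xs):
        nonlocal steps
        if len(xs) <= 1:
            return list(xs)
        mid = len(xs) // 2
        left, right = rec(xs[:mid]), rec(xs[mid:])
        out, i, j = [], 0, 0
        while i < len(left) and j < len(right):
            steps += 1
            if left[i] <= right[j]:
                out.append(left[i])
                i += 1
            else:
                out.append(right[j])
                j += 1
        out.extend(left[i:])
        out.extend(right[j:])
        return out

    return rec(list(keys)), steps


def spaghetti_sort(keys):
    """Return (sorted copy, steps), charging 1 step to hang each strand and
    1 step per 'pick the longest' (the assumed O(1) physical oracle).
    Python's max()/remove() are O(n) each; that cost is deliberately not
    counted, which is exactly the point the comment makes about logical
    architecture."""
    pole, steps = [], 0
    for k in keys:
        pole.append(k)          # hang the strand
        steps += 1
    out = []
    while pole:
        steps += 1              # one grab of the tallest strand
        longest = max(pole)
        pole.remove(longest)
        out.append(longest)
    out.reverse()               # picked longest-first, so flip to ascending
    return out, steps


def random_keys(n=200, seed=1):
    """Constructed input: n distinct pseudo-random keys, deterministic by seed."""
    return random.Random(seed).sample(range(10 * n), n)


SORTED_KEYS = list(range(50))   # constructed: the already-sorted edge case


def step_counts(keys):
    """Steps for each algorithm on the same input."""
    return {
        "bubble": bubble_sort(keys)[1],
        "merge": merge_sort(keys)[1],
        "spaghetti": spaghetti_sort(keys)[1],
    }


if __name__ == "__main__":
    print("random :", step_counts(random_keys()))
    print("sorted :", step_counts(SORTED_KEYS))
```

On the random input the ordering is bubble > merge > spaghetti, and the spaghetti count is exactly 2n; on the sorted input bubble sort drops to n-1 comparisons and beats merge sort, which is why the original claim has to be qualified with "relatively random keys".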

  19. Re:So what? on Aging Indian Point Reactor Shut Down By Bird Droppings (nypost.com) · · Score: 1

    "it's poorly designed"

    Nope. It's designed to trip when a sudden and significant overload is detected. Whether that's from a humorous bird dropping, or a more serious cause doesn't really matter - it detected a significant anomaly and took safe action. The system is reacting to measurements/inputs, not causes.

    And, it's not simply "bird shit from above" as you so blithely put it, it was a "streamer" from a large bird, as mentioned in the summary. That's a continuous stream, which to a high voltage circuit is little different than a wire shorting two conductors.

    Many things I keep in my house are protected from this failure mode, by use of a roof. It catches the bird poo before it reaches any exposed high voltage lines I may have left laying around.

  20. Re:I'll get pilloried for saying this but on IBM Sues Groupon Over 1990s Patents Related To Prodigy (arstechnica.com) · · Score: 1

    The problem is the so called inventions. They are obvious and natural conclusions. There is no revolutionary idea or inspiration. Patents are to reward and motivate people to develop ideas, implement and produce useful products. These inventions were inevitable. If you could wipe everyone's mind in the world and all evidence, someone would "invent" it within a week if not days. There is no need to reward these "inventions". It is not revolutionary. It's nothing like the invention of transistors or semiconductors.

    Right. That's why the real race is to identify the problems of the future. Once you know the problem, the solutions are often obvious. But getting there first is good enough for the patent office. The patent lawyers have twisted the test of obviousness to 'can you show someone thought of it before' which is hardly different to originality.

  21. Re:I'll get pilloried for saying this but on IBM Sues Groupon Over 1990s Patents Related To Prodigy (arstechnica.com) · · Score: 1

    Prestel springs to mind.

  22. I know what a corporation is. I work for a big one and I have considered creating a small one in the past. Not too much paperwork, but the lawyer wanted paying.

  23. Re:Correlation versus causation again. on Big Health Benefits To Small Weight Loss (nytimes.com) · · Score: 1

    >but what type of weight that they lost was not specified.

    It's a meta study. They don't know. This is bottom-of-the-barrel science.

  24. Causality on Big Health Benefits To Small Weight Loss (nytimes.com) · · Score: 1

    >Obese individuals who lose as little as 5 percent of their body weight can improve their metabolic function
    Obese individuals who improve their metabolic function lose as little as 5 percent of their body weight.

    There, fixed that for you, maybe.
    The world of nutrition research is full of the elementary school statistical error of assuming the arrow of causality to be one way when it's actually the other.

  25. Or less effective even