Slashdot Mirror


User: Chuck+Chunder

Chuck+Chunder's activity in the archive.

Stories
0
Comments
2,077

Comments · 2,077

  1. Re:People don't need supersonic anymore... on Superjet Technology Nears Reality After Successful Australia Test (cnet.com) · Score: 1

    No one likes being in a plane for a long time, even if they have movies to watch or can check their email.

    Probably of more relevance is cost efficiency. Not much else matters to Airlines. Airlines get paid for taking someone from point A to point B. It's difficult to imagine it not being expensive, but if a single aircraft can make 5 trips round the world a day compared to 1 then it might be cost effective.

  2. The payment card industry needs to fix its crappy, insecure payment cards first before accusing businesses,

    It's not entirely clear what you mean by "payment card industry". The "payment card industry" is everybody, including "businesses" and there's an awful lot of existing infrastructure all that has to keep working. It sounds like you are complaining about card schemes (Visa, MasterCard, Amex) but the Tokenisation stuff they've come up with via EMVco is pretty good, it's just there's an awful lot of infrastructure (including at "businesses") that needs to be updated to work with it. (Indeed EMV one time payment tokens appear to be one of the modes supported by ApplePay, so it's probable that people are doing such payments today, but probably only in cases where the cardholder's bank supports it, the merchant supports it in their app, and the merchant's payment gateway supports it, etc etc etc).

    But saying the payment industry should do X "before" trying to improve security at businesses is ludicrous, security is about dealing with the real world and trying to make what is already there better, not doing nothing until some ideal solution becomes available.

  3. I did not cheat the test. The test was fraudulent, claiming to identify flaws in my network that were not present.

    Well, you did "cheat" the test. A scan is just a scan, it isn't 'fraudulently' doing anything, it's just reporting a possible problem. It's up to you to justify any listening port with a business reason and demonstrate appropriate controls for the service.

    Of course it's not immediately clear what sort of compliance tests you are doing. If it's just Tier 3 then you're probably not paying much for your ASV and they are geared (and priced) for scenarios where scans show very little is in scope and not much manual appraisal is done. If it's a higher tier then you should be dealing with people who take the time (and are being paid) to understand your system and make an informed assessment.

    PCI isn't perfect but isn't awful as a set of minimum standards and guidelines.

  4. for why they need SHA-1 certs? Old POS terminals using public CA roots, and still without SHA-256 support. Welcome to the embedded world. And yes, I'm sure they have lots of other vulnerabilities.

    What I don't understand (and maybe because I haven't looked too hard) is what "Old POS terminals" have to do with Mozilla. I can understand why Worldpay might need to support SHA1 for their own stuff, I don't quite get why that means a general browser should.

    Indeed, perhaps it's nothing to do with the browser at all, and it just means that Symantec can issue these certs without being considered by Mozilla (the group) to be in breach of some agreed-to policy, but that these certs still won't be accepted (if they were seen) by Mozilla (the browser).

    If that is the case, then really this isn't a big deal at all. Mozilla's response just gives Worldpay a little more time to get their shit together within the current framework (the alternative, cutting them off, could be less secure, as it would probably mean Worldpay would end up rolling their own SHA1 CA and distributing that root authority to their POS terminals, perpetuating the problem indefinitely rather than giving them a short grace period to catch up).

  5. Bricking the phone still isn't a good solution on Apple Says Sorry For iPhone Error 53 and Issues IOS 9.2.1 Update To Fix It (betanews.com) · Score: 1

    Even if you are defending against a potentially dodgy fingerprint scanner, all you need to do is pop up a dialogue on boot saying there's a problem with the fingerprint scanner and that the phone won't accept fingerprints from it.

    Personally I can't imagine what sort of attack it's supposed to prevent, any adversary capable of replacing the fingerprint sensor in your phone is going to be an adversary capable of obtaining and replicating your finger print to the sensor.

    If it's just the risk of cheap knock-off parts compromising security by doing something like sending the same "fingerprint" when touched without actually reading the surface then that is a good reason to stop trusting the fingerprint scanner, it's not a good reason to brick the phone.

  6. Re: Inevitable on SaxoBank Predicts Universal Basic Income For Europe · Score: 2

    That would save me so much time!

  7. Re:invite more people in? on More People In Europe Are Dying Than Are Being Born (phys.org) · Score: 1

    because they don't integrate. Even politicians have to admit that multiculturalism failed.

    This seems to suggest a misunderstanding of what multiculturalism is. The clue is in the name: it doesn't presuppose integration, at least in the sense you seem to be using it (that would be a monoculture), but rather the side-by-side existence of multiple cultures.

  8. A lot of PCI is about scope management on Deadline for Better Encryption on Payment Systems Pushed Back Two Years (pcisecuritystandards.org) · Score: 2

    I'd be looking at moving that email server out of scope, ie out of your PCI environment.

    You'd need some policies around your use of email (ie "We don't send cardholder data via email", with bonus points if you have a way of 'enforcing' that, eg a mail scanner) but with that in place there should be no reason why your mail server is in scope if it's separate from your PCI environment (ie hosted elsewhere).

  9. Why I chose PS4 on Ask Slashdot: Xbox One Or PlayStation 4? · Score: 1

    In the same situation I ended up going for the PS4. All in all they seemed pretty similar but the PS4 seemed marginally better performance-wise. Its smaller size was also a factor for me.

    The swinger though was probably Morpheus/Playstation VR. Obviously it's not out yet, but I've been waiting for decent VR since I was a kid (ie for over two decades) so the possibility of it coming to a home console holds a lot of excitement. Whether I end up getting it depends on reviews etc but, with all other things being relatively equal between the consoles, keeping that option open down the road was a factor.

  10. Lots of layers to consider on Ask Slashdot: Automated Verification For Uploaded Files? · Score: 1

    There are several layers here that make a solution quite "interesting". On the one hand you are trying to protect your users by avoiding serving them bad content. On the other hand you want to protect your service. Protecting your users means doing more work on the uploaded content which increases your own attack surface.

    Personally if we are just talking about PNGs then I think that one of the safest things for your clients/customers would be to not serve the file as uploaded, but to serve a file that is the result of a successful render->save process (which might get you a bonus improvement of allowing you to optimise the image). That way you should end up serving a valid image without any dodgy stuff someone may have tried to sneak through. Of course there have been plenty of vulnerabilities in image handling over the years. So reprocessing the images does come with its own risk that might suggest its own mitigations (eg doing it on a separate untrusted server that doesn't have access to anything interesting).

    There might be third party services you could use, but of course that opens up its own questions in terms of trust, security and availability.

  11. I'm sure Orange County residents are fine with wise use of tax money.

    Indeed, it would be much better spent on things like improving reading comprehension.

  12. Re:What's the REAL reason ... on What Effect Will VW's Scandal Have On Robocars? · Score: 1

    By the time 3-eyed babies appear, the perps or their trail may be long gone.

    On the upside, at least these people will be able to check their Facebook while driving and still keep an eye on the road.

  13. Thank you for playing Wing Commander on Celebrating Workarounds, Kludges, and Hacks · Score: 4, Interesting

    As development for Wing Commander came to a close, the EMM386 memory manager the game used would give an exception when the user exited the game. It would print out a message similar to "EMM386 Memory manager error..." with additional information. The team could not isolate and fix the error and they needed to ship it as soon as possible. As a work-around, one of the game's programmers, Ken Demarest III, hex-edited the memory manager so it displayed a different message. Instead of the error message, it printed "Thank you for playing Wing Commander."

    https://en.wikipedia.org/wiki/...

  14. Re:Great news! on Australia: Your Digital Games (and Movies!) Could Be About to Jump In Price · Score: 1

    See, the introduction of the GST was to coincide with the bundling of a bunch of other taxes into one. For some goods, most notably electronics and "luxury items", they actually got cheaper. This was because it's truly a stealth tax on the poor, by taxing commodities like bread and orange juice (which previously would have been taxed at lower rates or even subsidized),

    Bread and orange juice are not subject to GST.

  15. Re: Australian here with wishful thinking on Australia: Your Digital Games (and Movies!) Could Be About to Jump In Price · Score: 1

    Well, businesses don't pay GST, they are just the mechanism for collecting it. Putting GST on Google Adwords won't really raise any additional revenue as the only entities buying Adwords (to a significant degree) are businesses who just claim the GST back.

  16. Re:Security is hard... on Germanwings Plane Crash Was No Accident · Score: 1

    We now know it, and they cannot hijack planes and succeed anymore, as no one will cooperate. The entire plane would swarm them, and rightly so.

    That's possible, though there have been (somewhat) successful "take me to X" style hijackings since 9-11.

  17. Re:Leave then on Gen Con Threatens To Leave Indianapolis Over Religious Freedom Bill · Score: 1

    Half of all marriages end in divorce

    To be fair, the other half end in death.

  18. Re:Do It, it worked in AZ on Gen Con Threatens To Leave Indianapolis Over Religious Freedom Bill · Score: 1

    They're trying to punish those who believe that homophobes or racists have that freedom.

    They aren't "trying to punish" anyone. They just want to host their convention somewhere where all their attendees will be welcomed.

  19. There is literally nothing for me to buy right now. Why can't this 10% off be in the form of a code that we can use any time we wish?

    Isn't that pretty much what Sony are saying they will give? A code you get to apply to a shopping cart once?

    "In addition, sometime this month we will announce that for a limited time, we will be offering a 10 percent discount code good for a one-time discount off a total cart purchase in the PlayStation Store as a thank you to all PSN members."

    I suppose the "for a limited time" could be a problem, depending on how reasonable it is. If it was something like 6 months then it probably isn't too bad. In that time frame there would probably be something you would buy anyway. At that point it probably comes down to whether the code recipient is capable of delaying gratification. If there's plenty of time to use the code and you choose to use it to buy things you wouldn't have otherwise then that'd be your choice (no doubt one Sony would be happy with). Personally I'll aim to hang on to it until there's something I want. If it turns out there's a game I want, a TV series I want and a movie or two I'd like to see then the 10% could be quite a saving. Then again I've already got more games queued up than I have time to play.

  20. Re:Why the distros? on Over 78% of All PHP Installs Are Insecure · Score: 1

    "well, distributions backport security fixes, so 5.3.3 is secure on distro XYZ".

    Are you aware of any analysis as to the extent that is actually true, ie for distro X or Y which patches really have been backported and which are skipped?

    I had a quick poke about the W3Tech site and couldn't really see much of their methodology, especially in terms of how they identify PHP usage and what version is being used. I'd have thought that if you looked at their PHP page there should be a not insignificant number where they can reasonably guess it's using PHP (due to file extensions in URLs perhaps) but not be able to identify the version being used.

    I wonder how much your "% of installs that are secure" statistic could be inaccurate due to most (I'd hope) sites that care even slightly about security suppressing the Apache header PHP version information. Are they just missing from the W3Tech stats? It's possible that a significant number of the "secure" PHP installs could be invisible to your calculations because the sort of people who keep their software up to date are the same people who follow fairly basic server set up recommendations.

    I suppose there are also questions as to what "insecure" means in practice. For bulk hosting sites running unknown third party code everything is critical, but for a lot of sites running their own code whether they are actually "insecure" depends not only on what PHP does but also what their code does. Eg for the most recent PHP 5.4 release there is a fix for a fairly nasty looking bug in unserialize(), but (as I understand it) a site admin with a defined codebase might quite legitimately determine that they never use unserialize() on user generated data and not be in any rush to update if they have other things to be doing. PHP version 5.4.35 might be "insecure" for the purposes of your stats but may not be in practice on someone's server if they know they don't use unserialize() in an exploitable fashion (or mcrypt).

    None of the above should be interpreted as criticism of your analysis, just food for thought. I find what you have done very interesting and expect that even if there are 'hidden' secure servers, the number of insecure ones would still be alarmingly high.

  21. Re:Sexual Harassment shouldn't cost us knowledge on MIT Removes Online Physics Lectures and Courses By Walter Lewin · Score: 1

    Deleting all of Cosby's TV shows and movies would still be wrong as they are a part of our cultural history.

    No one is doing that though, there is a difference between no longer promoting something and erasing it from history.

    To stretch the Cosby link further, you might (quite reasonably) think things Cosby did in the past are funny and even have value beyond pure humour, as social commentary etc. If that were the case and you know someone who had been abused by Cosby, would you choose to put a Cosby video on for them and expect them to find it an enjoyable experience?

    That is the situation MIT is in. They aren't just dealing with 'theoretical' students who might somehow be deprived of some value that only those videos can impart. They are dealing with real students actually affected by the situation at hand.

    If you wouldn't knowingly ask someone you care about to be entertained by someone who had abused them, why would you expect MIT to ask someone to be educated by someone who harassed them?

  22. Re:Just wondering... on MIT Removes Online Physics Lectures and Courses By Walter Lewin · Score: 1

    If you can't separate presenter from content, that's your serious character flaw, leave the rest of us out of it.

    If you were someone taking the course who had been harassed by him would you consider it a "serious character flaw" not to be able to "separate presenter from the content"?

    I imagine a lot of people might find that difficult and wouldn't need to have a "serious character flaw" to struggle with it. I think it's entirely reasonable for MIT to ditch (and replace) the content if it means the affected people can continue on with their education without having the chap popping up in their courseware.

    I don't think it makes sense to worry about the (theoretical) "students (...) punished by removing good lectures" and not consider the (evidently real) students actually affected by what has happened.

  23. Re:Not a Proportional Reaction on MIT Removes Online Physics Lectures and Courses By Walter Lewin · Score: 1

    How does taking them down in any way help the victim(s)?

    If they are still taking the courses or might want to continue on taking other courses that contained his videos it probably helps them not to have to sit through his lectures any more.

  24. Re:Just wondering... on MIT Removes Online Physics Lectures and Courses By Walter Lewin · Score: 1

    Probably not much for the average person.

    However I think that if there are people he harassed taking the courses (or who might like to take further courses in future) then it isn't a bad idea to cut him out of them rather than ask those people to interact with him further, even relatively passively on video.

    Even if the lectures are high quality, they probably aren't irreplaceable.

  25. Re:Well... no. on Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card · Score: 2

    True, but how is that any different to the normal situation where the maximum amount is £20?

    Arguably it could make the attack more worthwhile. The effort and hit rate involved might not make it worthwhile at low ticket amount (might as well have a real job) but could be worthwhile as the money starts going up.

    Realistically though it sounds like the attacker needs a merchant account to benefit (and presumably enough legitimate volume to hide the fraudulent transactions in without raising suspicions). From the sounds of it the biggest problem would occur if you were actually overseas and you were using your card in cafes and the like. Then perhaps an unscrupulous vendor might be able to get close enough to charge your card without you noticing and you might not notice it as fraudulent when you got your statement.