Is it just me or is the idea of centralising security bad?
There is a trade-off between better system security and user security. Single sign-on is very helpful to users. Security personnel can focus on reviewing a smaller set of audit logs, account policy can be applied once, effective everywhere, etc., etc.
On the other hand, yeah, there is a higher risk that compromising a user's account can allow access to numerous systems or services. But with good administrative practices in place and security reviews, the risks can be identified and managed accordingly.
After building a server and applying vendor patches, configuring for AD access is a snap and allows the users access without having to tell them anything more than server name.
Somehow the buzz to make everything easier overrules normal safety practices. Do we not get told not to have the same PIN for different credit cards?
Sometimes I wish I had as many credit cards as user accounts (even within the company). :>
Giving up my chance to use my 2 remaining mod points in this thread by posting...
Mod something else... moderator points are a terrible thing to waste. :>
I'll take a 15% performance hit on my TiBook if it adds even 1% of additional stability. Nothing worse than going on the road (to Bermuda) and having the battery run down. Attempting a reboot and you get the infamous question mark disk. Urgh.
Plus, just try getting an OS X disc in Bermuda. Two weeks without my Mac, *that* is a terrible thing.
Haven't tried 'light mode' yet, but Avantify works like a dream. Just added the URL for my co-lo'ed server to the avantify CGI script. Formatting of /. looks good.
After all, iTunes rips audio into MP3 formats instead of some "protected" format. QuickTime does not (IIRC) support DRM, except for (weak) protections on streamed movies to prevent a person from saving the movie.
Apple, with iTunes, has dabbled with DRM though. iTunes 3 supports Audible.com for audio books. I've used it and it's quite sweet.
Why in the world would they test something that pisses people off to no end on the entire island of Manhattan?! I can see this taking place in SanFran or some other laid-back city, but New Yawhk fer crissake?!!!!
More than likely some cabadmin (cable administrator) put his sammich down on the wrong button....
Incidentally (so I don't get modded redundant), do online merchants use the 3 digit security number on the back of cards? I'm Canadian and in order to check my balance, etc., online with my CC I have to use it when I login (well, I did until they moved to a more secure password protected security model). Is that 3 digit code a Canadian thing or is it global?
Verisign does have that option. When renewing some domains, I had to provide the CVC2 number and billing address. Since it was my corporate card, and seeing that we get our bills hand delivered from the bank (we're in the credit card biz), the address of "Deliver by hand" didn't match up with the address check.
Good ol' Verisign kept resubmitting the transaction until the fraud system at the bank auto-crapped my card.
Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.
Actually the card associations have developed numerous security components to reduce fraud (fraud being bad for their brand and image).
Let's start with the previously mentioned CVV2/CVC card ID numbers. Not part of the card number nor embossed. Gives assurance that the *physical* card was used for the transaction.
Address verification service (AVS) matches cardholder billing or identified shipping addresses. Normally only used in N.A. and the U.K. (regional issues too).
Then on to the good old chip cards. Europeans have seen these in use for some time now with Mondex, Maestro, Solo (I think), etc. Using SET or 3DSET, it allows the issuer to authenticate the card (via PKI technology).
And we shouldn't forget SPA, 3DSPA, and other secure payment initiatives.
Each one of these has a cost to the issuer (bank who 'issues' the card to the card holder), the merchant (be it retail or online), the acquirer (org who processes the card on behalf of a merchant) and the other entities involved. When a 3DSET implementation can easily cost an acquirer and issuer upwards of USD$250K, and it's only effective when *everyone* plays, you see where the reluctance comes from.
What the card associations do is give better rates when these methods are used. In the payments industry, nothing is more of an incentive than money....
Hot-card lists are one instrument for fighting fraud. Some companies, such as HNC (now owned by Fair Isaac) have some pretty sophisticated fraud monitoring capabilities.
Auth checks happen all the time. It's also a hard fraud to check if the perp works for a large merchant. Daily I'll see stupid verification checks. First auth transaction goes through with expiration of 01/03. Then the same card with 02/03, etc, etc.
I capped more than one merchant (most online) for having such horrible e-commerce infrastructures that allow such checks via the web.
As for debit vs. credit, make sure your bank does have fraud protection. It's now common to get business from other banks. The point about only keeping a small amount of money in a debit account is good too.
Even with fraud protection, it would suck having to wait for your bank to sort out the details....
Ever wonder why stores take an imprint of your card? In looking up the rules for both MasterCard and Visa, this gives a lot of support to the merchant in case of a chargeback.
Merchants definitely have different internal policies for verifying the card and cardholder. At the low end of the scale (most stores), the card isn't even looked at, returned before you sign, etc.
In Atlanta, the CompUSA's require photo id. At the local Apple store, you have to take the ID out of your wallet.
Get too many chargebacks as a merchant, and notice just how high your "discount fee" (percentage paid to the acquirer) can get. Plus the per item chargeback fees too (upwards of $50-100 *per item*).
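The "01/03, then 02/03, etc." pattern in the post above is expiry-date guessing through a merchant's auth channel. The following is an added example of detection logic for it, written for this page and not taken from the post or from any issuer's fraud system: it runs over a constructed authorization log and flags any merchant/card pair that submits several distinct expiry dates inside a short window. The log format, merchant ids, card tokens, window and threshold are all assumptions; card numbers appear only as tokens because PANs should never be logged in clear.

```python
"""Detect expiry-date guessing ('card testing') in authorization logs: one
merchant submitting the same card with several different expiry dates in a
short window.  Added example, not code from the original post; the log
format, merchant ids, card tokens, window and threshold are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    merchant: str
    card: str       # tokenized card reference, never the PAN
    expiry: str     # MM/YY as submitted by the merchant
    result: str     # approved / declined


# Constructed sample: merchant 7781 walks the expiry month on tok_4f2a until
# it gets an approval; the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
2002-11-04T09:01:12Z mid=7781 card=tok_4f2a exp=01/03 result=declined
2002-11-04T09:01:15Z mid=7781 card=tok_4f2a exp=02/03 result=declined
2002-11-04T09:01:19Z mid=7781 card=tok_4f2a exp=03/03 result=declined
2002-11-04T09:01:22Z mid=7781 card=tok_4f2a exp=04/03 result=approved
2002-11-04T09:05:40Z mid=7781 card=tok_91cc exp=06/04 result=approved
2002-11-04T10:30:02Z mid=2210 card=tok_0be7 exp=12/02 result=declined
2002-11-04T10:30:09Z mid=2210 card=tok_0be7 exp=12/02 result=approved
2002-11-05T14:12:00Z mid=7781 card=tok_91cc exp=07/04 result=declined
"""


def parse_line(line: str) -> AuthEvent:
    """Parse one 'TIMESTAMP key=value ...' line of the constructed format."""
    ts_text, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, f["mid"], f["card"], f["exp"], f["result"])


def find_expiry_guessing(log: str,
                         window: timedelta = timedelta(minutes=10),
                         min_distinct: int = 3) -> List[dict]:
    """Return one alert per (merchant, card) pair whose busiest time window
    contains at least min_distinct different expiry dates."""
    groups: Dict[Tuple[str, str], List[AuthEvent]] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ev = parse_line(line)
            groups[(ev.merchant, ev.card)].append(ev)

    alerts: List[dict] = []
    for (merchant, card), events in groups.items():
        events.sort(key=lambda e: e.ts)
        best: dict = {}
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            distinct = {e.expiry for e in span}
            if (len(distinct) >= min_distinct
                    and len(distinct) > best.get("distinct_expiries", 0)):
                best = {
                    "merchant": merchant,
                    "card": card,
                    "first_seen": span[0].ts,
                    "distinct_expiries": len(distinct),
                    "expiries": sorted(distinct),
                    # an approval inside the window means the guess succeeded
                    "approved_in_window": any(e.result == "approved" for e in span),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_expiry_guessing(SAMPLE_LOG):
        print(f"mid={a['merchant']} card={a['card']} tried {a['expiries']} "
              f"approved={a['approved_in_window']}")
```

Keying on the merchant/card pair is what separates this from a cardholder who simply mistypes once: a real customer does not submit four consecutive months in ten seconds. The `approved_in_window` flag marks the alerts worth acting on first, since those are the cards whose full details the guesser now holds.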
Agreed. Being a [re]new Mac user (past 6 months), I try to stay away from OS 9 solutions whenever possible. However, I can see why users with existing applications (or just like OS 9) would want the ability to at least boot their machine.
The only instance of "bundled" I can think of is the restore disc set that came with my system. Use those CD's and you did end up with an OS X system with OS 9 installed, and iPhoto, etc. too.
Jaguar was my first experience installing from scratch.
You *can* install OS9 afterwards (for Classic access).
Did a fresh install of Jaguar on my TiBook. Didn't even think of OS9 since all my apps are OS X approved. Wait, except for that damned Toast CD which is only OS9 (for the install). Popped out my OS9 CD that came with OS X 10.1.2, 'c' during startup, and installed a fresh copy of OS9.
Reboot back into Jaguar and launched Classic mode. It did its upgrade thang, and all was well.
(after installing Toast Titanium I was then able to apply the patch to make it an OS X app).
There are MAME controllers that have spinners on them. Slikstick being one of them. Have mine on order, now just need to find a decent cabinet to mount the bloody thing on!
We used to get data squirts from the South Pole station (environmental data). The onboard controllers running some RTOS (forget what) had to be programmed to transmit on their yagi antennas at predetermined times to take advantage of said orbits. At our downlink, we had to reposition the dish to point where the satellite was supposed to be. Thank god for everyone using UTC times instead of local timezones.
One of the rocket scientist guys explained that when the satellites lost the ability to station keep (or were purposefully pushed out of a geostationary orbit), you'd get a figure-8 orbit, hopefully North/South in direction. Some of the old GOES weather satellites did some major ass travelin'
Submarine fiber cables exist in some pretty harsh environments, but I'd be curious about the effects of freeze/thaw near the more temperate zones. Anyway, satellite is out, else how would the South Polers ever get good at Quake or Counterstrike????
This is good, yes. I've been waiting for someone to buy PGP. Finance was about to pull some accruals for encryption software for our corporate PC's (2000/XP).
Slash-scraping with LWP (on Perl & LWP) · Score: 2, Informative
Anyone who has used AvantGo to create a Slashdot channel understands the importance of reparsing the content. AvantSlash uses LWP to suck down pages and do reparsing. Hell, for years (prior to losing my iPaq), this was how I got my daily fix of Slashdot.
I just read it during regular work hours like everyone else. :>
Seriously. I had a sweet Compaq PocketPC, but lost it (long story, long night). As such, I've been in the market to buy a new PDA.
Too bad some of the new integrated PDA/Cell phones weren't available (yet), so I looked at what my needs were:
1) Contacts - Read/only
2) Calendar
3) Storage
4) Cool new features - MP3 playback
5) Taking Notes
My usage is primarily read-only and I use the PC (Mac) for managing everything. Seldom did I create contacts or calendar entries on my Pocket PC. However, daily I used to look up names and numbers or calendar entries. As for note taking, I always carry a pen. So as long as paper is still being made, I should be set.
With the new 10GB models and 1.2 of the code, I now have a new PDA. And it's a mad MP3 player as well!
Another recommendation for vlc (Videolan Client). Attempting to play DivX encoded movies under QuickTime is not always easy (although QT6 and DivX 5.02a is much better).
vlc plays pretty much anything that QT6 cannot do. The only missing feature so far (Mac OS X) is the ability to resize the playback window. Once that's in place, vlc hits the dock!
How often do you really need "true console" access on a box that has no network connectivity?
How about after the last OpenSSL patch? Take (1) RedHat server, add (1) RedHat Network remote install (i.e., push to the server), mix in pam-ldap and you get a broken SSH, even for users in the local passwd file.
Just had to beg a coworker to log in to *7* servers from our trusty analog KVM to 'service sshd restart'. Two other servers in a co-lo out in London were done from my desk via the IP KVM (Avocent). Oh, and another 2 fixed via VMware GSX server console.
Moral of this story: just say no to RHN for updates that affect logins.
Anyone know a good solution for getting PAM to work when the LDAP server isn't available?
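The lockout question at the end of the post comes down to how the PAM auth stack is ordered and which control flags it uses. The following is an added example, written for this page and not code from the post or from Linux-PAM: a small simulator of the simple control flags (required, requisite, sufficient, optional) as pam.conf(5) describes them, run against two constructed stacks with the LDAP server unreachable. The post does not say which stack the affected servers used, so the stacks, the module return codes and the user scenarios are assumptions chosen to show the failure mode and one layout that avoids it.

```python
"""Simulate how a Linux-PAM 'auth' stack decides, using the simple control
flags (required, requisite, sufficient, optional) described in pam.conf(5),
to show why pam-ldap can lock out local /etc/passwd users when the LDAP
server is unreachable.  Added illustration, not code from the original
posts; the stacks and per-module return codes below are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Return codes that matter here (names as in security/_pam_types.h).
SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"   # module's backend (LDAP) unreachable
PERM_DENIED = "PAM_PERM_DENIED"             # stack finished without a verdict

SIMPLE_FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Entry:
    control: str
    module: str


def parse_auth_stack(text: str) -> List[Entry]:
    """Collect the 'auth' lines of a pam.d-style file; module args are ignored."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2]
        if control not in SIMPLE_FLAGS:
            raise ValueError(f"bracketed/unsupported control flag {control!r}")
        stack.append(Entry(control, module))
    return stack


def run_auth(stack: List[Entry], results: Dict[str, str]) -> str:
    """Evaluate the stack given each module's return code for this attempt.

    impression: None = nothing decided yet, True = leaning success,
    False = a required/requisite module failed.  As in Linux-PAM, the first
    required failure fixes the final error code.
    """
    impression: Optional[bool] = None
    status = PERM_DENIED
    optional_status: Optional[str] = None
    for entry in stack:
        rc = results.get(entry.module, AUTH_ERR)   # unknown module: treat as failing
        if entry.control in ("required", "requisite"):
            if rc == SUCCESS:
                if impression is None:
                    impression, status = True, SUCCESS
            else:
                if impression is not False:
                    impression, status = False, rc
                if entry.control == "requisite":
                    return status                  # requisite failure: stop now
        elif entry.control == "sufficient":
            if rc == SUCCESS and impression is not False:
                return SUCCESS                     # enough; later modules never run
            # a failing sufficient module is simply ignored
        else:                                      # optional
            optional_status = rc
    if impression is None:
        if stack and all(e.control == "optional" for e in stack):
            return optional_status or PERM_DENIED  # optional only decides when alone
        return PERM_DENIED
    return status


# Constructed stack 1: LDAP consulted as a hard requirement.
LDAP_FIRST = """
auth required   pam_ldap.so
auth required   pam_unix.so
"""

# Constructed stack 2: local files first, LDAP as fallback, explicit deny.
FILES_FIRST = """
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""

# Constructed per-module outcomes for three scenarios.
LOCAL_USER_LDAP_DOWN = {"pam_unix.so": SUCCESS, "pam_ldap.so": AUTHINFO_UNAVAIL, "pam_deny.so": AUTH_ERR}
LDAP_USER_LDAP_DOWN = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": AUTHINFO_UNAVAIL, "pam_deny.so": AUTH_ERR}
LDAP_USER_LDAP_UP = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS, "pam_deny.so": AUTH_ERR}


def outcome(stack_text: str, results: Dict[str, str]) -> str:
    return run_auth(parse_auth_stack(stack_text), results)


if __name__ == "__main__":
    for name, stack in (("ldap-first", LDAP_FIRST), ("files-first", FILES_FIRST)):
        for who, res in (("local user, LDAP down", LOCAL_USER_LDAP_DOWN),
                         ("LDAP user, LDAP down", LDAP_USER_LDAP_DOWN)):
            print(f"{name:11} {who:22} -> {outcome(stack, res)}")
```

With `required pam_ldap.so` anywhere in the stack, an LDAP outage turns into PAM_AUTHINFO_UNAVAIL for every account, root included; with pam_unix as `sufficient` ahead of pam_ldap, local accounts keep working and only directory users are refused until the server returns. The auth stack is only half of it: name-service lookups through nsswitch.conf (`passwd: files ldap`) can still hang a login while nss_ldap retries, so a short bind timeout (with PADL's nss_ldap/pam_ldap, `bind_policy soft` in ldap.conf; stated here as an assumption about that implementation) matters just as much. None of this helps when, as in the post, sshd itself needs restarting after a library push; that is a console problem, not a PAM one.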
Because the BMW factory-provided NAV systems for Bimmers, well, suck compared to those offered by Lexus and other Japanese luxury car mfgs.
Oh, you mean like UCAF/SPA????
The best signature I've seen was:
* * * CHECK ID * * *
Although I'm not sure if that's valid per the card associations or the issuing bank rules or not. Hmmm.
Move forward to February 17, 2003. According to iCal, Daylight Savings Time starts then.
Having a refresh period for subscribed calendars is a good thing, methinks.
[camera shot of laundry room - digital displays on machines]
Machines start to vibrate and bounce around.
S U K I -- S U K I -- S U K I
scrolls across all machines. Mayhem ensues.
[cut to cute little girl on home PC]
Mom: "Suki - time for bed!"
Ack! Should be 'aren't rolling in money...'
No, you had it correct. But they should have been using $1 bills instead of $100's as rolling papers. Result is the same though....