There's a lot of misinformation here.
Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether it's EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.
Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.
The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.
It is not that hard to build a login process, a registration process and a password reset process that don't disclose if a guessed username is a correct username. And these controls do add significant value.
Username enumeration is one of the first things I consistently look for when penetration testing a web-facing application.
Why?
Because if I can start enumerating valid users I can start building a big list of usernames.
Once I have a list of usernames I can start password spraying.
What's password spraying? I try one password guess per day against each user account that I identified.
Is it a company that rotates passwords every 90 days? OK then "Winter2017", "November2017", etc.
Is it a retailer based in Wisconsin? OK then "Packers1", etc.
This approach is probably about 80% effective at guessing at least one user's password if I can enumerate at least a few hundred usernames.
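As an added example (not code from the original comments), the defender's side of both posts above: a login and reset flow whose message and timing are identical for an unknown username and a wrong password, and a detector for the spray pattern (many accounts, one or two guesses each) run over constructed auth log lines. All usernames, passwords and log entries are constructed for the demonstration.

```python
"""Added example, not from the original comments: an authentication flow
whose responses and timing do not reveal whether a username exists, plus a
detector for the spraying pattern described above. All usernames, passwords
and log lines below are constructed for this demonstration."""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

ITERATIONS = 100_000
GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_MSG = "If that account exists, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash). The dummy record makes
# the "unknown user" path do the same KDF work as a real user's, so response
# time does not leak account existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_urlsafe(32), _DUMMY_SALT)
USERS = {}
for _name, _pw in [("alice", "Winter2017"), ("bob", "correct horse battery staple")]:
    _salt = os.urandom(16)
    USERS[_name] = (_salt, hash_password(_pw, _salt))


def login(username: str, password: str) -> tuple:
    """Return (ok, message). Wrong password and unknown user produce the
    same message after the same amount of work."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return ok, ("" if ok else GENERIC_LOGIN_ERROR)


def request_password_reset(username: str) -> str:
    """Identical response for every input; the e-mail (omitted here) goes
    out only when the account exists, so only the mailbox owner learns."""
    if username in USERS:
        pass  # enqueue the reset e-mail here
    return GENERIC_RESET_MSG


def build_sample_log() -> str:
    """Constructed auth log, one event per line: '<iso-time> <src> <user> <result>'.
    One source sprays 25 accounts with a single guess each, one hammers a
    single account, and one is a real user who mistyped twice."""
    base = datetime(2017, 11, 3, 8, 0, 0)
    lines = []
    for i in range(25):   # spray: many users, one attempt each
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 203.0.113.9 user{i:02d} FAIL")
    for i in range(30):   # brute force: one user, many attempts
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 admin FAIL")
    for i in range(2):    # legitimate typo
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 192.0.2.5 alice FAIL")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 192.0.2.5 alice OK")
    return "\n".join(lines)


def detect_spray(log_text: str, window: timedelta = timedelta(days=1),
                 min_users: int = 20, max_per_user: int = 2) -> dict:
    """Flag sources that fail against many distinct users with very few
    attempts per user inside the window: the inverse of a brute force, and
    invisible to per-account lockout. A one-guess-per-user-per-day spray, as
    in the comment above, needs a window of a day or more to show up."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        if result == "FAIL":
            by_src[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = len(per_user)  # distinct accounts targeted
                break
    return flagged


if __name__ == "__main__":
    print(login("alice", "Winter2017"))
    print(login("alice", "nope"), login("nobody", "nope"))
    print(detect_spray(build_sample_log()))
```

The brute-force source is left to per-account lockout; only the source that touches many accounts with one guess each is reported.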
Some of the articles seem to indicate employees are stumbling across illegal images as part of their repair process. But they are retrieving images from slack space, which AFAIK is not something a Best Buy-type repair tech would do as part of a repair. So the techs are at a minimum using forensic tools to recover data. Also, where are they billing the time for these non-repair activities? Forensic scans are time consuming.
I'm also very curious to know if the techs were then manually reviewing the recovered images, again time consuming, or if the FBI further assisted by providing the tech access to LE tools such as the databases of hashes of known CP to make their searching faster.
As a victim of CP myself I have no love for creeps who access or share it, but for the FBI to argue that Best Buy employees weren't being led to perform searches on their behalf sounds ridiculous.
It looks like the vulnerability is in a PwC product called ACE, which analyzes SAP security settings.
The flagship product of the security firm that produced the disclosure appears to be "ESNC Security Suite", which from what I could tell appears to be a competing product.
While I definitely support security research and responsible disclosure, it makes me a little uncomfortable that it appears this security firm could have chosen to target and test the PwC software because it is a competitor to software they produce.
This seems like a cool idea, but are we really going to get the world to start using an algorithm for determining location that appears to be proprietary and closed-source? I was looking to find specifically how it works and as far as I can tell you can only implement this by downloading apps or APIs from what3words, and their closed code will do all the work mapping locations to words and vice-versa.
Why would anyone build any type of important solution or process on top of this and have their hands tied to this one vendor to use it going forward? It's not like you could upgrade or convert to a different process later if your plan was to get people to use this new method for specifying their location.
After some hunting around, I figured out how to unbrick a bricked FTDI device (set the PID back to 6001) using the ft232 tool on Linux.
I wrote up the steps here for those that are interested:
http://www.minipwner.com/index...
The MiniPwner is a similar device built on a TP-Link TL-WR703N router, so you can build one for under $40. http://www.minipwner.com/
Also, Hak5 has had their WiFi Pineapple available for a few years that is similar; however, their Mark IV version, which should come out really soon I think, will trump both the Pwnie Express and the MiniPwner. http://hakshop.myshopify.com/products/wifi-pineapple
I recently started a similar project based on the $23 TP-Link TL-WR703N travel router. Without any need for soldering or other "hardware hacking" you can build a battery-operated network drop box running OpenWrt Linux.
http://www.minipwner.com/
There is a serial interface on the circuit board for the WR703N but you have to crack the box and do some soldering to connect to it. I've been toying with the idea to do just that to interface it with an Arduino/Parallax processor or sensors or whatever. I'm also playing with connecting a USB sound card and adding a microphone to record audio in the local range of the box.
Probably not the case, but I could see, as an interviewer, asking this question not to see the interviewee's answer, but to see the interviewee's response to a conflict situation. It's actually a great and creative way to see how they'd react (do they get frustrated/angry, do they take a constructive approach to resolving the conflict, do they just accept it and not push back at all?). Great insight to get about someone during an interview.
And How! The reason lunch is mandated is generally so the individual gets a break. For an extroverted person, a break means visiting with others. For an introverted person (introverted in the sense that she gets her energy from being alone, and finds being with others draining, not that she is "shy") a break means being left alone to recharge. Pretty insulting for an extrovert to steal away all the introvert's time to recharge because he doesn't understand that the introverts are different than he is. Also pretty sad for his team that he's probably driving off all the introverts and losing the diversity in his team.
Instead of a one-time trip (like they do on the ghost hunter shows), if this is a family home that you could have 24x7 access to, I would suggest setting up a DVR surveillance system like ZoneMinder. Find out where people see the most "ghost" activity, and place various cameras to cover those areas. Then you ask the family members who live there to write down when and where they experience weird activities. Sure, if they saw an apparition the only thing you'll be able to show them is there was no apparition on film. But if they say that things are moved, doors open, etc., you'll have video evidence showing the real cause of the suspicious activity.
Having supported friends and family's home and small business computers for years, I'll go on record saying "in the cloud" is better than storing it locally for most of them.
- I'm pretty confident Google is doing a better job securing their data in the cloud than many home users and small businesses do securing their local PCs from trojans and other malware.
- I'm pretty sure Google is doing more frequent and reliable backups than many home users and small businesses.
Now I would never condone a business putting customer or sensitive company data on Google's cloud without a business contract with Google, and I would have friends and family avoid storing their taxes or other critical personal info in the cloud or on their personal computer, but for documents, pictures, etc. the cloud is probably a much better place for most home users.
From my experience generally credit cards do have a few nuances that make them safer than debit for online purchases.
Both have zero liability for unauthorized purchases.
With some (all?) credit cards you get a satisfaction guarantee for authorized purchases. For example, if you buy a collectible model car online and receive a poor quality, crappy cheap plastic toy, and the company won't do a refund, a credit card likely would refund, while a debit card wouldn't. Or in another example, if you buy plane tickets and the airline folds before your flight, the CC generally would refund and the debit card would not.
I am not an Obama hater, but why is Obama doing this or at least getting credit for this? When I first read this story I thought "Isn't the legislative branch responsible for guiding what happens with the wireless spectrum?".
The FCC Website states "The Federal Communications Commission (FCC) is an independent US government agency, directly responsible to Congress, and regulates interstate ..."
Does Obama even have the authority to double the available broadband wireless spectrum?
It's unfortunate that eating lunch by yourself makes someone appear to be a snobbish loser.
Extroverts (I'm referring to people who get their energy from interacting with other people, and find it draining to be alone - not referring to outgoing people) assume that everyone is an extrovert. Introverts (referring to people who get their energy from being alone, and find it draining to be with other people - not referring to "shy" people) end up getting judged harshly when they just want to use their lunch break to actually just get a break and recharge.
I eat lunch alone nearly every day. When else am I going to read /. ?
It also seems crazy that this weekend I paid less for a gallon of milk that was pumped out of an animal than I paid for a gallon of gas that was pumped out of the ground.
I disagree with the parent's suggestion that they could have changed the data by combining zip codes without impacting the results. From what I've read about the Netflix Prize competition, the people involved really, really had to work for the last quarter of a percent or so to get to the 10% goal. Different zip codes in the same area could affect the results at this level - if you live downtown vs. the suburbs, etc.
I agree with the few posts here that the Galileoscope is a fun kit to assemble and learn about a telescope, but I'm afraid a lot of kids could get disappointed and turned off to astronomy if it's the only telescope they have available for observing. Even with a good camera tripod it is difficult to use to find objects and keep still enough to get a good view. The optics are good, but relatively small, and the focus mechanism is not as good as most telescopes.
I definitely agree with the posts above that recommend a good quality reflector. The Celestron FirstScope is around $50 and will give you a much better view and experience than the Galileoscope. If you want to get bigger there are tons of 4" reflectors out there of varying quality.
So I read the article about the reports of negative effects. They surveyed college students, and a result (for example) was that students who mixed energy drinks and alcohol were more likely to ride with a drunk driver. Or put another way, students who rode with a drunk driver were more likely to mix energy drinks and alcohol. Maybe riding with a drunk driver gives a person cravings for energy drinks mixed with alcohol. Or maybe people who are stupid or have poor regard for their own health and safety are likely to make multiple bad decisions, like riding with a drunk driver and mixing energy drinks and alcohol.
I'm not saying mixing energy drinks and alcohol is not bad, I'm sure it is, I'm just saying the study may be flawed.
We use a pair of Coyote Point Equalizer E250 appliances for our web load balancing. About $5,000 for the HA pair, but it's about the easiest load balancer to install and run that I could imagine...so if you are more worried about the ability to support and maintain the system than you are about the cost, then this could be a better choice than building your own from open source tools.
I absolutely agree. Someone who can lead, motivate, and develop people does more for the organization and the employees than a supervisor who knows how to do the technical stuff but lacks these skills and talents needed to lead.
Though a person can be both, technical and leadership skills are not mutually exclusive.
Yerkes Observatory (in Williams Bay, Wisconsin, home of the world's largest refracting telescope) recently sold off a portion of its grounds to developers to be able to keep funding preservation of the observatory. Actually the Observatory itself was sold to developers, in agreement that they would donate it to the village of Williams Bay.
http://www-news.uchicago.edu/releases/06/060607.yerkes.shtml
While I've heard Bletchley Park is a pretty awesome tour, I've always been underwhelmed by tours at Yerkes...maybe the money can help their outreach program improve.
There is an inherent flaw with many of the commercial laptop full-disk encryption solutions out there. I have the most experience with Utimaco's Safeguard Easy, but I know many of the other big players have the same fault -
The software has a feature called "Pre-boot Authentication", by which the encryption software is loaded after the BIOS, but before the (generally Windows) operating system. The user's password is used to generate the decryption key, so theoretically not even the NSA could decrypt the laptop without the user's password.
Here's the flaw - the software has a checkbox to disable pre-boot authentication. What this does is generate a default user with a random password, and then store this random password, obfuscated but in clear-text, in the same disk area as the decryption software. When you talk to the salespeople, they sell this as a feature; in fact about half of Utimaco's customers (so I'm told) run it in this mode because the encryption becomes transparent and it is much less intrusive on the user. (Basically the disk is automatically decrypted each time the laptop is booted, but you have to have a valid Windows login to get in.) Buried in the help documentation are warnings: "For security reasons, you should Never disable pre-boot authentication". So the engineers and the company know the weakness of disabling pre-boot authentication, but they don't tell their customers when they sell the software.
Today it seems that to break into these laptops with pre-boot authentication disabled you would need somewhat sophisticated tools and techniques, basically the same tools and techniques people commonly use to "crack" commercial software today. But I'm guessing that it won't be very long before someone takes the time to build this crack and releases it, rendering the laptop encryption useless to anyone who can Google for "Utimaco Crack", etc. Basically all the crack would need to do is grab the default user's password off the disk and use or duplicate the decryption algorithms that are also in clear-text on the disk.
I've talked to a number of IT security folks, and basically it seems like most people trust the sales folks and don't understand that it's basically impossible to have strong encryption without having the decryption key stored off the disk (like on a smart card, or in the brain of the user.)
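As an added example (not code from the comment above or from any vendor's product), a toy model of the key hierarchy the post describes: with pre-boot authentication the key-encryption key comes only from the user's password; with it disabled, the default user's password sits obfuscated in the header and the disk alone is sufficient to unlock the volume. The header layout, the XOR obfuscation constant and the wrap scheme are assumptions made for illustration; the `audit` check is the kind of fleet test that catches the "transparent" mode.

```python
"""Added example, not from the original comment or from any vendor's code: a
toy model of the key hierarchy the comment describes, showing why a volume
whose unlock secret lives on the same disk is recoverable by anyone who can
read the disk, however that secret is obfuscated. The header layout, the XOR
'obfuscation' and the key-wrap scheme are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

KDF_ITERATIONS = 100_000
# Stand-in for a vendor's fixed obfuscation constant (constructed value).
OBFUSCATION_MASK = bytes(range(32))


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the user's password (the pre-boot path)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class DiskHeader:
    salt: bytes
    wrapped_volume_key: bytes          # 32-byte volume key wrapped under the KEK
    check: bytes                       # HMAC(KEK, "check"), detects a wrong password
    autologon_secret: Optional[bytes]  # obfuscated default-user password; PBA disabled only


def create_volume(password: str, preboot_auth: bool = True):
    """Return (header, volume_key). With preboot_auth=False the software
    picks a random default password and stores it, obfuscated, in the header,
    which is the mode the comment describes."""
    volume_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    autologon = None
    if not preboot_auth:
        password = secrets.token_urlsafe(24)  # 32 URL-safe characters
        autologon = xor(password.encode(), OBFUSCATION_MASK)
    kek = derive_kek(password, salt)
    header = DiskHeader(salt, xor(volume_key, kek),
                        hmac.new(kek, b"check", "sha256").digest(), autologon)
    return header, volume_key


def unlock(header: DiskHeader, password: Optional[str] = None) -> Optional[bytes]:
    """What the boot loader does. With PBA enabled the password must come
    from the user; with PBA disabled the loader reads it back off the disk,
    and so can anything else that can read the disk. Returns the volume key,
    or None when no usable password is available or it is wrong."""
    if password is None:
        if header.autologon_secret is None:
            return None  # nothing on disk can unlock this volume
        password = xor(header.autologon_secret, OBFUSCATION_MASK).decode()
    kek = derive_kek(password, header.salt)
    expected = hmac.new(kek, b"check", "sha256").digest()
    if not hmac.compare_digest(header.check, expected):
        return None
    return xor(header.wrapped_volume_key, kek)


def audit(header: DiskHeader) -> list:
    """Fleet policy check: the only acceptable state is one where the disk
    by itself cannot produce the volume key. Tested behaviourally rather
    than by trusting a flag."""
    findings = []
    if header.autologon_secret is not None:
        findings.append("pre-boot authentication disabled: unlock secret stored on disk")
    if unlock(header) is not None:
        findings.append("volume key recoverable from the disk image without a password")
    return findings


if __name__ == "__main__":
    hdr, _ = create_volume("hunter2", preboot_auth=True)
    print("PBA on :", audit(hdr))
    hdr, _ = create_volume("ignored", preboot_auth=False)
    print("PBA off:", audit(hdr))
```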
IANAL as well, but it's my understanding that only Law Enforcement can perform an illegal search. If someone steals information and gives it to Law Enforcement it's still admissible.
Otherwise, if I thought that the police were about to crack down on my best friend's counterfeiting operation, I could just steal all the stuff related to the operation and drop it off at the police station, basically nullifying all of it as an illegal search.
The defense's best tactic would be to claim that there's no way to know if the messages have been tampered with (unless the originals can be subpoenaed off MediaDefender's systems). Though I'm sure MediaDefender is in a tailspin right now trying to figure out if they should be purging all the email from their systems quickly, or if there's already a substantial likelihood of legal action - which would force them at this point to retain all the related email they have today.
And How!
Now I don't like the tactics of the RIAA/MPAA any more than the next geek, but as I was reading this I was amazed at the attitude of Slashdot commenters supporting the criminal who violated a number of serious laws to break into a computer system, steal this private corporate data, and post it publicly. I think I learned in kindergarten that two wrongs don't make a right. I also suspect that a number of entities will pitch in together and spend a great deal more than the average time and energy to track down the people who accomplished this.