Slashdot Mirror


User: blair1q

blair1q's activity in the archive.

Stories: 0
Comments: 9,324

Comments · 9,324

  1. Re:Suicide on Terry Pratchett Considers Assisted Suicide · Score: 1

    Are you saying that 5.88 billion ERs have closed?

  2. Re:you think citibank gives a flying fuck because. on How Citigroup Hackers Easily Gained Access · Score: 1

    there was, but Ally Bank is letting its interest rates decay (3% a year ago, 0.5-1.0% today). fee hikes come next, then they get a Close notice from me.

  3. Re:If you don't know, ask. on How Citigroup Hackers Easily Gained Access · Score: 1

    They added ssh. They probably considered that "securing the link" and didn't take another look at how the accesses themselves worked once you were in, because their interest was in "securing the link".

    And while banks have the means (i.e., my money) to pay for experts, they rarely if ever do, unless some standard or regulatory body somewhere explicitly requires it.

    Seriously. In 1994, when this was probably installed, nobody would have thought to stress-test putting random numbers into the fields in the URI. Banks were the ass-end of online computing, and careful attention to online security consisted of using a password other than "password". Separate the database and the URI by a few layers of browser and HTTP server and cgi-bin frosting, and there may have been nobody even cognizant that the number in the URI was passed unmolested to the database query.

    Now the whole chain would be clad in adamantium. Then, SQL-injection city. I bet you can pwn citi's servers with the examples on CPAN.

  4. Re:Seriously, what the fuck! on How Citigroup Hackers Easily Gained Access · Score: 1

    I suppose you could decouple the hashed account number and the session ID, but why? The hashed value should be unique per session. Making it the session ID means you're not getting in with another hashed value, and you're not using that one again. Although now I think about it, hashing isn't necessarily guaranteed to produce a unique result, while sequential session IDs has a better chance of it. Okay. You need both a unique session ID and your hashed key, and the session ID should be hashed into the key with your account number, and maybe some other salty goodness as long as we're expanding it, although you'd want to be able to recreate it later, in case you need to trace something for technical or legal purposes, so adding a random salt would be a no-no.

  5. Re:The "Expert" on How Citigroup Hackers Easily Gained Access · Score: 1

    Seriously?

    You never heard of chatroulette?

  6. Re:If you don't know, ask. on How Citigroup Hackers Easily Gained Access · Score: 1

    The only mitigating factor that could possibly exist here is, Citi is probably one of the first few banks to even have online account access, and this may be in the oldest portion of their access system. Its design may have been done way before securing against such things would even come up in a programmer's mind. And once in place and working nominally, nobody would ever have had cause to review it until they decided to start a new system from scratch (something banks almost never do; I have daily interactions with a couple of banks that I keep exhorting to scrap their crappy user interfaces and start over; nothing ever changes, not even things I'm personally not complaining about; banks long ago stopped putting money into their online presence).

    And while it's mitigating, it's not an excuse. Whoever's in charge of online security (and it's a CIO at least) is likely being ass-raped in the executive washroom (and I doubt I'm being metaphorical here) by the board over this, while the CEO holds the paper towels.

  7. Re:you think citibank gives a flying fuck because. on How Citigroup Hackers Easily Gained Access · Score: 1

    They can't pass the cost to their customers. Or rather, they have already ensured that their price is the maximum their customers can give.

    If you have a bank account with Citi, you are probably earning 0.05% interest, and paying for all activities you perform through the bank.

    Time to let Citi crash and burn, and move their customers' assets to a bank that isn't completely corrupted by profiteering and shitty service.

  8. Re:I did something similar on How Citigroup Hackers Easily Gained Access · Score: 1

    You didn't grab it?

  9. Re:Seriously, what the fuck! on How Citigroup Hackers Easily Gained Access · Score: 4, Insightful

    Account numbers don't need to be secret. In fact, you hand them out when you write checks.

    It's the access using the account number that has to be protected by more than "is the rest of the URI formatted correctly and does the browser have a cookie we issued to it?"

    Hashing the account number (and other info) into an identifier in that cookie, then using that as the session ID, and only allowing access to that one account from that port until another session was authenticated on it, would be more proper.

    It's not just the URI that is screwy, it's the whole lifecycle design of the session, and a failure to partition the data in any meaningful way.
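    The access-control point made in this comment and in comment 3 (an account number taken straight from the URI and passed to the query), shown as an added example that is not the commenter's code: the session is bound server-side to the account that authenticated, and a request naming any other account is denied and recorded. The store, account table and function names are constructed for illustration; the example uses a random opaque token rather than the hash-of-account-number scheme sketched above.

    ```python
    import secrets
    from typing import Dict, List, Optional, Tuple

    # Constructed in-memory stand-in for a bank's account table (not any real data).
    ACCOUNTS: Dict[str, dict] = {
        "1001": {"owner": "alice", "balance": 250},
        "1002": {"owner": "bob", "balance": 900},
    }

    # Server-side session store: opaque random token -> account that authenticated it.
    SESSIONS: Dict[str, str] = {}

    # Cross-account requests that were refused: (session's account, requested account).
    # A burst of these from one session is the signal a monitoring rule should alert on.
    DENIED: List[Tuple[str, str]] = []


    def login(account_no: str) -> str:
        """Issue an unguessable token bound to one account (password check assumed done)."""
        if account_no not in ACCOUNTS:
            raise KeyError("unknown account")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, no account data inside
        SESSIONS[token] = account_no
        return token


    def vulnerable_get_account(cookie_present: bool, account_no: str) -> Optional[dict]:
        """The design the thread describes: the URI's account number is trusted as-is.

        Any browser holding a valid cookie can read any account by changing the number.
        """
        if not cookie_present:
            return None
        return ACCOUNTS.get(account_no)


    def hardened_get_account(token: str, account_no: str) -> Optional[dict]:
        """Authorize against the server-side session, not against the URI.

        The session says which account the caller proved ownership of; a request
        for any other account is refused before any lookup happens.
        """
        owner_account = SESSIONS.get(token)
        if owner_account is None:
            return None  # unknown or expired session
        if owner_account != account_no:
            DENIED.append((owner_account, account_no))  # record for detection
            return None
        return ACCOUNTS[account_no]
    ```
    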

  10. Re:Seriously, what the fuck! on How Citigroup Hackers Easily Gained Access · Score: 1

    Same deal here, except it's more like a paper shredder.

    Banks used to borrow (yes, borrow) your money and pay you interest for it. Now they pay 0.05% interest on Savings, which costs more to print than you can earn from it.

    Since your money is now no longer holding its own against inflation in your Savings account, it's being shredded by the bank. Or rather, it's being stuffed in their pockets, since they are happily investing it in all sorts of things and making record profits on it.

    So, to recap: you're shredding money that they're taping back together and spending on congressmen to keep the scam going.

  11. Re:Suicide on Terry Pratchett Considers Assisted Suicide · Score: 1

    http://www.kff.org/uninsured/upload/7651.pdf

    Small percentage of the uninsured.

    http://www.jpands.org/vol10no1/cosman.pdf

    Takes a guess, gets lucky, comes up with the same small percentage.

    http://en.wikipedia.org/wiki/Emergency_Medical_Treatment_and_Active_Labor_Act

    You do realize that says that the federal government is paying for anything not covered by insurance for illegal aliens, right? Which means that any ER that has those costs can file a form to the feds and get their money back, right? Which means that I was wrong. Illegals are not a tolerably small portion of the costs of an ER. They are zero cost to the ER, and the way hospitals are run by grifters they are possibly a huge profit center for ERs. Clinic visits cost very little, and the ER can bill the government their usual profit-bloated price.

    So I was right. No ER has ever closed down because of illegal aliens using them as clinics, because no ER should be losing money on them.

  12. Re:Suicide on Terry Pratchett Considers Assisted Suicide · Score: 1

    Paint you as a bigot?

    You brought up the illegal aliens. By expressly not calling you personally a bigot, I deliberately gave you an opportunity to blame those who misinformed you.

    You missed the rational bus when you posted that list without checking to see if it supported your statement about illegals.

    And I wouldn't feel right leaving digressions alone when they are as disruptive to health and safety as the "illegals are fucking up healthcare" canard. Lives are at stake there. You can't lob that into the room and expect nobody to try to throw it back out at you.

  13. Re:Suicide on Terry Pratchett Considers Assisted Suicide · Score: 1

    I saw exactly that list while double-checking on Google if I was right before posting. Show me where it says that illegals with earaches shut those ERs. Next time don't pretend to bring proof, bring proof.

    The fact is, it's never happened. The cost margins of low-criticality clinical care is bupkis compared with the profit margins on real-emergency care that ERs give, which are reasonable compared with the profit margins on inpatient care ($6k per day to stay in a hospital room, and that doesn't technically count the rent and maintenance of the room itself; that's another $600/day; even if there's nothing really wrong with you). It's the base costs of keeping ERs open when they don't have many real-emergency patients that closes them down.

    I've been to the hospital a few times in the past decade. ER twice. The $20 band-aid is still there, and pays for three kids with sore throats who have no insurance.

    If you want to know why medicine costs so much, ask doctors how much they're making; check with insurance company profits and hospital-corporation profits and drug-company profits. How many of those were threatened with bankruptcy during the massive financial collapses of the past 12 years? Every other sector of the economy has been hammered, while they keep growing and making assloads of money.

    It's not about snot-nosed kids whose parents have accents.

  14. Re:I uploaded ... on Google Launches Search By Image · Score: 1

    it's high-tech, but as any geek knows, the vast majority of fuckable chicks still dig the neanderthals

  15. Re:Suicide on Terry Pratchett Considers Assisted Suicide · Score: 2

    No ER has ever shut down because of illegal aliens with ear infections. Ever. The cost of treating such cases is the cost of band-aids and aspirins, and spare time of doctors (which there is a lot of in an ER, when there aren't critical patients around, and when there are, the earaches do not get priority). Those costs get shifted to the other emergency cases, and take a small percentage of the massive profit margins that the hospitals, doctors, medical supply, and drug companies charge on them already.

    Anyone who told you ERs are shutting down because illegals use them as clinics is full of bigoted political misinformation. It's bullshit promulgated by people who've forgotten the point of America is accepting those whose nations have failed them, not becoming just another one of those nations.

  16. Re:Law? pashaw. on Terry Pratchett Considers Assisted Suicide · Score: 1

    It's not illegal to kill yourself, owing to the obvious absurdity of the prosecution (although it's not outside the realm of the law for a dead man to be tried for a crime; it's been done). It's illegal to fail to kill yourself, and it's illegal to hire someone to kill you, and it's illegal to kill someone at their request.

    So jumping off a bridge is still a clean getaway. It's just not a very reliable one.

  17. Re:What are they going to do? on Terry Pratchett Considers Assisted Suicide · Score: 1

    No, they don't have the death penalty.

    They may however put the "assisters" in jail for the rest of their lives.

  18. Re:Does nuclear really equal "progress"? on Italy Votes To Abandon Nuclear Power · Score: 1

    Add in the price of the thousands of lives lost to fossil fuels every year.

  19. Fucking luddites. on Italy Votes To Abandon Nuclear Power · Score: 1

    I'm going to go buy all the oil-company stock I can find. These people are dumber than a box of biscotti.

  20. Uh, no. on Google Should Be Logging In To Facebook · Score: 1

    Paradoxically, rather than hurting user privacy, it would have helped to protect user privacy in the long run if Google actually had been logging in to Facebook, spidering the information that was available to members, and making that information available in Google search results.

    I wouldn't have to lock my door if you and others like you would stop breaking in then telling me I should lock it.

  21. Re:it's more insidious than you think on Ask Amir Taaki About Bitcoin · Score: 1

    The more you post, the more new bitcoins they mine.

  22. Re:is there ever going to be a bitcoin bank? on Ask Amir Taaki About Bitcoin · Score: 1

    Cash. Mattress. Smoking in bed.

    Same problem, different century.

  23. Will there be a sequel? on Steve Jobs: the Comic Book · Score: 1

    Will there be a sequel, and in it will his turtleneck take on a life of its own, controlling him to do evil things until he overcomes it by believing in himself?

  24. Re:RSS Reader? on Nissan LEAF Leaks Speed & Location To RSS Feed · Score: 1

    http://www.nissan-global.com/EN/ENVIRONMENT/SOCIAL/CARWINGS/

    the car uses realtime traffic data to do GPS route creation

    there's also some weird stuff about comparing fuel economy with other car owners. something hypermilers have to do manually. of course, there's the question of why an all-electric car gives a fuck about fuel economy...

  25. Re:What if I just want a car? on Nissan LEAF Leaks Speed & Location To RSS Feed · Score: 1

    Like putting a swimming pool in your backyard, adding a feature that attracts one customer but drives away another gives you net zero increase in resale price.