Wrong. The attack works by faking the 'This PIN is correct' response from the card. The terminal will assume (wrongly) that the response came from the real card and tell the bank that the PIN was validated. The bank's logs will show a normal PIN authenticated transaction.
That would:
- Be a lousy key for any sort of encryption.
- Hurt especially badly because the protocol is bound to generate 'known plaintext'.
- Actually make it really easy to recover the PIN from just sniffing a valid transaction.
The GP is wrong, it's not faking a no-PIN transaction in any way. It's faking the 'Yeah this PIN is correct' response from the card when the request to verify the PIN is sent. The real problem is that no verification is done to check that this response is actually sent by the correct card.
I'm fairly certain that's at least a risky thing to do. Assuming the chips in the UK behave pretty much the same as those in the Netherlands, the chip will lock up and refuse to authorize anything after 3 failed attempts in a row. Up to the point where you have to go to your bank and request a new card, it won't (and hopefully can't) be reset.
Now imagine mistakenly using the PIN from your other card in a terminal which decides to pre-test with 2 random PINs.
Regardless, even though this attack is not technically extremely complex, it isn't that easy to pull it off in practice. You need to steal a card, and use a fake card with wires dangling from it in a shop. You also need to buy something which isn't registered to your name in any way, which is easy to convert to cash, valuable enough to make it worth the risk and effort and preferably sold somewhere without CCTV.
It sure isn't impossible, but it's probably easier to earn your illegal cash some other way.
Don't race to work then, just cycle. You don't have to average 20mph, just take it easy and you'll be fine. Save the racing for the way back and take your shower at home.
But he most definitely would have to be classified something today. I mean, you really can't be just Calvin (or Tom, or Bill) any more. You need to be classified.
I really doubt anyone was thinking in "what type of kid is Calvin" terms when the comic was first released...
I tend to agree that this is not where we should be going, but it may well be a part of how we get there. Flash isn't going to go away just like that, nor is HTML5 going to be all over the place all of a sudden. However, this may well ease the transition a bit.
Eventually Adobe will probably start spitting out HTML5 instead of .swf files, I'd guess they wouldn't mind not needing to maintain the player anymore.
I've been involved long enough to remember people saying DNS A6 records were the wave of the future, and look where they are today.
(Yes I know, use AAAA now, I'm just pointing out the turmoil)
$ host -t AAAA slashdot.org
slashdot.org has no AAAA record
Quite clearly not there yet. Who needs ipv6 if it doesn't have /.?
But frankly, ipv6 is still growing. Way too slow, but it's far from dead. My ISP is currently experimenting with native ipv6 on their DSL lines, Google is also pushing towards ipv6:
www.google.com is an alias for www.l.google.com.
www.l.google.com has IPv6 address 2a00:1450:8001::63
www.l.google.com has IPv6 address 2a00:1450:8001::69
www.l.google.com has IPv6 address 2a00:1450:8001::6a
www.l.google.com has IPv6 address 2a00:1450:8001::67
www.l.google.com has IPv6 address 2a00:1450:8001::68
www.l.google.com has IPv6 address 2a00:1450:8001::93
For now that's on selected ISPs only, but I'm using it daily. And more stuff like that is popping up regularly, all small steps, but moving in the right direction.
I've got several reasons to expect a proper ipv6 netblock from my ISP:
1. That's what I'm currently already getting from my ISP.
2. That's how ipv6 is supposed to work.
3. That will be the default configuration of big routers.
4. Ipv6 addresses will not be scarce, so handing out single addresses instead of blocks will not save any money.
5. Actually, not using the default mac-address based numbering scheme will complicate configuration and will raise the requirement on end-point routers, so it's actually likely to be more expensive.
6. I won't pay any ISP which offers 'ipv6' and then hands out single addresses, and neither should you.
I can easily identify the hosts internal to my ipv6 network, they all get the same prefix. With ipv6 you're not getting random addresses assigned, instead you will normally get a block of addresses to use inside your network.
Re:Your argument is over 20 years out of date (on "A Requiem For Saab", Score: 1)
Oh dear, if Saab has to die because they produce mediocre cars, what will happen to the rest of GM?
So let's assume the world is black and white only and all of this is entirely caused by cultural conditioning. That still doesn't make it a problem.
I mean, eating turkey at Christmas is cultural conditioning as well...
Is that really true in this case? It sure isn't for those 'open' android phones. From the article:
Google said consumers won't be able to download the operating system - it will only be available on hardware that meets Google's specifications. Hard disks are banned, for instance, while Google said it will also specify factors such as screen sizes and display resolutions.
What makes you think Google won't make sure this remains true? Actually, isn't Google trying to do exactly what Apple does here, make sure they have full control over the hardware their software runs on?
Unlike for Apple when they started, Google doesn't actually have to design their own hardware though, it has become a commodity, available from many vendors. Google just has to pick one which will do exactly what they want.
I have a Debian install running here which started its life as a woody install. Over time it has been through 3 different systems, it's been moved to a different HD about 4 times. But do as the parent suggests, install nothing but the base system and then hand-pick the packages you need. There really is no reason to use an older distro, just select lightweight software.
No, they really are saying exactly that. Look at the sentence: "Endaget is reporting..." (statement of fact) "...that Nokia is suing Apple..." (statement of fact) "...because the iPhone infringes on 10 patents" (statement of fact).
I used to copy-edit at CNN, and this is a textbook case of convicting someone through sloppy writing. The summary should say "...because Nokia says the iPhone..." or "...because the iPhone allegedly..."
Of course, the other funny thing is that most every other patent story on Slashdot howls at the ridiculousness of patent cases, if not the implausibility of patents themselves.
Sorry, I forgot to cover my ass at least five times before saying anything about a court case.
Still, as far as I can see "the iPhone infringes on 10 patents" is the reason Nokia is suing Apple. Even if that claim turns out to be totally absurd it is still the reason Nokia sued Apple. But I'm not a native English speaker so I might just read that differently.
That UTMS thingy however, that was just sloppy writing...
On trusted networks, yes, perfectly acceptable. Any security measure is a balance of cost and benefit, for a trusted network the benefit of encrypting passwords is none at all. All it does is add to a sense of security, not to real security.
Even on the big bad internet the chances of your password being hijacked by a keylogger or because you typed it into a 'Check these pics!!' page are way bigger than it being picked up by a network sniffer.
I fetch my mail from my ISP using POP and a plain text password. I trust my ISP to make sure their routers aren't hacked and aren't running all sorts of sniffers. If I didn't trust them that much I should not be receiving any email through their servers anyway.
And I'm not ignorant, I noticed those brute-force attacks TFA is talking about in my logs before I read about it. Did you?
Why do people assume that "the lan" is some magical secure place?
Because I don't let just anybody into my home and I don't have a wireless network either?
And somehow I doubt somebody will break into my house just to hijack another linux box, but when they do they'll probably access the box directly instead of over the network.
Perhaps they stopped trading, but that very week turned out to be a record week in terms of automatic trading volume. It could of course be that the others have been extremely busy and reached that record without GS, even though they are normally the biggest automatic trader, but that would be really surprising.
That's just wishful thinking.
Perhaps "tits" is intentionally not thread-safe, and therefore this is essentially a spinlock.
Like, you could get out of this endless quest, but only if somebody else finds you some tits?
More likely good old fashioned protectionism.
But if your browser properly supports the tag and H.232 it will probably be pretty easy to start that through javascript...
What is going on here?
Marketing.
Been there, done that. Works like a charm.
Interestingly, the scroll and bounce back behaviour described in that article is in the N900 interface as well.
Sure, but at least Duke Nukem 3D is already available: http://maemo.org/downloads/product/OS2008/duke3d/
Don't know about you, but I like my USB drives to be small things.