Yes! I HATE the fact they have replaced the really effective Shinfield Rd mini-roundabout with that set of lights. I tend to only drive in Reading for a week, once a year, but know it quite well because I used to live there. Also I question myself every time I have to navigate Winnersh Triangle roundabout and have ended up in Lower Earley more than once instead of Wokingham Rd.
It doesn't have to be gratuitous, and I like a good score arranged multi-channel - it feels more immersive. A good 5.1 system combined with a good centre speaker will allow the dialog to be more intelligible.
Haha absolutely (and that is just from someone who tries to edit HD 1080i). From the viewer's perspective though I think most TVs today don't flicker at 50 or 60Hz.
540p would be fewer lines than SD in PAL regions where SD is 576i. Actually 576i is called out as SD at the beginning of TFA. Would progressive scan really make up for this?
OK gotcha - I failed to adjust my context correctly when reading your comment.
I believe that most of the hassle of identity theft is cleaning up your credit report after the fact and letting the creditors know they've been duped.
I do know that in the UK you can get credit without ID, and you can apply online but they mail a credit agreement for signing which you send back before you get a card.
In the US I wonder how much of the talk of identity theft is the credit agencies selling credit report monitoring services. :)
Actually I was thinking more about doing something like applying for a credit card where I don't think it's necessary to supply any ID (not covered by the PATRIOT act). A few years back it was possible (don't know if it is still possible) to apply for a credit card online with not much more than your address and social security number. You could get instant approval and they'd supply the credit card number on the approval screen so you could start spending online immediately!
I suspect that if someone applies for credit in your name with your social security number online this would be classed as 'identity theft'. Also if identity theft is generally only large scale operations why is talk of it so prevalent?
While not a supporter of national ID cards I definitely see the benefit of a crypto card with a private key stored on it where authentication can be done via RSA or some other asymmetric algorithm.
Using insecure methods to 'authenticate' (SSN, name etc) people is absolutely an issue of identity and identification! :)
Does that mean that if a criminal has both those numbers he can sign up online for a credit card in your name? I think that is where a lot of identity theft issues come from: being identified by a number with no form of authentication. I've never experienced identity theft myself but I know from moving house that online credit applications never seem to complain when I give an address that isn't already on my credit file. Anyone have any statistics or info on what the most common forms of identity theft are in the US?
But you've ignored my main point which is that no alternative OS protects from this scenario (without using some unmanageable SELinux configuration that you will switch off): User gets program as attachment, authorises the running of said program and program accesses everything user normally accesses. Therefore no privilege escalation. It is not 'more secure' in this scenario.
What privileged operation is required to access resources that are readily available to the user context? None that I can think of. You can read files and connect to the network without root/administrator. This can only be solved with a combination of policy and user education. AV and attachment filtering would be a start. As this was a targeted attack I don't think that security by obscurity would necessarily work (i.e. running a different OS).
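As an added example of the "attachment filtering would be a start" point above (this is not code from the thread; the extension list, magic bytes and sample attachments are my own assumptions and constructed test data), here is a minimal mail-gateway check that refuses an executable before the user ever gets the chance to authorise it. It catches the three usual tricks: a double extension such as `invoice.pdf.exe`, a right-to-left override character in the file name, and a PE or ELF binary renamed to look like an image.

```python
"""
Added example, not from the original thread: a minimal attachment filter.
It needs no privilege separation; it blocks the program before the user can
run it. Extension list, magic bytes and sample data are assumptions.
"""
import posixpath

# Extensions Windows executes directly on double-click (assumption: a
# representative subset, not an exhaustive list)
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "cpl", "lnk", "ps1",
}

# Leading bytes that identify code regardless of what the file is called
MAGIC = {
    b"MZ": "pe-executable",          # Windows PE / MS-DOS executable
    b"\x7fELF": "elf-executable",    # Linux ELF
    b"#!": "script-with-shebang",
}


def classify_attachment(filename: str, head: bytes) -> dict:
    """Return a verdict for one attachment given its name and leading bytes.

    Checks, in order:
      1. Unicode bidi override in the name ('notes\u202efdp.exe' is shown by a
         mail client as 'notesexe.pdf').
      2. Final extension on the executable list ('report.pdf.exe').
      3. Magic bytes that identify an executable regardless of extension.
    """
    reasons = []
    name = posixpath.basename(filename)
    if "\u202e" in name or "\u202d" in name:
        reasons.append("bidi-override-in-name")
    parts = name.lower().rsplit(".", 1)
    ext = parts[1] if len(parts) == 2 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable-extension:{ext}")
        if name.count(".") >= 2:
            reasons.append("double-extension")
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            reasons.append(f"magic:{label}")
            break
    return {"name": name, "block": bool(reasons), "reasons": reasons}


def filter_attachments(attachments):
    """Apply the policy to a list of (filename, leading_bytes) tuples."""
    return [classify_attachment(n, h) for n, h in attachments]


if __name__ == "__main__":
    SAMPLE = [  # constructed test data
        ("quarterly_report.pdf", b"%PDF-1.4 ..."),
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("photo.jpg", b"MZ\x90\x00\x03\x00"),      # renamed PE
        ("notes\u202efdp.exe", b"MZ"),
        ("setup.sh", b"#!/bin/sh\n"),
    ]
    for verdict in filter_attachments(SAMPLE):
        print(verdict)
```

The magic-byte check is the one that matters for the renamed-binary case; an extension blocklist on its own is trivially bypassed by an attacker who knows the recipient's client will happily run a `.jpg` once it is renamed back.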
Interesting, however typically there is no necessity for an application to be compiled from source for it to be signed. People could just sign a binary.
The issue for me is that Windows will reboot even if you have unsaved documents open (e.g. notepad). Also if you leave a manually installed update for long enough without rebooting the popup window informing you that you need to reboot becomes a countdown to an automatic reboot, again with the potential loss of any unsaved documents.
I don't think Windows Update is a bad thing, but this behaviour I find kind of annoying.
The most recent version of PCI DSS states that any direct external availability of DBMS is an instant failure, and this is tested by the ASVs (or at least it should be). Any buffer overflows in remotely available services should also be detected by the required quarterly vulnerability scans.
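An added example (not from the comment above or from any PCI document) of the kind of check behind that "instant failure" point: parse `ss -ltn` output from a host and flag any known DBMS port that is not bound to loopback, then optionally confirm from outside with a plain TCP connect the way an ASV scan would. The port list and the sample `ss` output are my own assumptions and constructed data.

```python
"""
Added example, not from the original thread: find DBMS listeners that are
reachable beyond loopback. DB_PORTS and SAMPLE_SS_OUTPUT are assumptions.
"""
import socket

# Well-known DBMS listener ports (assumption: representative, not exhaustive)
DB_PORTS = {
    1433: "mssql", 1434: "mssql-browser", 1521: "oracle", 3306: "mysql",
    5432: "postgresql", 6379: "redis", 27017: "mongodb", 50000: "db2",
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]", "*"}

# Constructed `ss -ltn` output for a host that gets this wrong in two ways
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      128    [::]:1433           [::]:*
LISTEN 0      128    [::1]:6379          [::]:*
LISTEN 0      128    10.0.0.5:27017      0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # handles [::]:1433 too
        yield addr, int(port)


def exposed_db_listeners(ss_output):
    """Return DBMS listeners bound to anything other than loopback.

    0.0.0.0 / [::] mean every interface, which fails outright on a host with
    an external interface; a specific non-loopback address still needs a
    firewall rule to justify it, so it is flagged for verification.
    """
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in DB_PORTS or addr in LOOPBACK:
            continue
        findings.append({
            "service": DB_PORTS[port],
            "port": port,
            "bind": addr,
            "severity": "fail" if addr in WILDCARD else "verify-firewall",
        })
    return findings


def is_reachable(host, port, timeout=2.0):
    """External confirmation, as an ASV scan would do it: can we connect?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run the parser against real `ss -ltn` output on each in-scope host, then call `is_reachable()` from a machine outside the cardholder data environment for every `fail` finding; a listener that is bound wide open but blocked at the perimeter firewall is still worth fixing, since the firewall is now the only thing standing between the Internet and the database.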
The PCI DSS has nothing to do with stopping fraudulent credit applications. It's about making sure that payment information you have given to a merchant is protected from security breaches. The merchant is rightly responsible for this.
Agreed, prepared statements are definitely the best protection against SQL injections. I don't see why this point starts with a "but" though. If that is what is "recommended" then those doing the recommending need more education.
Some blame lies with the way certain web-app languages have been put together; e.g. default output to the browser not being escaped. Further abstraction by newer languages, or in-house built layers can solve these problems though, if the programming team understands the risks.
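An added example (my own code, not from either comment above) that puts the two points together: the concatenated query that a prepared statement replaces, and the unescaped template output that a default-escaping layer would have prevented. It uses Python's built-in `sqlite3` and `html` modules; the table, users and payloads are constructed test data.

```python
"""
Added example, not from the original thread: SQL injection and reflected
XSS side by side with their fixes. Schema, rows and payloads are constructed.
"""
import html
import sqlite3


def make_db():
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


# --- SQL injection -----------------------------------------------------------

def find_user_vulnerable(conn, username):
    """Deliberately broken: the caller's string becomes part of the SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Prepared statement: the value is bound, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


SQLI_PAYLOAD = "' OR '1'='1"   # turns the WHERE clause into a tautology


# --- Cross-site scripting ------------------------------------------------------

def render_greeting_vulnerable(name):
    """Deliberately broken: user input goes into the page unescaped."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Escape on output; quote=True also neutralises attribute contexts."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, SQLI_PAYLOAD))  # every row
    print("safe:      ", find_user_safe(db, SQLI_PAYLOAD))        # no rows
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

The safe query returns nothing for the payload because sqlite compiles the statement once with a placeholder and then supplies `' OR '1'='1` as a string value to compare against; it is never tokenised as SQL. The same separation of data from code is what output escaping does for HTML, which is why a template engine that escapes by default removes the whole class of bug rather than one instance of it.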
I think this misses the point. Common vulnerability types could be avoided with a little education on how they actually work. Understanding how vulnerabilities come about would allow programmers to avoid creating instances of them in the first place.
If you monitor the bugtraq list you can see that the vast majority of reported vulnerabilities are XSS and SQL injections in web apps. Most of these can be easily avoided if you know how they occur.
This would mean less time needed for reviews as the code would be more secure in the first place.
I don't know anyone who has just a 1mbps connection any more. I have an NTL (NTHell) 10mbps cable internet service and I truly do get over a megabyte a second download if I use a Firefox download accelerator like DownThemAll.
Both of these suggestions are cool. You could also use AppLocker on Windows to do application whitelisting.
You guessed it: no interest.
There was when I did; as a new US arrival I had to put down an $800 deposit because I had no credit. Got it back a year later. This was AT&T.
Vista discs with SP1 included are available for download on MSDN.
I believe it's because the chip is smaller, therefore more fit on the same size wafer.
How do you make the payment information worthless to someone wishing to carry out fraudulent purchases without new hardware systems?
OK so this solution requires additional hardware to allow your computer to interface with the chip on the card.
To me the giveaway was El Reg posting new articles at the weekend :)
So how does the server learn the credit card number etc necessary to perform the transaction?