Slashdot Mirror


User: LostCluster

LostCluster's activity in the archive.

Stories: 0
Comments: 5,986

Comments · 5,986

  1. Re:Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 1

    Yep... and the "attack" is that anybody, the chip or anybody else can send the in-the-clear "OK" message and the terminal goes through with the transaction. Essentially, the PIN check is a "feel good" level of security that doesn't protect against much.

  2. Re:Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 1

    Yep. That was a typo... I was referring to the "contactless" systems like Blink and the such where you wave your card at a designated point and your card number is read.

  3. Re:Not really surprising... on European Credit and Debit Card Security Broken · · Score: 1

    Like I said elsewhere, this is from the branch of security known as "false sense of". If you're constantly troubled for a PIN it means you'll feel safer... but when that PIN isn't needed by the fraudster we're back to the same point we were with "dumb" cards.

  4. Re:Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 5, Informative

    No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.

  5. Re:Man in the middle is Greece! on European Credit and Debit Card Security Broken · · Score: 2, Insightful

    They finally figured out how to get someone to bail them out

    There... fixed that for you.

  6. Re:Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 2, Informative

    Citation needed... how do you verify a PIN without trusting the card or having online access?

  7. Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 3, Insightful

    Seems like the problem with this system is that the PIN is stored on the chip... and that's just as stupid as writing it on the card! The attacks are simple... either a card that always agrees the PIN given is correct, or a terminal that tries to authenticate all 10000 PINs and then learns the right one.

    Payment processors have for years been wanting to have an offline secure system, but it just doesn't work. With cheap enough data systems available everywhere, it's not hard for every Wal-Mart and most rural gas stations to see a satellite. Get a $20/mo. dial-up account if you have to... there's no reason for anything that does money to be off the grid.

    If the PIN is stored online like traditional ATM cards, then there would be a quick way to be sure there's honest checking of the PIN and alarms if somebody fails too many times. The American "contact" systems are actually reasons to not require a signature or a PIN... but those are also designed for small-dollar transactions and keeping the fast food line moving. Sure, they're open to cloning risk, but they're willing to take that downside because there's enough upside to using the system.

  8. Re:Macs are great for small business though on Why Apple Doesn't Market Squarely To Businesses · · Score: 1

    It's basically Linux-designed apps running with the ultimate control panel. If you know what you're doing it's a waste of money. However, if you don't know Linux, then OSX Server can save you a ton of time showing you around with Mac-designed interfaces leading the way.

  9. Re:Steve Jobs wants Control on Why Apple Doesn't Market Squarely To Businesses · · Score: 1

    Meanwhile, OSX's similarity to BSD makes it easy for Open Source Linux projects to be ported to Mac.

  10. Re:HDMI spec on Sony Announces First 3D Blu-ray Disc Players · · Score: 1

    Any old TV antenna should work just fine in the new era because the digital TV band is a subset of the TV bands used before. I'm pulling in digital HD signals from stations that I used to get a fuzzy picture from using the same rooftop antenna. HD Radio works too!

  11. Patch Tuesday ahead. on Microsoft Finally To Patch 17-Year-Old Bug · · Score: 1

    This is a rather odd story to drop into the Slashdot cycle on a Friday night (East Coast USA); it's basically just a warning that the typical Patch Tuesday (second Tuesday of every month) is next week and the typical 0-day bugs will be fixed, which leads to the "bad guys" finding out what the bug was and deploying their attacks in the next few days.

    This really is a notice to the IT guys and people who don't have automatic update downloads installed... nothing newsworthy or out of the normal cycle of things.

  12. Re:Flash of stupidity... on Mentioning Android Is a No-No In iPhone App Store · · Score: 1, Funny

    Nah, they'd slap a "30% Off! Members save even more!" sticker over that.

  13. AppStoreRejections.slashdot.org on Mentioning Android Is a No-No In iPhone App Store · · Score: -1, Troll

    Rejections for losers. Stuff that doesn't matter.

    Could we have a new slashdot section for this so I can filter out this crap?

  14. Flash of stupidity... on Mentioning Android Is a No-No In iPhone App Store · · Score: -1, Troll

    I'm with Apple on this one. Does anybody think Barnes and Noble would be willing to post a sign saying your book was #38 in its category on Amazon? Do you think Best Buy will post an ad saying the censored version of your album is a Wal-Mart exclusive?

    You can't expect to place ads for a competing store's award in another retail store.

  15. Re:University Legal Services? on Univ. Help Desk Staffer Extorts Over Copyright Violations · · Score: 1

    True... but unless you stored specific URLs from back then, it's useless without a Google Wayback Machine.

  16. Re:Half-measures on Europe's LHC To Run At Half-Energy Through 2011 · · Score: 5, Funny

    I'm scared for all the half-lives at risk.

  17. Slash Tank (British viewers: think Dragon's Den) on Europe's LHC To Run At Half-Energy Through 2011 · · Score: 0

    You want $5.5 Billion? And the stated goal is to learn about particles that don't apply to anything Newtonian? Excuse me... how do you expect to make this money back? No way I'm investing in this. Consider me "out".

    Announcer: "The first Slashdotter is out. Fermilab needs to raise $5.5 billion from the other Slashdotters or they leave with nothing."

  18. Half-measures on Europe's LHC To Run At Half-Energy Through 2011 · · Score: 4, Funny

    Does this news mean we now only have to be half afraid that they're going to create a black hole that will destroy the Earth?

  19. Re:University Legal Services? on Univ. Help Desk Staffer Extorts Over Copyright Violations · · Score: 4, Informative

    If you know somebody who has Lexis-Nexis access, the article written by the Syracuse Post-Standard is there and that article went national via the AP. Slashdot picked up that story, but trying to find something from 2002 is nearly impossible these days.

  20. Re:University Legal Services? on Univ. Help Desk Staffer Extorts Over Copyright Violations · · Score: 5, Interesting

    Here's the short version of the story.

    The MPAA tried to hit every IT program in the nation with an "if you didn't pay for it, you stole it" presentation. Word of this spread through /., so everyone saw it coming. Nearly everybody in the class walked out when the MPAA's presenter entered the room... she wanted to cancel the presentation when they saw just me left, but I told the professor I'd demand a refund for the skipped class if he didn't present something, so the MPAA lady went through the script.

    Then, it was time for questions. And I attacked the DVDCCA (DVD Copy Control Authority) by asking where they came from, who owned them, and who pays to keep the lights on in their office. She nicely backed up in her presentation to show that they were paid for by the makers of DVD players, and they had to pay dues to this organization or you won't be able to play new DVD releases.

    Mentioned this on /. and then it just happens that my school's law program was also interested in this. Here was the theory... the DVDCCA had become an illegal cartel. DVD makers were being blackmailed to maintain compatibility, but they weren't the people gaining any benefit. There they go...

    And their first defense was to attack me. They tried to discredit me on /. but what they ended up doing was exposing their arguments to the world, and were being shot down by law students who knew more than me.

    So their next tactic was to offer me money to go away. I had a number in my head, but it was off by more than an order of magnitude from what they offered, so no deal.

    At this point, /. turned over my IP address and the university was tricked into giving away my phone number. They sent the team doing the MPAA movie downloader shakedowns to me. I was smart enough to not tell them how much I had for a long while, and then I called University Legal Services.

    I was connected with law professors at the university's law school and only had to tell them what I had done privately because they had already read and interacted with me on /. and knew the public writings of themselves, other /. users, and me.

    They gave me the key... tell the "collectors" after three calls that they were harassing me, then hide behind the University Legal Service's representation. They were flustered... I was basically inviting the lawsuit, and everybody involved was sure I'd win. Their handbook didn't cover that situation.

    So... now they've got a problem. We were dropping the c-word ("cartel") all over /. and they had no defense because they were guilty as charged on that. For a few days, it was thought that the DVDCCA would go bankrupt, leading Hollywood to have to choose between unencrypted movies, or no further releases until a legal scheme could be thought up.

    Just in time... they solved their part of the puzzle. If the MPAA member studios wanted copy protection, they'd have to pay for it themselves. The DVDCCA started collecting a fee on each disc that used their technology, and argued that publishers would pass that extra dollar and change on to customers, and the $19.99 price would be replaced by $22.99 thanks to me. Um, that never happened!

    So, in the end I discovered something that the MPAA didn't like, and their first reaction was to accuse me of downloading I never did. When their proof on that came up empty, they then addressed the original problem.

  21. University Legal Services? on Univ. Help Desk Staffer Extorts Over Copyright Violations · · Score: 5, Interesting

    I don't know about UGA, but when I went to college all students were covered with free lawyers and lawyers-in-training from the law school on campus for any dispute that didn't involve the university. They helped me fight off an MPAA attack when they didn't like my posting on Slashdot.

    It should be a selling point to students that they'll be okay if they just need a little help by proving they did nothing wrong. Again, what side is UGA on here?

  22. What are you doing here? on Univ. Help Desk Staffer Extorts Over Copyright Violations · · Score: 5, Insightful

    Seems like universities don't understand who's paying the bills... this job shouldn't have existed in the first place. Nobody from the school should be in the business of making copyright accusations. That's the RIAA's job, and they're doing a heck of a job.

  23. Re:Could someone explain to me on Making Sense of ACTA · · Score: 1

    ACTA is basically saying "We got the DMCA in the USA, so why don't you write a similar law where you are... or we're going to raise the price of our content to the point we break your economy!"

  24. Re:...Windows 7 runs great on VirtualBox on Mac on Boot Camp Finally Supports Windows 7 On Macs · · Score: 2, Interesting

    Yep... and also with the commercial VMware Fusion and Parallels Desktop. They had free betas when Windows 7 was in the free beta period as well.

  25. Re:Why do need to buy 10.6 to get this? more ways on Boot Camp Finally Supports Windows 7 On Macs · · Score: 3, Insightful

    $29 upgrade fee send you into bankruptcy? How'd you afford the $100+ for whatever version of Windows you got?