I've been wondering myself - at what point do these become like DRM (i.e. pointless)?
They get harder and harder for legit users to get right, yet the Bad Guys(TM) have ways to get around them with ease. Some point they just become an annoyance and an impediment to real users but don't stop what they are supposed to. They also suffer from the same problem, providing the keys to the castle and expecting the hurdle will stop them being used.
Anecdote accepted. Snappy comeback not found. And now please welcome our next guest....
SSL is the gold standard for encryption.
It's good, but I wouldn't go that far. Also, all the cool kids are calling it TLS these days.
It's used on every HTTPS website,
That's what https:// means
it's used for SSH,
No it isn't, that's a different protocol. It's also good, but it's not the same thing.
Your weights skew things.
What if A is +10, B is -10,000 and C is -10,001?
B and C are close enough that the choice is pretty irrelevant. Also there needs to be some sort of formula to take into account that third parties (indeed the idea of third parties, as much as any one in particular) have an associated snowball effect. The more people vote for a third option, the more people think that it might just work...
But yeah, electoral reform is the real answer.
The point of lying is to stop dishonest or immoral behaviour by the official.
More stuff becomes illegal every day and it's now damn easy to fall under suspicion for something.
I have stuff to hide, sure. Maybe I have a picture of my girlfriend in the shower, that's private data and not something I want those people to see (or propagate!). Legal, but private.
The US has a history of government sponsored industrial espionage. Company policy isn't going to do anything.
Fair enough, but my view is government restriction of protest is a terrible idea. Allowing the general public to do the same is even worse.
Neither is good. In that we agree, I think :)
I don't think the two are much different. In fact the idea that anyone could stop any protest they want to, regardless of it transgressing law, is worse.
I mean, how many times have you heard anti-protest statements from people who have nationalism and patriotism so mixed up with pro-current-government that they just react against all forms of protest and mouth off about filthy hippies?
I've seen it a lot.
Some people have to have it explained to them (very, very carefully and at great length) that protest and democracy go hand in hand.
A lot of folks are too busy shouting "Fuck yeah! America/UK/Wherever rules!" to see anything but a threat to their country and themselves (well, their "tribe" they've been conned into thinking they're a part of) in any form of dissent.
"then again, you could also call on them to break up protesters outside your home or work."
And that is good why?
If you're undergoing harassment or they are causing a public nuisance then that's one thing, but being able to arbitrarily break up gatherings of people meeting to protest is not in any way good. It's very, very Soviet.
Well, in my previous post I neglected the impact of things like DNS poisoning and the recent exploit. Perhaps by using a non-public server they feel an attack vector (looking for and intercepting DNS traffic) is minimised? Plus they would get to use DNSSEC.
But from a paranoid's view of things, even if you're not under attack, if you're already proxying out of somewhere you want to be able to either do lookups at the remote (trusted) end on a server they know about, or use a trusted one in an encrypted way, so that your ISP doesn't get too good a picture of what's going on.
For a start, if all they get is endpoint information then there are times when machines run many hundreds of websites and which one you visit could be hard to tell, so long as you're not using the SNI extension to TLS of course...
It's a tricky area, but having control over your DNS due to insecurities and privacy concerns is certainly not a bad idea.
Is it not incredibly obvious?
Same reason you switch on DNS-over-proxy in Firefox. You don't have to make a connection to an actual site to get caught out, it's enough that your query goes to a third party, usually your ISP, that is required to keep and divulge records.
Much better to use your ISP as an untrusted comms link.
But what I'm referring to are those times when traffic exceeds predictions.
In which case you haven't got the capacity in the first place!
1. Think big
2. Always.
I'd reckon IBM and VMware probably have that lot wrapped up already. Still, there's no reason (given current record) that you couldn't have one as well.
Think past "HA" for a second.
Think about metrics, predictable traffic and planned capacity.
Think about bringing a percentage of spare capacity online at any one time, in line with predicted peak traffic, and more as the load increases on what's there already.
HA can still be HA without needing everything on all the time.
(also, why the hell was my last post modded down as redundant?)
That depends if your system has been tuned to boot in 5 seconds.
Or if it can return from suspend-to-ram nice and quick.
It's also to stop tire lock and skidding, which could end up with the car anywhere from on the other side of the road to in a tree.
Personally I'm a geek and I've not even moved from Xandros. It works fine, boots in about 10 seconds and does all the browsy/mail stuff I want.
Frankly, the problem is probably that an Atom processor just won't run Word/Photoshop...
And average Joe doesn't need to spend any time at all installing ubuntu, he just needs to learn the firefox icon. Or to click "Internet"
Care to back up your assertion?
I work for a place where platform choice is left to the individual, and linux is one of the choices.
Office compatibility is one of the major reasons people stick with windows. That and IT departments not having experience with anything else.
Yeah, a quick google around revealed a few things, some on chips I couldn't find info for. There's also the Elonex One which is damn cheap.
When I said I'd be tempted I meant if I hadn't just bought an Eee 901 :)
There was one reviewed on the register a little while ago. Was a really cheap netbook with a decent battery life but "Oh Noes!" it ran linux on MIPS.
I'd be tempted. Debian would run fine on there.
Yeah, fair enough, I won't dispute you'll get a little bit.
Come to think of it, my old chemistry teacher mentioned something along these lines. Something about sticking to the colourless, tasteless spirits if you wanted to avoid a hangover, because the others had longer chain organics in them that were nasty.
Yeah, and there's that whole "Roadrunner" thing, fastest supercomputer in the world. And IBM sell Cell blade servers...
If you get methanol you're doing it wrong.
Not only that but it's a lighter alcohol. It's also really fucking bad for you. This is one of the reasons home spirit distillation is illegal in a lot of countries
In fact, that site's full of crap.
"Dispute Resolution"
They say that because it was known that mag stripe cards could be cloned the dispute process was easier. What they don't say is that EMV cards have not yet been cloned and the bank can tell if a cloned card was used with chip or stripe. So if you dispute a transaction now you have exactly the same rights as before and the bank are even more likely to know about it in advance because the only way to clone an EMV card and use it for online transactions is to clone the mag stripe. With credit cards you still have the legal requirement that you be refunded until the issuer proves it was you that was fraudulent. Verdict - bullcrap
"Point-of-Sale and ATM Linkage"
Comes down to "If you have the same PIN on every card you're at risk, and people were safe before because they didn't bother to change or learn the PIN on a credit card."
Hmmm.... seems like there's an obvious solution to that one... don't have all your numbers the same! They also miss out on the fact that cloned credit cards were valuable before EMV too. People are idiots, and this doesn't increase fraud. Verdict - Bullcrap
"Cross-Border Fraud"
They say people see the PIN more often and can then make an ATM card that will work in non-chip countries. So the problem, as ever, is the existence of insecure legacy systems. And no, fraud is not made easier, using a cloned card at an ATM in a country with no EMV capability is made easier, cross border fraud was always easy. Banks now spot this behaviour anyway by checking how close transactions are together. Verdict - bullcrap
"Fallback"
Before Chip and PIN, if a magnetic stripe could not be read, the number embossed on the front of the card was simply typed in by hand. This is called a "fallback" mode of operation.
With Chip and PIN, fraud can be perpetuated by...
Whoa there! So fraud can be perpetrated by falling back to your beloved magnetic stripe that you just didn't mention fraud was a possibility for?
Your bias is showing.
Furthermore, for as long as UK cards must work abroad with magstripe only systems, and foreign cards work in the UK, this fallback mechanism will stay in existence -- a long time!
FAIL. No it won't. The stripe contains an indicator that the card has a chip and the fallback mechanism can and will be disabled before too long. Not only that but fallback is used as an indicator of potential fraud. Verdict - bullcrap
"Offline Counterfeiting"
Offline machines can't tell the cheaper, older cards from fakes.
Big fscking whoop, offline machines have a very low limit. Verdict - bullcrap
"EMV Weaknesses"
None were given.
"Middleperson Attacks"
Are extremely, overly complex, could have been done far more easily with stripes and basically require hi-tech equipment and a complicit merchant. Verdict - bullcrap
"Smartcard Attacks"
Again, none mentioned, other than costly physical attacks requiring very expensive equipment (hint, it's an electron microscope you need). Verdict - bullcrap
Basically, the guy is biased against it and for no good reason. The system is not bulletproof, but it's a fuck of a lot better than what went before, especially given the major holes are due to the existence of legacy systems and legacy countries.
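Added example (mine, not the commenter's or the criticised site's). The "Fallback" reply says the stripe carries an indicator that the card has a chip. That indicator is the service code: the three digits that follow the YYMM expiry in the ISO/IEC 7813 Track 2 layout, where a first digit of 2 or 6 means "use IC where feasible". The Python below parses a constructed Track 2 string (the well-known test PAN 4111111111111111, not a real account), checks the PAN with Luhn, decodes the service code, and classifies a swipe the way a simple acquirer rule might. The classification labels, the rule itself and the function names are my own illustration.

```python
import re
from typing import Dict

# Constructed Track 2 samples in ISO/IEC 7813 layout:
#   ';' PAN '=' YYMM service_code discretionary_data '?'
# 4111111111111111 is a well-known test PAN, not a real account.
CHIP_CARD_TRACK2 = ";4111111111111111=2512201123456789?"    # service code 201: chip-capable
LEGACY_CARD_TRACK2 = ";4111111111111111=2512101123456789?"  # service code 101: stripe only

TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Service code digit meanings, ISO/IEC 7813 as commonly documented.
DIGIT1 = {"1": "international interchange", "2": "international interchange, use IC where feasible",
          "5": "national interchange only", "6": "national interchange only, use IC where feasible",
          "7": "private / bilateral agreement only", "9": "test"}
DIGIT2 = {"0": "normal authorisation", "2": "contact issuer online",
          "4": "contact issuer online except under bilateral agreement"}
DIGIT3 = {"0": "no restrictions, PIN required", "1": "no restrictions",
          "2": "goods and services only", "3": "ATM only, PIN required",
          "4": "cash only", "5": "goods and services only, PIN required",
          "6": "no restrictions, use PIN where feasible",
          "7": "goods and services only, use PIN where feasible"}

def luhn_ok(pan: str) -> bool:
    """Mod-10 check on the PAN; catches a mis-read stripe before any risk decision is made."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(track2: str) -> Dict[str, str]:
    """Split Track 2 into pan / exp / svc / disc, rejecting malformed data or a bad PAN."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed Track 2 data")
    fields = m.groupdict()
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    return fields

def chip_indicated(service_code: str) -> bool:
    """True when the stripe itself says the card carries a chip (first digit 2 or 6)."""
    return service_code[0] in ("2", "6")

def describe_service_code(service_code: str) -> str:
    return "; ".join((DIGIT1.get(service_code[0], "unknown"),
                      DIGIT2.get(service_code[1], "unknown"),
                      DIGIT3.get(service_code[2], "unknown")))

def assess_swipe(track2: str, terminal_chip_capable: bool) -> str:
    """Hypothetical acquirer rule: classify a magstripe read by what the service code says.
    'fallback' is the case the comment describes: a chip card swiped at a chip-capable terminal."""
    svc = parse_track2(track2)["svc"]
    if not chip_indicated(svc):
        return "magstripe-only card"
    if terminal_chip_capable:
        return "fallback: chip card swiped at chip terminal, flag for review"
    return "chip card at legacy terminal"

if __name__ == "__main__":
    for label, t2 in (("chip card", CHIP_CARD_TRACK2), ("legacy card", LEGACY_CARD_TRACK2)):
        f = parse_track2(t2)
        print(f"{label}: service code {f['svc']} ({describe_service_code(f['svc'])})")
        print("  at chip terminal  :", assess_swipe(t2, terminal_chip_capable=True))
        print("  at stripe terminal:", assess_swipe(t2, terminal_chip_capable=False))
```

Two caveats a practitioner would add. The service code lives on the stripe, so a counterfeiter who copies the stripe copies the indicator too; it cannot stop a clone being swiped, it can only let the terminal or issuer notice that a chip-capable card is being used without its chip, which is exactly why a fallback transaction is treated as a risk signal rather than a normal sale. And the "legacy terminal" branch is the cross-border case the thread argues about: a terminal that cannot read chips has no reason to reject the swipe, so the decision falls back to the issuer's online authorisation.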
"points out that one CAN be defeated, and disturbingly EASILY."
where?
Show me the page. I can't find it. It says the same that I said - fallback to stripe is a major weakness (though due to be phased out) and the more modern cards do onboard crypto (dynamic authentication) whereas older ones don't.
Their "Middleperson Attack" is ludicrously complicated and requires not only a lot of coordination but specialist equipment. Whereas the similar hack for mag stripe is for them to take a copy in ten seconds and use it where they like. Then there's some muttering about side channel attacks.
Seriously, is that all you've got for your ranting CAPITAL LETTERED assertion that it's damn easy to crack them?
"Heck, the supposedly even more secure Passport RFID was breached recently and in a way that at least the bulk of the RFID readers for it can't detect the tampering."
No, it wasn't. The Elvis thing was done on a simple verification machine in an airport lobby, not a live one.
Either way, that's irrelevant to the credit card question.