Slashdot Mirror


User: Nursie

Nursie's activity in the archive.


Comments · 4,686

  1. Re:CFW != piracy on First PlayStation 3 Custom Firmware Created · · Score: 1

    Couple that with the fact that Sony screwed up the crypto massively and in the last week all the keys have been found to allow signing, then it's just a matter of time before unofficial signed pkg's are ready.

    Hell, that's how the custom firmware can be installed - it's signed with one of the recently discovered keys.

  2. Re:So how long until the DMCA lawsuits? on First PlayStation 3 Custom Firmware Created · · Score: 1

    Well there's the thing here - he's released tools to make custom firmware out of Sony's official firmware, so he seems to be safe on that count.

    DMCA OTOH, yes, that's the next problem.

  3. Re:Fairness on Saudi Arabia Requiring License For Online Media · · Score: 1

    Firstly, governments have also poisoned waterways and land with industrial pollutants. Secondly, what's the death toll for on-the-job safety issues in the whole of history, do you truly, HONESTLY think it even remotely approaches the death toll from the government death and destruction?

    You'll notice my post doesn't mention governments at all.

    on the job deaths were always attempted to be minimized

    ROFL. Read about the industrial revolution sometime.

    they were by accident not on purpose.

    First sensible thing you've had to say...

    Fourth, in most cases that dangerous work was voluntary (and where it wasn't, government was usually involved).

    Yes, voluntary, with the simple alternative of starving to death if one chooses not to work there!!

    Fifth, corporations were at least improving lives in other ways

    By the knock on effects of lining the pockets of the owners at the expense of the lives of many workers, sure. And in the democratic world the government also improves lives in a myriad of ways.

    Maybe I'm "retarded" but I suggest you re-evaluate whether the facts truly fit your worldview.

    What do you know of my worldview from that one post? Fuck all, that's what.

    You're retarded because you slam governments for heinous crimes and then say that corporations have done nothing worse (!!) than a little fraud here and there. You clearly have no idea of history and the battles that the people (in the form of government control) have won against abusive business practices which caused death, dismemberment, poverty and misery. Is it as bad as the worst abuses of (usually but not always non-democratic) government? Hell no, but to brush away the history of employment rights in the west (and to ignore child labour etc in other parts of the world) is ignorant in the extreme.

    You know what's dangerous? Unequal distribution of power, be it in the form of government, the imbalance of power between a company and its workers, or any other forms. Why? Because some humans are scumbags and will harm others for their own gain, out of fear or even just out of spite. Whether it's a politician or a CEO I don't give a rat's arse.

  4. Re:Fairness on Saudi Arabia Requiring License For Online Media · · Score: 1

    "What's your list for corporations? Microsoft 'cut off Netscape's air supply'? Enron cooked the books? Cigarette companies had advertisements showing doctors smoking. Companies often lobby for regulation that protects their markets."

    Umm, are you retarded?

    Corps have poisoned waterways and land with industrial pollutants, destroyed lives and killed people through abusive business practice. And this is before we look back at times when they were unregulated and workers were expected to work unreasonable hours in dangerous conditions for very little pay, often getting maimed or killed by the machinery they were supposed to work with, with no recompense for themselves or their families. Or getting cancer, emphysema or a million and one other 'occupational hazards'

  5. Re:Not really on Battle Escalates Between Airlines and Online Agents · · Score: 1

    Recent research?
    Don't make me laugh!

    The airlines have been feeding us this line for at least two decades now (that's just how long I've been flying reasonably regularly).

    You can show it's crap by taking your own food along, it tastes fine, as does the stuff in business class. I'm not just making it up about the tiny budget, you know. That is the reason it tastes like cheap cardboard, it is cheap cardboard.

  6. Re:Not really on Battle Escalates Between Airlines and Online Agents · · Score: 1

    I wish they wouldn't compete for that one dollar. Mostly because of the food.

    I fairly regularly fly long-haul and the food is awful on pretty much every airline these days. I have found out why - in order to keep prices low in economy class they allocate a budget of around $1 - $1.50 per passenger per meal. $1. One frickin' dollar. PLEASE put another 10 bucks on my ticket price so that when it comes to the two meals on that transatlantic flight I don't have to feel like I'm eating plastic! Please! I promise I'll choose you over your 10-dollar cheaper competitor.

    The bread is like polystyrene foam, the meat in the main dish is shapeless and texture-less, the salad limp and insubstantial and the dessert... unless it's a small portion of a premium product who are providing it free to the airline for promotional reasons, it may as well be made entirely of crude-oil derived polymers. The ingredient list in a typical airline dessert is like a who's who of preservatives and bulking agents.

    I hate that.

  7. Re:It had beter be able to runs apps. on Samsung Set To Introduce Android-Based iPod Touch Competitor · · Score: 1

    All my friends who have iPods are on their 3rd, 4th or even 5th by now. It's not clear that the old ones break, but they do keep buying new ones.

    Whereas I still have my Archos Gmini xs202 20GB from 2005...

  8. Re:Just wait. on Amazon Censorship Expands · · Score: 1

    38 The younger daughter also had a son, and she named him Ben-Ammi[h]; he is the father of the Ammonites[i] of today.

    See, incest does lead to deformity.

    I did not know that's where ammonites came from.

  9. Re:Dear GEMA, on German Kindergartens Ordered To Pay Copyright For Songs · · Score: 4, Interesting

    Yes, how about you all fuck off and die, the world would be a better place.

    No, really, it would, how the fuck do these people sleep at night?

  10. Re:Are you guys really loosing it in the U.S? on Is Reading Spouse's E-Mail a Crime? · · Score: 1

    ???

    How does that come up in conversation?

    "Here, have my mail password"

    or

    "I need to know your mail password, if you don't give it to me you don't trust me"

    Because the latter is not a sign of trust, but the opposite.

  11. Re:Are you guys really loosing it in the U.S? on Is Reading Spouse's E-Mail a Crime? · · Score: 5, Interesting

    My wife has all my passwords: email, login, local admin, server roots, domain, banking logins, etc, etc. I gave them to her especially BECAUSE I trust her.

    Did you do that because you wanted to or because she asked and made it into a trust issue?

  12. Re:Hypothetical Article on The Animal World Has Its Junkies, Too · · Score: 1

    I have no regrets, I had no bad experiences and I think hallucinogens should be legal.

    The "you'll look back and facepalm" comment was because what I was replying to sounded exactly like all the pseudo-profound stuff that myself and others used to spout, so stereotypical but seemingly so important.

    In the end it really isn't.

  13. Re:Are you guys really loosing it in the U.S? on Is Reading Spouse's E-Mail a Crime? · · Score: 4, Insightful

    Trust is not needing that password.

    Lack of trust is asking for it.

    End of.

    Not sure what I would do in that situation.

  14. Re:Hypothetical Article on The Animal World Has Its Junkies, Too · · Score: 1

    I think it's interesting to see how minds react to chemical adulterants.

    I think most of the insights gained are the sort of thing that seems significant at the time and turns out meaningless later, like dreams. And I also think that in general the idea of opening your mind with hallucinogens is subjective. Of course you could say it's subjective in its very nature, but I mean subjective in that it feels or seems like something has happened when really it hasn't.

    No regrets, but I don't buy the hype,

  15. Re:Hypothetical Article on The Animal World Has Its Junkies, Too · · Score: 1

    In five years, when you're bored of LSD and the long term effects have gone, you'll read this back and *facepalm*.

    Believe one who knows.

  16. Re:Good. on UK Banks Attempt To Censor Academic Publication · · Score: 1

    Legally, it has nothing to do with what type of transaction (in the UK where I did my EMV stuff). In law the CC company is a party to the debt and therefore responsible for it (for some reason). Therefore (and I really don't know how this follows, but IANAL) they have to give the money back the moment you challenge it, regardless of circumstance.

    They then investigate with the help of the authorities and if they can prove it was you then you get charged with fraud (well, maybe, it's possible, I've never seen it happen but I wasn't involved in that side). What constitutes 'proof' is likely difficult and it would help to have a copy of the research these guys did if it comes to that, just in case.

    Anyway, the liability is still with the CC issuer, so long as they can't prove you acted in bad faith.

  17. Re:Good. on UK Banks Attempt To Censor Academic Publication · · Score: 1

    Of course PIN is verified against the card!

    That's part of the point of EMV. The PIN you enter is mangled with some other data and presented to the card, which then answers yes or no.

    This attack is to bypass that section, but without the bypass yes the card does verify. The server can (and should, IMHO) verify also.

  18. Re:Did the banks detect the no-pin transaction on UK Banks Attempt To Censor Academic Publication · · Score: 1

    It's a few years since I worked with EMV, but IIRC the terminal and the card send a cryptogram to the bank on transactions over the floor limit. These should contain the methods that each thinks was used for authorisation. Sounds like the banks don't check for it being consistent, at present.

  19. Re:Good. on UK Banks Attempt To Censor Academic Publication · · Score: 2

    That's just not true.

    It moves the liability for fraudulent non-PIN transactions to the merchant. They still have to (by law) refund anything you claim as fraud and then investigate.

  20. There are ways around their attacks on UK Banks Attempt To Censor Academic Publication · · Score: 3, Insightful

    Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.

    Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
    Or make all PIN transactions over the floor limit the 'online PIN verification' type.

    EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.

    That said, the banks still shouldn't be suppressing the research.

  21. Re:Take Note on TSA Investigates Pilot Who Exposed Security Flaws · · Score: 1

    If revolution really takes hold in the US you'll want to get out, fast. The weak will hand over their power, possessions and freedoms to those they see as strong and who promise to lead them.

    The US south would become theocratic, the North and coastal regions, who knows. But if the people depose the current government structure, don't think for a second a better one will come into place without years of strife and bloodshed.

  22. Re:How long will IPv6 last? on Military Pressuring Vendors On IPv6 · · Score: 1

    You still don't get it do you?

    Firstly, with access to machines a remote vulnerability in the OS becomes a major concern. Now there has to be some sort of malware, trojan or social attack. Millions more machines can get pwned without an intermediary firewall.

    Secondly, nobody is sacrificing anything. Anything at all. There is no server that my mother wants to run. Gamers are a minority on the net and amongst them those that even know what a dedicated server is are a much smaller minority. VOIP with SIP is an even more niche case.

    Default deny is the only sensible option when the internet is like the wild west. You would throw out an important security measure that can be given to the less savvy, for no gain for them at all.

  23. Re:How long will IPv6 last? on Military Pressuring Vendors On IPv6 · · Score: 1

    But if they only have one IP address and NAT, how can they fix it with multiple people wanting the same services really? That's still an argument AGAINST NAT.

    Very few people, as a percentage, care about running one service, let alone multiple copies in a single house. If you do you are likely an enthusiast and enthusiast ISPs have been handing out multiple IPs for ages in a lot of places.

    Your main argument is pro NAT, as I've said before ipv6 with firewall is far better but still not suited to everyone.

    No, you said the default deny was barely better and argued against home hardware coming with that preconfigured.

    The real solution of course is if you care about security, get someone who knows what they are doing. NOTHING will fix this but that. Even with NAT devices will still get owned by noobs.

    And yet 99% of the public don't know a thing about security and their router has kept them safe from remote exploits anyway. Strange.

    "It would still be limited, but at the device not the network router/firewall. Nothing is stopping devices from rejecting any packet that has not come from the local subnet if the owner wishes. Which makes perfect sense for such devices."

    I'll say it again - good luck with that. Devices are not well configured and their software stacks bulletproof by default. Multiplying the points of failure in a given house is a surefire recipe for failure. Hell, only the other day we had an article on here about the potential for network attached TVs to get pwned as they run a small networking OS.

    "Anything that I don't want to be accessible just drops the packets if they aren't from the local subnet."

    I haven't found that config item on my tv yet.

    You want to lock down the network for everyone,

    I think it would be wiser to just lock down what you attach to the network in small network situations,

    And you'd be wrong, because these devices ship with a million and one vulnerabilities built in that a firewall can prevent, and the lack of a firewall presents ZERO compelling use cases to the average home user.

    Every modern device either has a stateful firewall built into the IP stack anyway, or just ignores any packets it isn't expecting anyway.

    Which is not the same as saying that it doesn't open ports for all sorts of reasons that expose vulnerabilities to the world.

    You seem to envisage a world in which device security is perfect, and large network admins have mysterious reasons for locking things down and only allowing services they know about, and that for some reason doesn't apply elsewhere.

    Let me sum it up - many devices are riddled with security holes. This is not going to change. Putting these devices directly on the net just so you can ping them is never going to be a good idea.

  24. Re:How long will IPv6 last? on Military Pressuring Vendors On IPv6 · · Score: 1

    They have a default deny policy. And why do you think they have it? Because MOST hosts do not need to use server ports visible to the whole internet, which is true wherever you are.

    NAT or no NAT, the idea of letting home computers and other devices on the net without a firewall that stops anything and everything incoming unless the user sets it up differently, is just common sense and good practice.

  25. Re:How long will IPv6 last? on Military Pressuring Vendors On IPv6 · · Score: 1

    Guess you've never seen a complete household with several voip phones before, or a household full of twenty-something males that play computer games.

    They tend to know how to configure a router and therefore will have no problem changing the default-deny firewall setup they got from their ISP or vendor to something that suits them.

    Of course personally I'd go with the view of having things work as default instead of killing functionality. Since if the functionality is dead from the start how can they utilize it if they don't know about it?

    They don't know or care about it anyway. It's more important for Joe underachiever to be able to use the web in relative safety than it is that he be able to find some cool new software and start using it, turning his machine into a server, without any idea what it does.

    What you are proposing is trying to protect people from themselves.

    Absolutely. Most people are idiots. Even more so when you bring computers into the equation.

    All you wind up doing is putting people in a padded room, not surprisingly most people don't like it when they realize they've been limited by these things

    Most of them will never know or care.

    whereas globally routable addresses with an outgoing only firewall is slightly better, still useless for many but at least those who know what they are doing can fix it. But why should people have to deal with broken connectivity from the get go.

    Because it's not broken for >90% of their use cases and it protects their badly configured, unpatched machine from being port scanned and pwned.

    You will never have security with users that don't know anything about what they are doing combined with a lack of oversight by anyone competent. To think otherwise is pointless.

    But we can help them, can't we?
    We can remind them to install anti-virus, we can block people from remotely probing their machine, we can stop them exposing services to the entire world unless they know what they're doing. Or is all of this pointless in your mind?

    Your view of security seems to be, fuck the user's needs, let's make this secure!

    And your view of security seems to be "fuck the user's needs, if they can't configure a firewall they shouldn't be on the net and deserve to get pwned".

    and taking that to its extreme you're better off just removing net access entirely.

    You're an idiot.

    You're a complete moron if you think that most consumer (not to mention business) machines should have anything like complete exposure to the internet.

    In your head is it only NAT that's to "blame" for keeping machines from being directly and completely exposed to the net?

    Have you ever considered what happens in companies that have a class A address space? Do you think even 1% of the machines IBM owns are publicly accessible? Hell no they aren't. They may have a 'real' address but there's no way for any access to occur that's not exactly the same as if it was through a NAT.

    Hell, a well set up corporate network will have segments that can't even address each other due to security-related partitioning.

    You are free to make your mobile phone, television, NAS and other devices first-class internet citizens. You're going to get pwned. Meanwhile my mother's Win XP machine is safely behind a NAT, and she can go about her business without risk of some shithead using this week's remote access exploit to re-purpose her machine into a Tor node, a porn hub or a spam proxy.