Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.
You are mistaken - the RFID chip is connected to the EMV chip - may even be the same chip nowadays. This wasn't always the case, but is now. The RFID data includes an EMV-derived authentication code like the CVV.
This had all been theoretical for me until Costco replaced my Amex card with a Visa that had PayWave (RFID). I did a LOT of reading then!
I run two e-commerce stores based on osCommerce and had this exact issue with a customer whose last name was Null. There is a common function in osCommerce (tep_not_null) trying to see if the argument is empty. One of the things it looks for is the string "null". When I discovered this, I removed that part of the test (which never made sense to me.)
Gallium Nitride transistors have a lot of nice characteristics, but low yields and high costs have slowed their introduction. Two tiny laptop chargers, the FinSix Dart and Avogy Zolt, were said to use GaN transistors. The Dart still hasn't shipped, a year past its claimed release date. The Zolt has but is apparently using older Silicon Carbide-substrate transistors instead (Also see here.) (I received my Zolt recently and it is working well.)
It won't be a surprise to anyone following this technology that it can make inverters more efficient - that's what FinSix and Avogy have been claiming/demonstrating for two years at least.
I have had one of these for a month or so now. The range is fantastic (even with 5GHz) as is the throughput, though the Ethernet bonding feature isn't useful to me.
However, I, like many other X8 users complaining in Netgear's support forum, have an ongoing issue with the WiFi in that devices still show they're connected but no data flows. And if you have a device that tries to connect to the access point, the router rejects it. Rebooting the router fixes it for a while. Netgear support has been very responsive and they've given me beta firmware, but the problem persists. It's especially aggravating for my DVR which goes back to an "unconnected" state each time this happens, meaning I have to go through its configuration again.
Netgear is sending me a replacement router to see if that helps. I hope it does, as otherwise I love this thing. I was able to disconnect a repeater I had running on the other side of the house as I didn't need it anymore.
It's great that this can be done, and all well and good. But people who criticize Linux for making you figure out how to get things to work should take note. Windows is not necessarily "it just works."
Microsoft removed the whole feature from the product. Enterprising users figured out how to add it back in, and without the need to go pull sources from github and build it yourself.
Users have found a way to install Windows Media Center on Win10. I have done this (on my mom's PC) and it works. See http://forums.mydigitallife.in...
I'd love to upgrade to Win10 on my home's primary Win7 PC, but the upgrade keeps failing and never tells me why. I tried to get help from the MS support forums, but just kept getting fed a form response with a scattershot list of things to "try". I have Win10 on several other PCs and I like it.
No., it doesn't solve anything. Trustwave will look to see who the MX is for our domain and probe it. I'd rather solve the underlying problem than hide it.
I run an e-commerce store and have to deal with PCI compliance. We don't store credit card details, but the info passes through our server. The June 30, 2016 deadline to drop TLS1.0 was a big headache, made worse by the "Trustwave" PCI checking tool (mandatory from our payment processor) failing us as of July 2015 for not dropping TLS1.0, but I could submit a remediation plan every three months to defer it.
I did a bunch of testing to see what broke if I dropped TLS1.0. On the web browser side, MSIE10 wouldn't like it, but other, reasonably current, browsers were ok. What surprised me, though, was how many email clients simply stopped communicating with our server if I turned off TLS1.0 for SMTP and IMAP. It's been hard to find details on which clients support TLS1.1 - and perhaps there's some aspect here I'm missing - but this to me is the bigger problem than the web service. (Even though we don't use email for sensitive info, if TLS1.0 was enabled on ANY port, we fail.)
I'm glad to see that this deadline was pushed back, as it was giving me heartburn.
Another Chase fan here. Just after I arrived in Ireland for a two-week vacation this past May, I get a notice from Chase that they're canceling my card due to (actual) fraud and sending me a new one. Except that I was depending on the Chase card while I was in Ireland. Their CS was extremely helpful and suggested a setup where they'd authorize card-present transactions while I was in Ireland but block others (unless I explicitly authorized them.) (And then I was embarrassed when my card was declined in Ulster, but that was my fault because I wasn't in Ireland anymore - and they had asked what other countries I would be in.)
American Express has also been good about fraud detection and alerting me instantly, though on a previous European trip I noticed a whole slew of bogus charges to my card using a number that had been canceled two cards ago. Their explanation was that if it came through a processor that had done a valid transaction before (which had been the case), they'd let it go. No big deal to get it taken care of.
I am currently using Blockr which works. I don't mind simple, unobtrusive ads, but filling my screen with bandwidth-sucking animations and more is just offensive.
Your super-whiz-bang method still requires a password, it seems. Without a password manager, users will still need to remember their password and many will either reuse passwords from other sites or choose simple ones. The image/caption thing you talk about is often used as an anti-phishing technique, but that's not authentication. If you're requiring the user to choose from among multiple pictures or captions, then that's effectively another one or two passwords. Yes, it will make it harder to attack YOUR site through the web interface, but doesn't itself strengthen protection of the users' passwords.
The goal for password managers is not to protect individual sites, it's to protect the users against their own misuse of passwords and reducing the risk when some site (not yours, hopefully) gets hacked and has their password database stolen. (How do you hash the passwords for your sites? Still using MD5?)
Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)
Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported.)
Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.
Free advice is worth every cent, Steve. Wasn't that you?
Yup.
I should also have mentioned that the common language environment meant that mixed-language applications were far easier than on most other operating systems. How about mixing BASIC, RPG II, Pascal, Fortran and Ada? Easy.
I'll admit that I am biased, as a former VMS developer for DEC, but in my opinion VMS did one thing right from the start that I have not seen any other OS duplicate before or since - the Common Language Environment. VMS defined a common calling and exception handling standard that was used by all of the 20+ programming languages supported on VMS. The system services and the common run-time library were usable from all of the languages. Yes, many of the languages needed extensions to support things such as "pass by descriptor", but it was done in a consistent fashion. There was also a naming standard that separated system and user namespaces to avoid namespace collisions. This was all documented in the standard VMS manuals and was designed to be extended as needed.
This also meant that pretty much all of the system library routines were language-independent and there were large collections of these that could be called from most languages. For a long time, Windows had something close to this with the Windows API, but in recent years it's been shifting to C++ class libraries that shut out other languages.
I just finished reading an ARC (Advanced Reader Copy) of Robinson's latest novel "Aurora", not yet published, which is about a generation starship sent out to colonize a planet orbiting Tau Ceti. Mild spoiler - the colonists find it's much harder than anyone anticipated. I found it a bit of an odd take given Robinson's Mars trilogy (to be honest, I made it to about a third of the way through Blue Mars and gave up) which seemed far more optimistic. Now I know why. Unfortunately, pessimism doesn't sell as well as optimism, so I don't have great hopes for commercial success of Aurora. Oh, and if you weren't transfixed by Red/Green/Blue Mars, you probably won't care for Aurora either.
The NUC BIOS (EFI, really) defaults to having "secure boot" disabled. You can install any software you want on a NUC system. I just got one of the Core i3 Broadwell NUCs and it's delightful.
Barclay had been doing chip-and-PIN in the US, I had read that they stopped but maybe not. Chase doesn't do PINs and are proud of it. The United Nations FCU offers a chip-and-PIN Visa card - anyone can join through a rather convoluted method.
Yes, in fact they can, and this has happened in Europe. One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder. In the US, all the card issuers assume liability for fraud, no matter what, so there is less incentive to require a PIN.
The article you linked to is informative, but as the US transitions to EMV, it will become harder for thieves to use magstripe cards.
As I noted earlier, the biggest benefit of EMV, with or without PIN, is that merchants and payment processors aren't holding on to vast quantities of card numbers, and card skimming becomes far more difficult.
Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.
I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.
I agree 100% with Okian Warrior here - I'd do without rather than buy service from Comcast. I have the FairPoint fiber service that used to be FiOS and it works well, but if it's not already run on your street you'll never get it. For TV go satellite - I use DirecTV.
One, hopefully temporary, hitch is that Fairpoint workers have been on strike for several weeks, slowing down installs and repairs.
Really, FairPoint nowadays isn't a bad company to do business with. They're focused on staying in business and aren't interested in meddling with your Internet content.
This is not new for Verizon at all - they have been shedding their landline and FiOS business for years. Back in 2007 they abandoned Maine, New Hampshire and Vermont, selling off the business to FairPoint Communications, a tiny North Carolina company that struggled for years to overcome billing system issues. FairPoint announced then that they would not be expanding the fiber Internet service (FiOS TV never got started here) and the service has been static since then. (On the positive side, my bill hasn't increased since 2007!)
Even in Massachusetts, where Verizon still operates FiOS TV, they announced a couple of years back that they would not expand service to more areas. This tripe about Net Neutrality is just a convenient smokescreen for what they've been planning all along.
Slashdot Mirror
Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.
You are mistaken - the RFID chip is connected to the EMV chip - may even be the same chip nowadays. This wasn't always the case, but is now. The RFID data includes an EMV-derived authentication code like the CVV.
This had all been theoretical for me until Costco replaced my Amex card with a Visa that had PayWave (RFID). I did a LOT of reading then!
That does very little good. The info that can be obtained with a reader is still usable for making charges to your account.
Currently I use an envelope that claims to be RFID shielding. No idea if it works or not.
I have backed on Kickstarter an interesting "jamming" solution, Vaultcard, which looks promising.
The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.
I run two e-commerce stores based on osCommerce and had this exact issue with a customer whose last name was Null. There is a common function in osCommerce (tep_not_null) trying to see if the argument is empty. One of the things it looks for is the string "null". When I discovered this, I removed that part of the test (which never made sense to me.)
Gallium Nitride transistors have a lot of nice characteristics, but low yields and high costs have slowed their introduction. Two tiny laptop chargers, the FinSix Dart and Avogy Zolt, were said to use GaN transistors. The Dart still hasn't shipped, a year past its claimed release date. The Zolt has but is apparently using older Silicon Carbide-substrate transistors instead (Also see here.) (I received my Zolt recently and it is working well.)
It won't be a surprise to anyone following this technology that it can make inverters more efficient - that's what FinSix and Avogy have been claiming/demonstrating for two years at least.
I have had one of these for a month or so now. The range is fantastic (even with 5GHz) as is the throughput, though the Ethernet bonding feature isn't useful to me.
However, I, like many other X8 users complaining in Netgear's support forum, have an ongoing issue with the WiFi in that devices still show they're connected but no data flows. And if you have a device that tries to connect to the access point, the router rejects it. Rebooting the router fixes it for a while. Netgear support has been very responsive and they've given me beta firmware, but the problem persists. It's especially aggravating for my DVR which goes back to an "unconnected" state each time this happens, meaning I have to go through its configuration again.
Netgear is sending me a replacement router to see if that helps. I hope it does, as otherwise I love this thing. I was able to disconnect a repeater I had running on the other side of the house as I didn't need it anymore.
It's great that this can be done, and all well and good. But people who criticize Linux for making you figure out how to get things to work should take note. Windows is not necessarily "it just works."
Microsoft removed the whole feature from the product. Enterprising users figured out how to add it back in, and without the need to go pull sources from github and build it yourself.
Users have found a way to install Windows Media Center on Win10. I have done this (on my mom's PC) and it works. See http://forums.mydigitallife.in...
I'd love to upgrade to Win10 on my home's primary Win7 PC, but the upgrade keeps failing and never tells me why. I tried to get help from the MS support forums, but just kept getting fed a form response with a scattershot list of things to "try". I have Win10 on several other PCs and I like it.
No., it doesn't solve anything. Trustwave will look to see who the MX is for our domain and probe it. I'd rather solve the underlying problem than hide it.
I run an e-commerce store and have to deal with PCI compliance. We don't store credit card details, but the info passes through our server. The June 30, 2016 deadline to drop TLS1.0 was a big headache, made worse by the "Trustwave" PCI checking tool (mandatory from our payment processor) failing us as of July 2015 for not dropping TLS1.0, but I could submit a remediation plan every three months to defer it.
I did a bunch of testing to see what broke if I dropped TLS1.0. On the web browser side, MSIE10 wouldn't like it, but other, reasonably current, browsers were ok. What surprised me, though, was how many email clients simply stopped communicating with our server if I turned off TLS1.0 for SMTP and IMAP. It's been hard to find details on which clients support TLS1.1 - and perhaps there's some aspect here I'm missing - but this to me is the bigger problem than the web service. (Even though we don't use email for sensitive info, if TLS1.0 was enabled on ANY port, we fail.)
I'm glad to see that this deadline was pushed back, as it was giving me heartburn.
Another Chase fan here. Just after I arrived in Ireland for a two-week vacation this past May, I get a notice from Chase that they're canceling my card due to (actual) fraud and sending me a new one. Except that I was depending on the Chase card while I was in Ireland. Their CS was extremely helpful and suggested a setup where they'd authorize card-present transactions while I was in Ireland but block others (unless I explicitly authorized them.) (And then I was embarrassed when my card was declined in Ulster, but that was my fault because I wasn't in Ireland anymore - and they had asked what other countries I would be in.)
American Express has also been good about fraud detection and alerting me instantly, though on a previous European trip I noticed a whole slew of bogus charges to my card using a number that had been canceled two cards ago. Their explanation was that if it came through a processor that had done a valid transaction before (which had been the case), they'd let it go. No big deal to get it taken care of.
I am currently using Blockr which works. I don't mind simple, unobtrusive ads, but filling my screen with bandwidth-sucking animations and more is just offensive.
See http://www.imore.com/how-to-ge...
n00bs, eh? I've been in the software business for almost 40 years, you young whippersnapper.
I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works. https://lastpass.com/whylastpa... https://lastpass.com/support.p...
Your super-whiz-bang method still requires a password, it seems. Without a password manager, users will still need to remember their password and many will either reuse passwords from other sites or choose simple ones. The image/caption thing you talk about is often used as an anti-phishing technique, but that's not authentication. If you're requiring the user to choose from among multiple pictures or captions, then that's effectively another one or two passwords. Yes, it will make it harder to attack YOUR site through the web interface, but doesn't itself strengthen protection of the users' passwords.
The goal for password managers is not to protect individual sites, it's to protect the users against their own misuse of passwords and reducing the risk when some site (not yours, hopefully) gets hacked and has their password database stolen. (How do you hash the passwords for your sites? Still using MD5?)
Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)
Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported.)
Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.
Free advice is worth every cent, Steve. Wasn't that you?
Yup.
I should also have mentioned that the common language environment meant that mixed-language applications were far easier than on most other operating systems. How about mixing BASIC, RPG II, Pascal, Fortran and Ada? Easy.
I'll admit that I am biased, as a former VMS developer for DEC, but in my opinion VMS did one thing right from the start that I have not seen any other OS duplicate before or since - the Common Language Environment. VMS defined a common calling and exception handling standard that was used by all of the 20+ programming languages supported on VMS. The system services and the common run-time library were usable from all of the languages. Yes, many of the languages needed extensions to support things such as "pass by descriptor", but it was done in a consistent fashion. There was also a naming standard that separated system and user namespaces to avoid namespace collisions. This was all documented in the standard VMS manuals and was designed to be extended as needed.
This also meant that pretty much all of the system library routines were language-independent and there were large collections of these that could be called from most languages. For a long time, Windows had something close to this with the Windows API, but in recent years it's been shifting to C++ class libraries that shut out other languages.
I just finished reading an ARC (Advanced Reader Copy) of Robinson's latest novel "Aurora", not yet published, which is about a generation starship sent out to colonize a planet orbiting Tau Ceti. Mild spoiler - the colonists find it's much harder than anyone anticipated. I found it a bit of an odd take given Robinson's Mars trilogy (to be honest, I made it to about a third of the way through Blue Mars and gave up) which seemed far more optimistic. Now I know why. Unfortunately, pessimism doesn't sell as well as optimism, so I don't have great hopes for commercial success of Aurora. Oh, and if you weren't transfixed by Red/Green/Blue Mars, you probably won't care for Aurora either.
The NUC BIOS (EFI, really) defaults to having "secure boot" disabled. You can install any software you want on a NUC system. I just got one of the Core i3 Broadwell NUCs and it's delightful.
Barclay had been doing chip-and-PIN in the US, I had read that they stopped but maybe not. Chase doesn't do PINs and are proud of it. The United Nations FCU offers a chip-and-PIN Visa card - anyone can join through a rather convoluted method.
Yes, in fact they can, and this has happened in Europe. One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder. In the US, all the card issuers assume liability for fraud, no matter what, so there is less incentive to require a PIN.
The article you linked to is informative, but as the US transitions to EMV, it will become harder for thieves to use magstripe cards.
As I noted earlier, the biggest benefit of EMV, with or without PIN, is that merchants and payment processors aren't holding on to vast quantities of card numbers, and card skimming becomes far more difficult.
Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.
I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.
I agree 100% with Okian Warrior here - I'd do without rather than buy service from Comcast. I have the FairPoint fiber service that used to be FiOS and it works well, but if it's not already run on your street you'll never get it. For TV go satellite - I use DirecTV.
One, hopefully temporary, hitch is that Fairpoint workers have been on strike for several weeks, slowing down installs and repairs.
Really, FairPoint nowadays isn't a bad company to do business with. They're focused on staying in business and aren't interested in meddling with your Internet content.
This is not new for Verizon at all - they have been shedding their landline and FiOS business for years. Back in 2007 they abandoned Maine, New Hampshire and Vermont, selling off the business to FairPoint Communications, a tiny North Carolina company that struggled for years to overcome billing system issues. FairPoint announced then that they would not be expanding the fiber Internet service (FiOS TV never got started here) and the service has been static since then. (On the positive side, my bill hasn't increased since 2007!)
Even in Massachusetts, where Verizon still operates FiOS TV, they announced a couple of years back that they would not expand service to more areas. This tripe about Net Neutrality is just a convenient smokescreen for what they've been planning all along.