Essentially every "commit" operation - transfer, change limits, request card etc. "View" operations (history etc) don't require confirmation.
Also, if you're making multiple transfers, there's a "basket" feature: add multiple transfers, then sign them all at once with one code.
There is still the (slim) possibility the attacker has hijacked your phone together with the browser.
Type in browser: Joe, $50, click send.
Browser sends to bank: Evil, $1mln
Browser sends to evilstorage: Joe, $50.
Bank replies by SMS: Evil, $1mln, code 1111
Bank replies by WWW: Confirm Evil, $1mln
Browser displays: Confirm Joe, $50
Phone receives: Evil, $1mln, code 1111
Phone retrieves from evilstorage: Joe, $50.
Phone displays: Joe, $50, code 1111
You type: 1111
Browser sends to bank: Evil, $1mln, code 1111.
It's not impossible especially with limited smartphone "culture" of iOS+Android, although it's yet to be spotted in the wild. OTOH, attacks that hijack the browser alone exist, and often depend on the user not confirming the account number.
If the computer is compromised, what transaction is displayed on screen and what is sent out to the bank can be two entirely different things. You type your own transaction (data stored locally, not sent) and see it on the confirmation screen (data retrieved locally). You send out fraudulent transaction (data not displayed but sent) and authenticate it (in response to data received but not displayed).
The text from the bank contains some digits from target account number along with the code. This way you can verify you are sending the right message. This would require hijacking both your browser and the SMS messaging system (possibly your phone.)
If the bank attaches transaction details, this is a valid method of circumventing the OTP vulnerability.
There are exploits in the wild that hijacked MSIE HTML rendering layer. So you want to transfer $15 to your aunt. You type in the amount, the account number, all details match. You press "send" and the trojan sends out the scammer's account number and your total balance as amount to transfer. Now the bank asks you to confirm the transfer - and the trojan displays your aunt's info you have just entered, asking for OTP code. And you sign the transfer to the thief's account with a valid OTP code.
Now the SMS will contain some digits of the account number and you can verify if it's your auntie who will receive your cash, even if your computer has been compromised.
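The transaction-bound SMS defense described in the comments above (the man-in-the-browser exchange and the reply that the text should carry some digits of the destination account) as an added worked example; this is illustration code written for this page, not code from any bank or from the commenters. It assumes a bank that derives a 6-digit code with an HMAC over the transaction it actually received, puts the amount and the last four digits of the account into the SMS, and a user who compares those details with the transfer they meant to make before typing the code. All names, account numbers, the secret and the message format are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed demo secret; a real issuer keeps this in an HSM, not in source.
BANK_SECRET = b"constructed-demo-secret-not-for-production"


@dataclass(frozen=True)
class Transaction:
    session_id: str
    payee_name: str
    payee_account: str   # full account number as the bank received it
    amount_cents: int


def otp_for(txn: Transaction) -> str:
    """Derive a 6-digit code bound to the exact transaction the bank received.

    Because payee and amount are inside the HMAC input, a code issued for
    one transfer will not verify for a different one.
    """
    msg = f"{txn.session_id}|{txn.payee_account}|{txn.amount_cents}".encode()
    digest = hmac.new(BANK_SECRET, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") % 1_000_000
    return f"{value:06d}"


def confirmation_sms(txn: Transaction) -> str:
    """Text the bank sends: amount, account tail, and the code.

    The masked tail lets the user check the payee on a second device
    without putting the full account number into the message.
    """
    tail = txn.payee_account[-4:]
    dollars, cents = divmod(txn.amount_cents, 100)
    return f"Transfer ${dollars}.{cents:02d} to account ...{tail}. Code: {otp_for(txn)}"


_SMS_RE = re.compile(
    r"Transfer \$(\d+)\.(\d{2}) to account \.\.\.(\d{4})\. Code: (\d{6})"
)


def user_should_approve(sms: str, intended_account: str, intended_amount_cents: int) -> bool:
    """The check the user must do on the phone, not in the (possibly
    compromised) browser: do the SMS details match the transfer I intended?

    Returns False on any mismatch or unparseable text; in that case the
    code must not be typed in, whatever the browser screen says.
    """
    m = _SMS_RE.fullmatch(sms)
    if m is None:
        return False
    dollars, cents, tail, _code = m.groups()
    amount_cents = int(dollars) * 100 + int(cents)
    return amount_cents == intended_amount_cents and tail == intended_account[-4:]


def bank_accepts(submitted: Transaction, code: str) -> bool:
    """Bank-side check: the code must match the transaction being committed."""
    return hmac.compare_digest(otp_for(submitted), code)


if __name__ == "__main__":
    # Constructed scenario from the thread: the user meant Joe, $50, but the
    # browser submitted a different payee and amount to the bank.
    intended_account, intended_amount = "12345678901234", 50_00
    submitted = Transaction("sess-1", "Evil", "99999999999999", 1_000_000_00)
    sms = confirmation_sms(submitted)
    print(sms)
    print("approve?", user_should_approve(sms, intended_account, intended_amount))
```

Two things the example makes concrete. First, binding the code to the transaction means a code can only ever authorize what the SMS describes, so a relayed code does not buy the attacker a different transfer. Second, in the thread's scenario the SMS genuinely describes the fraudulent transfer, so the code is valid for it; the only thing that stops the transaction is the user noticing that "...9999" and "$1000000.00" are not the aunt's account tail and $50, which is exactly why the details have to be in the text and read on a device the browser does not control.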
Or if you're feeling even more generous, and this is very common, have "forward call to the right number" on quick-dial.
This would not be a 1-hour online test doable anytime. Shut the reactor down primarily by allowing the rods to get exhausted. Remove spent rods and replace them with "test rods". Run tests for a couple of days or weeks. Perform servicing, upgrades, repairs and so on. Once everything is fine and dandy insert new fuel rods.
Actually, this -would- be doable without huge risk, but at some serious cost and without all the normal profit.
The gist would be to replace fuel rods with "simulator rods" that use non-radioactive, chemical energy source. You -can- produce this much energy by plain old chemistry, although over much shorter period of time (and without net energy profit, making the rods will cost much more than electricity they will produce). Some specifics of reactor, like influence of moderator on speed of reaction would be missed (say, xenon poisoning problem), but failure of any essential system would not result in radioactive leak.
Try Muslim ethnic minority protests (including heavy acts of vandalism), emergency procedures interrupted by 5 o'clock tea and ecologists protesting by chaining themselves to fuel rods.
Why when I heard SONY and SOLUTION I immediately thought "They came up with a way to have people who want to play split-screen to pay for two copies of the game instead of one. Some licensing/payment/authentication scheme that enables split-screen only if both players purchased the license."
I know, I know. Don't give them ideas. I hope they don't read Slashdot.
He factored car traffic in. Considering most airports are on outskirts of the city (vs train terminals which tend to be near the center of the city), and the roads to them tend to be jammed most of the time, a 1h drive to the airport and 1h drive from the airport is a very probable estimate.
Still, AFAIR, Google takes your ad content and you don't see much about people who see it, until someone clicks through. And if you manage your sales through Google Checkout and their other helpful services, you may not even see that much, just very general statistics. OTOH, Facebook opens up a whole lot of their user data through the API.
Yes, it's a proper name of the network - like Fidonet, or Freenet. (as opposed to generic names like darknet or intranet. Ethernet, on the other hand, is a brand name.)
The basic difference between the two is how they manage harvested data.
So, you come to Google, "I have this gizmo for sale, help me sell it." and Google goes "Fine, we found 2000 customers who purchased your gizmo, ship the gizmos here and here (or let us handle it), and here's your money, after we took our cut."
So, you come to Facebook, "I have this gizmo for sale, help me sell it." and Facebook goes "Fine, pay us our cut and here's your 20000000 records of our users' data, emails, phones, home addresses, we guess at least 2000 of them are bound to be willing to buy your gizmo if you market it to them."
It's a definite oversimplification but it seems your data is much safer with Google than with Facebook.
never really took off, still bumps around in the night at obscure servers and disused packages.
Same concept really, except they used a text editor back then. Emacs, they called it.
Another law everyone will be breaking, so when the govt wants to fuck you over, they can do it freely and legally. No, it was not your anti-government post on that board or you participating in that demonstration. We're arresting you for computer piracy, that's all.
I wonder what percentage of users will
1. ignore the legislation and keep using a friend's account
2. switch to piracy, download the mp3
3. purchase a separate song for their own netflix account.
Somehow my hunch tells me "3" will not be a majority.
for the good of all of us,
except the ones who are dead.
No, why? Won't you make this sacrifice? For the science?
The problem is it's not a single leak, never was. It's thousands of tiny leaks, many of them occurring once in a blue moon. Observing and fixing them is a gargantuan task, because you have to hunt them one by one, and while killing one is quite doable, killing enough to make a difference is difficult. Also, extensions leak memory left and right, their authors don't feel obliged to fix them, and Mozilla authors can't do much about it.
So did Israel just commit an act of war against Iran, by attacking its nuclear systems?
I may be mistaken but I think Portal 2 preordered from Steam was like $40, direct purchase after release $60.
Games in preorder can be good 40% cheaper than bought at release time. That alone is a good reason.