Slashdot Mirror

User: ljheidel

ljheidel's activity in the archive.

Stories: 0
Comments: 9

Comments · 9

  1. Re:Why are pins stored? on Encrypted PIN Data Taken In Target Breach · Score: 2

    I know for a fact that one of the items on the PCI list for CC transactions is 'no storage of CVV data.' If Target was indeed storing the PIN numbers, I feel like they have some real 'splainin to do about that one. However, based on the fact that they're obsessive about data mining, I wouldn't put it past them. "Why do we need to keep the PIN numbers?" "I dunno, but we can." "Okay, let's do it."

    However, if the data was stolen 'in flight' as EvilSS suggests and it *is* encrypted (and based on the prevarication in which Target has engaged, I wouldn't hold my breath), it does kind of help narrow down the mechanism of the breach. It basically means they didn't crack the individual POS terminals, but some point in between the terminal and the bank. But, as I sit here and think about this, why would the POS terminals encrypt the PIN but not the CC number? This is where my lack of knowledge of the arcane world of computerized banking (and having worked in it for a brief time, I know it's full of WTF) prevents me from making any more guesses. Perhaps it's required by standard that the PIN be encrypted leaving the POS terminal. Perhaps the intercept point was between Target and the bank, and Target was sending the PINs as a hash.

    Exactly how hard would it be to run an attack against, say, 40 million salted hashes if you knew each of the pre-hashed values was a four-digit code from 0000-9999?

    But the more I think about this...this means that each of the CC transactions individually leave the POS terminal, get routed through some branch office infrastructure then back to Target HQ, then onto the banking network. Way too much speculation on my part, but I'm hellishly curious to find out what actually happened.

  2. Re:And how does IT view Management? on The Disconnect Between Management and the Value of IT · Score: 1

    Throw in that the industry is out there promoting computing as a "utility" (with all of its connotations in the minds of management). They don't care what utility computing really means; what they hear is "you can buy your IT just like you buy water or power." If you approach it like that, you get exactly what you get from the power or water company: poor service, unfathomable delays, sloppy work ethic, and an all around bad solution. But, the bottom line is that there's some guy in a suit telling another guy in a suit that he can replace you for pennies on the dollar.

  3. Re:If everyone did what he did on Flying Faster Without ID · Score: 1

    I did.

    Twice.

    The first time was in the fall of 2003. I was flying from IND to LAX, and realized when I got to the airport that I'd forgotten my wallet. My flight left in less than an hour, and I was over an hour from home. My timetable was tight, so I called the airline and explained my problem. The first person told me that I was screwed, but the second told me to go to the counter and ask to speak to the manager.

    At the counter, they asked me some questions, and escorted me to security...right past the line of people waiting to go through with IDs. I got the "full cavity search," which really just entails the same thing you get if you're an "airline selectee" with the scarlet SSSSSS on your boarding pass. I was even pushed to the front of that line. It took about 3 minutes, and coming back from LAX to IND was even easier. It definitely took much less time than going through the regular Friday-after-Thanksgiving security hassle.

    In May of this year, I went to the New Orleans JazzFest as I do every year. The last Sunday of the festival, my traveling companion and I went to a bar called Molly's somewhere on Decatur and took liberal advantage of their $5.00 Jameson shot/MGD longneck package deal. So much so that I don't remember walking back to the hotel, or the alarm clock going off, or the wake-up call (I'd tried to plan for this). It wasn't until they sent one of the hotel staff to pound on the door that I realized that I was about to be late for my 6:20 AM flight (sadists). I gathered up my things, but couldn't find my ID.

    Could I get lucky again?

    I went to MSY and went through less hassle than I had two and a half years prior at IND or LAX. (I'm guessing this happens frequently there for some odd reason.) They didn't even escort me to the checkpoint. I was handed a boarding pass and told to explain it to the security people. Five minutes later, I was on my way to my gate and back to IND. (The night before, in my French Quarter-induced haze, I'd put my ID in a zipper pocket of my bag, and forgotten it.)

    Yes, I'm white with fair hair and fair skin. Yes, I look about 12 years old. I don't know what would happen if I had dark skin and an olive complexion. I'm not sure I want to know the answer.

  4. Two Great Tastes That Go Great Together on MSN Sponsors Mensa · Score: 1

    Microsoft and Mensa...both great at screwing otherwise intelligent people out of $50 and providing little or nothing in return (give or take an order of magnitude).

  5. Could Happen To Any Of Us on How Would You Handle a $1,000,000 Coding Error? · Score: 1

    Welcome to the world of delivering the papers you used to help produce.

    Many of us are just one misstep from being out of a job. Swallow your hubris for a second and consider what would happen if that last backup you did didn't restore, or perhaps that last "minor mod" to the code you wrote caused a kernel panic. It's sobering.

  6. Re:Tucker Max on Slashback: Railing, Blocking, Scoffing · Score: 1

    The brutal irony is that all of the righteous indignation here isn't fueled by the inherent respect of women harbored by all of geekdom, but jealousy. The Slashdot crowd sits on their fattening rear ends, playing Evercrack and wondering why all of these beautiful, intelligent girls would want to be with Tucker Max and his ilk, because they are CLEARLY smarter, nicer, and funnier than Max.

    I pose to you:

    1. Who is really smarter? You or Max? Oh, that's right, you can write 10,000 characters of obfuscated C code that compiles into a perfect replica of HAL, but you haven't kissed a girl since 1994. Which skill would you rather have?

    2. What did nice ever have to do with anything? The Polish were nice, circa 1939, and look what those big, bad evil Germans did.

    Tucker Max has used his intelligence (and it is considerable) to figure out how the system really works. I suggest that the /. crowd stop complaining about him being a bad man and start asking themselves why that jar labeled "phone numbers of hot chicks" on the desk is empty.

  7. MS-SMTP on Microsoft Steps Up Anti-Spam Efforts · Score: 1

    This should read: "Microsoft is committed to solving the spam problem. Our new enhancements to the Internet mail protocols, MS-SMTP, will eliminate spam. (While gradually making 90% of Internet e-mail servers based on proprietary "decommodified" protocols which will require Microsoft products to be transmitted, received, and relayed properly.)"

  8. Senators Find New Way To Line Corporate Pockets on Senators Aim to Wirelessly Jumpstart Broadband · Score: 1

    1. Auction off spectrum for "broadband use" in a "public" (open to our corporate friends who give us the largest bribes^H^H^H^H^H campaign contributions) auction. Make sure that the spectrum allocation creates exclusive territories, regardless of the technical feasibility of sharing the band.

    2. Allow companies to wait 5 years while small players have struggled to create a marketplace (with 802.11b for instance). (Very important to make sure that our corporate friends are assured of a user base first.)

    3. Sit back and watch while large corporations use their superior (licenced) technology to kill small corporations (who have to rely on interference-prone, slower unlicenced technology). Large corporations may make an effort to offer to resell their service to other companies so as not to seem anticompetitive. However, our friends will overcharge and underdeliver their wholesale product. The wholesale product will be available on paper only. No would-be competitor will ever actually be able to buy it in a timely manner.

    4. Large corporations will flail about aimlessly for several years offering lousy service, and cluelessly delivering their product. Meanwhile, they will operate at a loss, knowing that their other government-supported monopoly products will fuel the operation until they run all competition out of the market through (often misleading) advertising and legal maneuvering.

    5. All competition in the area will be gone, allowing the large corporations to charge $69.95 a month for a 768/128 kb/sec connection which is connected to a network that is oversubscribed 500:1 while claiming that it's "20 times faster than dialup."

    I think I've seen this movie before and I think it stunk the first time.

  9. At last we finally have... on Venter's DNA Major Source of Celera's Database · Score: 1

    a perfect example of the genes that code for human arrogance. Thanks Dr. Frankens...I mean Venter!