.. get new credit cards every half year or so. You're not charged for the change, it secures any leakage you may have left behind and it ensures that data theft isn't a problem. If you think 6 months is too long (you could be travelling a lot), do it more often. And it means costs for the credit card company so maybe they start to come up with a better approach (or pass the costs to the failing merchants, also a good incentive IMHO).
Both merchant and credit card company have only one source of income - you, the customer. If you cause their costs to go significantly up, expect them to pass these costs on to you.
Particularly when there's only Visa and Mastercard and they'll spread the cost among all the merchants.
I'd argue that you'd be better off not using cards at all and write to your issuing bank to explain why.
And the technology exists already - it's just a matter of reaching the point where fraud is more costly than fixing the problem. Not needing secure terminals could mean that point is reached a lot earlier than originally thought. We're talking months here IMHO, followed by a few years while the terminals are phased out.
I accept the technology already exists. The difficult (read: expensive) bit isn't the technology, it's every bastard card-issuing organisation and every merchant in the world integrating the technology into their existing systems.
Arguably this should have been done when Chip & PIN was introduced - but that would have been rather more complicated both for issuing banks and for customers. Chip & PIN was a relatively cheap, simple solution which introduces true two-factor authentication AND (this bit's important) pushes liability onto the cardholder. Fraudulent chip & PIN transactions are assumed to be the cardholder's fault for telling someone else their PIN and it's the cardholder who has to prove otherwise.
The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?
I imagine it refers to the part of the company which is referred to as Best Western Continental.
If the GPL was written in English instead of legalese, I think there would be less confusion.
The folks who should be concerned with the GPL are technical folks; not lawyers.
Compared to most EULAs I've read (and yes I do read them, part of my job is to ensure my employer complies with licensing requirements), the GPL is a shining beacon of clarity. Version 3 is rather less clear than 2, but nevertheless both are quite readable.
I suspect the confusion comes from two places:
1. People who don't know anything about software development and think it all sounds terribly awkward to follow.
2. People who have never read any sort of EULA in their lives, GPL included, and go purely on the basis of hearsay.
in reality it's much harder to fight as a terrorist because the collateral damage turns the population against you.
Not if you're careful where you attack. But it works best if the people you disagree with are from another country.
The terrorist argues "Group X are infringing upon us, we've tried asking nicely, let's try blowing them up" and then goes to the country where Group X lives and starts exploding things.
The government of the affected country goes into the country where they think the terrorist originated from. Of course, the government doesn't have the remotest clue who or what they're looking for, but they feel they have to do something. The collateral damage comes when the government just starts mindlessly victimising some group thinking they're responsible for the earlier attack (whether or not that's true is neither here nor there - just because the majority of the IRA were catholics doesn't mean the majority of catholics were members of the IRA, for instance). Note that this attack doesn't have to be limited to killing; internment also counts.
The friends and family of the people who were attacked by the government which stormed in now start to think "Hey, maybe those terrorist people have a point." Congratulations, you've now got three terrorists where previously you had one.
Why would they need to steal the CEO's password, when there is any number of ways to get access. Especially as letting the CEO have admin access is highly dangerous as he keeps his excel documents in the C:\Recycler folder to save space .:)
I actually knew a secretary who did this. She used the recycle bin as a convenient place to put documents she wasn't working on but might wish to refer back to.
She wasn't the sharpest tool in the box. I had a lot of trouble getting the message across that this could be a bad idea.
There is a world of difference between printing off and taking home copies of email which you think may be useful in the future and keeping backdoors on systems so you can hack them later.
One of them is a sensible precaution. The other is a criminal offence under the Computer Misuse Act.
And if he had divorced her, there was still the possibility (however remote) that he'd get to see his kids again and there was still the possibility that he could do something else useful.
I agree.
More to the point, I note that they focus on something which a lot of people think is available to IT admins (the passwords) but no competent admin will ever ask for, store in unencrypted form or allow to cross the network unencrypted.
Perhaps they only asked at companies which have already had to hire them owing to obvious security issues?
I was under the impression that the OLPC project was meant for third-world countries.
In any case, who said anything about the US? Quebec is in Canada and I'm in the UK.
> Most people I know who run 'stolen' software don't have the funds, are not otherwise law-breakers,
> and are not aware of alternatives.
Oh bull, if they can afford the computer they could have afforded to get the OEM preload instead of the pirate version from the neighborhood.
It's not the cost of Windows that's the issue.
It's all the other software you buy at the same time to go with it. Office, for instance - I understand there's a cheaper "home" version available today but until recently the UK individual price for Office was £400 per copy. You get drastic discounts (on the order of 50-75%) as soon as you start entering volume licensing agreements, but they're only open to 5 or more copies - it's easy to imagine a small business with 2 or 3 computers can't afford this.
I don't really know. I do know public education contains some of the most laughable IT staffs in existence, though.
I would take a guess that it's all about the feeling of security. Managers (or whatever government equivalent) are going to feel safer with business solutions rather than open-source alternatives because of support for bugs or other problems. If MS Word screws up, you call Microsoft. If Open Office (using it as an example) screws up, what then? There's no business guarantee that OO will respond in a timely manner to the problem.
I've worked in a school so I've got a bit of experience here.
Laughable IT staff or not (and there is a glimmer of truth in that), managers (or whoever has the role of managing IT - often a teacher) do indeed get the warm fuzzies from buying as much as possible from big companies like Microsoft.
Furthermore, there's another angle. It's fairly common to find that the companies that supply schools (and here I'm talking about primary/secondary level education in the UK) don't tend to supply many businesses and vice versa. The companies that do supply schools will tell you that this is because they specialise in education and can offer better support more appropriate for schools. Many of these companies have been supplying schools for many years and are more-or-less 100% Microsoft shops. Guess what they put in?
Anyone who's any good at IT and has worked in a school will know that this is complete bullshit and that there are dozens of small consulting companies that would love to have a few school contracts and could do a perfectly good job for a lot less. However, in the valley of the blind and all that.... there are plenty of schools that believe they're getting a good deal because they don't have anyone on staff who knows enough to tell them otherwise.
Print them.
Granted, you won't store as many. But unless you're prepared to bury a digital photo frame and power supply at the same time, I really don't see how you can guarantee that the media will be readable with whatever technology we're using in 25 years time.
(And the digital photo frame isn't guaranteed - who knows what state the electronics will be in in 25 years? Plenty of time capsules have been opened only to discover that they're not as waterproof as was originally thought.)
Arguing that you can download the flash file, you just can't do anything useful with it I would say definitely comes under the heading of following the letter rather than the spirit of the regulation.
I was wondering that one.
The amount of money involved is into venture capital territory rather than getting the bank to loan you a few thousand dollars to start a small business.
I can't imagine that many VCs being keen to part with money for what is a much more risky business proposition than most.
Which would suggest that either they've found a VC who's not concerned about this or they're being funded by someone who wants this legal fight and can finance it but isn't prepared to fight it themselves.
Dell? I'm sure they'd love rights to sell OEM copies of OS X.
(Before anyone points it out, I know I'm well into wild conspiracy theory territory.)
Let me tell you a little anecdote which was relayed to me by the IT manager at a previous employer.
When he came to the company, software quality had never been taken particularly seriously. They'd insourced IT where previously everything was handled by an outside company, presumably in the hope of getting better quality services for their money, but were seeing little benefit - mainly because the IT department was so busy implementing new features the business wanted they never had time to debug existing issues.
Helpdesk call levels were very high, the IT department wasn't particularly highly respected in the rest of the business and while the business probably did want less buggy software, they were always too busy chasing after the Next Big Feature to allow the IT department to concentrate on bugfixing.
So he went to the business (ie. the directors/senior management) and said "OK, here's a suggestion. We'll spend the next three months working on nothing but bugfixes. No new features. What glitches with the system are impacting your staff?". The business wasn't hugely keen on the idea of no new features for three months, but he was able to persuade them that the benefits of having more stable software outweighed this.
Three months later, the business was so impressed with the improvements that they asked if the IT department could spend another three months doing nothing but bugfixes.
Sometimes, the business needs a little poke from IT to understand how to get the best benefit from the IT department. Being able to recognise this and make a suitably diplomatic poke is what IT management is there for. If there isn't clear IT management in place to make such a poke - well volunteered.
It's almost as bad as going to the bathroom during commercials when you're watching tv!
If the advertisers prefer, I guess I could pee in a bottle and post it to them.
In the UK (and, I believe, Europe), anyway.
The Data Protection Act briefly states:

Data may only be used for the specific purposes for which it was collected.

Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for other parties to obtain this personal data without authorisation.

Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).

Personal information may be kept for no longer than is necessary.

Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.

Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.

Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
It's not clear which country the Best Western incident took place in but if the systems were hosted in the UK and they processed bookings from UK customers, it looks like a fairly cut and dried breach of that law to me.
There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for having inadequate security systems in place...
That's because a certain amount of fraud is part of the cost of doing business. Stores occasionally take returns of goods which were perfectly OK (until the buyer got their hands on it...), insurance companies occasionally receive claims for a house where the owner perhaps might know a little more about the fire than they claim to. And banks occasionally find people trying to defraud them of money.
The nature of that fraud may or may not involve someone on the inside. Given the number of people employed by most banks, it's practically inconceivable that every single employee is 100% honest. The fraud may be a million people stealing £1 or one person stealing £1 million, but it will always be there.
Fighting that fraud costs money. If a bank calculates that a new measure to fight fraud will cost £10 million but is only expected to save £500,000 worth of fraud per annum, enacting the measure makes no sense.
Replacing every customer's credit card with something akin to an RSA SecurID card would mean reworking your systems so they don't expect a single, unchanging card number to tie to the account.
It would mean working with Visa to have such a card accepted as a Visa card worldwide.
It would mean updating every merchant terminal in every merchant in the world to work with the new system.
In cases where the merchant has decided not to use terminals and instead integrate accepting cards directly with their PoS system, it would mean asking these merchants to update their system or they won't be able to accept such cards.
This would be obscenely expensive and have obscene risk because it's not an incremental change like chip & PIN was. I can't see it being even remotely practical.
Oh I so wish I had moderator points for your wit.
I do.
Oh damn.
I don't know, it tends to be pretty big news when someone is found innocent of a crime such as murder.
It's big news when it's a celebrity (either victim or accused, eg. OJ Simpson in the US or Jill Dando in the UK) or there was something deemed by the press as "important" (eg. a child was involved).
Otherwise, it certainly isn't big news.
(2) is something that has always amazed me - why has this been left alone by anti-monopoly agencies?
Probably because the various anti-monopoly agencies are by and large more concerned if a monopoly seriously affects the consumer, and if breaking up the monopoly would be an improvement.
AFAIK, Visa and Mastercard generally have their contracts with the various banks fairly open-ended regarding how the customer is looked after and it's down to the bank to decide how much they care about their customers. The fact that in any given country, virtually every damn bank operates almost identical policies to every other bank is, I would say, of rather greater interest.
Given the worldwide acceptance of Visa/Mastercard, and the level of convenience it brings, anything which interferes with this is probably a Very Bad Thing.
Actually there's plenty. Specifically that a Linux admin has absolute control over what happens to the machine and how it happens.
How is this application going to get on the machine in the first place? (As an executable file). How is it going to get executed? Especially when the "desktop environment" is a hotel reservation system...
Are you aware of Group Policy (an intrinsic part of Active Directory) which allows a Windows admin to do exactly this? You can certainly limit running executables to a number of known-good applications.
When you're putting together a system which is intended to be used by someone who will only ever be taking hotel reservations, the sensible thing to do would be to limit web access to internal websites only, block any executable email attachments on the mail server itself (both of which can be done before you even touch the desktop PC) and nail the desktop PC down such that it may only execute the application used to take reservations, a web browser set to the tightest security setting and a mail client if you accept reservations by email.
Anything less than this is inviting trouble and is a flagrant breach of the first rule of IT security - you only give people exactly what they need to do their job, nothing more.
The issue described is something which could easily have been prevented and would not have required Linux desktops in order to do so.
You could significantly reduce the risk, however, by reducing how much access each user has to various systems, firewalling between departments and blocking not just incoming traffic but also outgoing traffic at the border, only allowing known-good traffic to pass.
This exact same technique works equally well regardless of what OS you use on the desktop ;)
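The lockdown the comment above describes (only the reservations application, a browser and Windows itself may execute; only known-good traffic may leave the machine), written out as an added example rather than anything the poster published. It targets one front-desk PC with AppLocker and the Windows host firewall, so it needs Windows 8/Server 2012 or later and an elevated PowerShell session; in 2008 the same allowlist would have been built with Software Restriction Policies, AppLocker's predecessor. Every path, executable name, address range and SID comment below is an assumption made for illustration; the booking server, domain controller and sample downloaded file do not exist outside this example.

```powershell
# Added example, not code from the original poster. Locks down a reservations-desk
# PC as the comment describes: an AppLocker allowlist so the clerk can run only the
# reservations client, the browser and Windows itself, then a default-deny outbound
# host firewall so only known-good traffic leaves the machine. Requires Windows 8 /
# Server 2012 or later and an elevated PowerShell session. Every path, name and
# address below is an assumption for illustration.

$ErrorActionPreference = 'Stop'

$ReservationsDir = 'C:\Program Files\Reservations'              # assumed install directory
$ReservationsExe = Join-Path $ReservationsDir 'ResvClient.exe'  # assumed executable name
$Browser         = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$PolicyXml       = Join-Path $env:TEMP 'frontdesk-applocker.xml'
$BookingServer   = '10.20.5.10'     # assumed internal booking server
$DomainCtrl      = '10.20.0.10'     # assumed domain controller (also the DNS resolver)
$IntranetRange   = '10.20.0.0/16'   # assumed internal address space

# ---- 1. Application allowlist (AppLocker) ---------------------------------------
# Publisher rules keep working when a signed binary is updated; hash rules cover
# anything unsigned.
$allowedFiles  = @(Get-AppLockerFileInformation -Directory $ReservationsDir -Recurse -FileType Exe)
$allowedFiles += Get-AppLockerFileInformation -Path $Browser

[xml]$doc = New-AppLockerPolicy -FileInformation $allowedFiles -RuleType Publisher,Hash `
                                -User Everyone -RuleNamePrefix FrontDesk -Optimize -Xml
$exeRules = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeRules.SetAttribute('EnforcementMode', 'Enabled')   # enforce, not just audit

function Add-PathRule([System.Xml.XmlElement]$Collection, [string]$Name,
                      [string]$Path, [string]$Sid, [string]$Action = 'Allow') {
    $d    = $Collection.OwnerDocument
    $rule = $d.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', $Sid)
    $rule.SetAttribute('Action', $Action)
    $cond  = $d.CreateElement('FilePathCondition'); $cond.SetAttribute('Path', $Path)
    $conds = $d.CreateElement('Conditions');        [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds); [void]$Collection.AppendChild($rule)
}
# Once a collection is enforced, anything not matched is denied, so Windows itself
# must be allowed or the clerk cannot even log on. Administrators may run anything.
Add-PathRule $exeRules 'FrontDesk: Windows binaries' '%WINDIR%\*' 'S-1-1-0'       # Everyone
Add-PathRule $exeRules 'FrontDesk: administrators'   '*'          'S-1-5-32-544'  # BUILTIN\Administrators
# %WINDIR% holds directories a standard user can write to; deny them explicitly
# (deny rules take precedence over allow rules).
Add-PathRule $exeRules 'FrontDesk: no exec from Windows\Temp'  '%WINDIR%\Temp\*'  'S-1-1-0' 'Deny'
Add-PathRule $exeRules 'FrontDesk: no exec from Windows\Tasks' '%WINDIR%\Tasks\*' 'S-1-1-0' 'Deny'
$doc.Save($PolicyXml)

# Dry run before applying: the reservations client must be allowed, a file the clerk
# saved from an e-mail must not be. ($sample is assumed to exist for this check.)
$sample = 'C:\Users\Public\Downloads\invoice.exe'
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $ReservationsExe, $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# ResvClient.exe should show Allowed, invoice.exe DeniedByDefaultRule.

# Apply to the local policy. AppLocker only enforces while the Application Identity
# service is running. (Pass -Ldap with a GPO path to push it through Active Directory.)
Set-AppLockerPolicy -XmlPolicy $PolicyXml
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# ---- 2. Known-good outbound traffic only (host firewall) -------------------------
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'FrontDesk: domain controller (AD, DNS, Kerberos, SMB)' `
    -Direction Outbound -Action Allow -RemoteAddress $DomainCtrl
New-NetFirewallRule -DisplayName 'FrontDesk: reservations client to booking server' `
    -Direction Outbound -Action Allow -Program $ReservationsExe -Protocol TCP `
    -RemoteAddress $BookingServer -RemotePort 443
New-NetFirewallRule -DisplayName 'FrontDesk: browser to intranet only' `
    -Direction Outbound -Action Allow -Program $Browser -Protocol TCP `
    -RemoteAddress $IntranetRange -RemotePort 80,443
# Anything else, including a keylogger trying to phone home, is dropped.
Get-NetFirewallProfile | Format-Table Name, DefaultOutboundAction -AutoSize
```

Set EnforcementMode to AuditOnly for the first week and read the AppLocker EXE and DLL event logs before switching to Enabled; that is where the odd helper binary the reservations client spawns will show up. The default-deny outbound profile also blocks Windows Update and antivirus updates, so those need rules to an internal WSUS or update server. Blocking executable attachments on the mail server and restricting web access at the proxy, which the comment also calls for, happen on those servers and are not part of this script.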
It's easier when the relevant tools come as standard. As opposed to third-party add-ons which may or may not actually do the job.
I'm sorry, you've lost me altogether there. You get the building blocks to set up a locked down desktop - you could use rsync to ensure that the end-user only ever ran a very locked down KDE session, for instance, and if you wanted to get clever you could write a script which speaks to a database which holds information regarding what user groups get access to what applications - but there's nothing precooked in the way that Active Directory is unless you start going down the proprietary management route.
(Disclaimer: I'm a sysadmin who deals with Windows on the desktop, allows his users to run Linux and has a server farm which is 95% Linux. I've looked at exactly this kind of thing several times in the past. You can lock down Linux and Windows desktops to a similar level, but Windows does make it rather easier unless you buy something like Novell or Canonical's management tools, which are proprietary)
There's nothing intrinsic to Linux which would prevent an application running as an unprivileged task in userland hooking into the desktop environment and passing keystrokes to an unknown outside attacker.
I grant you, this hasn't happened yet. But there's little that could prevent it.
You could significantly reduce the risk, however, by reducing how much access each user has to various systems, firewalling between departments and blocking not just incoming traffic but also outgoing traffic at the border, only allowing known-good traffic to pass.
This exact same technique works equally well regardless of what OS you use on the desktop ;)
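The two ideas above (a desktop that may only execute a short list of known-good applications, and a border that denies outbound traffic unless it is on a known-good list) are both default-deny allow-lists, and they can be audited the same way. The following is an added example, not code from the original thread or from any product mentioned in it: a small Python policy checker that evaluates constructed process-launch and outbound-connection events for a hypothetical "reservations" role. The executable paths, the 10.x addresses, the host name and the log format are all made up for the example.

```python
"""Default-deny allow-list checks for a single-purpose desktop.

Constructed example: the policy, host names and log lines below are made up
to illustrate the lock-down described in the thread, not taken from any real
deployment or product.
"""
import ipaddress
from typing import List, Set, Tuple

# --- Policy (constructed; a hypothetical front-desk role) -------------------

# Only these executables may run; anything else is denied. This is the
# allow-list style of desktop restriction the thread attributes to Group
# Policy, expressed as data so it can be audited offline.
ALLOWED_EXECUTABLES: Set[str] = {
    r"c:\program files\reservationsystem\reservations.exe",
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\mailclient\mail.exe",
}

# Outbound traffic is denied by default. Each entry allows one destination
# network and a set of TCP ports for one role, so departments can be kept
# apart by giving them different roles. Addresses are hypothetical.
EGRESS_ALLOW: List[Tuple[str, ipaddress.IPv4Network, Set[int]]] = [
    ("reservations", ipaddress.ip_network("10.1.0.0/16"), {80, 443}),   # intranet web only
    ("reservations", ipaddress.ip_network("10.2.0.10/32"), {25, 143}),  # internal mail server
]


def check_process(path: str) -> bool:
    """True if the executable is on the allow-list (Windows paths compare case-insensitively)."""
    return path.lower() in ALLOWED_EXECUTABLES


def check_egress(role: str, dst: str, port: int) -> bool:
    """True only if some rule for this role covers both the destination and the port."""
    addr = ipaddress.ip_address(dst)
    return any(role == r and addr in net and port in ports
               for r, net, ports in EGRESS_ALLOW)


def audit(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Evaluate pipe-delimited event lines and return the ones the policy denies.

    Constructed format:
        timestamp|host|role|exec|<path>
        timestamp|host|role|connect|<dst-ip>|<dst-port>
    Returns (timestamp, host, event kind, detail) for every denied event.
    """
    denied = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) < 5:
            continue  # malformed line; skipped, not treated as a decision
        ts, host, role, kind = parts[:4]
        if kind == "exec":
            ok = check_process(parts[4])
        elif kind == "connect" and len(parts) == 6:
            ok = check_egress(role, parts[4], int(parts[5]))
        else:
            ok = False  # unknown event types are denied, not silently ignored
        if not ok:
            denied.append((ts, host, kind, "|".join(parts[4:])))
    return denied


# Constructed event log: a normal start of day, then a downloaded executable
# being launched and a connection attempt straight out to the Internet.
SAMPLE_LOG = """\
2008-08-25 09:00:01|FRONTDESK-01|reservations|exec|C:\\Program Files\\ReservationSystem\\reservations.exe
2008-08-25 09:00:05|FRONTDESK-01|reservations|connect|10.1.4.20|443
2008-08-25 09:02:11|FRONTDESK-01|reservations|exec|C:\\Users\\desk\\Downloads\\invoice.exe
2008-08-25 09:02:12|FRONTDESK-01|reservations|connect|198.51.100.7|80
2008-08-25 09:03:00|FRONTDESK-01|reservations|connect|10.2.0.10|143
""".splitlines()

if __name__ == "__main__":
    for ts, host, kind, detail in audit(SAMPLE_LOG):
        print(f"{ts} {host} DENIED {kind}: {detail}")
```

Run as a script it reports the two denied events (the unlisted executable and the outbound connection to a non-internal address); everything else on the constructed log passes. The point of keeping the policy as plain data is that the same allow-list can be checked against a host's own logs regardless of whether the enforcement mechanism is Group Policy, a local firewall, or the border router.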
...why the spokesdrones for so many major companies are allowed to spew the most outrageous bullshit ("We care about our staff"; "The privacy of our guests is our number one concern", etc.), and nobody in the mainstream press ever calls them on it.
Even politicians, for whom lying is as easy and natural as breathing, are rarely so brazenly, in-your-face dishonest.
The world needs more Jeremy Paxmans (Paxmen?):
http://www.youtube.com/watch?v=BklT7Qy07Is
http://www.youtube.com/watch?v=vRRYDVaXdaA
http://www.youtube.com/watch?v=4aiHbUplz3k
.. get new credit cards every half year or so. You're not charged for the change, it secures any leakage you may have left behind and it ensures that data theft isn't a problem. If you think 6 months is too long (you could be travelling a lot), do it more often. And it means costs for the credit card company so maybe they start to come up with a better approach (or pass the costs to the failing merchants, also a good incentive IMHO).
Both merchant and credit card company have only one source of income - you, the customer. If you cause their costs to go significantly up, expect them to pass these costs on to you.
Particularly when there's only Visa and Mastercard and they'll spread the cost among all the merchants.
I'd argue that you'd be better off not using cards at all and write to your issuing bank to explain why.
And the technology exists already - it's just a matter of reaching the point where fraud is more costly than fixing the problem. Not needing secure terminals could mean that point is reached a lot earlier than originally thought. We're talking months here IMHO, followed by a few years while the terminals are phased out.
I accept the technology already exists. The difficult (read: expensive) bit isn't the technology, it's every bastard card-issuing organisation and every merchant in the world integrating the technology into their existing systems.
Arguably this should have been done when Chip & PIN was introduced - but that would have been rather more complicated both for issuing banks and for customers. Chip & PIN was a relatively cheap, simple solution which introduces true two-factor authentication AND (this bit's important) pushes liability onto the cardholder. Fraudulent Chip & PIN transactions are assumed to be the cardholder's fault for telling someone else their PIN and it's the cardholder who has to prove otherwise.
The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?
I imagine it refers to the part of the company which is referred to as Best Western Continental.
If the GPL was written in English instead of legalese, I think there would be less confusion.
The folks who should be concerned with the GPL are technical folks; not lawyers.
Compared to most EULAs I've read (and yes I do read them, part of my job is to ensure my employer complies with licensing requirements), the GPL is a shining beacon of clarity. Version 3 is rather less clear than 2, but nevertheless both are quite readable.
I suspect the confusion comes from two places:
1. People who don't know anything about software development and think it all sounds terribly awkward to follow.
2. People who have never read any sort of EULA in their lives, GPL included, and go purely on the basis of hearsay.
In reality it's much harder to fight as a terrorist because the collateral damage turns the population against you.
Not if you're careful where you attack. But it works best if the people you disagree with are from another country.
The terrorist argues "Group X are infringing upon us, we've tried asking nicely, let's try blowing them up" and then goes to the country where Group X lives and starts exploding things.
The government of the affected country goes into the country where they think the terrorist originated from. Of course, the government doesn't have the remotest clue who or what they're looking for, but they feel they have to do something. The collateral damage comes when the government just starts mindlessly victimising some group thinking they're responsible for the earlier attack (whether or not that's true is neither here nor there - just because the majority of the IRA were Catholics doesn't mean the majority of Catholics were members of the IRA, for instance). Note that this attack doesn't have to be limited to killing; internment also counts.
The friends and family of the people who were attacked by the government which stormed in now start to think "Hey, maybe those terrorist people have a point." Congratulations, you've now got three terrorists where previously you had one.
It will still be slower for sustained transfers than Firewire 400.
The most important part, did they finally make it non CPU intensive?
I doubt it. In order to do that, you'd have to move work out of drivers and into silicon, which is quite a bit more expensive.