Yes, that _particular_ card was cloned wholesale due to that implementation. Others are also being cloned. Look at http://www.digitaljournal.com/... .
I'm afraid it's unrealistic to say they're "almost impossible to clone". The Prilex malware seems to be this year's most broadly supported cloning technology, and it may be reparable. But I don't think you can point to a single year since the development of "chip and pin" technology that didn't have a widespread cloning story.
If I may disagree, Google has very little commercial reason to love censorship. Their business is based on a very wide-ranging consumption of every type of data possible, so that Google can monitor _that_ and assemble the most desired information to provide people. Their popular services are based on being able to handle any question for anyone at all. They've been forced to put some limits on that information, by copyright and security laws, but they seem compelled to do this, not _eager_ to do this.
Google has shown that they're willing to make compromises with repressive governments: In China, they compete with Baidu, which is far more cooperative with censorship. But what strikes at Google's business models is the _anonymization_ of requests. Their targeted advertising and targeted searching are some of the most effective in the world. An anti-censorship tool that anonymizes and conceals the _requests_ for data, and the data harvested by and lingered over by clients, could interfere profoundly with Google's main businesses.
As best I can tell, Google rejected this privacy enhancing application to cooperate with the Chinese government, and to help protect the gathering of client data by online businesses. Other governments also object to privacy applications, but China is the largest growing market. Google has to compete with companies like Baidu who are far more cooperative with the Chinese government to grow in Asia, especially in China.
> idiots use enterprise NAT and it is a pain in the ass, every single goddamn day.
So is the endless scanning and attacks on exposed IP addresses. So is the endless firewall tuning and maintenance to support a sophisticated internal network that presumes that every IP address will be exposed and services activated without having to get permission and put it through the NAT gateway. The working assumption for NAT, that all incoming traffic is absolutely forbidden unless both the NAT port forwarding is active *and* the clients are configured to seek out the designated alternative port, is one of the most effective throttles I've ever seen. Like a spam filter, it's not perfect, but it helps reduce the work to something tractable. NAT is more like a hood above your car engine. It's there 24x7 keeping out debris, even if it's in your way sometimes.
If I may, I'll lay out the IPv6/NAT link. The shrinking, almost empty pool of IPv4 addresses has many, even most, IPv4 users compelled to use NAT. IPv6 was designed to expand the pool of addresses, to enable every device in the world to be able to see every other device with a unique IP address. That is what I find is breaking privacy.
CPR is not used for myocardial infarction. The heart stopping, such as from atrial tachycardia, is treatable with CPR. CPR is quite dangerous: it tends to break ribs and is not that efficient. The mortality rate for CPR is also quite high: if you ever perform CPR in the field, it's important not to blame yourself personally if it fails, even if you made small mistakes. Only roughly 1/3 of CPR patients survive.
Myocardial infarctions are tissue death in the heart, caused by a blockage. They're typically painful because muscle tissue in the heart is _dying_. Many people have survived numerous small infarctions. ECGs, however, electrocardiograms, where electrodes are placed on the chest and a few elsewhere on the body to monitor heart activity, do involve at least opening up the shirt and exposing the chest.
Also, many patients are quite frightened in the emergency room. I can easily picture a frightened, older female patient, who grew up more than 50 years ago, being less frightened and less reluctant to share their full medical information with a male physician, and their family or caregivers less able to communicate with a male physician.
There have been some such projects, especially libreboot. The program has produced good quality working BIOSes over the years. Sadly, it's also suffered some unnecessary political turmoil due to its lead developer making some unfounded accusations of transgender discrimination. This was covered here, https://yro.slashdot.org/story...
I've certainly used "NAT traversal", port forwarding, proxies, and the like. I am experienced, even expert, in precisely how the limited resources of a small exposed address space can be worked around. The point I've tried to make is that the exposure of publicly accessible IP addresses of every device in the world for which IPv6 was designed is, itself, a profound security hazard and for most environments undesirable. Yes, one can install and maintain gateways and firewalls, but the enforced gateway of NAT is itself an elementary and _enforceable_ line of household and business network defense. It's enforced because the household and small business connectivity network vendors are not _providing_ routers capable of running IPv6 internally. They simply don't bother.
My work has involved many customers and partners with thousands of hosts in their networks. Internal business networks without NAT are _not_ common, and the enforced policies of service exposure necessary for NAT are always a critical aspect of firewall and router configuration.
In theory, networking is best when it is entirely exposed and valid. I'm afraid that in the real world, it is constantly being adjusted and tuned, locally optimized for both cost savings and security. NAT is _supposed_ to break networking, to prevent reaching into an internal network from outside without specific designated service by the NAT gateway owner.
> The addresses used by IPv6 privacy extensions rotate more rapidly than IPv4 DHCP4,
I'm sad to say "so what"? The addresses are not exposed through random network scans. They're exposed by traffic sniffing, and logs collected on remote services. And the attackers do not care, and the home or small business user typically has no interest, nor capacity in skills, to enable the IPv6 "stateless addresses". And I'm afraid the addresses are not, by any means, "stateless".
Small internal networks can use ".localdomain" or ".example.com" to run their own internal domains. It's certainly better than trying to outguess the constantly growing number of top level domains to avoid accidentally using one and having wildcard DNS associated with it take over the addresses you expect to reach.
Oh, my, yes, I can picture many such scenarios. I've used several of them. They mostly involve bulky storage that would have been vastly more expensive, or a much larger power drain, than an inexpensive and compact single spinning drive in a USB case. It's unlikely to be a performance improvement, but depending on the application, there are times I was not concerned about that. The biggest reason to do it was physical security: the drive can be easily removed and locked in a fire safe or a vault when not live.
I'm assuming, from the tone of your comments, that this was not the case in your workplace. But I must admit that sometimes people do quite stupid sounding things for very good reasons. Might any good reason have applied here?
I'm afraid that a security extension that no one bothers to use cannot be counted and is irrelevant to network planning. No network I've encountered since the invention of IPv6 has activated those extensions. Most of them who've bothered with IPv6 have run it in parallel with IPv4 on their externally exposed addresses. And _none_ have discarded their IPv4 exposed NAT addresses in favor of IPv6.
Whether NAT was "an awful solution", it has been effective and remains effective. I'm afraid that the underlying logical premise of IPv6, that every device should be addressable from every other device, was undesirable and flawed from its conception. Most devices on the Internet _should not_ be accessible from most other devices, and there has been no concrete reason to make them accessible. It's why most home routers simply use NAT, as do most corporate, educational, and public wifi networks. Though it is theoretically inelegant compared to IPv6, NAT on IPv4 takes less work to set up and is thus the standard worldwide.
Because they can tap the requests on the DNS resolvers and resell them. Verisign did something commercially similar by putting a wildcard at *.com instead of returning an "invalid address" response.
Please tell me that this will break internal DNS for non-existent top level domains. I've recently encountered several business partners who insisted on inventing their own internal top level domains, and simply accepting that there is no HTTPS signatory for those top level domains.
It's a harsh statement, but the published goals of IPv6 are for every device to have a unique, stable IP address. This destroys even the slight anonymity currently afforded by NAT. It is one of the reasons many companies _refuse_ to switch to IPv6, even though one can do NAT over IPv6. The relatively small allocated IPv4 address space demands the use of NAT almost everywhere, and blurs the source of client connections.
Are they publishing the latest backdoors, the new ones installed by their patch for the _last_ set of backdoors?
I'm sorry to see them failing this way, because they have a long history of robust equipment. But I'm afraid that Cisco has made the "put in new backdoors with each release" mistake too many times to think it is anything other than malice. I'm afraid that they are deliberately cooperating with security agencies who've been caught too often performing unconstitutional and even criminal monitoring of entirely innocent traffic with no criminal or national security reason to do so.
Even if not a deliberate fraud, accidental explosions can be turned into causes for war.
"Remember the Maine" was a political response to an apparently accidental explosion on the USS Maine that helped trigger the Spanish American War. The Reichstag fire in 1933 was used by the Nazi party to blame the Communist party in Germany, a vital part of their rise to power. The history of the modern Middle East is filled with the political results of bombings and _accusations_ of bombings and murders, some of them entirely fake.
There is a famous quote about this from Vince Lombardi: "Only perfect practice makes perfect." Flawed practice reinforces the flaws. And learning entirely on one's own is likely to reinforce beginner's flaws without some competent feedback to guide the work and correct them.
This is not to denigrate the self-taught, or the genuinely interested student of a field. But some help learning to do tasks well can be critical to do robust, effective work.
That approach can actually be useful for security and storage migration reasons. Keeping dedicated storage _out_ of the back end storage arrays, transferable as a physical device that can be used without the rest of the virtualized storage, can have its uses. That used to be a critical piece of some software licensing, especially when the software vendor embedded DRM in a physical USB device. It's been years since I saw that done: I do believe that vendor went out of business.
I'm afraid that your analysis is unjustifiably optimistic. The Wikipedia article is surprisingly good, and cites the actual regulations at https://en.wikipedia.org/wiki/.... When the regulations were found unconstitutional, they were transferred wholesale to the Department of Commerce. Free use of cryptography is trapped in the awkward struggle between business and free speech lobbyists who want to use and export robust cryptography, and the law enforcement and intelligence agencies that want only encryption that they can intercept easily.
This has been tested in court, with the Anarchist's Cookbook and when Analog magazine published rough designs for an atomic bomb in the 1970's. I remember both when they were first printed, and the furor surrounding them.
If I may say, "nonsense". See the many articles on the wholesale replication of "pin" cards, such as https://www.scmagazine.com/evo... .
Some teachers have cooperated with students who wished to attend class naked. One teacher that I know actually demanded it for a visual arts course.
https://www.youtube.com/watch?...
> You obviously have never used IPv6 from an ISP.
I have. For home addresses, many vendors provide IPv4 and IPv6, and both addresses are NAT'ed, precisely to avoid people hosting traffic with public IP addresses. But many, and this includes large vendors like Verizon and Comcast, have used NAT addresses themselves for the exposed home IP addresses. They do not _want_ to expose the IP addresses of people's home routers unless they are paid for it, because it encourages them to set up their home addresses as publicly exposed services. And that leads to some startling bandwidth costs for _uploaded_ traffic. As times have changed, more vendors have provided IPv6 for various reasons. But the home devices, the cable routers, are _never_ set up to expose the home devices on IPv6. The same is true for business routers. I know of a single corporation I've dealt with in the last few decades that used exposed IP addresses for their internal networks, and that was because they owned a /8 IPv4 address space.
Also, put any RFID tagged cards or passports in Faraday cage pouches.
> we can freely use strong encryption.
I'm afraid that we cannot. It's still restricted for export, and attempts to provide it in hardware or software, without escrow keys or backdoors available to government request without due process, will lead to no export permits for this and other goods from your company. I'm afraid that these policies are at the core of Cisco's security practices, which have been repeatedly exposed as containing back doors for government monitoring. The practice is described in Tom's Hardware, at https://www.tomshardware.com/n...