Slashdot Mirror


User: rs232

rs232's activity in the archive.

Stories
0
Comments
1,828

Comments · 1,828

  1. real serious security flaw In ATMs .. on Possible Serious Security Flaw In ATMs · · Score: 1

    This was stored as an image for some reason

    "At the ATM, the information is combined into a format called a PIN block, scrambled, then passed along the network. The intermediate steps are called switches, and these are rarely owned by the cardholder's bank. So at each step, the PIN block is unscrambled and rescrambled with a new key in a machine called a hardware security module (HSM). It's at these intermediate points where hackers could trick the machines into divulging PINs, Israeli researchers say."

    Actually a UK security researcher published a method of getting the HSM to divulge the master key. These are delivered to the bank and require two people to enter unique keys to program for use. The method involved successively entering these keys, the results from which the master key can be deduced. The original URL seems to have disappeared.

    http://www.schneier.com/blog/archives/2006/11/attacking_bankc.html

    On another note, does anyone remember when phantom withdrawals were a regular occurrence here in the UK? Well, later on it was discovered that the staff at the card issuing facility had discovered a way of producing ATM cards with the same three PINs. They then sold on the PINs to the criminal fraternity. That URL has also disappeared.

  2. smart cards irrelevant .. on Possible Serious Security Flaw In ATMs · · Score: 1

    The use of smartcards won't make a difference as the authorization code still has to travel across the network. As this article points out, it is this security system that is open to being hacked. As such all PINs and data are exposed.

    "a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks"

    was Re:Not possible with smart cards

  3. what usability issues... on Birmingham To Buy More, Not Less Open Source · · Score: 1

    "I use Gnome, but it sure has usability issues"

    What specific usability issues would the average user have in browsing, emailing and word processing? was Re:I hope the Gnome folks read this bit ...

  4. not a single Linux desktop .. on Birmingham To Buy More, Not Less Open Source · · Score: 2, Insightful

    "no Linux desktops have yet been installed"

    It strikes me that they attempted a roll out of a Linux desktop solution with no previous experience. They would have been occupied in bringing in an experienced company to do the job.

    "half-a-million-pound cost of designing and implementing the system cost more than the estimated cost for a Windows XP installation"

    What were they implementing on the Suse desktop that required spending half a million pounds?

    "usability problems with the original Gnome interface .. staff ripped out Gnome and replaced it with KDE"

    Like what? Gnome is specifically designed to provide a rich user interface. Either of them can be replaced by a Windows look alike.

    "For instance, existing Windows 3.1 public terminals used a program called Deepfreeze that rebooted the system at the end of each session, something that had to be re-engineered for Linux"

    He's kidding, put a line in .bash_logout 'shutdown -r 0 now' and that's it. And besides which, why do you need to reboot at logout?

    "Staff also found that the OS was storing information about the contents of public users' removable media, and for privacy purposes had to develop a script to delete this information"

    Like where and how? Linux mostly uses /tmp to store temp files; all you have to do is add another line to .bash_logout 'find /tmp/ -user $user -exec rm -r {} \;'. Or else put /tmp in a ramdisk and flush it at logout.

  5. minority report .. on Iraq Study Group Reaches Concensus · · Score: 2

    Declare the Geneva Convention obsolete. Bug the UN. Split NATO. Overthrow a stable military dictatorship and disband the Army, the now unemployed members of which will go on to form the future insurgent organisations. Watch the country descend into total civil war, a magnet for every disaffected youth in the Middle East. Watch helplessly as the country is infiltrated by insurgents from Iran, Syria and Jordan. Then announce victory and withdraw. Repeat same in Afghanistan. Give legal sanction to torture. Declare victory for democracy.

    http://www.kron.com/global/story.asp?s=1962000&ClientType=Printable
    http://politics.guardian.co.uk/iraq/story/0,12956,1157547,00.html
    http://fpc.state.gov/fpc/8688.htm

  6. Ballmer have been very supportive our situation .. on Novell CEO Gives Behind the Scenes Account of Microsoft Deal · · Score: 1

    Well, that's curious as he is the root cause of your 'situation'.

    DT: Did the patent review turn up any possible violations of Microsoft patents in the Linux source code? We absolutely have made no admissions of any infringements, period, from our point of view. No admissions.

    RH: I'm not sure that's the same thing as saying no possible violations have turned up. We did not do a full review as part of the process. [Microsoft] may have; we did not. I think your question was based on an assumption that we did a deep review, and we didn't.

    Didn't you even ask him what specifically they discovered in Linux that was violating their patents? They do have a Linux Lab after all and have been poring over the code for years.

    DT: Aside from the open letter in response to Ballmer's comments that you posted on your Web site, did you get on the phone with Ballmer and ask him what was going on?

    RH: Yes, we did have that communication. I would tell you that Microsoft -- Steve and [general counsel] Brad [Smith] and Bob [Muglia] -- have been very supportive and understanding of our situation. At the executive level, they've been operating very genuinely -- I have to give them full credit for that.

    What did you talk about? What did you ask him? What didn't you ask him, and why not?

  7. Re:LOL on Oracle Zero-Day Flaw Project Cancelled · · Score: 2, Insightful

    1. Start a security consulting firm
    2. Request 0 day vulnerabilities from everyone for an event
    3. Get threatened with litigation
    4. Cancel Event

    "[We] do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing "zero day" exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack ", Eric Maurice

    "Oracle might have caught a break with Cerrudo but the upcoming release of a hacking handbook by database security guru David Litchfield .. titled The Oracle Hacker's Handbook .. promises an in depth examination of all the techniques and tools that hackers use to break into Oracle database servers"

  8. let's aggravate Kim Jong Il .. on US Bans Sales of iPods To North Korea · · Score: 1

    "If you take away one of the tools of his control, perhaps you weaken the cohesion of his leadership"

    Yea, if we take away his iPod, plasma television and Segway he'll totally lose it ..

  9. accurate headline .. on MS Anti-ODF Lobbyist Named As MA Tech Advisor · · Score: 1

    "This one makes it seem like there is one tech advisor to MA, and that they're an MS Lobbyist. What we actually find out by reading the rest"

    The headline is completely and fully accurate. As you pointed out, the rest of the article fills in the details. But even one anti ODF lobbyist on the group is bad.

    was Misleading Headline (Score:1)

  10. and in the same breath outlaw Open Source .. on French Parliament To Go Open Source · · Score: 1

    "creation of an administrative authority empowered with the ability to prohibit the publication of free software accessing protected works"

    "What does the new French copyright bill do ?"

  11. Re:We wouldn't be having this problem if... on Community Comments To Security Absurdity Article · · Score: 1

    "bit overkill. Check to see where they're [URLs] going first"

    How do you tell from viewing the URL that microsoft.com isn't the same as microsoft.com.some.unicode.characters.com?

    "don't open unexpected attachments seems more correct than not opening any attachments"

    How can you tell an attachment is unexpected if it comes from a known address, without opening it?

    "how frequently is a Mac targeted in preference to a Windows system?"

    It's not a matter of frequency, the underlying OS is more secure. The fact is that spam is promulgated by vast networks of compromised Windows computers.

    "most people don't use their computers in a hermetically sealed room with no connection to the outside world whatsoever..."

    Is it technically possible to design a 'computer' that doesn't get viruses/hacked by opening an email attachment or clicking on a web URL, that a user without a degree in computer security can use?

    Re:We wouldn't be having this problem if...(Score:5, Insightful)

  12. it sure does matter .. on Community Comments To Security Absurdity Article · · Score: 1

    "lets say the article is right does it matter?"

    It does in that people will be wary of doing online commerce and that will hit the bottom line.

    "so far as i know, neither I, nor any member of my family, nor anyone i know, has actually been seriously hurt by malware"

    You must be the only one on the planet then.

    "as we know, the whole id theft thing is a media exaggeration"

    "An Emmy-winning film producer whose life was disrupted after hackers stole her Social Security number"

    was Re:does it matter

  13. what, exactly is Novell paying for ? .. on OpenSUSE Opens Up to Questions About the Microsoft Deal · · Score: 1

    "Q. What, exactly, is Novell paying for?"

    "Nat Friedman: We're paying for the promise that Microsoft made to our customers not to sue them .."

    What authority do you have to make such a decision on behalf of your 'customers'? Does a Novell customer somehow enter into an agreement with Microsoft merely by using SuSE code? Does a Novell customer want to have any contractual association with Microsoft? I ask this as a SuSE user.

    I can see what MS have got out of the agreement: you've handed MS ammunition in their FUD war against Open Source. I can't for the life of me see what Novell get out of it. Personally I haven't decided to switch, I'm going to wait and see.

  14. What's the Redmond connection .. on Thailand Government Cancels OLPC Participation · · Score: 1

    "In Thailand, Microsoft was the first corporation to be nominated for a royal decoration award from the king"

    What possibly could a software vendor teach educators about education?

  15. SCO strategy .. on IBM Denies Destroying Evidence in SCO Case · · Score: 2, Funny

    SCO: there is line by line copying of SCO code in Linux.
    IBM: what source code.
    SCO: we aren't saying and besides which you deleted the evidence.

  16. root cause of spam .. on Spammers Learn to Outsource Their Captcha Needs · · Score: 1

    Do all those compromised Windows machines in use as spambot networks have anything to do with the current spam infestation, and not some people in developing countries?

  17. waiting until the last day .. on Microsoft Meets EU Antitrust Deadline · · Score: 1

    "Whether or not the documents have accomplished that task will not be known for several months yet"

    By which time Vista will be in the market, making it difficult to recall if MS is found to be still in breach of the ruling.

  18. Whenever FF is mentioned .. on Firefox 2.0 Password Manager Bug Exposes Passwords · · Score: 1

    Whenever FF is talked about, at least once mention the memory leak problem .. :)

    "he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM"

    I have never experienced the fabled FF memory problem .. 300MB RAM, FF = 52MB.

    was You're lucky. (Score:5, memory leak fud)

  19. FF FUD .. on Firefox 2.0 Password Manager Bug Exposes Passwords · · Score: 1

    "Firefox .. it deletes files when they are dragged into the browser window . IE won't even allow you to do the dragging"

    Here on FF 2.0 it does no such thing, just opens up in a window, does not delete.

    "if you are getting messages from your Yahoo groups by e-mail on your gmail account, the Yahoo ads are overlaying the text. IE does not do that"

    I don't understand, does yahoo include adverts in the email. Here on FF 2.0 I have no such problem. I don't even see the adverts in Yahoo as I have adblock enabled.

    "I can easily foresee that if this will continue I am going to consider switching to some other browser. Any recommendations?"

    Yea, go back to IE7, all the rest are written by sandal wearing, long hair communist hippies ..

    was Re:FF problems

  20. why don't on The Week of Oracle Database Bugs · · Score: 1

    Why doesn't Larry Ellison indemnify people against lost revenue because of bugs in Oracle?

  21. What's this going to do for security .. on ICANN Under Pressure Over Non-Latin Characters · · Score: 3, Interesting

    What's this going to do for security? Didn't we have phishing attacks recently that consisted of unicode characters being inserted into e+bay.com for instance that didn't get displayed, the domain e+bay.com being different than ebay.com?

    "A domain name is a unique address that allows people to access a website, for example, smh.com.au"

    No, a domain name is a sequence of characters mapped to an IP address. It was designed so that you won't have to remember 66.35.250.150 instead of slashdot.org. This wasn't a problem while the original Internet consisted of just four computers. DNS was never designed to provide identity. There was also the case of a stock trader hacking a DNS server and redirecting traffic from a legitimate financial site to his own where he had duplicated the real site only with bogus information.

    "He said that this could create problems where, for example, a character in Urdu looks identical to one in Arabic"

    It sure could. How about totally replacing DNS with a system of online identities?

  22. camera phones is to blame .. on Students Put UCLA Taser Video On YouTube · · Score: 1

    "You sir, are a shining example of what police SHOULD be. I hope the vast majority are like you"

    Assuming it is a real police

    "nobody went as far as saying the officers should be fired"

    The officers concerned should be fired. Tasers should only be used if their lives are being threatened.

    "the proliferation of camera phones is damaging law enforcement and something needs to be done about that..."

    No, it's the overreaction of police such as in the above incident that is damaging law enforcement.

    was Re:police POV

  23. Re:Good on Birmingham Drops Open Source Initiative · · Score: 1

    "I used a couple of the Linux machines in their main library, and they were rubbish compared to the Windows ones. I think whoever set it up hadn't bothered using the machines themselves! They even had US keyboard layout set, did they just plough through the setup wizards clicking Yes to everything??"

    What version of Linux? What did Windows offer that wasn't available on the nix ones? What applications were on offer on both? How did you get access to both desktops? Did you have to login or use a ticket allocated from the front desk? Did anyone offer to change the US keyboard?

  24. what training .. on Birmingham Drops Open Source Initiative · · Score: 1

    What learning curve? This is for library access so I assume they mean web browsing and word processing. What training do you need to use Firefox as against Internet Explorer? I do know of at least one library that has gone the Open Office route on Windows with no complaints. To say Windows is cheaper than Open Source is to use different mathematical functions than the rest of us.

    Re:Initial training?

  25. odd numbers .. on Birmingham Drops Open Source Initiative · · Score: 2, Interesting

    Unit cost for a Linux desktop = £2,5000

    Unit cost for a Windows desktop = £2,433.00

    Where did the money go .. :)