How in the hell does a brand-new out-of-the-box hard drive contain a virus? You would think the hard drive manufacturers can easily prevent this from happening during manufacturing,
I don't think the problem was the hard drive manufacturer. Hard drives are made by a small handful of large, well-known companies; they usually ship without a partition table and I suspect they are tested by plugging them into special test gear.
The product in question was a "Fission External 4-in-1 Hard Drive, DVD, USB and Card Reader". "Fission" are presumably some smallish company (my googling attempts find no evidence of their existence beyond this news story) most likely located in the far east (where labour is cheap) who take the raw hard drives, load them up with an image containing a partition table, filesystem structures and any software they want to bundle and then install them in their product.
Since ALDI claim this was "limited to a small number of the devices" I suspect the infection came during final testing when someone plugged them into an infected machine for final testing. Afaict pirate software with updates disabled is very common in the far east.
I know that Site local had been deprecated and replaced by Unique local. I wonder why they even bothered trying to guarantee the uniqueness of all such addresses worldwide since these addresses are not supposed to be routable.
Site local addresses are supposed to be routable within a site. Unique local addresses are supposed to be routable within a site and between a group of cooperating sites.
The problem with site local addresses is how you define a site. If you define it as a physical site then site local addresses are of limited utility since resources and their users often move between sites. If you define it as a whole company then you avoid that problem but create a new one, namely that companies merge. Many people here talk about the pain and horrible hacks involved when two companies that have both used 10.x.x.x have to be merged and interconnections are needed between their networks.
By including a large random number in the addresses the chance that a group of sites that need to be interconnected will have conflicting addresses is reduced to negligible levels.
I'm not getting why it's so difficult - would seem to me to read the prefix information of the router, and then see if it matches the prefix information of any of the assigned addresses. If it does, use that one.
Which would work fine if the internet was a tree, but the internet is not a tree and never has been. A client on ISP A has no way of knowing whether ISP B or ISP C has a better path from their ISP.
Do you then have the option of using your own PI addresses, instead of the ISP's? How does the ISP get to use yours (which they'd have to in order to bring their service to you)? And what happens if you change ISPs - does your ISP automatically let go of it/lose it so that you can hand it to the next ISP in order to ensure that your network is online?
The same way as with V4, you advertise them to your ISPs who then advertise them to their ISPs and peers and so on. If you drop an ISP then you stop advertising it to them which causes them to stop advertising it on the internet.
They were trying to avoid giving anyone but ISPs provider independent space with the idea being that multihomed sites should just have multiple IPs on their end systems instead but as I said in practice that didn't really work out very well.
The work of those at CRU and other places has been to meticulously quality-control and analyze the raw observations down to a uniform grid (spatially and temporally).
How do we know that they did this "quality control and analysis" in a fair and unbiased manner rather than fudging it to produce the results they wanted?
mmm and 10 years old, let's take a look and compare it to what actually happened
In addition to Philips's Digital Compact Cassette (DCC), which uses PASC, a type of data compression (see "Industry Update" in April, footnote 2),
DCC never took off afaict. DAB doesn't seem to be doing that well either.
OTOH online sales of music with lossy compression have really taken off...
Even more disturbing is the prospect that data compression may be used in professional applications to make master recordings. It's conceivable that the majority of recorded music will be subject to some form of data compression in as little as ten years. Consequently, data compression is not merely a mass-market mid-fi system avoidable by the serious listener. Like it or not, we will all be subject to bit-rate–reduced digital audio.
Afaict this may have happened for a while with minidisc but more recently the trend has been towards doing everything on computers in uncompressed 24/96 or 24/192.
The large frequency-response irregularities found in car stereos, for example, could skew the spectral content of the signal, thus revealing the enormous errors hiding beneath the wanted signal. I wouldn't be surprised if there were an official mandate banning graphic equalizers on Digital Audio Broadcasting car stereos!
This fear seems to have been unfounded; the general consensus seems to be it's easier to detect lossy compression on high quality kit.
To redirect the user off an https page you have to negotiate an SSL session with them and that means you have to present a cert. If the cert doesn't match they will get a warning before receiving the redirect.
But as the GP implies none of this really matters much because most users will go to an http page first anyway.
A lot of websites get around this by denying requests to http:// for login pages and beyond.
There is nothing stopping a proxy using SSL to talk to the server while using an unencrypted connection to talk to the client.
Things get a little harder if the site has some pages SSL only and others available non-SSL only. In that case you would have to either mangle the hostname to differentiate or store a list of what protocol to use for what pages.
You may not be able to do a user agent check on the SSL request but you can probably assume all requests from the same (local) IP came from the same device and most devices are likely to make unencrypted requests as well.
I was under the impression that while labeled as "satellite", the higher quality imagery on google was aerial photography and quality drops significantly when you move to an area where they only have satellite data.
At least that is what it was like a few years back; I'm having trouble finding any such areas now (other than offshore but it's much harder to determine quality there).
So many posts like the score:5 up top are weak minds toeing their party line. They can't see the writing on the wall. Things *have* to change. The way I see it, we have few options going forward:
-cut spending, pay down debt. escape.
-raise debt ceiling, continue towards financial oblivion.
Afaict most of the US debt is denominated in US dollars so the US government also has the option of "printing" their way out of it (either directly or by ordering the federal reserve to lend money to them at a defined rate).
There will always be people out there that want it for free. Even if the price is reasonable they still want it for free. Those people are not your customers and they never will be.
The questions are:
1: how many people are there who want it for free but will pay for it if they can't pirate it in a timely manner
2: how many people who will either boycott it completely or wait for it to be in the "bargain bin" before buying because of the DRM.
3: how many people who would have waited and bought it used would buy it new if DRM is used to cut off used sales
The thing is none of these figures are easy to measure.
Steam had problems in its early days too; see for example http://games.slashdot.org/story/04/11/17/1758231/Steam-Registration-Servers-Overloaded and there were many complaints about large slow updates (which IIRC were forced in the early days).
Gradually things got sorted out, internet connections got faster, Valve got more capacity online and the early problems were forgotten. Nowadays most new games require online activation of some form and you see many people here singing Steam's praises.
I remember when Steam first came along and that despite the negative reaction Valve largely got away with it (presumably because people's desire to play the games was greater than their being pissed off at what they had to accept to play them) and most of the other vendors followed with their own online activation schemes (some of which were more draconian than Steam, some less).
I strongly HOPE the same doesn't happen with always online play but I wouldn't be surprised if it did. Already we see Starcraft 2 where you are strongly encouraged to be always online (from what I hear you can play offline but only using a guest account whose progress is independent of your main account).
Unlike IPv4, IPv6 allows multiple addresses per interface,
True, the problem is how are clients supposed to 1: find those addresses and 2: choose which one to use.
Initially a special system of DNS records (A6) was created to try and solve this by allowing DNS servers to combine separate prefix and suffix information, but it was horribly complex and still didn't solve the problem of how a client should figure out which address is better, so it got demoted to experimental status.
ARIN at least gave up on A6 and started just allocating provider independent space to any organisation that wanted to multihome. Dunno if the other RIRs did the same.
so you can have both a PI and PA space - the latter being needed to connect to your ISP.
The whole point of getting PI addresses is so that you can advertise them on the internet. If you aren't going to advertise them on the internet you may as well just use "unique local" addresses (see below).
I'd like to understand the differences b/w the 2
There are actually 3 types of local addresses in v6:
"Link local" (fe80::/10) addresses are assigned automatically and are local to the link.
"Site local" (fec0::/10) addresses were supposed to be local to a site, but they are deprecated. They seemed like a good idea initially but ran into the problem that a site is a poorly defined idea and many systems have connections to multiple sites.
"Unique local" (fc00::/7) addresses are the final type. They are supposed (though this can't really be enforced) to be assigned using a large random number meaning the chance of two sites that the same computer needs to connect to or that need to be interconnected having the same addressing is minimal.
If they can't issue new ipv4, then potential customers may only have ipv6
Do you honestly believe that?
If an ISP runs out of public v4 IPs and has any sense they will do the following:
* Redeploy the v4 IPs to the most lucrative uses.
* For those customers who do not pay enough to justify a dedicated public v4 IP, provide some system for them to access at least the v4 web and most likely other services on the v4 internet. Most likely either NAT444 (v4 NAT both in the CPE and at the ISP) or DS-Lite, but NAT64 and proxies are also possibilities.
I'd be very surprised if we see any major websites on v6 only or any clients without some way to access the v4 web any time soon.
They're too hard to remember as the parent points out.
Really that all depends on how the particular address is assigned. Stateless autoconfiguration tends to lead to horrible addresses but you don't have to use it.
Note that if your address has a large block of consecutive zeros you can replace them with a block of colons.
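As an added example (not from the thread itself), the Python below puts the points of the two IPv6 posts above into code: it classifies an address against the three local prefixes listed (fe80::/10, fec0::/10, fc00::/7), builds a unique-local /48 from a 40-bit random global ID the way RFC 4193 describes and estimates the collision chance the poster calls negligible, and implements the "::" zero-compression shorthand by hand following RFC 5952. The sample addresses are constructed.

```python
import ipaddress
import math
import secrets
from typing import Optional

# The three local prefixes named in the thread (RFC 4291, RFC 3879, RFC 4193).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")    # deprecated by RFC 3879
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # fd00::/8 is the locally assigned half
GLOBAL_ID_BITS = 40                                # size of the random field in a ULA prefix


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address using the prefixes listed above."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local (deprecated)"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def ula_prefix(global_id: Optional[int] = None) -> ipaddress.IPv6Network:
    """Build an fd00::/8 unique-local /48: the byte 0xfd followed by a 40-bit global ID.

    RFC 4193 requires the global ID to be chosen pseudo-randomly; when none is
    supplied a fresh value from the secrets module is used (the RFC's own
    SHA-1-over-time-and-EUI-64 recipe is one way of producing such a value).
    """
    if global_id is None:
        global_id = secrets.randbits(GLOBAL_ID_BITS)
    if not 0 <= global_id < (1 << GLOBAL_ID_BITS):
        raise ValueError("global ID must fit in 40 bits")
    # Layout: 8-bit prefix (fd) | 40-bit global ID | 16-bit subnet ID | 64-bit interface ID.
    value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(value), 48))


def collision_probability(sites: int) -> float:
    """Chance that at least two of `sites` independently picked global IDs collide.

    Birthday-bound approximation over the 2**40 possible IDs; this is the
    "negligible" figure the thread refers to (about 4.5e-7 for 1000 sites).
    """
    pairs = sites * (sites - 1) / 2
    return 1.0 - math.exp(-pairs / (1 << GLOBAL_ID_BITS))


def compress(addr: str) -> str:
    """Apply the '::' shorthand by hand, following RFC 5952.

    Only the longest run of all-zero 16-bit groups is collapsed, the first
    run wins a tie, and a lone zero group is left written as '0'.
    """
    groups = [int(g, 16) for g in ipaddress.IPv6Address(addr).exploded.split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > best_len:          # strictly greater: the earliest longest run is kept
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"


if __name__ == "__main__":
    # Constructed sample addresses, one per scope the thread describes.
    for sample in ("fe80::1", "fec0::1", "fd12:3456:789a::1", "2001:db8::1"):
        print(f"{sample:20} -> {classify(sample)}")
    print("ULA /48 from a fixed global ID:", ula_prefix(0x123456789A))
    print("collision chance for 1000 sites:", f"{collision_probability(1000):.2e}")
    print(compress("2001:0db8:0000:0000:0001:0000:0000:0001"))
```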
IMO the two biggest problems with IPv6 are:
1: the transition mechanisms were tacked on after the fact rather than being a core part of the spec.
2: the only transition mechanism that works behind NAT does so by fighting the NAT rather than working with the NAT. This means it enables end to end connectivity but it also makes it unnecessarily complex and fragile.
I have heard that a lot of the noise from the 360 is actually DVD drive noise not fan noise. If you are not already doing so consider installing games to the hard drive to avoid this.
Also, which generation of Xbox 360 do you have? (If it's a fat model you can tell by looking at the input power connector. I believe there is only one hardware revision of the slim model.) Afaict both the 360 and the PS3 reduced significantly in power consumption and noise over their life cycles.
The Zelda games are "story games" so if you like the stories and the gameplay you are going to want the new console so you can get the next story in the series. Sure you can replay them but playing through a story you've played before is IMO not as enjoyable as playing a fresh one.
Why? DVCS systems are great for bazaar style open source projects like Linux but I don't think they are appropriate for every case. At least with hg anyone who wants to work on the code has to download the entire history of the entire repository. That is fine if the codebase is relatively small and the users can find a fast connection for initial checkout. Not so great if you are trying to track the complete history of a large project including all the tooling needed to successfully build it.
AFAIK, all freight trains use diesel-electric propulsion. I don't know for sure, but I would imagine that the power demands of a freight locomotive would be too high for the type of electrification you see on light-rail or the European-style passenger rail systems.
I've definitely seen electric locomotives running off the 25 kV overhead lines we have round here (Manchester, UK) pulling freight trains. They probably aren't as big as the American freight trains though.
No, they don't. They run on oil, just like everything else (diesel to be precise).
Afaict this varies a lot by country. In France for example the majority of railways are electrified, while in Germany about half are, in the UK just under a third is, and afaict in the USA very few railways are electrified.
Of course oil won't just suddenly "run out". Production will decline and prices will go up as sources gradually dry up. The question is will that rise come slowly enough for society to adapt. Another major concern is that environmental damage from the fossil fuel industry is likely to increase significantly as we move from conventional oil and gas to sources like tar sands, fracking and Fischer-Tropsch.
I doubted it until I got one. Go touch the heatsink on the i3 (any modern chipset) northbridge. (Do they still call them NBs? Maybe not.)
There isn't really a northbridge in a LGA1156 or LGA1155 system. The main functions traditionally provided by a northbridge are the memory controller, the high speed IO (usually used for the graphics card though it doesn't technically have to be these days) and the integrated graphics (if present). With LGA1156 and LGA1155 these functions are integrated into the CPU.
The chip you are feeling is probably the PCH which is essentially the equivalent of a southbridge. Southbridges always ran much cooler than northbridges.
The long term bitcoin supply is basically fixed so more bitcoin users means higher value per bitcoin which means more value owned by the initial group (assuming they kept their bitcoins rather than selling them off).
Zero is nothing. In your way, you aspire for zero and in mine, I seek to avoid it.
Seeking to avoid zero has little to do with whether you have a credit card or not. You can seek to avoid zero while still having a credit card and you can be up to your neck in trivial debt* without a credit card.
Personally I have a credit card for two reasons. Firstly to segregate potentially risky transactions (I consider any online transaction to be potentially risky) from my main current account, where fraudulent transactions could be either lost in the transaction volume (if they are small) or cause problems with my rent etc (if they are large). Secondly because I don't want to be stuck without a functional card (in my experience credit/debit cards are far from 100% reliable as a means of payment even in the absence of fraudulent activity).
* I consider student loans and mortgages differently from other debt. The former because in my country you only pay it back if you are earning over a certain threshold and the interest rate is tied to be equal to the inflation rate, so while it's technically a loan, practically speaking it's more like a tax on graduates. The latter because if you weren't paying a mortgage you would probably be paying rent instead and if your income stream dried up you are likely to be screwed either way.
The merchants share a bit of the responsibility; they should probably be paying more attention to security, but there is only so much they can reasonably do within the bounds of a broken system where code numbers with the power to drain your account are submitted from insecure terminals* over a poorly secured** network connection (or worse, submitted by phone over a completely unencrypted phone line to whatever member of staff happens to answer).
IMO where real attention is needed is the credit card companies to replace the fundamentally broken system with something better. Sadly because afaict the credit card companies have pushed the cost off onto the merchants who end up accepting stolen codes there is little incentive for the banks to do that.
As for the criminals themselves, they should of course be punished. Other people's negligence does not absolve them of the crime.
* AKA normal desktop PCs
** The CA system used by browsers to avoid MITM attacks is fundamentally only as secure as the least secure CA