Slashdot Mirror


User: WarmNoodles

WarmNoodles's activity in the archive.

Stories: 0 · Comments: 110

Comments · 110

  1. Re:PCI in California on Court Says California Stores Can't Ask Customers For ZIP Codes · · Score: 1

    If that were only true.
    PCI actually states that requirement only applies when the data is sent over OPEN or wireless networks.

    I don't know many that would be using HTTP over the internet, but the clause exists to say that if you do, all data must be encrypted. This is to protect against sniffing and hijacking, but your broad assertion that everything needs encrypting is actually a small corner case.

    Most of these devices are not running wireless or routing over the internet without some form of an encrypted tunnel (think 3DES router B2B connections).
    Plenty of small mom and pop shops also do direct modem dial-ups, but the devices effectively also encrypt the temporary pipe.

    For private PCI compliant networks, requirements exist to encrypt a smaller subset of data including the following:
    Cardholder Data defined as: (All can be stored, but the PAN must be stored in an unreadable format)
    - Primary Account Number (PAN)
    - Card Holder Name
    - Service Code
    - Expiration Date

    Data which must never be stored and must always be encrypted is defined as follows:
    - Full Magnetic Stripe
    - CAV2
    - CVC2
    - CVV2
    - CID
    - PIN
    - PIN Block

    And lastly,
    PCI requires operators to "Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)."
    And to have a security policy which states that "unprotected PANs are not to be sent via end-user messaging technologies," with or without encryption.

    See Pages 8, 35, 36, PCI 2010 version 2.0 at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

  2. Re:Impacted here, it Invalidated Genuine status on Security Patch Breaks VMware Users' Windows Desktops · · Score: 1

    I should have been a slight bit more informative: RSA is from Feb 14 to the 18th.

    This was just a dry run prep. Kind of a sound test, and the audience I mentioned was composed of a half dozen geeks I've known for years. A small audience, and it was appropriate to be online and get patches applied; the demo requires it.

    At presentation time, I'll be host only.

  3. Re:I'm wondering about the last percent of Ubuntu. on Why Debian Matters More Than Ever · · Score: 1

    Hey, don't vote for the bean just because it's dark roasted.

    Ubuntu, change you can bean in.

  4. Re:PCI in California on Court Says California Stores Can't Ask Customers For ZIP Codes · · Score: 1

    Wrong.
    The fact that the zip is used to verify the transaction is utterly irrelevant to PCI. Not cool, and by that logic, if the stripe, PIN, card number, expiration and CVC were used to verify the transaction, could they also be un-encrypted?

    The Zip is either public or, as the court ruled, non-public, and the customer has a right to protect his or her personal information. So how do you propose businesses use the Zip, which they will do, and abide by the law, which they will do?

    In IT, we call this an opportunity to have a mitigating control and "protect" the customer's right by encrypting the data from prying eyes.

    The fact that zip is a crappy piece of data to be used to do a "something you know" validation, and therefore prove one must be the authorized holder of the card, seems to have gone completely unnoticed.

  5. Re:PCI in California on Court Says California Stores Can't Ask Customers For ZIP Codes · · Score: 1

    lol nice

  6. Re:Impacted here, it Invalidated Genuine status on Security Patch Breaks VMware Users' Windows Desktops · · Score: 1

    Forgot to mention, I was running the latest Oracle VirtualBox 4.0.2 r69518. Apparently, the impact was not restricted, as the OP implied, to just VMware.

  7. Re:New Borg Icon Sucks on Security Patch Breaks VMware Users' Windows Desktops · · Score: 1

    Mod this coward up 5 points. Damned if he doesn't look fleshy and pink.

    Just wrong on so many levels.

  8. Impacted here, it Invalidated Genuine status on Security Patch Breaks VMware Users' Windows Desktops · · Score: 0

    Here is my personal relevant experience related to the botched patch.

    Booted up, let the patches roll in (first mistake), but we have policy to keep the honeypot patched, you know.
    So nothing, no problem, did a normal end of day reboot.

    On the restart, before the login GINA was presented, I got the vile "you're not Genuine" dialog and had to click on "correct it now".
    That took me to a Microsoft page stating that I should download a program and run it to perform Genuine validation.
    Curious, I opened the Control panel system panel and it shows "Genuine" ok.

    Then, wait for it, the Microsoft Security Essentials icon is blood red, and I come to discover it had dropped its pants down around its ankles and had, due to the faux Genuine violation, instantly and totally been disabled.

    Now I'm caught literally in public with my virtual pants down, no firewall, on a hostile network, no AV, ankles getting warmer, but I have to do another damned required Genuine validation, so I download the same program and poof, the moment of drama had passed.

    I felt extra soiled by the humiliating experience. This all happened in front of an audience while preparing a demo for the SFO RSA show.

    Thinking someone at Microsoft needs to use the new iPhone confession app because they can't seem to budget for sacrifice of the requisite number of chikenz any more.

  9. You forgot to mention the 3rd party in US politics on Startup Provides Secure Calls For Egypt · · Score: 1

    The extremists in the media, in collaboration with sheep voters, progressive socialist unions, new world order folks.

    Some seem to think the 3rd party is an expedient low effort choice, all it requires is absolute commitment to apathy.

    These people are not free, they vote as a mindless block and cripple any real democratic debate.

  10. Re:This is how I see it. on Why Debian Matters More Than Ever · · Score: 1

    A just as relevant question is: if half the 890 *nix variants disappeared tomorrow, would anyone notice?

  11. PCI in California on Court Says California Stores Can't Ask Customers For ZIP Codes · · Score: 2

    Interesting, if upheld, this could push the PCI DSS Council to add Zip to the list of non public information that must be encrypted.

    And that would effectively mandate that QSAs find every gas station in California in violation of the next wave of PCI DSS criteria.

    The expense of coding, testing, QA'ing, and promoting encryption on Zip (at rest and in transmission) could be high as compared to the moderate to minor risk that companies are stalking their customers using gas station data.

  12. Re:Proud moment for the US Constitution on Feds Settle Case of Woman Fired Over Facebook Posts · · Score: 1

    Clearly you're unqualified to comment on something you know nothing about.

    In the US, it's the constitution's axioms which protect citizens from abusive 3rd world dictatorial abusers like the moronic employer who thought they could just suspend this lady's freedom of speech as if they were a government power. It also is the sounding board state and federal bureaucrats and the average everyday citizens use in principle to prevent abuses.

    It was the government which reminded the petty pointy-haired bosses they have no standing, and you think they did it for her to be generous?

  13. Proud moment for the US Constitution on Feds Settle Case of Woman Fired Over Facebook Posts · · Score: 0

    My opinion is:
    It should have been obvious to the pointy-haired bosses they would lose the case when their lawyers explained the territory in which they found themselves was not a 3rd world country. Pointy-haired bosses everywhere should know if you're going to be a petty dictator, find a 3rd world country to be it in.

    Hooyaaa out to the founders of the US Constitution!
    This is where the foundation of US freedom shines brightest.

    Guess what she wrote they did not want to refute, and it must not have been malicious, or surely a competent lawyer would have advised them to bring a slander/libel suit before losing the war of public opinion.

    Talk about profound and poor legal decisions on the part of the pointy-haired boss & lawyers.

  14. Re:I for one on Robot Jet Fighter Takes First Flight · · Score: 1, Funny

    Obligatory, That's what she said.

  15. Re:I for one on Robot Jet Fighter Takes First Flight · · Score: 1, Insightful

    Yes, because this is /. and we all have aging robotic overlords in need of a tech refresh.

  16. Re:Keep the Taint on Intel Resumes Shipping of Faulty Sandy Bridge Chip · · Score: 1

    Bingo, you're right on the money. One has to wonder how that conversation went.

    I picture a guy raising his finger, twirling it around his goatee, saying "Sure, no user would expect a full featured motherboard, and we predict demand will be even higher the next cycle when it's made whole; besides, we all know consumers have the attention span of the common Afghan sand flea!"

    We'll call it Profit ++, thanks Intel!

  17. Learning from failure? Fresh History repeats. on US To Fire Up Big Offshore Wind Energy Projects · · Score: 1

    Hmm, my my, where have I heard this before?
    Perhaps here? http://www.pickensplan.com/theplan/

    * Create millions of new jobs by building out the capacity to generate up to 22 percent of our electricity from wind. And adding to that with additional solar generation capacity;
    * Building a 21st century backbone electrical transmission grid;
    * Providing incentives for homeowners and the owners of commercial buildings to upgrade their insulation and other energy saving options; and
    * Using America's natural gas to replace imported oil as a transportation fuel in addition to its other uses in power generation, chemicals, etc.

    While dependence on foreign oil is a critical concern, it is not a problem that can be solved in isolation. We have to think about energy as a whole, and that begins by considering our energy alternatives and thinking about how we will fuel our world in the next 10 to 20 years and beyond.

    So, one has to wonder how the pending $50 million "I'm with the government, and I'm here to help" plan contrasts with, and qualitatively learns from, the $80 million spent on the private sector T. Boone Pickens plan.

    And where was the press when Mr. Boone Pickens was spending and promoting his 80 million dollar effort? Oh, I forgot, they were /removed obvious remark/.
    Hey, but they did report the $80 million loss here: http://www.msnbc.msn.com/id/40612094/ns/business-oil_and_energy/

    Now don't mod me down for pointing out how history repeats. It's just sad how politics colors engineering, and renewable energy is a learnable technology; I'm just not sure anyone's trying to learn.

  18. Re:Solution? on An Open Letter To PC Makers: Ditch Bloatware, Now! · · Score: 1

    I remember my first computer; it came with binders of documentation on just how to IPL the system, and at the time, we thought the boot sector was bloatware.

    Now have a nice day and get off my lawn before it's nuked from Or**Carrier Lost**

  19. Re:Telepathy? on Research Finds That Electric Fields Help Neurons Fire · · Score: 1

    You're about to write "Could this mean that telepathy in some form may exist?"

  20. Re:Ah we do need Tin Foil Hats on Research Finds That Electric Fields Help Neurons Fire · · Score: 1

    How much tinfoil? I've been wondering if I should be feeling a draft when I walk.

  21. Re:It sounds like on Research Finds That Electric Fields Help Neurons Fire · · Score: 2

    Had me going right up to **carrier lost**

    nice

  22. Re:This again? Hmm mabe time to invest here :P_ on Prison Cell Phone Smuggling Out of Control · · Score: 1

    Thinking the new yard hot commodity in addition to cigarettes will include http://www.faradaybag.com/ 's

    Wonder if they are public or privately held, hehe

  23. Re:That's just sad. on Adobe's Reader X Spoils New PDF Attack · · Score: 1

    We don't need them to evaluate or run code. The first thing I do on any PDF reader is turn OFF JavaScript support. No reason the average user will ever ever ever need it.

    Feature bloat, small corporate interests which damage non corporate general use. Laziness to make a separate safer user version and costs of splitting the source trunk into many trees.

    The reason to sandbox over validating all inputs is simple: the golden code syndrome.
    Programmers with inflated egos and the PMs which deflect crap away from them, both of which just get enraged at the mere mention that their golden code or golden boy/girl might have written buffer overflows, supported designs with trust model violations, or just plain ignored input validation.

    As for the user, they need to understand that if they don't want to be hacked, never install a PDF reader on the same machine that runs email and never do banking on a machine you also browse with or read email on.

  24. Re:Droid Does: Blame Shifting on ACLU's Mobile Privacy Developer Challenge · · Score: 1

    Mod the parent up. The droid permission feature should render in plain text to the user, all data it wants to access on the device before it accesses it. And not a vague black box functional description of the data, but the actual data rendered in plain text.

    Hmm, whom the data is actually shared with is a large unanswered permission question, isn't it? Would you be just as happy to share your data with some ISP where the registrant was from Nigeria, or with a Chinese server farm or an Intellus Spokio database? So then the next question is: what are they going to do with the data and why do they need it? I don't seem to ever have seen the permission system have a programmer's justification for requested data section.

    What would you do if one of your kid's friends asked to go through your financial records, sleep over and borrow the car for a road trip? Would you be so flippant about saying sure, here you go?

    All my points above point out that the Droid permission feature set as currently implemented is really just about shifting blame to the user from the Platform.

    A more detailed analysis of the application, who will use the data, what for, and most importantly setting an expiration for "the user data" after it leaves the mobile device is needed. Clearly no one can say what is or is not done with the data once it's sent. The whole Droid platform is devoid of software or designs to receive and manage the user data in a permitted data center according to the stipulations of the user.

    Meaning the first time you let an app have your data, you may be deeply screwed and have no way to know for years how much you will pay for using any app on the platform.

  25. Re:Use a Live DVD? on Next-Generation Banking Malware Emerges After Zeus · · Score: 1

    Right! Just what the world needs, another *nix variant. Slaps forehead.