That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).
Yes, but the point that perhaps I'm not making clear enough is that any vulnerability is due to the OLD systems, the magstripe stuff that should have been replaced years ago. The issue lies with the legacy system, not the new system.
Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.
Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.
But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!
So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990s, etc.
However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevalent, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.
You cannot clone a chip card. All you can do is record a transaction and replay it. As you've stated, there's a transaction counter that goes up, so this is useless to you as a thief. Furthermore, because of the way it works, cryptograms are used to verify that said data hasn't been tampered with.
In other words, this whole story is scaremongering. You cannot do anything with this data.
Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).
It's not ideal though, it should be much stricter than that.
Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off eBay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.
Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptography, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.
Contactless chip cards are nothing more than a wireless standard that complements the above. Similar to Wi-Fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC-equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.
Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to verify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.
As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.
Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.
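The host-side checks described in the comment above (cryptogram over the transaction data, a transaction counter that only goes up, and refusing magstripe from a chip card at a chip terminal), as an added illustration that is not part of the original post and is not real EMV code. HMAC-SHA256 stands in for the EMV cryptogram algorithm, and the key, class names, field layout and decision strings are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key (assumption). In a real scheme the key lives inside the chip
# and at the issuer; a terminal or skimmer never sees it.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: bytes) -> bytes:
    """MAC over counter, amount and terminal nonce (HMAC stand-in, not the EMV MAC)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + unpredictable
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class AuthRequest:
    entry_mode: str               # "chip" or "magstripe" (hypothetical labels)
    terminal_chip_capable: bool
    amount_cents: int
    atc: int = 0                  # application transaction counter
    unpredictable: bytes = b""    # nonce chosen by the terminal
    cryptogram: bytes = b""


class ChipCard:
    """Toy model of the chip: holds the key, bumps the counter on every transaction."""

    def __init__(self, key: bytes):
        self._key = key
        self._atc = 0

    def sign(self, amount_cents: int, unpredictable: bytes) -> AuthRequest:
        self._atc += 1
        mac = cryptogram(self._key, self._atc, amount_cents, unpredictable)
        return AuthRequest("chip", True, amount_cents, self._atc, unpredictable, mac)


class IssuerHost:
    """Toy model of the bank host that has the final say on online transactions."""

    def __init__(self, key: bytes, card_has_chip: bool = True):
        self._key = key
        self._card_has_chip = card_has_chip
        self._last_atc = 0

    def authorize(self, req: AuthRequest) -> str:
        if req.entry_mode == "magstripe":
            # Chip card swiped at a chip-capable terminal: suspicious, refuse.
            if self._card_has_chip and req.terminal_chip_capable:
                return "DECLINE: chip card at chip terminal, use the chip"
            # Assumption: genuine fallback is passed to other fraud checks.
            return "FALLBACK: magstripe, no cryptogram to verify"
        expected = cryptogram(self._key, req.atc, req.amount_cents, req.unpredictable)
        if not hmac.compare_digest(expected, req.cryptogram):
            return "DECLINE: cryptogram mismatch"
        if req.atc <= self._last_atc:
            return "DECLINE: counter not fresh (replay)"
        self._last_atc = req.atc
        return "APPROVE"


def run_demo() -> dict:
    card, host = ChipCard(CARD_KEY), IssuerHost(CARD_KEY)
    genuine = card.sign(2500, bytes.fromhex("a1b2c3d4"))   # constructed nonce
    results = {"genuine": host.authorize(genuine)}
    # Same recorded message presented a second time.
    results["replayed"] = host.authorize(genuine)
    # Fresh message whose amount was altered after the card signed it.
    second = card.sign(2500, bytes.fromhex("0badf00d"))
    results["tampered_amount"] = host.authorize(replace(second, amount_cents=99900))
    # Data copied to a magstripe and swiped at a chip-capable terminal.
    results["magstripe_at_chip_terminal"] = host.authorize(
        AuthRequest("magstripe", True, 2500)
    )
    return results


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:28s} {decision}")
```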
I'm curious about how much of that 100W the spec mandates is required. I can see people going out and buying USB3 add-in cards and wondering why they need to plug in 2 or 3 Molex connectors into it.
The SuperSpeed spec requires that devices specifically request the increase in power, in order to remain backwards compatible with older USB specs. In other words, you'd have to wiggle that cable pretty damn particularly in order for it to happen.
Thank you. We've been happily married for a couple of years now. We're also a polyamorous couple, so what you might think is an "extreme" level of communication is actually healthy as you can never have too much communication in a relationship like ours.
I'm not saying I agree or disagree with it, but if I'm honest, I don't see what harm could come from having additional statistics on a student's progress. Hell, extrapolate this further, imagine if you had a statistical breakdown of attendance, course completion (i.e. reading the materials, handing in assignments, etc.), attention span in lectures and so on - imagine you could measure every little detail. If students score highly in those stats, but still fail, it's a simple enough conclusion - the professor has failed. Likewise, if they score lowly in the stats and fail, the professor can be sure he's not at fault.
I would guess that this will be mostly used to protect the professor's back. So what if a student doesn't read the material, when it comes down to it and the student scores poorly on an exam, the professor can bring up their statistics and point out that it's the student's fault, not theirs.
As much as possible, yes, with allowing for some variation. If I know something will take an additional 30s, I'll mention it (I'll say two and a half minutes rather than 2, 3 or 5 minutes). That's not to say I don't use "fuzzy" time at all, sometimes all I can do is offer a range ("It'll be between 10 and 15 minutes") or a ballpark ("About 20mins, give or take") but depending on the situation, I may keep them more up to date.
I realise this isn't particularly normal behaviour either, my wife has told me off for telling her that the train is running 3mins late ("I don't care unless you're running massively late"). However, upon thinking about it, it's not just time that I do this with, it's a lot of things. When I'm programming, I will comment to be as exact as possible in what it is I'm doing, or at least attempting to do. When people make an ambiguous statement, I will immediately ask for clarification. Sometimes my wife will ask me to pass her a particular bathroom product and she might say "pass me the blue one" but what she calls blue, I might call purple - rather than just passing her that one, I'll ask her to clarify ("The one next to the toothpaste?"). I much prefer to be absolutely sure I'm on the same page as everyone than just assume things.
I would say that I was one of those people that grew up fully exposed to "digital clocks". My first watch was a digital watch (I guess I was about 6 or 7?), that good ol' Casio model that everyone knows. If I wasn't wearing it and I wanted to know the time, I would check one of the many digital clocks around the house - the VCR, Teletext, the Stereo, rather than any of the analogue wall clocks. Even today, I've moved on from plastic watches (at least until my Pebble arrives) to "proper" watches with metal straps, but I still have a digital watch (Which are surprisingly hard to find, most tend to be plastic).
People sometimes asked me if I didn't know how to read analogue clocks, but I did, it's not hard. However, the reason I preferred the digital clocks was that I could read them a lot faster than analogue ones. Perhaps that's just down to a lack of experience with them, but nonetheless a quick glance at my wrist and I would know exactly what time it was. This is important, as although I could glance at an analogue watch and immediately know roughly what time it was, it took too long to figure out what time it was down to the second and I'm pedantic enough to want to know that every time I check the time. To me, there is a world of difference between it being 12:53 and 1 second and 12:53 and 59 seconds.
Even today, when someone asks me what time it is, I rarely give a fuzzy time but prefer to be exact - "It's Twelve Fifty-Three", I would say, rather than Five-to-one. I don't like rough estimates, I don't like saying "this will take about 15mins" if I know it'll take exactly 13 mins. If I'm running late, I will quickly calculate roughly how late I'm going to be, to the best of my ability (sometimes you're running late in such a way that it throws you off completely and you simply can't estimate it - traffic jams, for one). If I need to be somewhere at 14:15 but I'm running 7 minutes late, I will say "I'll be there at about 22 minutes past" rather than saying "I'll be 10mins late" or, heaven forbid, lying and saying I'd be 5mins late. I have absolutely no trouble working out the difference between two digital times, but if you showed me two analogue clocks, it'd take me a good few mins to work out the time difference there. To me, digital is just simple mathematics, it's the "fuzziness" of analogue that I find slow.
I have always been like this and as far as I'm aware, I'm not autistic or anything like that. I'm just odd, I guess.
From some googling, this seems to be an issue specific to the RT-N53, lots of people having issues even on the stock firmware. Some have had success, though - http://www.thedartboard.net/forum/showthread.php?t=957
I'm not really sure where the blame lies for this, though. Is it Asus? Their own firmware seems fine. Is it the 3rd party firmwares? They're the ones with the issue but then again is it due to what they have to work with?
I can't speak for the 53, but my own 66 has had no issues at all and there's more than a few firmwares out there. I'm guessing it's just a more popular router in general.
As far as I know, that's more or less what Asus does. I have an RT-N66U and it's an absolute dream box. It's based on one of the open source firmwares (I can't remember which one though, DD-WRT, OpenWRT or Tomato), Asus releases the source code to the firmware and you don't have to do anything fancy to install a custom variant of it, just upgrade your firmware manually like you would on any other router except pick the custom firmware file.
Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router.
The researcher himself has stated that you need to compromise the website. I suppose you're correct in that if you select a well known piece of data, you could be in there, but it must be more complicated than that. I would guess that you can't compare fragments of a message but rather the entire message is required, so you need to capture it all.
I'm still not sure how gmail is in any way vulnerable here? From the summary alone, it implies that you need to compromise something else to be able to inject data that's repeated a billion times. Given that gmail doesn't use a 3rd party ad service, it suggests that you'd need to compromise Google one way or another. Either that or the machine itself, in which case a keylogger would be much more effective, or the person's router, in which case there are still other easier attacks.
I could be wrong and it probably depends on the SSD itself. A lot of SSDs these days have a reserved area that's used when cells start to die (Which is why you'll see SSDs with say 120GB of storage instead of 128GB). They all attempt to evenly write over all of the cells as well, instead of just hammering a select few. Of course you're probably right about when the SSD itself is nearly full but as far as I'm aware, ultimately what starts to happen is either the space decreases slowly over time or the SSD just plain refuses to write any more data (locked to read-only). I've never seen an SSD fail like this before so I can't comment. I've only ever seen them fail outright, usually due to the controller doing something it shouldn't be doing.
That's what the 3-digits on the back of the card are for. They are NOT stored on the magstripe in any way.
I don't think you know how NFC works. Tell me, how is this extended antenna going to power the card?
For more information, Wikipedia has a statement regarding MariaDB: http://en.wikipedia.org/wiki/MariaDB
Once you're done here, would you mind doing an AMA on Reddit? Their mobile interface is a lot nicer.
Or maybe it's because of the exact reason stated in the summary - Sony didn't want to pay them enough money.
That's great, but the OP was asking about why most vendors don't do this. He wasn't talking about people in china.
I'm referring to the summary itself:
Appropriate username is appropriate.