Slashdot Mirror


User: rickb928

rickb928's activity in the archive.

Stories: 0
Comments: 7,014

Comments · 7,014

  1. Yup. You're correct.

  2. One cannot 'disparage' themselves?

    The Law, in this instance and others, is an ass.

  3. Re: Everyone violates PCI on Wyndham Settlement: No Fine, But More Power To the FTC (csoonline.com) · Score: 1

    Many issuers will impose fines against merchants if the merchant suffered data breaches and was not PCI compliant. These are not always minimal. Some issuers put this into merchant contracts.

    It is not always without costs to the merchant.

  4. Re:Lighter than air craft? on DHS's Ongoing Drone Boondoggle (defenseone.com) · Score: 1

    She was reporting on you.

  5. We've done it, they can also. on Deadline for Better Encryption on Payment Systems Pushed Back Two Years (pcisecuritystandards.org) · Score: 1

    As of last week, my work no longer accepts incoming connections via SSL or TLS 1.0. SSL was disabled early in the year, and TLS 1.0 recently.

    A few of our larger clients were caught off guard, and took a few sleepless days/nights to fix, though we had been warning them for 18 months. We still get connections, which are refused, and their support teams notified.

    This is really not so simple for some, as they have old, brittle systems. But must be done. The PCI cabal is failing here, but that's their model - too little too late, unless it generates revenue.

  6. U.S. acquirers chose to implement chip+signature in the U.S. first, planning to do chip+PIN 'later'.

    After a noticeable flurry of on time implementations, adoption in the U.S. seems to have halted to deal with the holiday shopping season. Hopefully this picks up in February.

    Wal Mart for instance dips (shorthand for accepting EMV) and doesn't need a sig for smaller purchases. Same for Target. Fry's supermarkets also, I believe.

  7. "an attempt to shove liability onto merchants"

    FTFY

    You think the intent is to shift liability to card holders? Wrong. Merchants are captive. Card holders can change brands, go to prepaid, or go to cash. Online merchants fear this the most, since issuers that try to shift liability to card holders risk those card holders going to cash (yeah, some will), and well no one pays cash for Amazon goods.

  8. Re: "Unauthorized"? on 'Unauthorized Code' In Juniper Firewalls Could Decrypt VPN Traffic (arstechnica.com) · Score: 1

    If you've managed or freaky or dealt with complex systems, you know that software upgrades are often troublesome. Outright failures, bricked devices, lost functionality or configurations, intermittent problems, new bugs or interfaces, any or all these are a risk.

  9. Re:"Unauthorized"? on 'Unauthorized Code' In Juniper Firewalls Could Decrypt VPN Traffic (arstechnica.com) · Score: 5, Insightful

    Don't overthink this, and don't bother to conflate naivete with malice.

    Despite multiple code reviews, it's probably insanely easy to slip in code that isn't reviewed for functionality or compliance. If they use Git or something similar, compromises there lead to the same thing.

    Demanding a line by line code review doubles the work, but for that level of network hardware is probably essential now. Bad actors will make every effort to inject their backdoors into production code, and I suspect this was an inside job.

    I also would not discount the possibility that this was someone's clever idea of some diagnostics to help them. Doubt they will take credit for this.

    At work I am seeing a change in our development to apply the Agile processes to not only coding and design, but also testing and deployment. This has led to a team relying on unit testing, and failing to do functional testing on the product - with predictably disastrous results. This Juniper problem has heightened my interest in application security, and this will only lead to more testing, longer sprints, and longer development cycles. None of which will get traction with management unless someone takes an interest in the security risk.

    But at work our security team defaults to assuming threats come from both within and without the corporate infrastructure. Rightly so. We see risks of data loss and unauthorized access equally inside and outside, and so we must also monitor all traffic, and they do identify and fingerprint all apps. Our most recent debacle involved an internal app. This data should never be sent outside the corporate network unless via VPN to an authorized device.

    Juniper deserves some credit for finding this, though the time interval for reviewing code will probably need to be shorter. Overall, if I were still in infrastructure management, I would be less than thrilled about a firmware patch - I never trust those.

  10. Re:Oh, please! on How Much Is That Click, Clack Worth? (failuremag.com) · Score: 1

    "1. The plastic-cladding on later Smith Corona typewriters take so long to remove (to reach the guts of the typewriter to do the actual servicing) that it raises the repair costs to the point of making repair uneconomical these days."

    Baloney. I could strip a Smith-Corona Coronamatic (like a Coronet or any of the Sears versions) in 10 minutes, ready for the solvent bath, if needed. But these never needed that. I expect now they are getting dry enough a naphtha clean and oil dip would be first, though the power rollers are no doubt as hard as a rock now. Selectrics can be lubed without a dip, and those covers are off like a prom dress. Standards and manuals we usually dipped with some covers on. Wrinkle coats we would not dip, but enamels no problem. Your shop is shining you on, or they are not very good at getting the covers off.

    "2. The most common way that typewriters get damaged is by kids randomly hitting keys and bending the rods and levers inside the typewriters"

    Damage, yes, but that's not office use.

  11. Re: trolling... on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    So you didn't read up on BIW. Figures.

  12. Re: Crazy. Naval swarm warfare. on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    Of course anti-missile defenses are somewhat more sophisticated than terminal defenses such as Phalanx. Already ships are prepared for multiple attacks, wavehopping, ballistic, shore-to-ship, a-s, any intentional attack would likely involve multiple methods and vectors.

    Carriers rely on a significant defensive perimeter, support and shield ships, and of course air cover, all of which are intended to deal with different threats. In an all out warfare scenario, carriers are important targets, and if the adversary has capable submarines, these are likely the most lethal. Yes, we shadow each other's subs, and in an all-out scenario I suspect tactical nukes are authorized, which makes a mess of carrier defenses. But that's probably an escalation force. Holes in the carrier will do fine.

    Destroyers also have support fleets, plenty of defense. I miss the BBs. Those could take a licking. Kinda expensive to float. Imagine modernizing those, adding cruise missile projectiles, something they could carry a hundred or so of, heck just retrofit standard munitions with fins and GPS...

    But the modern Navy needs to be less labor-intensive, even faster on the water, and of course more fully integrated into the battlefield. So we get Zumwalts.

    Oh, and 'more ammo' means 'longer belts'.

  13. Re: Crazy. Naval swarm warfare. on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    Visualize more than one Phalanx on each side of the ship...

    And visualize more ammo...

  14. Re: Crazy. Naval swarm warfare. on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    Wonder how DIVADS would work against the swarm. Small=vulnerable.

  15. Re: Catch the captain's name? on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    Taken.

  16. Re: Boondoggle and can it combat other ships? on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    We mothballed the BBs, anything-in-range-killers, and they could have missiles also.

    Not so smart. One of those would be useful.

  17. Re: trolling... on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    You may want to read up on BIW..

    Go find it yersef.

  18. Re: Perspective on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    No other nation is building these sorts of ships any faster, except the Chinese...

    Guess why...

  19. Re: Perspective on Largest Destroyer Built For Navy Headed To Sea For Testing (ap.org) · Score: 1

    It's a well-developed argument for a Syrian...

  20. Shades have solar arrays on the sun-facing side.

    Now to get all that sweet, sweet power down here...

  21. "Debt-free" on Purdue Experiments With Income-Contingent Student Loans · Score: 1

    That's almost funny.

  22. Re: so, open season on American civilians now? on Air Force Hires Civilian Drone Pilots For Combat Patrols (latimes.com) · Score: 1

    Yeah, autocorrect is a marvel.

  23. Re: so, open season on American civilians now? on Air Force Hires Civilian Drone Pilots For Combat Patrols (latimes.com) · Score: 1

    Modulating your response is rarely helpful. With the bully, once you've given up on avoidance, the authorities, and reasoning, smack them hard. Or you continue to get abused.

    In war, conventional war, you would of course focus on combatants, overwhelming force, quick resolution if possible.

    In unconventional war, where combatants mix with civilians and disguise their identity, you have no such luxury. Starving them off their weapons sounds good until they start making them in kitchens. Starving them literally means starving their civilian shields.

    Fortunately ISIL is becoming a well organized state-like entity. We could starve its revenue, oil for instance, and see how many of its fighters flee. But our president is reluctant to do so. And given time, Iran may get access to enough funds to bankroll ISIL and deny that option.

    So many people who find gains to deny the option of warfare in this modern world, while our enemies do not. Are they hopeful or oblivious?

  24. Re: so, open season on American civilians now? on Air Force Hires Civilian Drone Pilots For Combat Patrols (latimes.com) · Score: 1

    You are at war with people who are at war with you.

    Did the school bully ever ask you if you wanted to be bullied? Did the drunk in the bar ever ask if you'd like to be beaten up, please sir?

    Seriously, if a group picks you as their enemy, it doesn't matter if they are a nation-state.

  25. Re: This isn't hard folks on Air Force Hires Civilian Drone Pilots For Combat Patrols (latimes.com) · Score: 1

    Korea? The Philippines?

    There are places people get paid to level up your pathetic pud. Note all they need is a security clearance.