Slashdot Mirror


User: JoachimV

JoachimV's activity in the archive.

Stories: 0 · Comments: 4

Comments · 4

  1. PIN security standards on Encrypted PIN Data Taken In Target Breach · Score: 1

    Surprising lack of information and misinformation for a slashdot post and comments. In general, PINs are the most protected part of payment transactions. PIN encryption doesn't use bad/crackable crypto concepts like Adobe did on their passwords. And while it's Triple DES-based, it's actually quite strong. All debit PINs in the US are encrypted using the same few standards:
    * PIN Block and PIN encryption: ANS X9.8 part 1 and ISO 9564. Examples: http://www.paymentsystemsblog.com/2010/03/03/pin-block-formats/
    * Key management: DUKPT from Annex A of ANS X9.24 part 1. Some DUKPT details: http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction

    Each PIN pad is injected with a unique initial key that is a double-length Triple DES key. That initial key is derived into a key set of 21 keys that are used to derive up to 1 million future keys (the counter rules in DUKPT only let it count 1 million values). Those are all unique per device. Each transaction uses a unique future key and that is derived into a PIN encryption key to encrypt the PIN block (according to the ANSI and ISO standards).

    Encryption of the PIN block is Triple DES ECB using a unique key for that transaction for that device. Breaking the encryption for that key would be a 2^112 brute force effort (no shortcuts because only one ciphertext used that key). And breaking that key will not get you any past keys and only some future keys for that device depending on where it is in the key space. In all, cracking PIN blocks coming from PIN pads is not a low hanging fruit.

    PIN pads and their design have to be lab certified and signed off by the PCI Security Council. Merchants can only use PCI certified PIN devices if they take debit cards. (Strangely, credit-only devices are not required to be PCI certified, but they could be if they encrypt credit card data.) While there are older versions of the PIN pad certification requirements, basically the PIN security is the strongest part of the certification. The lab tests for side channel attacks against PIN encryption, ensures physical security of the device, logical security of the device, that applications running on the device (if any) cannot impact/access PIN encryption, and that tampering with devices causes them to erase keys.
    List of PCI approved PIN Transaction Security (PTS) devices: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php#
    PCI documents (including PIN security): https://www.pcisecuritystandards.org/security_standards/documents.php?association=PTS&document=PTS%20Program%20Guide%20FINAL%201%201#PTS%20Program%20Guide%20FINAL%201%201

  2. Re:What other theories? on Ben Stein's 'Expelled' - Evolution, Academia and Conformity · Score: 1

    Agreed that theories must be testable and falsifiable, including intelligent design or creationist ideas. And new scientific evidence should be predicted by those theories.

    There is ongoing work on testable ID models and testable creation models.

    Here is one such example:
    http://www.reasons.org/tnrtb/2008/04/21/testing-cosmic-creation-models-part-1/

    Hugh Ross is one such theorist, especially in the areas of cosmology.
    http://en.wikipedia.org/wiki/Hugh_Ross_%28creationist%29

    His theories have caused him to be criticized by both scientists and creationists.

  3. The State of the Art on The Future of Crime - Biometric Spoofing? · Score: 1

    Most of the comments (and the article) are ignoring the current state of the art and future directions in finger biometrics (notice I didn't say fingerprint).

    Until recent developments with biometric spoofing, biometric sensor companies were not focused on preventing spoof attacks, gummy fingers, and other forms of compromise. But now they are. The current generation of fingerprint sensors just being deployed now are much more difficult to spoof. The next generation will be close to impossible to fool because they are collecting and matching finger data below the surface of the skin.

    This means that latex/gummy fingers can be detected, dead fingers can be detected, and people with difficult fingerprints (no fingerprints or individuals with low pitch fingerprints) can be uniquely identified.

    Sub-dermal structures are not "left around" and 3 dimensional structures will be extremely challenging for even an advanced attacker to duplicate. At that point attackers will find other less challenging weaknesses in the security structure.

    I continue to believe that the most useful application of biometrics is in unlocking a cryptographic credential in a USB device (or smart card) format. Two-factor security and convenience in one device.

    Some references. Unfortunately many biometric sensor vendors are not willing to tout their anti-spoofing technologies for fear of being attacked.

    Authentec's True Print technology
    http://www.authentec.com/technology.cfm

    Lumidigm's multispectral imaging (MSI)
    http://www.lumidigm.com/antispoof.html

  4. Let's talk precedents on "Pez" Forbidden in Meta Tags · Score: 1

    A friend of mine who runs SearchEngineWatch has been very interested in the meta tag lawsuits and has actually been an expert witness for Terri Welles in Playboy's meta tag lawsuit against her.

    He has a very interesting page listing Meta Tag Lawsuits which summarizes some of the recent cases, whether they have been settled, and the importance of the settlement.

    My understanding is that the courts have ruled that you cannot use trademarked meta tags if you are attempting to be deceptive with them (see Oppedahl & Larson v. Advanced Concepts) or attempting to "hijack" another web page. But if you have a legitimate reason to be using a trademark term to properly catalog your site then its use would be legitimate.

    I don't think the courts have made a definitive ruling on the legitimate use of trademarked terms in meta tags yet. But that might happen in the Terri Welles countersuit. And she did win her original case allowing her to use trademarked terms on her site. And Playboy was denied an appeal.

    I'd say Pez fan sites have a legitimate reason to use the term in meta tags based on the Playboy vs. Terri Welles case. But the sad thing here is that PezCandy has a right to sue and small players without the resources to fight back will simply back down.

    Hopefully we'll get a definitive ruling on this soon from somebody who can afford to fight back.

    Joachim