Feeds

* Posts by Charles 9

3710 posts • joined 10 Jun 2009

Run for the tills! Malware infected Target registers, slurped 40m bank cards

Charles 9
Silver badge

Re: Who said the POS system has internet access?

"Shockingly, yes, some POS terminals have direct access to the internet, I was told for firmware upgrades and diagnostics."

Savvy firms don't allow direct upgrades and instead test the upgrades, vet them, then roll them out at their schedule through the corporate intranet. Also consider some transactions were probably done with the POS's reader rather than the PIN Pad's. If they were sniffed as well, the exploit would need to be in the POS itself, as the PIN pad wouldn't have read that data.

I'd have to pay a visit, but I think Target uses NCR brand POS systems (if not, then it's probably IBM). But the PIN pads come from a different company (I don't think it's Ingenico, but I suspect it's the same company that supplies Best Buy).

0
0
Charles 9
Silver badge

Re: back-end systems should not have Internet access.

"At least one back end system of necessity has internet access: the one that contacts the credit/debit card vendors to authorize the credit/debit transaction."

But that should be the ONLY link. Meaning you can treat it like a store-to-headquarters link. It need not be on a dedicated line, but if it's a well-defined connection, you can tightly restrict the connection with assistance from the data provider and the other end (limited access, VPN tunnels, encrypted connections, only accept outgoing initiation, etc.) to make it so that's the ONLY thing it can see.

I suspect Target and Neiman Marcus were targeted specifically because they were big retailers (as in, large gross receipts due to (the former) lots of customers or (the latter) high-ticket customers). But as you say these firms are no hayseeds, and the POS software usually undergoes vetting and testing prior to a rollout (which does not occur often--they usually only change the POS systems when they HAVE TO due to security or internal procedural updates), which means the exploit had to survive that kind of testing. Plus if the code was signed, it would need to have been altered BEFORE signing.

These along with the fact the data didn't appear to be detected en route leads me to believe the attack was very sophisticated: in fact so sophisticated as to preclude someone without intimate knowledge of the internal software and/or network. That's why I suspect an insider. I would need to know more about the respective POS systems, but for now, given that two different retailers were hit at the same time with the same MO, I hypothesize the exploit occurred at base POS code that would then be common to both retailers. So IOW, not an insider with the retailer but an insider with the POS manufacturer.

0
0
Charles 9
Silver badge

Re: Many barcode scanners allow arbitrary keypresses

True, but most of them ALSO feature a specific procedure that requires scanning not one but a SERIES of barcodes to configure them the way you want. The Symbol scanner I own (which is similar to models seen in smaller stores) can be configured to refuse to scan certain types of barcodes so that you can limit exploit avenues.

As for exploiting the POS, that depends on the system. Among the different things you can set the barcode readers to do is to emulate a serial port rather than a keyboard, meaning the POS can distinguish between them and be much less likely to be exploited through this method.

1
0
Charles 9
Silver badge

Re: Who said the POS system has internet access?

Last I checked, Target POS systems don't have readily-accessible USB ports. Indeed, if it's like most POS systems I know, the software is loaded from the back office, which in turn gets it through a corporate intranet.

Something this sophisticated on hardware that normally doesn't see the Internet points me to an inside job. It may not be with Target in this case but with the designer of the base POS software Target and other firms were using. IOW, we're talking insider hacking from pretty high up the chain.

2
1

FCC net neutrality blueprint TRASHED by US appeals court

Charles 9
Silver badge

Re: @Trevor_Pott: What have you been smoking?

I look at this this way. Capitalism is "Winner Economics": Economic Darwinism, in a sense.

It has a good side and a bad side. The good news is that high levels of competition forces firms to be lean and to woo customers. The bad news is that many firms can't keep up at this level and they start to fall away to winners, which will in turn look towards the remaining competition. IOW, it ultimately results in a few well-funded bullies who can squeeze the smaller players out and then fight amongst each other until there is "one firm to rule them all".

I think the closest analogue to how capitalism operates is an open poker tournament. Everyone buys in with the same amount of cash. Gradually, players fall away and the winners take their proceeds. Eventually, you end up with big chip holders who can bully the table around. And eventually, one player emerges as the winner.

Sure, you can sometimes disrupt the market if you're lucky (like undercutting the market or flopping quads), but if a firm is big enough, they can withstand such a disruption and wear you out (winning an all-in bet with quads doesn't mean much if you're at a 1-to-8 disadvantage against your opponent--you need several breaks to turn the tables, and odds are against you there).

3
2

Oh those crazy Frenchies! Parisian cabbies smash up Uber-booked rival ride

Charles 9
Silver badge

Re: circumventing the heavily regulated systems

We're going into another legal gray area here. The cabbies have a point. Cab licenses and permits help enforce standards of service. In general, cabs need to be clean and well-maintained, drivers fit, properly licensed and trained, and fares assessed fairly and clearly posted. Service should be prompt, swift, and direct within reason and non-discriminatory.

Now, if the regulations raise other issues apart from the above, that's a matter to be argued on its own.

If Uber and the like provide an alternate means to obtain a ride, that is one thing. But should Uber be subject to the same regulations as those for traditional taxi services? The argument CAN be made in that regard, and a serious discussion needs to be made regarding how to proceed.

As for the cab companies themselves, I suppose rivalry prevents them pooling their resources, but I wonder if a few of the savvier companies have considered fighting fire with fire: using the Web and/or smartphones to provide an interactive portal for their services. One could use their smartphone location to page a cab. Perhaps inputting a destination can help in estimating a fare total, giving the customer time to get the appropriate cash if needed. Once the cab is selected, its location and current status can be pinged back to the prospective customer, letting them know with at least a little precision when to expect their ride. It would be a way to add value to the service and distinguish themselves from the Uber rides.

10
2

Don't panic! Japan to send nuke fuel rod into MELTDOWN in Fukushima probe

Charles 9
Silver badge

Re: On the Plus Side...

I take it you don't live near Cornwall. Last I checked, people living there get more radiation on a daily basis than anyone's getting in California. And that radiation is literally coming out of the ground in Cornwall because of the granite sitting there. Indeed, any natural source of granite is going to have elevated radiation (Did you know granite can naturally contain trace amounts of uranium which can in turn decay into radon?). That includes Colorado and parts of New England.

0
0
Charles 9
Silver badge

Re: What Could Possibly Go Wrong?

Chernobyl was the result of mismanagement combined with a very risky experiment. Fukushima was victim of both mismanagement and a once-in-a-millennium disaster. TMI, OTOH, wasn't exactly a catastrophe. Indeed, the safety features built into American reactors worked as planned and contained the mess with only a brief release of radiation, and the no-man's-land is confined to the immediate vicinity of that reactor. And note, these were all OLD reactor designs. Has anyone seen a Gen III reactor go bad? And let's not forget there are Gen IV designs out there designed to fail gracefully (or simply be impossible to fail, period).

0
0
Charles 9
Silver badge

Re: All of this is totally unnecessary...

If the technology already exists, why isn't anyone (not even a private enterprise) independently developing it?

Anyway, the way the website is designed makes me wonder if this is a propaganda site. I'd be interested in some independent verification of the site, its goals, and its projects. Most of my research into the Keshe Foundation tells me it is of dubious trustworthiness.

IOW, I'll believe it when I actually see it working.

0
0
Charles 9
Silver badge

Re: Expensive Renewables

Despite centrally generated and despatched power being the potentially cleanest, safest, cheapest, most reliable solution we have for electricity.

EXCEPT that central power distribution has been proven to introduce single points of failure that result in failure cascades. Ask anyone who has lived in the Northeastern United States in the last half-century. They've had TWO failure cascades in that timeframe, NEITHER of which were precipitated by anything one would call catastrophic; they simply cascaded into that condition.

0
0
Charles 9
Silver badge

Re: Technical question

Slight explanation:

Critical mass is dependent on a number of things: mass, shape, purity, temperature, surroundings.

Applying heat makes the atoms absorb the heat. You learn in physics that when atoms get hot, they get more energetic and move around faster. In other words, heating radioactive metal makes it more active, reducing the critical mass.

1
1

Hackers slurp credit card details from US luxury retailer Neiman Marcus

Charles 9
Silver badge

What normally happens is that the POS units link to a back-office server for that store, which in turn is connected to the company headquarters or some midway point, depending on the scales involved. And it's headquarters that also tells the back-office machines who to contact on the corporate net in regards to credit card transactions and so on (if they don't route the transactions themselves, another possibility).

AFAIK, these all run on closed networks (most of the ones I've seen use Class 1 10.x.x.x private net addresses).

0
0
Charles 9
Silver badge

Re: Encryption?

"Wish I could remember where I read the details, but the point of attack was the interface between two sets of exchanges. Both individual links were secure end to end, and they thought the transfer between the two was good as well. It sounded like the breach was both novel and clever. Although this is the first article I've seen confirming it was the POS system and not the back end db that was cracked. I was suspicious about that because of the too careful wording they were using to describe the breach and the ranged time period."

If the exploit was made in the POS system, then that smacks of an inside job of some sophistication. Based on what I know of modern retail POS systems, they're (a) trade secrets with tons of secret sauce, (b) rolled out in very controlled and restricted ways to minimize disruptions, and (c) deployed on a closed intranet.

Therefore, to get an exploit onto a modern POS system would involve (a) Tampering with a very secret program code (How many people have code access for the POS system?) (b) Slipping the exploit into a scheduled software rollout, passing any testing that would've occurred before then, and (c) Either bridge the intranet with the Internet or extract the siphoned details locally in some other manner.

I don't think any outsider could achieve a feat of the scale we're talking about.

I suspect PCI will have to look into reducing the trust level of the POS system as a result of this. Based on what I've read, the standards as they are mean the POS can obtain the card data unencrypted, and that may have to change. Newer equipment may mandate the use of encrypting magstripe readers and the use of PKI where not even the store knows the decryption key (IOW, only the payment processor would be able to receive the magstripe data). This may also be considered as Chip-and-PIN is considered for American rollout (because despite its increased security, it has been shown to have holes that can be exploited at the POS level as well).

0
0
Charles 9
Silver badge

Re: Encryption?

I'm wondering about this, too, since IIRC PCI-DSS standards require end-to-end encryption using the clearinghouse's Triple-DES key, which not even the store is supposed to be able to decrypt.

1
0

Apple-hungry thieves defy sinking New York City crime stats

Charles 9
Silver badge

Re: Basically the fault of the mobile providers

Blacklists aren't synchronized between countries, meaning any blacklisted phone can just be fenced overseas.

Now, in a related thread, someone postulated that the thefts were incidental to general assaults: intended to deny the victim quick access to 911. I have to ask. How many of these crimes can be conclusively shown to be targeting the phone specifically and not as a denial of access against another crime?

3
0

AT&T's sponsored data plan: Who, us, violating net neutrality?

Charles 9
Silver badge

Some apps are UNAVOIDABLY data-heavy due to the type of data they do. Media-heavy apps like Pandora, YouTube, and Skype will always be towards the top of the list simply because it takes serious data to pump sound and video.

0
0
Charles 9
Silver badge

Except toll-free numbers are provider-agnostic. If you're going to do this for wireless, allow ALL providers to bill, not just AT&T.

0
0
Charles 9
Silver badge

Re: Not sure

Last I checked, most cell phone plans treat any number within the country the same: including "toll-free" numbers because it's the AIRTIME you're paying for: not the call. Any US cellco worth its salt treats a call to Seattle the same as a call to Miami in terms of costs and so on, so "toll-free" numbers are rather moot here: a number is a number is a number for a cell phone.

2
0

FCC honcho: Shifting our crusty phone network to IP packets starts now

Charles 9
Silver badge

Re: In an all-IP network, a packet is a packet is a packet.

Just curious. If fiber between datacenters isn't so expensive, why do I keep hearing about lots of "cold fiber"?

0
0
Charles 9
Silver badge

Re: In an all-IP network, a packet is a packet is a packet.

Trouble is, I don't think you CAN set the parameters rationally. The big reason is that some packets will always try to cheat: disguising themselves as higher-profile packets or using encrypted channels where their identity is obscured. So in other words, the moment you try to set a limit, the packet cheaters will tailor themselves to the loophole and ram through it like a runaway lorry.

0
0
Charles 9
Silver badge

Re: Power supply

Well, to each his own. Some people prefer the short, sharp shock while others are more comfortable easing in with the slow, deliberate approach.

Another thought arises. If the new IP phone world does use IPv6, there is a strong likelihood that it would be very easy to break the current paradigm of all the phones in a site being bonded to the same line and number. With IPv6 phones, each one could be individually addressable. However, while possible, it may not be desired, so a provision may be needed that allows someone to link phones together so they may act much like the old-style phones. It would be more complicated than this, for sure, since the old style also allowed for such things as easy passover from one phone to the next as well as conference calling/eavesdropping using another phone on the same circuit, you get the point. This is one of those significant changes that would need to be negotiated very carefully, as this kind of transition can get particularly jarring.

0
0
Charles 9
Silver badge

Re: Power supply

"In theory, wireline telephone numbers have been disconnected from geography since 1997 when local number portability was mandated."

Yes, but what about the area codes as well? I'm talking about telephone numbers that can follow a person on a global scale. After all, one VOIP packet is not so different from the next. Cell phones come closest now, but due to the network structure, there's the matter of roaming. Perhaps I think a bit too ambitiously since even IPv6 relies on the address to facilitate routing, but something of the sort could at least be looked at.

1
0
Charles 9
Silver badge

Re: Power supply

Perhaps that's one of the things that should be brought up: power failover.

If we look at this from the angle of, "We need to update the telephone system. What should we be doing?" I say let's give them all the input we can.

- As you mentioned, POTS provides its own DC power which allows phones to operate without need for mains. Perhaps something like this should be preserved.

- How will a switch to IP telephone affect telephone access: numbers, area codes, exchanges, and zoning? Will they be preserved or change to reflect a larger potential access pool? If telephone access need not be tied to geography anymore, could any telephone number, not just a cell number, be portable from place to place?

- While on the subject of fax machines, many consumer and enterprise devices interact with POTS systems, typically by way of an analog modem (faxes use modems, too, just to a different signal spec). Since retrofitting to an all-IP system may be cost-prohibitive, an assurance that analog modems can transit safely could be in order at least in the short term.

- Which version of IP will the new system use? More than likely IPv6 since it would be a relatively clean slate and provide much more room for growth. If all new telephone devices were to be aligned to a single 64-bit network prefix, that still leaves an umpteen number of possible numbers for each device (based on my rough math, about 10,000,000 entries for a population approaching 10 billion). We can figure out the organization as we go, but there's plenty of leeway for it.

- Someone mentioned security in communications vs. government oversight. I don't know if one can make a guaranteed secure communication between Alice and Bob that's proof against Mallory or Gene MITM'ing it. However, we can perhaps at least establish a system by which the average conversation, so far as it is aware, cannot be idly picked out of the air by way of a system like TLS (perhaps in an improved or modified form) to handshake an encrypted link between the parties. My concern about this, however, is that any security protocol weakens over time, and this would create the occasional problem of updating/upgrading devices so as to replace protocols as they age.

That's all off the top of my head. But let's look at this more constructively. If we're going to establish a new telephone system, instead of complaining about conspiracies and the like, why don't we voice constructive comments and so on and at least try to tell them what we actually want? Whether or not they listen is perhaps beyond us, but at least we'll have honestly voiced ourselves.

3
0

Target's database raided, 70 MILLION US shoppers at risk of ID theft

Charles 9
Silver badge

Re: unencrypted!

That's what I was thinking, based on PCI-DSS rules. From the PIN Pad, the card number should be encrypted by a key provided by the clearinghouse so that no one in between can intercept it. Unless Target is ITSELF a clearinghouse.

0
0

Judge orders Yelp.com to unmask anonymous critics who tore into biz

Charles 9
Silver badge

Re: No right of anonymity

And if the complaint is legitimate AND there is a threat of retaliation? That's why the anonymous comment is normally protected speech: to allow for such whistleblowing.

1
0

Anatomy of a 22-year-old X Window bug: Get root with newly uncovered flaw

Charles 9
Silver badge

Re: Careful

Can any user other than root get to-the-metal access (since many modern X systems can use hardware-assisted rendering and need to-the-metal access for performance reasons)?

0
0
Charles 9
Silver badge

Re: Dangerous Arguments

The point is that it becomes a Catch-22. In order to make the X server do what you want, you have to gain the same escalations this exploit is supposedly able to provide. To paraphrase Spike Milligan, you'd be trying to open the box with the crowbar you'll find inside.

Unless you're saying there's a way to insert the malformed BDF AND force the font refresh without any prior privilege escalation or user takeover?

0
0
Charles 9
Silver badge

Re: When any C/C++ code includes "goto" you know it sucks...

OK, how about this? Only one additional nesting level and a slight inefficiency, but would this do?

#include <stdlib.h>

/* X, Y, Z and do_sth() are placeholders from the post; assume they are
   declared elsewhere and that do_sth() returns EXIT_SUCCESS on success. */

int foo(void) {
    int rc = EXIT_SUCCESS;

    /* Not the most efficient, but this is the time/space tradeoff. */
    X* x = malloc(sizeof(*x));
    Y* y = malloc(sizeof(*y));
    Z* z = malloc(sizeof(*z));

    /* To proceed, none of the three can be null. */
    if ((x != NULL) && (y != NULL) && (z != NULL)) {
        if ((rc = do_sth(x, y, z)) == EXIT_SUCCESS) {
            /* Everything works. Do whatever else here */
        }
    }
    else {
        rc = EXIT_FAILURE;
    }

    /* Do the cleanup here regardless of result */
    /* Frankly, I'm of a mind to do an inline or macro here. */
    /* (free(NULL) is a defined no-op, so the NULL checks are belt and braces.) */
    if (z != NULL) free(z);
    if (y != NULL) free(y);
    if (x != NULL) free(x);

    return rc;
}

1
0
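To put the two cleanup styles from this thread side by side, here is an added example (not from the original post or its author) that compares the nested-if form above with the single-exit "goto cleanup" idiom it was written to avoid. The X, Y, Z types and do_sth() are stand-ins assumed for the demonstration, and the allocator is a constructed fault-injecting wrapper around malloc so that a test can force the Nth allocation to fail and check that neither variant leaks or double-frees on the partial-failure path, which is the property that actually matters for the security of cleanup code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault-injecting allocator: allocation number `fail_at`
   (1-based) returns NULL; 0 disables injection. `g_live` counts blocks
   still outstanding, so a leak on any path shows up as a non-zero value. */
static int g_alloc_calls = 0;
static int g_fail_at = 0;
static int g_live = 0;

static void *test_malloc(size_t n) {
    g_alloc_calls++;
    if (g_fail_at != 0 && g_alloc_calls == g_fail_at)
        return NULL;
    void *p = malloc(n);
    if (p != NULL) g_live++;
    return p;
}

static void test_free(void *p) {
    if (p != NULL) { g_live--; free(p); }
}

static void reset_allocator(int fail_at) {
    g_alloc_calls = 0;
    g_fail_at = fail_at;
    g_live = 0;
}

/* Stand-ins (assumed, not from the post) for the X, Y, Z types and do_sth(). */
typedef struct { char tag[8]; } X;
typedef struct { int v; } Y;
typedef struct { double d; } Z;

static int do_sth(X *x, Y *y, Z *z) {
    strcpy(x->tag, "ok");
    y->v = 42;
    z->d = 1.5;
    return EXIT_SUCCESS;
}

/* Variant 1: the nested-if form. All three allocations are attempted up front
   and the cleanup falls through at the end. free(NULL) is a defined no-op,
   so no NULL guards are needed before the frees. */
int foo_nested(void) {
    int rc;
    X *x = test_malloc(sizeof(*x));
    Y *y = test_malloc(sizeof(*y));
    Z *z = test_malloc(sizeof(*z));

    if (x != NULL && y != NULL && z != NULL)
        rc = do_sth(x, y, z);
    else
        rc = EXIT_FAILURE;

    test_free(z);
    test_free(y);
    test_free(x);
    return rc;
}

/* Variant 2: the goto-cleanup idiom. Each allocation is checked immediately,
   every failure path jumps to one exit label, and all pointers start as NULL
   so the cleanup block is identical whichever step failed. */
int foo_goto(void) {
    int rc = EXIT_FAILURE;
    X *x = NULL;
    Y *y = NULL;
    Z *z = NULL;

    x = test_malloc(sizeof(*x));
    if (x == NULL) goto cleanup;
    y = test_malloc(sizeof(*y));
    if (y == NULL) goto cleanup;
    z = test_malloc(sizeof(*z));
    if (z == NULL) goto cleanup;

    rc = do_sth(x, y, z);

cleanup:
    test_free(z);
    test_free(y);
    test_free(x);
    return rc;
}

/* Helpers for checking a variant with allocation `fail_at` forced to fail. */
int rc_when(int (*variant)(void), int fail_at) {
    reset_allocator(fail_at);
    return variant();
}
int leaks_when(int (*variant)(void), int fail_at) {
    reset_allocator(fail_at);
    (void)variant();
    return g_live;               /* 0 means every block was released */
}
int alloc_calls_when(int (*variant)(void), int fail_at) {
    reset_allocator(fail_at);
    (void)variant();
    return g_alloc_calls;        /* goto form stops at the first failure */
}

int main(void) {
    for (int fail_at = 0; fail_at <= 3; fail_at++)
        printf("fail_at=%d nested: rc=%d leaks=%d | goto: rc=%d leaks=%d\n",
               fail_at, rc_when(foo_nested, fail_at), leaks_when(foo_nested, fail_at),
               rc_when(foo_goto, fail_at), leaks_when(foo_goto, fail_at));
    return 0;
}
```

Both variants release everything on every path; the difference is that the goto form stops allocating at the first failure and keeps each check next to the call it guards, which is why kernel and library code commonly uses it despite the "goto sucks" reflex.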

Take off, nuke 'em from orbit: Kill patent trolls NOW, says FTC bigwig

Charles 9
Silver badge

Re: Patents that simply "Lurk"

You can fix that simply by shortening the terms of such patents. The problem is that in the tech world, product lifecycles are very short, so patents in that field should reflect that. If you knew the patent you got expires in just a couple years, you can't hibernate it. You have to either snap now or lose your asset. Furthermore, you better have a clear-cut case in order to avoid having lengthy court proceedings drag you past the expiration date.

0
0
Charles 9
Silver badge

Re: sorted

OK, how do you stop big companies that can bully both the plaintiff AND the courts? Remember, the little guy can't get the hotshot lawyers who are masters at legalese.

0
0
Charles 9
Silver badge

Re: Only one option really...

Why not? If you were the first to something, why not get rewarded for it? I'm just saying that the reward needs to be scaled to its pertinent industry and product lifecycle, which would likely limit an algorithmic patent to just a few years. Also recall, once the algorithm patent expires, it's public domain and open to everyone.

0
0
Charles 9
Silver badge

Re: Only one option really...

But there's no time limit on a trademark. Trademarks are PERMANENT. Furthermore, to qualify for a trademark, the company must ACTIVELY use them as an identifying mark of their business (example: the Coca-Cola bottle shape, the UPS logo and color scheme).

0
0
Charles 9
Silver badge

Re: Nice thought, logical ideology, BUT...

Didn't they already pass a law that says that shell companies holding patents must disclose its owners, meaning they have the power to look under the shells?

0
0
Charles 9
Silver badge

Re: Only one option really...

No need to stop them altogether. In fact, I would be more in favor of speeding them up: nonphysical patents can still be allowed, but on a MUCH shorter timeframe: say, three years, long enough to present products using them for a cycle, but then it's not only fair game but open to the public. That's one overlooked aspect of patents--once they expire, they become public domain. So instead of being covered up as trade secrets (because they can't be patented), anyone can take advantage of them after a REASONABLE period.

Because in the end, the problem with software patents has not really been that they're nonphysical but that they last too long relative to their product lifecycles.

18
0

Snowden docs: NSA building encryption-cracking quantum computer

Charles 9
Silver badge

Re: Rubbish

You forget the data store in Utah that will hold historical data as well. Even if you switch cryptosystems, there's still all the OLD stuff that used the old systems. Maybe they can be used as an inroad to cryptoanalyze the new stuff, maybe they'll just use it as evidence to nail the spies and so on. Point is, it's not just PRESENT data that's vulnerable, but PAST data, too.

0
0

Connecting Gmail to Google+ is SENSELESS, says Digg founder

Charles 9
Silver badge

Re: No forcing google+

They ALSO force you into Google+ if you wish to comment on Android apps. This can be important if you've found a very good or very bad app and wish to make your opinion known.

2
0

T-Mobile US: AT&T's mobe buyout deal is so 'desperate', we'll do it too

Charles 9
Silver badge

Re: Not enough

T-Mobile comes the closest in that regard, mainly by disconnecting the phone installment plan from the service contract. They've also historically been the friendliest when it comes to unlocking and bringing your own phone. Their big problem until recently was spectrum, but with US LTE spectrum settling, it's less of an issue (AT&T and T-Mobile LTE phones tend to support both bands XVII and IV, respectively, meaning you can switch between them without losing LTE coverage).

0
0
Charles 9
Silver badge

Re: villandra

There's also the matter that the announcements are coming during the 2014 CES, which is being held right now in America.

Anyway, I'm thinking of moving back to T-Mo myself (currently on an MVNO). It's hard to beat true Visual Voicemail (which no MVNO to my knowledge does), plus there's the benefit of WiFi Calling (Which provides more ways to make calls. Some of the places I go have hotspots but block cell signals). Thing is, it would mean a modest price increase, so I'm waiting to see if they sweeten the deal a little first.

0
0

Haters of lurid supershow CES: The consumer tech market is still SHRINKING

Charles 9
Silver badge

Re: Misunderestimated Market

"It doesn't make any sense, but Humans rarely do. It certainly isn't something you can plot on a bubble chart (I hate bubble charts) or begin to quantify. It's pure emotional reaction and you can't account for that. Why do you think there are so many products in every category? It sure as fuck isn't about giving the consumer choice. It's throwing everything imaginable at the consumer and trusting in the laws of probabilities that something will stick, eventually."

Thing is, in making so many models, you have to pay for their manufacture. Meaning you're taking a gamble, plus with so many models you run the risk of overextending: making stuff that's not likely to sell and end up getting eaten. Also, things like TVs are tough to make good margins on, especially in a market like this with stiff competition.

As for myself, I seem to be in the minority, as I actually did the research when I bought my last TV (replaced a dying set). Once I decided on a size, I played the field, checked out the different manufacturers, different tiers of features, and so on. I also chose to wait. As it turns out, timing helps when it comes to TVs. It's best to buy a TV around February or March, the end of the model year. At that point, stores need to mark down older TVs to get them out to make room for new ones. This means plenty of bargains, and I eventually made my purchase then: a nice TV I had studied thoroughly.

I suppose there are different levels of X for "I want X". Some like me just say, "I want an X" and work from there; others say, "I want X, Y, Z right now!" I admit sometimes to being tempted by emotion and so on, but perhaps there's a Vulcan streak in me in that I've found myself needing to justify the purchase AND do so with a decent amount of reason; I've actually been able to curb my instincts and walk away from more than a few buys: usually because I learn something that allows me to go, "On second thought..."

0
0
Charles 9
Silver badge

"4k TVs look absolutely gorgeous so I'd say they are very welcome. The only reason I'd pass on one now is the lack of content that really takes advantage of it."

The trouble is, based on what we've been hearing from the content providers, they've gone into full paranoia mode for 4K content. They want to make sure there's no chance in at least five years or so that anyone can rip 4K content from their media. Sounds to me like they'll develop and patent proprietary everything to cover their bases. Unique media and player devices, new protocols and cabling designs, probably even new TV designs equipped with end-to-end cryptosystems, probably even suicide hardware at the display end to prevent wiretapping. And they've already said flat out, ABSOLUTELY NO general purpose hardware will be allowed anywhere near them.

IOW, if you want to play 4K, it'll be by their rules; otherwise, you go home.

0
0
Charles 9
Silver badge

But one could say the same thing about HDTV vs. SDTV. Is it the high resolutions selling TVs these days or the slimmer designs?

For now, my view is that UHD/4K/whatever sets just aren't needed in the consumer market. I mean, just how high a resolution do you need? Where I see things like this being adopted more is in the professional market, where the tech can be enlarged and be used more for presentations.

0
0

Block The Pirate Bay? Arrr, me hearties, new P2P client could sink that plan

Charles 9
Silver badge

Re: It's a question of trust -- @ DrXym

"Of course, another option is for them to switch to another revenue stream, e.g. a bitcoin micropayment and no ads, but presumably it would still suffer many of the same issues and more besides."

You realize they ALREADY accept donations in both Bitcoin and Litecoin.

0
0
Charles 9
Silver badge

But at the same token, how do you target something that's outside legal jurisdiction but is still dangerous (say, a malware site)? Especially when it's being housed by what could be considered a "hostile" power?

0
2
Charles 9
Silver badge

I think the approach is more analogous to Bitcoin than to Freenet. The idea seems to be that everyone syncs up their copy of the torrent list with everyone else. Much like Bitcoin's ledger.

0
0
Charles 9
Silver badge

Re: The problem with this

Well, for P2P DNS solutions like yacy and Namecoin are already popping up.

0
0

Gorilla Glass fights dirty, dirty germs with antimicrobial coating

Charles 9
Silver badge

"And all that would be mostly useless, because we already have one of the best microbial barriers : our skin."

The gloves I can see (barring the fact they can cover up cuts through which microbes can directly invade the blood). But wouldn't the fact that orifices provide paths past the skin tell us we should still do masks? Or are they moot by the fact they can slip through gaps and still get in?

0
0
Charles 9
Silver badge

Re: Might be useful

Silver has similar antimicrobial properties. Makes me wonder which one is better (copper or silver) when put head to head.

0
0

'BILLION-YEAR DISK' to help FUTURE LIFEFORMS study us

Charles 9
Silver badge

Re: Additional test results

How stable are oxide crystals? Might they also have properties that would make them unsuitable for a protective layer (for example, you wouldn't want to use quartz since it's piezoelectric--a chance current or lightning bolt could make it crush anything it contained)? Plus, what about their hardness? At 8.5 on the Mohs scale, Silicon Nitride is no slouch (To compare, Quartz is a 7).

0
0

Hacker backdoors Linksys, Netgear, Cisco and other routers

Charles 9
Silver badge

Re: Simple solution

"The private key has to be present on the system that's getting the HTTPS requests to be able to authenticate the public key in the router. The next time there's a vulnerability found in the web server software being used, hackers will grab the private key."

Such a server wouldn't have to be sophisticated. Such a setup I would hope to make as simple as possible to limit possible avenues. For example, if I could, I wouldn't use SQL in it. Also, perhaps you can run the process through a closed cryptosystem such that the web server never knows the key but shuttles data through a black box (which the server, and thus the malware, can't otherwise reach).

That just leaves session hijacking, but we're seeing ways to mitigate that.

0
0
Charles 9
Silver badge

Re: ISP backdoors

"A savvy user would give them the reply they expect. ;-)"

Savviness won't help you if you don't know what they're expecting. Besides, depending on the design, there may not be a way to feed the connection false information (if, for example, it triggers a hardware-based check or requests encoded or obfuscated data to test for altered firmware).

0
0