Re: Passport Chip
Yep, it's passport number, date of birth and the expiry date of the passport.
Once you have these details, you can access the passport via NFC to get at the biometric data.
169 posts • joined 16 Jun 2009
"Does this mean that if I put the number ten in a circle on the back of my getaway car, I can create a slow moving knot of traffic to delay the cars chasing me?"
I'm pretty sure that the camera in my car has reacted to those maximum speed stickers you sometimes see on the back of lorries that look like a speed limit sign.
"I assume anyone who doesn't want this just needs to cover the camera that's watching out for the signs."
.. or just not turn it on.
My car reads the road-signs and like the Volvo above, this is incredibly unreliable as it can't tell what sign applies to you (I'm feeling slightly better that it's not just the Vauxhall system that does that).
The car also has a limiter and it is incredibly useful, especially in areas with average speed cameras. I'm glad that the sign reader and limiter haven't been linked.
"Other banking institutions across the world are also using this technology with their customers."
I've heard similar things to this from software vendors on multiple occasions.. often just before I demonstrate a whopper of a security flaw.
Never mind PVRs, adding a CA layer will involve having to upgrade/replace pretty much every TV.
It is back up and running now, and resolving to the same address it was last night (when it failed). However, last night there were five CNAME records in the chain :-
www.samsung.com. 0 IN CNAME www.samsung.com.edgekey.net.
www.samsung.com.edgekey.net. 2616 IN CNAME www.samsung.com.akadns.net.
www.samsung.com.akadns.net. 4 IN CNAME china-www.samsung.com.edgekey.net.
china-www.samsung.com.edgekey.net. 7998 IN CNAME china-www.samsung.com.edgekey.net.globalredir.akadns.net.
china-www.samsung.com.edgekey.net.globalredir.akadns.net. 117 IN CNAME e1722.g.akamaiedge.net.
e1722.g.akamaiedge.net. 12 IN A 188.8.131.52
Whereas this morning there are only three :-
www.samsung.com. 60 IN CNAME www.samsung.com.edgekey.net.
www.samsung.com.edgekey.net. 9367 IN CNAME www.samsung.com.edgekey.net.globalredir.akadns.net.
www.samsung.com.edgekey.net.globalredir.akadns.net. 1998 IN CNAME e1722.g.akamaiedge.net.
e1722.g.akamaiedge.net. 11 IN A 184.108.40.206
I think that's a smoking gun.
Still, it's bloody stupid having SmartHub depend on www.samsung.com or even an Internet connection - I have an app that provides nice access to content on my local media server - the missus was not happy that that was unavailable too.
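As an added illustration of the comparison made in the post above (this is not the poster's own code), the following script parses the two dig-style answer sections quoted there, follows the CNAME chain from www.samsung.com. to its final A record, and reports how many hops the chain has in each snapshot. The record text is copied from the post; the parser, the hop limit and the loop check are assumptions of this example, written so a practitioner could run the same check over their own captured answers.

```python
import re
from typing import NamedTuple


class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# One "owner TTL IN TYPE RDATA" record per line, as dig prints them.
_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)$")

# Snapshots copied from the post above (the "last night" and "this morning" answers).
NIGHT = """
www.samsung.com. 0 IN CNAME www.samsung.com.edgekey.net.
www.samsung.com.edgekey.net. 2616 IN CNAME www.samsung.com.akadns.net.
www.samsung.com.akadns.net. 4 IN CNAME china-www.samsung.com.edgekey.net.
china-www.samsung.com.edgekey.net. 7998 IN CNAME china-www.samsung.com.edgekey.net.globalredir.akadns.net.
china-www.samsung.com.edgekey.net.globalredir.akadns.net. 117 IN CNAME e1722.g.akamaiedge.net.
e1722.g.akamaiedge.net. 12 IN A 188.8.131.52
"""

MORNING = """
www.samsung.com. 60 IN CNAME www.samsung.com.edgekey.net.
www.samsung.com.edgekey.net. 9367 IN CNAME www.samsung.com.edgekey.net.globalredir.akadns.net.
www.samsung.com.edgekey.net.globalredir.akadns.net. 1998 IN CNAME e1722.g.akamaiedge.net.
e1722.g.akamaiedge.net. 11 IN A 184.108.40.206
"""


def parse_answer(text):
    """Parse an answer section into RR tuples; names are lower-cased for lookup."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = _RR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        records.append(RR(name.lower(), int(ttl), rtype, rdata.lower()))
    return records


def follow_chain(records, start, max_hops=10):
    """Follow CNAMEs from `start` and return (cname_targets, final_a_addresses).

    Refuses loops and chains longer than max_hops (assumed limit for this example),
    since either is a sign of a broken or suspicious delegation.
    """
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    chain, seen, name = [], set(), start.lower()
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = by_name.get(name, [])
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if cnames:
            if len(chain) >= max_hops:
                raise ValueError("CNAME chain exceeds max_hops")
            chain.append(cnames[0].rdata)
            name = cnames[0].rdata
            continue
        return chain, [r.rdata for r in rrs if r.rtype == "A"]


def summarise(text, start="www.samsung.com."):
    """Hop count, the chain itself and the final address(es) for one snapshot."""
    chain, addrs = follow_chain(parse_answer(text), start)
    return {"hops": len(chain), "chain": chain, "addresses": addrs}


def changed_hops(old_text, new_text, start="www.samsung.com."):
    """Hops present in only one of two snapshots, i.e. what changed in the chain."""
    old = set(summarise(old_text, start)["chain"])
    new = set(summarise(new_text, start)["chain"])
    return {"removed": sorted(old - new), "added": sorted(new - old)}


if __name__ == "__main__":
    for label, snap in (("night", NIGHT), ("morning", MORNING)):
        print(label, summarise(snap))
    print(changed_hops(NIGHT, MORNING))
```

Run as-is it reports five hops for the night snapshot and three for the morning one, with the akadns.net and china-www hops listed as removed; the same functions accept the output of `dig +noall +answer www.example.com` pasted in place of the constants.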
That's awesome.. How did I miss that when it was broadcast?
* You authenticate using a cryptographic private key. The fingerprint just unlocks the private key on the local machine (like a screen unlock on an iPhone)
That is even worse!
For the private key to be stored securely, it must be encrypted with a key. This key needs to be provided identically each time the system decrypts the private key.
Unlike a password, each presentation of biometric data is slightly different each time the fingerprint (or whatever) is scanned. Confirmation of the print is based on a 'near enough' match of the stored biometric data (which is why you have the risk of false positives and false negatives). Therefore the key to decrypt the private key cannot be reasonably derived from the biometric data provided at the point of 'authentication'.
The only way I can see it working is that the key needed to decrypt the private key is actually stored on the system (presumably in some sort of obfuscated fashion) and that the software only chooses to use it to gain access to the private key after a successful biometric authentication event. It may as well be stored in the clear and hope for the best.
This article reads as though it sees m0n0wall as a failure, or that it demonstrates a weakness in the way that open source software is developed.
Yes, the project is closing but it is clear that so many people and other software packages owe so much to m0n0. Its code base is old and had been superseded in terms of flexibility and maintainability by those who came later and built and modified what was there. And so, in time, these packages will be replaced by others building upon them.
It's not a failure, pfSense and the others are all the children of M0n0. It has gone into retirement but its offspring have great futures ahead of them.
I'm guessing here, but I think it's more of a case of won't instead of can't and it is all down to app compatibility. Device manufacturers and therefore app developers will follow Google's releases. Third parties can develop their own new APIs or change core functionality to their heart's content, but when Google produces their own equivalent all of that is dead work.
Therefore pretty much everyone waits for the big G and just adds niche additions or their own brand of polish.
I'm not saying it can't happen but any true fork has to have enough traction to make it worthwhile. For example, ISTR that initially Ubuntu followed Debian releases and Mint now seems to be emerging from under Ubuntu's release shadow.
Whoever did the testing (if any) was probably only engaged to look at the underlying OS layer and not the application itself. Or expected to test the system without being permitted to actually log in to the application.
I am faced with this quite often and am amazed by some customers' opposition to me doing the job properly.
It is basically impossible to guarantee no disruption or outages in even the most tightly controlled and planned test, never mind exercises like this. You can not do things that are likely to result in an outage, but that's as far as you can go. You simply don't know how everything is going to react to anything.
I have shut down a manufacturing production line with no more than a TCP portscan so I know of what I speak.
It was possible to get the instant video service running on other android devices. They published the application via their own store a number of months ago. It was a pain to set up but it did work on my Nexus 10.
Just tried it again last night and it no longer works (may have had something to do with the Lollipop upgrade).
"However, they also included a hill-start setup whereby you could just use the throttle (and clutch if manual) to set off. Once the car realise you were setting off (putting enough torque down to the wheels) the handbrake released."
Yep. Vauxhall / Opel cars operate exactly the same. Whoever sold the car to voland's right hand obviously didn't explain that method of releasing the brake - the dealer that sold my car didn't show the other way to me. The car will do both though I've yet to see a use case for the 'manual' method.
I've had it for over six months now and have never rolled back on a hill start. That said, not having direct control of the brake feels strange and I still don't really trust it so hill starts are scary.
"If nothing else there's at least a large market of Linux enthusiasts clamouring for a Linux-based [mobile] device."
Whilst they haven't yet produced the tablet, Jolla produced a phone based on Sailfish last year.. and don't forget the venerable N900 and lesser-spotted N9. Going further back, the 770, N800 and N810.
'True' (not Android) Linux mobile devices hit the shelves a long time ago.
There are other ways of raising awareness than going full apocalypse scare tactics as a thinly obfuscated attempt to sell software that won't actually fix the problem.
A single http request with a specially crafted cookie from a Web browser with an extension to allow modification of cookies is a far cry from a single packet sent by a normal Web browser. Checkpoint know the difference and have made that statement to confuse and terrify those who don't.
It's difficult enough to get people to take security seriously without this sort of marketing shenanigans.
I'm not just singling out checkpoint here, there are many others who have also done this sort of thing.
I really hate this sort of shit. Is this an actual issue or a marketing piece?
If it is a real technical announcement, what does this mean :-
"All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser."
Other than (maybe) some relatively complex code with websockets, I'm not sure how to make my browser output a single packet. Such bullshit can only harm any real warning of a real issue.
"The fact that they are not being openly addressed shows me that people who understand don't care and people who care don't understand."
Not quite. Often the people with authority don't understand / care. I can't think of a more fruitlessly stressful job than ISO. So many are given the responsibility but not the necessary authority.
I can't remember what variant of card is in my bank card, but a number of the newer mifare chips have the ability to emulate a classic but without the (same) flaws.
"I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."
Barclays and Natwest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticate access to the account and at the transaction level (the first time you send money to a recipient).
"Is the token thingy in the same wallet as the credit/debit card?"
Probably, but that isn't an issue as you need to input your card PIN each time you use it (like you do in a physical shop).
AFAIK, all those calculator things use the standard EMV (Euro?? Mastercard Visa) authentication package that is embedded in the chip on your bank card. As such they are pretty interchangeable - at the very least I can log into my Barclays account using a NatWest device.
It's not too difficult to get a couple of the things (hint: most banks will send you a new one if it gets lost or breaks) and at work, all you need is to get one to share between a small group of trusted people.
It can be made relatively painless really easily too, perhaps you force authentication one (a year?) for each individual combination of retailer and delivery address.
Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form..
During enrolment, the authentication server collects data about your authenticator. This may be your password (hash) a seed for a 2FA token, X.509 public key or the base sample data for the biometric (etc. etc.)
During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.
The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.
That's why on many Windows networks if you have a password hash, it matters not that you don't know the password or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and just bypass the scanner hardware.
In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.
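To make the two comparison models described above concrete (the exact match a server does on a password hash, versus the 'near enough' match it does on a biometric sample, which the earlier post about fingerprint-unlocked private keys also turns on), here is an added example in Python. It is not the poster's code: the salted PBKDF2 hash, the Hamming-distance matcher with a fixed threshold, and the 256-bit feature templates are all assumptions standing in for a real verifier and a real scanner. The point it demonstrates is that a noisy sample can pass the threshold match while hashing to something completely different, so nothing derived from the sample can serve as a stable decryption key, and that the password record can be re-issued while the biometric template cannot.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


# --- Exact-match credential: password ----------------------------------------

def enrol_password(password, salt=None):
    """Store only a salted PBKDF2 digest; the server never keeps the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record, password):
    """Exact comparison: the presented blob must reproduce the stored digest bit for bit."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["hash"], digest)


def revoke_password(password, salt=None):
    """Revocation is just re-enrolment with a new secret; the old record becomes useless."""
    return enrol_password(password, salt)


# --- Threshold-match credential: biometric template ---------------------------

def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def enrol_biometric(template):
    """The server stores the enrolment sample itself (the 'base sample data')."""
    return {"template": bytes(template)}


def verify_biometric(record, sample, threshold=8):
    """'Near enough' comparison: accept if at most `threshold` bits differ (assumed threshold)."""
    if len(sample) != len(record["template"]):
        return False
    return hamming(record["template"], sample) <= threshold


def noisy_sample(template, flipped_bits):
    """Constructed stand-in for scanner variation: flip the given bit positions."""
    b = bytearray(template)
    for pos in flipped_bits:
        b[pos // 8] ^= 1 << (pos % 8)
    return bytes(b)


def key_from_sample(sample):
    """What a naive 'derive the disk key from the fingerprint' scheme would compute."""
    return hashlib.sha256(sample).digest()


if __name__ == "__main__":
    pw = enrol_password("correct horse battery staple")
    print("password exact match:", verify_password(pw, "correct horse battery staple"))

    enrolled = bytes(range(32))                      # constructed 256-bit template
    rec = enrol_biometric(enrolled)
    later = noisy_sample(enrolled, (3, 40, 77, 130, 200))   # 5 bits differ
    print("biometric near-enough match:", verify_biometric(rec, later))
    print("same derived key from both scans:", key_from_sample(enrolled) == key_from_sample(later))
```

Because the two scans differ in five of 256 bits the matcher accepts the second one, yet SHA-256 of the two samples shares nothing, which is exactly why the fingerprint can only gate access to a key stored on the device rather than be the key. On the server side both verifiers reduce to "does this blob satisfy the stored record", as the post says; the difference is only in how the comparison is made and in whether a compromised record can be replaced.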
"Holding your cell phone visible giving the driver hands free driving"
Did they really mean that?
Considering the number of servers out there still supporting SSL version 2, I can see this being an issue for a long time.
The high-street retailers are more of a victim of parking fees and restrictions. They (generally) don't want or enforce them and it's their customers who have the option of going elsewhere.
I've never heard of Code Club or the lady in question before, but I must applaud her stance on not sacrificing her principals.
There are quite a few significant issues with SSH version 1 (the protocol, not any particular implementation), yet you still see it available all over the shop.
That is the thing they are meaning. By all means stay away from the bleeding edge, but also stay away from the bloody and broken obsolete stuff too.
Not really, transmission implies that you have the information in question and are sending it somewhere. Even if you have made a request for the transmission to be made, you are still only receiving it.
I was asked to look at some of the back-end systems for this kind of stuff for a council a few years back. The issues I saw were very scary (even if I weren't under NDA I still wouldn't say as you'd think I'd made it up) and needless to say I chickened out of trying to actually experiment with anything. You can imagine the thoughts running through my head as I joined the massive traffic jam on the way home. (I later found that it wasn't actually anything to do with me.)
I remember finding similar issues on clients' machines years ago. Though this was unsecured PCAnywhere sessions on dial-up connections.
I followed the link about Zotac's upcoming steam box. Full, glitzy press release oh! and product details ...
ZOTAC Previews ZBOX Steam Machine
Intel Core processor (TBA)
NVIDIA GeForce GTX graphics processor (TBA)
Other details TBA
Final naming TBA
All-black 3rd Generation ZBOX chassis
Steam Controller bundled
Coming 2H 2014
I found that complaining about the (beta) installation process of an OS that is still in beta, and is targeted for self install only by people comfortable building their own rig from scratch, or bought pre-installed on a system to be a little disingenuous.
There is no hard 'artificial' expiration feature. However, there is an internal counter that is incremented every time the device is plugged in. This counter serves as part of the authentication mechanism to prevent replay (and provide some protection from pre-play) attacks. That counter is a 16-bit word. Yubico say that this corresponds to about 25 tokens every day for 7 years or 5 tokens every day for 35 years.
You can replace the secret key on a Yubikey but I'm not sure if this resets that counter or not.
I really like Yubikey. Effective and nice and cheap. So cheap that it's feasible to use for your home system security. Each key costs about £25 and that's it. No licensing fees for authentication software, 'agents' or ongoing support fees.
As they supply a preconfigured freeradius virtual appliance, you can (with a bit of work - no more than any other 2FA system) use it with almost anything.
I've just found you can do this with practically any computer or laptop!
All you need is an uber dangerous hacker tool called a 'boot disk' and you can load your own software onto the computer without logging in!!!
Remember, these are real computers with important things like accounts, porn and world of warcraft characters stored on them.
But, shh, keep it to yourselves guys, I might present this at next year's defcon.
But seriously, this actually makes it more likely that I will buy one. I was interested in Nest when it first came out but was instantly turned off by its reliance on 'the cloud'. If I can mod the software on these to only talk to my servers, I could be interested.
I like home automation, as long as all that data stays within my security domain.
"Except you shouldn't expect a warning of FIRE coming from the radio."
He clearly didn't realise that the message was from the radio. Many modern cars have a multifunctional display in the middle of the dashboard. Trip computer, door ajar warnings, parking sensor warnings and audio information etc. etc. all share the same space, with whatever is selected (or deemed more appropriate by the car) shown at any one time.
There already is something similar to that bundled into Prime, the 'Kindle lending library' ("Over 500,000 Kindle titles to borrow for free"). As they are trying to strong-arm the indies into agreeing terms to be included, we can assume that the new service does not cover their entire catalogue.
So, this is even more money for similar access to an unknown, but limited selection (sorry, that will be 'selected titles') that you can't query in advance?
AFAIK, the malware uses humans.txt as a test to see if RFI is possible. Seems a bit daft and wasteful to me. Implying that Google could prevent this malware (and therefore it's all Google's fault) by changing humans.txt seems a bit disingenuous to me. The test could be easily changed to refer to any other arbitrary file.
I assure you the signal is very different. Before I could not connect to the network at all from outside the house. I was able to sit in the garden and work yesterday morning :)
I'm also a fan of Mikrotik, in fact I'd just ordered one of their boxes as a replacement AP when I had the brainwave of checking the OpenWRT compatibility. I now need to decide whether to send it back or keep it as a spare (you can never have too many spare bits of kit ;) )
I only 'discovered' OpenWRT a couple of days ago and quickly disproved two beliefs I had about the software, I thought it was only useful if you need extra features not included in the manufacturer's firmware and that it was only for Linksys routers. How wrong I was.
I have a new TP-Link wireless AP. This thing had a weak signal that keeps dropping out and needing a reboot. I had tried everything to make it work reliably and was on the verge of chucking it out until I noticed that OpenWRT would run on it. The difference was noticeable straight away, I have a much more stable network and can now even access it from further afield than before. I honestly don't know why TP-Link bothered trying to write their own FW, just ship the thing with OpenWRT, or have the installation instructions as the first step in the manual ;)
From what (little) I know of RenderMan, it is a rendering suite and a very flexible one. It is not a modelling or animation tool, you (can) throw the models and scenes you produce in those tools into RenderMan to get your pretty pictures.
To pick this up again from the last time this story was reported ..
Quite where can one buy a network accessible KVM device for £10??
Ebay has plenty of connector cables for (much more expensive) IPKVM switches but I have yet to see any evidence to back up this £10 claim.
"When you're dying due to shitty sales it's not the time to go cutting off sales channels of any kind"
Even if said sales channel is explicitly trying to poach your loyal customers for a competitor? It looks like if they stayed with T-M, they would have fewer customers, not more.
That's exactly why this is a mailing list rather than a website. Everyone can create an archive wherever they want. Just as the archives of the old FD list are available all over the place.
Besides, Fyodor has repeatedly proven his backbone in the face of takedown 'requests' and the like over the years.
"Finally, if going abroad give the customers an easy way to inform the bank, we are going to be in country X between Y and Z."
One of the few things that MBNA have got right is precisely this. I just drop them a text saying when, where and how long and it's all sorted.
I'm pretty sure that my card was cloned whilst I was in a UK airport when going abroad on holiday a couple of years back. The number was used several times (though I had not attempted to use it whilst away) and the anti-fraud systems kicked in really quickly. The dodgy charges were all sorted and the card cancelled within a few hours of me getting to the hotel and there was a nice shiny new card waiting for me when I got home :)
Dunno, seems to be bash PN month at the reg.
'The crucial difference was *the Cisco router could be patched*.'
The supplied Thompson device is actually firmware upgradable, though it's a faff on to do it. I had to flash the stock manufacturer's FW onto mine to allow my firewall to do PPPoE itself. The butchered firmware it came with was truly dire.
I disagree, there has been a fair amount of good stuff on BBC Three. As well as those other examples that started on the channel, Being Human and The Revolution Will Be Televised spring to mind.
I don't think that there has been anything on TV recently that has called out the hypocrisy, corruption and double-dealing in the government and large commercial entities.
That said, they could easily fit all of the quality programmes and new experimental stuff on BBC 1 and 2 by cutting down on the number of repeats and examining the synopsis of the shows they have. If the word 'reality' appears in there, then chop the programme. Simple.
What's this got to do with WhatsApp?
Thanks for that link - most informative. A couple of things jumped out at me ...
What information will be shared? : Your NHS number and date of birth, your postcode.
Some reasons why you might choose to opt out: There is a small risk of your data being traced back to you. You cannot be sure which companies may have access to your information in the future.
So.. one item of data that uniquely identifies you and two others that, when combined, can almost certainly identify you only pose a 'small risk' of identification?? Oh, and you have no idea where this data is going to end up - who in their right mind can think that this situation is acceptable?
The fact that there is no standard, straightforward way of opting out of this speaks volumes.