31 posts • joined 16 Jan 2013
One as bad as another
I had a 3 Sim Zero that I used in a tablet for data only. I had it for nearly 3 years and was pretty happy with it until one day it just stopped working. Tech support said that it won't work because it's a phone sim, not a tablet sim. Turns out they updated their system and decided that it shouldn't work any more. They're still trying to charge me for the service even though I told them to terminate it when they broke it. Can't wait for my next call with them to explain that I won't pay for a service that they're not providing.
Re: Strong password to protect pictures of kittens.... WHY??!
...because in the real world not all websites will fit nicely into your categories and some will move from one to another depending on how they and/or your use of them changes over time.
Rather than manage this change, it's easier and more secure to have unique and strong passwords for everything. There are lots of ways to manage them now - KeePass, LastPass etc...
Re: Are they running on XP Embedded ?
They run XP Pro but under an "embedded" licence.
Re: seems like old news...
I run a number of VMs on a PCSpecialist.co.uk laptop (core-i7, SSD, 16GB although 32 is possible with other models). It's a company laptop and they normally buy Dell but as they couldn't get one with the right config (decent screen res and portability required) I got to go bespoke...
Worth a quick look when you're doing the rounds of the websites.
I couldn't find a portable (in my mind ~2kg) laptop with the right config and 32Gb RAM. They all seem to come in around 3kg.
Re: Mass Surveillance
That tangent being that they produced oil from which the aviation fuel was derived that powered the planes...
Re: Mass Surveillance
Sounds very simple and an interesting comparison drawn with Pearl Harbor. However, that was an overt act of war from a nation state so identifying those responsible was simple. I doubt it's so simple to identify the current terrorist cells in the UK and US.
Bureaucratic opportunism may have been at work but my point still holds that the elected representatives of the people should be held responsible for protecting the privacy of the people. How, is the difficult bit...
Firstly before I get instantly flamed; it'll happen anyway but let me start with this: Mass, indiscriminate, secret surveillance is bad. In my opinion (a fairly commonly held opinion) this is because of the potential for what the data collected could be used for in future. Very few people would agree that a state with such power is a good thing if they have any understanding at all of history or some current, less than benevolent regimes. I see that stance pretty much as a principle worthy of vigorous defence.
With that in mind, try putting yourself in the position of the NSA, GCHQ etc imagine there's a tool you could have that has the potential to help you identify threats to security - on some level you are going to want to have it. It's human nature to believe that you'll use that tool responsibly and for the good of your community. The best of us believe that we can be trusted but even so, you may resist that desire based on your principles. Add to that the pressure that these organisations are under to produce results and it must become very hard to defend a principle that potentially hampers your duty and is probably at odds with other principles you hold regarding protection of life. I guess the point is that I don't think it's realistic to expect these organisations to have behaved much differently. It's also very possible that they have to date, largely been using their power responsibly and for the good of the community etc. (I can feel the down votes coming but please read on...)
In my opinion, it's the responsibility of the elected government to defend such principles. Unfortunately, at this point politics is introduced so how the hell do you get a clear, sensible position on such an important issue? Imagine yourself in that situation: GCHQ etc tell you it could implement a mass surveillance program and potentially improve security. Great, but you're a good person blah blah blah and mass surveillance is against a strongly held principle blah blah blah. On the other hand, the people who elected you aren't going to be happy about being blown up. What do you do? Well you could put the responsibility onto the people and hold a referendum. Thing is, you were elected to represent the people and to make decisions for them... and besides most people don't have the information or understanding required to make a balanced decision anyway. What do you do?
Our government(s) went ahead and implemented the surveillance programs with a level of oversight. What would you have done? I think I would have done the same thing, but differently (please read on before you flame me...)
Firstly, I wouldn't have done it secretly. I would have tried to get broad, cross party agreement on how to proceed - including what oversight, checks and balances should be in place. Then I would have had all parties communicate that agreement with a common message. I recognise that in achieving this I would have to have attained god like power but part of my point is that none of this is easy for the people actually dealing with it for real.
Anyway, to continue with my plan... The oversight and control of collected data would be from an openly elected body (separate from the users of the data) who would have to publicly report every requested use of that data as well as other details such as when individuals have been identified/associated with the data (i.e. anonymity has been lost) and how many identified individuals are being routinely tracked via this data etc. Add as many measures here as needed to identify if/when the program is being used to monitor the masses rather than select individuals. I'd also have measures to identify when the data had actually done something useful like leading to conviction (none of that and it gets shut down). Naturally, on an IT level, all data that could be used to identify an individual would be encrypted and procedures would be in place to enforce the publicly communicated processes for accessing that data. There would also need to be regular IT reviews from different external companies to ensure that those procedures are properly in place and that data is secure end to end.
I would also pass a bill that automatically shuts the program down after x years unless that bill is re-ratified in parliament/congress before it expires. This gives the opportunity for it to be amended or ended on a regular basis. Also, the people elected to that body wouldn't be able to hold the position for more than a defined period of time. Hopefully this would help create an environment where whistle blowing is encouraged.
The elected officials running the body would also have responsibility for reviewing why data has been requested i.e. they would have access to the operationally sensitive information that led to the security services requesting the data. They would also have access to the names of those being investigated (ummm - why are we tracking a Mr Iain Thomson???).
I'm sure there are lots of other ideas out there that could build on or replace mine but it would be a step in the right direction. I recognise that we would still have mass surveillance but at least it wouldn't be secret, it wouldn't be indiscriminate, it would be demonstrably anonymous (for the masses at least) and it would be easier for the people to influence when it is stopped.
I know I've proposed that the principle is compromised (which I dislike too) and that's enough for a few down votes at least but would you still be so inflexible if you had just walked out of a tube station that had been blown up? If you would then I very much respect your stance - down vote away...
I can think of lots of other reasons for down voting this as well; after all, this is a comment on el Reg not a comprehensive political manifesto but I defy anyone to come up with something that isn't objectionable in some way. So before you down vote me or flame me, try coming up with an alternative and post that as well...
We're all IT professionals and hopefully quite intelligent... so what would you do?
Was there a second informant? It would be good dis-information for the Feds to plant.
Just a thought/question...
Since Galileo we've been limited to releasing relatively small objects (balls, feathers and hammers etc) close to large objects (earth and moon) in order to observe the effects of gravity. That these observations reveal no difference in behaviour due to the smaller object's size or mass may be a limitation of the experiment. Couldn't size or mass be a factor weighted by the relative size or mass compared to the other object(s)?
Is this one reason why they're trying to find solar system sized experiments to observe?
The Chipmunk was notable for flying backwards in higher winds. Particularly on final approach when they contacted ATC reporting a position further away than their last contact.
Re: Does the Adult pleasure category have to start to worry?
It'll never work...
This is one range where even Apple wouldn't be able to change the standard interface port to a new i-port.
I wonder if these ATMs were configured to only boot from HDD and had a BIOS password set up? If they did, then they can start looking for service engineers with extra CDs in their bags - I'd probably start there anyway...
There are better defences against this kind of attack (white listing type software) and they're already available from the ATM manufacturers. Maybe more banks will start using them but I doubt it.
At least what they steal this way comes directly from the banks and not from a customer's account.
Re: Cash only
Cash has its own arms race - counterfeit notes...
ECB rules for counterfeit notes state that they should be confiscated if they are positively identified as being counterfeit. In practice nobody wants to confiscate them because of all the hassle so they just won't accept them. I wouldn't want to try to deposit a counterfeit at a bank though. That might be testing your luck a bit too much and you might find yourself out of pocket.
Re: Captured PIN
No need to get the whole transaction.
All you need is the track2 data and the PIN. That's why ATM fraud generally consists of a skimmer/leb loop to get track2 from the mag stripe or the physical card and a camera/shoulder surfer etc to get the PIN.
That won't change until EMV is global at which point the mag stripe can be made redundant. There are already cards out there with no useful data on track2 - only problem is they can't be used in countries without EMV - like the good ol' USA.
Re: Captured PIN @Charlie Clark
EMV is something slightly different, it's more to do with security of the card rather than the PIN. PCI has separate mandates for hardware security that are outwith EMV.
I take your point about willingness to implement security measures; the banks/retailers won't want to do it because of costs... My point is that it is possible to make a POS terminal far more secure than it currently is.
The terminal manufacturers and PCI (VISA, Mastercard et al) will make the relevant mandates eventually because it's all revenue for them from either sales of kit or certification against the mandates.
Re: Captured PIN
Keyboard overlays are already used on ATMs and I'm sure that they would be used on POS terminals as well.
At least if there's a keyboard overlay, you have a chance to see it. That's why on ATMs they aren't as popular as covert cameras to capture the PIN.
As ever, it's move and counter move - the alternative is to give up...
Re: Captured PIN
Erm... yes you can.
If the terminal has a secure hardware encryption module which is manufactured in a secure environment and contains the manufacturer's private key, then it can be identified as a genuine terminal.
The encryptor can also be used to validate any firmware updates so that it can protect itself from unauthorised updates as well as physical tampering.
I'm not going to say that someone could never find a way around tamper protection but that depends on the implementation.
PIN pads on ATMs have to accept the PIN directly into the encryptor (with tamper protection to prevent people inserting secondary key membranes between the keys and encryptor), so that a PIN is never sent over a wire in the clear and the software on the ATM never gets to see a clear PIN. Why isn't the same thing mandated on POS terminals?
OK, so your card details can be harvested but at least the PIN would be secure.
Re: What if you don't have fingerprints?
You're not supposed to lathe your fingers ;)
Is it wise to have a failsafe system using the same battery pack as the primary ignition system?
Do you really think they sit there looking at your emails in Outlook or do you think they maybe scan the content of the message in raw format then laugh at the people 'hiding' messages in white on white?
I hope you were being ironic/sarcastic. If not, you should maybe cast your natural eye for security over your new 'much better' system once more - just to make sure it's not got any tiny flaws...
I was going to put a pedant comment in about the incorrect quote but it turns out I can't be much of a pedant 'cause I can't really be arsed.
Re: What? No Velocity check?
Lee, almost all ATM transactions are online at least to the acquirer system (which may be permitted to carry out stand in processing if the card issuer's systems are unavailable). Normal operation is that every transaction will be routed to the card issuer for authorisation before any money is dispensed apart from said stand in scenarios.
I don't rule out the possibility of some deployments of ATMs allowing offline transactions but they should be limited to processing 'on us' transactions (for cards issued by the ATM deployer). They certainly shouldn't be authorising international cards offline. Having said that, these were pre-paid travel cards so the rules set for them can be different from normal credit/debit cards.
AC is right that complex fraud checks aren't done before the transaction completes so there is a window there, but basic velocity checks can and should be done before authorisation.
Re: What? No Velocity check?
OK, not all transaction processors have a dedicated fraud detection/prevention system so I'll accept that I should have written "should" rather than "would".
Beer, because this is too much like the day job so I'm off for the weekend!
Re: What? No Velocity check?
That's not what a velocity check is. A velocity check would simply be something like a daily withdrawal amount limit or a limit on the number of transactions a card can perform in a set time etc.
Analysing the location of transactions on a per card basis and then applying fraud checking rules would be the job of a dedicated fraud prevention system, not done by the transaction processing system - it has enough to do without running complex algorithms to identify fraud.
Also, in the article it says that their systems may have been compromised so these velocity checks may have been disabled.
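The kind of velocity check described in the comment above, as an added example that is not part of the original post: a per-card daily withdrawal amount limit plus a cap on the number of transactions in a set time, evaluated before authorisation. The limits, class name and sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits for illustration; real values are set by the card issuer.
DAILY_AMOUNT_LIMIT = 500      # currency units per card per calendar day
MAX_TXNS_IN_WINDOW = 3        # approved withdrawals allowed inside WINDOW
WINDOW = timedelta(minutes=10)


class VelocityChecker:
    """Pre-authorisation velocity rules, tracked per card."""
    def __init__(self):
        self._daily = defaultdict(int)     # (card, date) -> amount approved
        self._recent = defaultdict(deque)  # card -> timestamps of approvals

    def authorise(self, card, amount, when):
        """Return (approved, reason). Only approved requests are counted."""
        recent = self._recent[card]
        # Drop approvals that have aged out of the sliding window.
        while recent and when - recent[0] >= WINDOW:
            recent.popleft()
        if len(recent) >= MAX_TXNS_IN_WINDOW:
            return False, "too many transactions in window"
        day_key = (card, when.date())
        if self._daily[day_key] + amount > DAILY_AMOUNT_LIMIT:
            return False, "daily amount limit exceeded"
        self._daily[day_key] += amount
        recent.append(when)
        return True, "ok"


def run_sample():
    """Replay constructed withdrawal requests and return the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0)
    requests = [  # constructed sample data: (card token, amount, time)
        ("card-A", 200, t0),
        ("card-A", 200, t0 + timedelta(minutes=1)),
        ("card-A", 200, t0 + timedelta(minutes=2)),   # would exceed 500/day
        ("card-A", 50, t0 + timedelta(minutes=3)),
        ("card-A", 20, t0 + timedelta(minutes=4)),    # 4th in 10 minutes
        ("card-A", 20, t0 + timedelta(minutes=15)),   # window has moved on
        ("card-B", 500, t0 + timedelta(minutes=4)),   # other card, own limits
    ]
    checker = VelocityChecker()
    return [checker.authorise(c, a, t) for c, a, t in requests]


if __name__ == "__main__":
    print(run_sample())
```

Declined requests are deliberately not counted against either limit here; a deployment that also wants to throttle repeated declines would track them separately.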
Re: AV is a malicious Peril
When will I be able to block posters on The Reg?
Re: New Carriers Defensive Weapons
I think it's the frigates that carry the anti-anti-ship weapons, not the destroyers.
I've read the Reg articles on the carrier, catapult, F-35B/C debacle and they're very persuasive; the selection of the F-35C seems like a no-brainer.
Is it really that simple? Is there really no other case for the F-35B other than the stated cost of installing catapults in the carriers? If there is a case, it should be presented in these articles so that we have a more balanced/interesting article to read.
Re: "power backup systems"
A 1100 hp gas turbine powers *all* of the control surfaces?
'A', as in one? What's the MTBF for a gas turbine engine and does the 787 have a redundant system for backup? Surely it must have...
Re: Banks willing to stump up the cash?
I don't think they were bailed out by UK taxpayers. Unless RBC is a typo and is Scottish, not Canadian...