
Comment Re:Holy crap ... (Score 1) 63

The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plenty of other banks who will, and who will be grateful for your business.

Visa and the retailers originally figured U.S. customers would prefer chip-and-signature because it makes selling things "easy". But that's a pretty stupid attitude, because lots of people (including you and me) are wary about identity theft. Customers need to complain to their banks so that they learn we'd rather have PINs than signatures.

Overall credit card security will still remain terrible for a long time to come because static mag stripes still exist, and online card-not-present transactions still use static authentication data like CVV2 codes. What really needs to happen to actually improve security is that mag stripes and static numbers like CVV2 need to be flat-out outlawed. The recent "liability shift" is the opening salvo in the conversion, but we're probably still a decade away from actual security.

Comment Re:Works for me (Score 1) 136

Manufacturers have long made custom versions of products for specific store chains, and not just TV sets. Pots and pans, clothing, furniture, most products are available to any store that's willing to pay for them. Some stores (like Walmart) have a specific price point, so the manufacturers produce a model without the chrome-plated knobs, the low contrast screens, and use only the cheapest cloned capacitors and dubious quality power supplies.

There's a lot of marketing power in it, too. Not only do they get to offer big TVs for ridiculously low prices, it's also safe to tout benefits like a "150% price match guarantee", when they have the exclusive contract to sell that exact model.

Comment Re:What's Unusual? (Score 1) 91

This new piece of malware shows sophistication of design, but that's not unheard of. Older malware was often customized by compile time switches and definitions; this just abstracts some of that away.

Many people (i.e. journalists and managers) think of malware authors as pimple-faced script kiddies hacking in their mothers' basements. They think that large, well-designed projects require teams of skilled developers who would only do so for a fat paycheck.

What's happened now is that vulnerabilities are so profitable that the threat landscape is no longer the exclusive domain of the single hacker - criminal gangs want a piece of it. They can afford to pay team salaries to engineer a solution.

And malware authors have learned to avoid the biggest risks of getting caught. In the old days a virus writer would also be the distributor. Modern authors get paid by selling their exploit code, along with customization and support contracts, to gangs of attackers. The attackers take on the risks, the developers collect fat checks. In some cases of vertical attacks (ATM skimmers for example), the "owner" of the malware uses cryptography to encrypt the skimmed data, preventing the low-level attackers from profiting from the stolen data. The profits go to the top first, and the paychecks cascade down (assuming honor among thieves.)

So what's newsworthy here is that they believe this malware to be further evidence of a new breed of well organized criminal software developers.

Comment Re:Awww (Score 3, Interesting) 93

Because neonicotinoids are among the safest overall pesticides that have ever been developed. They very effectively target insects, but have very minor effects on mammals. The LD50 of Safari is over 2000 mg/kg of body weight in rats. They're rated category III by the EPA, which means 'slightly toxic and/or slightly irritating.'

The big problem is with bees. Neonics are supposedly 150X more lethal to bees than to any other insect genera.

The EU has already banned neonics (possibly because population density is higher and bees may be more shared than in the US); the US is dragging their feet.

Comment Re:Translation : (Score 1) 93

Actually, they've known for several years that minute quantities of neonicotinoids cause bees to 'dance' incorrectly, so that the dance no longer correctly directs other bees to their discovery of nectar. The loss of food may be partly responsible for Colony Collapse Disorder. It's not surprising that this would also lead to reduced pollination.

Comment Re:The thing about the "bombing ISIS positions"... (Score 1) 488

I can think of two plausible but simplistic explanations, there are no doubt more.

First, they may have been waiting for better timing. Once you drop a bomb on a building, the scum-lickers learn they've been exposed and will not return. So they want to bomb the building when it contains one or more high value targets. Knowing when a high value target is inside requires you to have an intel source observing the building (or the target) at the same time the target is in the building and you have assets in position to level it. That doesn't happen very often. But due to the attack they have to respond quickly, so they are sending a different message by killing a bunch of low value targets in a lot of locations.

The other simplistic explanation is intel gathering. Getting a spy into their organization is not easy. If you bomb a building, you are revealing to the enemy that at least one of the people who knows about the building is a spy; or that you have the capability of intercepting some kind of traffic. To preserve the secrecy of the ULTRA program that decrypted German Enigma traffic, Britain developed an elaborate process for destroying U-boats in WWII. They couldn't just fly to the location of the submarine and drop depth charges as that risked revealing the Allies ability to decrypt communications; instead, they scheduled weather-reporting planes to fly more missions in certain sectors; these weather planes would then "get lucky" and report the U-boat's position to the destroyers. Similarly, France may not want to reveal that they're triangulating cell traffic, or tapping certain phone lines, or monitoring PlayStation Call-Of-Duty chat rooms.

Either way, France is trading potential future intel gathering capabilities to send a message today that says "you are not invincible, you are not right, you are not just, you are only vermin to be exterminated." They can rebuild their intel network later.

Comment Re:if they really want revenge (Score 1) 488

Ignoring the restrictions is useful, but it provides the enemy with justification. "You say you live by this rule, but you ignore it. Therefore, we're every bit as good as you are, or you're every bit as bad as us."

Thus, black ops and deniability. Who knows; maybe Anonymous is so full of FBI moles that this is actually a government backed attack?

Comment Re:Barcode scanner = keyboard (Score 1) 79

The problem is that scanners support multiple communications protocols so they can be sold to a wide variety of clients, and the scanners' configurations can be changed via barcode without first asking for permission.

Your attacker can see that you're using a DS-6878 scanner with a USB cable, so he opens his phone's browser to this page of the manual, and displays the barcode to configure a North American keyboard. Once scanned, as far as Windows knows someone just plugged in a new USB HID Keyboard device. None of the old configuration settings matter any more, and your bulletproof application may not even be notified that its scanner has been hijacked.

He then scans a few more configuration codes so that he knows his codes will be properly effective, perhaps something like Send Barcodes with Unknown Characters (page 67), and finally a control sequence to open a URL to Pwnage ensues.
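
Since the hijacked scanner simply types keystrokes, the one place an application can still defend itself is at the field that receives them. The following is an added example, not code from the comment above or from any scanner vendor: a scanner-fed input validator that accepts only well-formed EAN-13/UPC-A codes and refuses anything containing control characters (ESC, CR, LF), so an injected escape sequence or URL never reaches application logic. The sample scans are constructed for the example; the check-digit rule is the standard EAN-13 one.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample scans (not from the original comment). The first two are
# ordinary product codes; the rest simulate what a reconfigured scanner could
# type into the same field.
SAMPLE_SCANS = [
    "4006381333931",                 # valid EAN-13
    "036000291452",                  # valid UPC-A (12 digits)
    "4006381333932",                 # bad check digit
    "https://example.invalid/x\r",   # URL typed as keystrokes, with Enter
    "\x1b[2J4006381333931",          # ANSI escape prepended to a real code
    "4006381333931\x1b",             # real code followed by ESC
    "",                              # empty scan
]

# Only ASCII digits, 12 (UPC-A) or 13 (EAN-13) of them, nothing else.
_DIGITS = re.compile(r"[0-9]{12,13}")


def has_control_chars(s: str) -> bool:
    """True if s contains any ASCII control character (0x00-0x1F or DEL)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in s)


def ean13_check_digit(body: str) -> int:
    """Check digit for the first 12 digits of an EAN-13 (weights 1,3,1,3,...)."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(body))
    return (10 - total % 10) % 10


def normalize_scan(raw: str) -> Optional[str]:
    """Return the 13-digit code if raw is a valid EAN-13/UPC-A scan, else None.

    Control characters are rejected outright rather than stripped, so an
    injected escape or carriage return fails the scan instead of being
    silently cleaned into something that looks legitimate.
    """
    if has_control_chars(raw) or not _DIGITS.fullmatch(raw):
        return None
    code = raw.zfill(13)  # UPC-A is an EAN-13 with a leading zero
    if ean13_check_digit(code[:12]) != int(code[12]):
        return None
    return code


def filter_scans(scans: List[str]) -> Tuple[List[str], List[str]]:
    """Split scans into normalized accepted codes and rejected raw inputs."""
    accepted: List[str] = []
    rejected: List[str] = []
    for s in scans:
        code = normalize_scan(s)
        if code is None:
            rejected.append(s)
        else:
            accepted.append(code)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_scans(SAMPLE_SCANS)
    print("accepted:", ok)
    print("rejected:", [repr(b) for b in bad])
```

The validator cannot tell that the scanner has been reconfigured; it only guarantees that whatever arrives in that field is a syntactically valid product code before any further processing. Fields that accept free text rather than a fixed barcode format need a different approach.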

Comment Re:Use Windows 10 (Score 1) 197

One problem with this solution is there are still some Windows native apps that are pixel-based instead of percent or resolution based. We have a 15.6" laptop with a 3840x2160 screen, and have encountered a couple of apps that now display in impossible-to-use resolutions.

For example, QuickBooks displays a page of instructions in a tiny window that I can literally cover with my thumbnail. The minimize/restore/close icons at the upper right corner of each window are less than 1mm high, and very difficult for my wife to click on with the trackpad. Their official "fix"? Crank the resolution of the screen down to 1024x768, and learn Ctrl-F4 and Alt-F4! So because they don't know how to code, it's their users' fault for buying a nice screen. If this was the only dumb-ass arrogant thing Intuit ever did, I could forgive them for not catching up to 2003 usability standards, but it's far from their first episode of "all you damn customers suck." I need a new bookkeeping package from someone who is not Intuit.

Comment Innocent? (Score 2, Interesting) 108

"this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

The circumstances all seem pretty similar to me.

Comment Re:clueless about waterfall (Score 1) 305

The interesting thing here is that this seems like a reasonable place to use waterfall. Digitize a bunch of forms that haven't changed in forever. Perfect. The requirements are fixed. They should be easy to understand. You can break the requirements down so you come up with a design for both the back and front end that works for every form/section/question. Finally you code that up.

Done properly it could be modestly more efficient than agile for this type of project.

Comment Re:I expect these in my next job interview but ... (Score 4, Insightful) 208

If the interviewer is worth their salt the idea usually isn't to see if you can get to the best possible, most efficient manner, but rather to see how you approach the problem. Do you solve the actual problem? Are you good at understanding the implications of your design (figuring out what is slow or less than optimal about it, understanding the impact of set size on performance)? How do you approach optimizing the function you have created? Are you stuck in one mindset, or are you willing to pull back and try an entirely different approach to get a better result?

Some jobs require this kind of coding but you are right, most of the time you don't have to have the optimal solution, readability matters as well, usually more than ideal performance. Often that will come up as part of the discussion but for a lot of these problems, efficient solutions are often just as readable as the naive ones.

Comment How to tell if you may have MDM (Score 5, Informative) 123

On your iPhone, go into Settings / General, select Profile, then look at the profiles that have been added. A stock iPhone has none. If you have an ISP who adds a cert that allows you to connect to their hotspots, you may see that here. If you have installed your company's MDM, perhaps a product like AirWatch, that will show up here. If you see something you don't recognize, that's when you need to do some research.

Inside the profile you can view the certs it installed. A WiFi cert will list what it can do: be wary if it includes a proxy.
