Slashdot videos: Now with more Slashdot!

"In Soviet Russia, 3D printers print you!"
Turns out that's the headline, not the punchline.

Nobody took computer security seriously back in 2001. Things have changed a lot since then. For example, if you were to contact that same bank with the same information today, they would likely know better and would now contact the FBI and have you arrested on charges of violating the Computer Fraud and Abuse Act.

Actually, contacting the FBI might not be a bad choice for the story submitter. They would probably be very interested in working with that bank to shut this problem down quickly.

OH MY GOD, THE HYPERBOLIC FUEL IS SO UNSTABLE! It will lead to the explosions of every satellite in orbit! And it's so acidic it will eat through the fuel tanks, dripping killer toxic acid rain onto every surface on earth!! The world will end!

Or, perhaps, your device auto-corrected hypergolic, which is to say a chemical combination that self-ignites when the two substances are brought into contact with each other?

That's the change: they've come to the realization that they can't lock developers down to anything, at least not like they used to. I think it's long past due, but that's from an outsider's perspective where it's easier to see the whole landscape, not just focus what goes on in Redmond.

Microsoft is a very different company than they were under Gates or the Sweat-hog. They long ago figured out that their cash cows were kind of fragile, and they more recently figured out that they alienated a lot of developers. They are now trying to find ways to woo developers to any of their product families, not just to Windows. And they've done some great work on a lot of software engineering fronts, including secure development, powerful tools, integrations, and are even dabbling in open source,

My point was that DDT was the first large scale agricultural pesticide that was engineered specifically to be less toxic to humans. You could use cyanide gas on a field, but your farm hands or animals would die if they wandered into the cloud. That meant a farmer wouldn't apply those kinds of poisons except in severe infestations.

DDT made the application and use of pesticides measurably safer, and led the way to routine applications of pesticides on all kinds of crops. Today's pesticides can be deployed on a schedule as a preventative measure to ensure reliable crop yields, and not just applied on an as-needed basis. For that matter, GMO crops are now engineered to express all kinds of toxins throughout the plants, with the plants' own cells serving as microscopic pesticide factories from germination through harvest.

As I recall, the agricultural pesticide industry was initially derived from the chemical weapons industry, not the other way around. Poisons had been known for centuries, but weren't widely applied as they were toxic to both humans and pests. Large scale agricultural applications of pesticides began with DDT, which wasn't developed until 1939.

The second you approve of a policy that restricts action X based on moral grounds, you have defined a vulnerability that a less ethical enemy will exploit.

Furthermore, when you're in a war, it's chaos. Bad stuff happens. Collateral damage happens. You certainly don't plan to inflict 1000 civilian casualties, but you can predict that in a city of 1 million people undergoing an all out conflagration, there will statistically be civilians killed, displaced, wounded, orphaned, starving, etc. You don't stop a war just because you're better at math.

War also isn't the first choice of a rational society. Diplomacy, negotiations, sanctions, pressure, demonstrations, all these kinds of activities are intended to solve the problem before it degenerates into war. But there is always another side, and if it degenerates to war, it's because at least one side was acting in bad faith. ISIL isn't even acting as a rational society. They don't negotiate - they enter an area, kidnap and rape the girls and take them forcibly as wives, and kill, conscript, or indenture the males. They use civilians as human shields, betting that an opposing force won't bomb their headquarters if they have them located in a schoolhouse full of children.

An outside society can do two things: allow the continued expansion of slavery and genocide, or attempt to stop it. If non-military resolutions fail, what would you have them do? "Sorry, you can't fight those insurgents because they duct-tape kidnapped children to the front of their vehicles." "Right, we'll just let them continue on their homicidal path because we can't place those children at risk."

It's not like anyone in the West wants civilian casualties. The moral high ground may not be perfect, and it may not be absolutely 100% civilian casualty free, but you can't claim a millimeter of moral high ground if you let the atrocities continue unchecked.

Chillax. It's just a reference to the plot of a science fiction movie that's quite popular with nerds.

What if a drug to control aggression was developed and it was introduced into the atmosphere? It would impact everyone equally, with no opt-out.

I can't see a downside.

This problem was addressed in v4.3 of the protocol. Also note that this particular problem only enabled theft from the store by a dishonest customer, but it does not enable the large scale skimming or cloning attacks that have been the subject of headline news.

A fake card can't lie about the PIN because it doesn't have the key needed to sign the packets the card sends to the merchant's terminal. The merchant terminal has a bunch of certificates in it and authenticates the messages coming from the card. In this specific attack, Ross' team discovered the message that said "Transaction Approved!" coming from the card in an offline sale was unsigned, so they had their tampered card send the same unsigned "Transaction Approved!" message at the right time in the protocol. The change to V4.3 (or was it 4.2?) fixed this problem, so it should not be an issue for the US market.

Ross likes to get EMV flaws in the news. While this benefits us all in that the protocol's security is tightened each time a flaw is uncovered, poor news reporting and the claims repeated by ignorant people (and fomented by organizations who don't want to see EMV succeed) are causing counterproductive hysteria. On one hand, EMV is a complex mess that was made worse by all the compromises stuffed in there by competing interests (banks, card associations, terminal manufacturers, card manufacturers, merchants, and payment processors), but on the other hand it's converged onto a remarkably secure solution to a problem that has plagued the industry for over 20 years.

The real crime here is that all the competing interests have resulted in foot-dragging by all the players who see changing over to EMV as too expensive, too hard, too risky; worse are the disruptive elements delivered by those who see EMV as a threat to their current business model. For example, EMV yields a system so secure the merchant's terminals are no longer the weak link, so why should merchants pay for expensive secure terminals? This makes companies like VeriFone nervous, because they'll soon be trying to peddle devices that only serve to secure the merchant's interest, not the cardholders or the banks. The PCI assessors are also finding ways to whip up hysteria and make bank now, because EMV will ultimately render their services unnecessary, too. Meanwhile, the completely non-secured mag stripes continue to deliver fraud around the globe, and the fraud won't stop until the mag stripes are dead and buried.

Chip and PIN is now relatively secure. The cases that Ross Anderson has exploited generally don't scale beyond a single hacked card. The notable exception was a particularly crappy ATM, with a non-random random number generator. But hacks on the scale of Home Depot and Target will not be possible on EMV transactions. (Card-Not-Present transactions, such as any online transactions, will continue to be at risk).

Apple jumped on this as a ploy to get customers before EMV completely locked them out of the payment market. EMV is going to render a lot of crappy, insecure technologies obsolete (things like Coin, LoopPay, NFC, and many of the smartphone based "wallet" apps.) But Apple is making their bank on the iPhone 6, and their loyal customers always forgive them for just about anything.

American customers aren't going to like the weird way EMV works, because it will be different and slow, and they don't like change. They will have to learn to put their cards in the reader when the cashier hits total, and keep them in there until the payment is complete; and I bet many of them will forget their cards in the readers a time or two. But at least the transactions will be secure, and they won't have to worry if the waiter is skimming their card, or if there's a data breach at the store.

Online is a completely different unsolved problem, as are recurring payments, and other card-not-present transactions. There are niche technological solutions, but none that are widespread.

True. Lead poisoning is well understood, and has been for thousands of years. However, uranium toxicity has never been responsible for a single recorded death of a human. Ingested uranium was even used in the treatment of diabetes before the discovery of insulin.

And why is that a problem? Ultimately the data comes from somewhere, so the more I understand about the source, the better I understand the results. How many studies on climate change were funded by the NSF? The U.S. Army? NOAA? Some land grant university? A private university? Were they funded by Greenpeace? Were they funded by the American Coalition for Clean Coal? Follow the money. If the source of the study's funding comes from someone vested in the outcome, and those results don't fall in the same direction as the other studies, it's not particularly trustworthy.

Rather than belabor my methodology, consider the alternative and look at how the typical person evaluates a topic like climate change: they saw it on Fox News, they saw it in the Huffington Post, they saw it on MSNBC, or they heard it on NPR. Maybe they saw it on Jon Stewart or Stephen Colbert. Or maybe they got it from their boss, or their preacher, or their social club. Maybe they heard it from their favorite politician, or a sports figure, or some random actress. Now look at who has a financial interest in how climate data is perceived by the public: oil, gas, and coal companies. Is it easier for them to manipulate the data, the studies, the politicians, or the media? Is there a reason they won't try to manipulate all of the above, when the difference could mean trillions of dollars over time?

How would you suggest I get better, more relevant, more trustworthy data than looking at the studies? I may put up a weather station and track temperatures over time, but that only tells me about weather, not climate. I'm not going to Antarctica to drill for ice cores myself, or dig up geological strata to look for evidence of palm fronds in the fossil record. And I'm certainly not going to have 100,000 children so I can track the efficacy of their vaccinations. I have to trust others, so I do what I can with what I can learn.