
Comment: Sympathy, but no go (Score 5, Insightful) 187

by gnalre (#46997515) Attached to: Do Embedded Systems Need a Time To Die?

As someone who has to support legacy systems, there is nothing I would like more than to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).

But we have to be realistic.

The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.

Secondly, who pays for this? The customer will not be happy if every 5 years we say you have to close your factory down for 2 weeks while we rip out all your old boxes and replace them with new ones.

Finally, what is the guarantee that the new box has not introduced a new security hole?

The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.

Unfortunately, at present industrial applications either have no security or are very closely coupled, meaning that updates are difficult and costly.

Comment: Re:Bluestacks? (Score 1) 66

The chip is specifically for security. It runs an embedded secure environment that the main processor can use to verify executables before they are run. It has nothing to do with Android apart from the fact the same technology can be used to secure mobile devices (stop your phone being rooted, etc.).

Being part of the main processor means it should be harder to break into, unlike the Intel TPM solution which requires a separate off-chip device.

Comment: Re:Sounds like my old comp-sci professor. (Score 1) 237

by gnalre (#46857289) Attached to: Erik Meijer: The Curse of the Excluded Middle

Sounds more like a loss of faith rather than a language problem. I have sympathy, but if you are not an expert in a domain, whenever a problem arises the 1st reaction is to go back to safe ground.

Unfortunately, while all programmers know imperative languages, few are taught functional techniques when first programming. Until that happens it is unlikely that functional languages will ever be much more than a sideshow, despite their obvious advantages, because there are very few problem domains that can only be solved in functional languages.

Comment: Re:Stil waiting. (Score 1) 94

by gnalre (#46332531) Attached to: The Higgs Boson Re-Explained By the Mick Jagger of Physics

I would recommend The Particle at the End of the Universe by Sean Carroll.
It covers a lot of the same material as the comic but in more detail and also puts it in historical context.

The only bad thing about it is that when you realise that what we call matter is nothing more than the manipulation of energy fields you do end up worrying about your personal concept of reality.

Comment: Re: The day before Fukashima happened (Score 5, Insightful) 166

by gnalre (#46274193) Attached to: Why Improbable Things Really Aren't

There are well defined techniques for measuring the probability of events happening in industrial safety. Safety Integrity Levels or SIL are used to categorize the possibility of a life threatening event occurring.

The problem is how low a risk do you need and how much will it cost you to get there. Fukushima would probably not have happened if the sea wall had been higher, but the designers had to make the judgement that it was not worth the millions of cost required to build a bigger wall compared to the risk of it being breached. Unfortunately, decisions like that in hindsight always look flawed.

Comment: Re:I guess they have never heard of two factor aut (Score 1) 731

by gnalre (#46218755) Attached to: Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

Sigh,

The point is that yes you can get the pin. But without the physical card it is useless because you need both to complete a transaction.

If your card was skimmed the more likely explanation was that the magnetic strip was skimmed and then used at a place that did not use chip and pin verification. Until we can remove the mag strip this will happen.

Places like the States resisting going to chip+pin means that the rest of us are paying

Comment: Re:It's about time. (Score 1) 731

by gnalre (#46218633) Attached to: Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

One rule - YOU NEVER GIVE YOUR PIN OVER THE PHONE, or in fact any personal details, especially if they ring you.

Web and phone verification is different. Web can be via CVS number at the back of the card plus previously defined password. Some companies provide a one time key system. Over the phone is more difficult. Again they ask you for part of a password, such as the 3rd and 7th letter, or ring/text back to your mobile phone.

The important point in this is that the PIN itself is useless without the card. Unlike magnetic strips there has never been any example of a chip being skimmed and duplicated. Unfortunately cards still retain magnetic strips so that they will work in places like the States. This means cards can still be skimmed, copied and used, but if the card is skimmed in Europe and then used in the States it is pretty easy to prove that it was not you.

Card security is like any other security. It is as strong as the weakest link. Unfortunately that is the USA at present.

Comment: Re:Questions (Score 2) 731

by gnalre (#46218343) Attached to: Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

If the network hardware was compromised, what would've stopped the hackers from collecting the PINs as well?

The PIN is useless without the card, and unlike magnetic strip cards the card cannot be easily duplicated.

Will this increase in security encourage hackers to go after debit cards more - which would be worse for consumers (fewer fraud protections there)?

Not if credit and debit cards have the same chip+pin system.

Will there even really be a difference between credit and debit cards anymore?

In terms of security they will be equally secure.

How will this affect online transactions (especially for web developers)?

It won't. Chip and pin does not work online, so other security mechanisms have to be used, such as quoting the 3 fig number on the back of the card or an extra verification step involving a password or a one time key.
This sounds like a bigger change than some people realize.

Comment: Unfortunately nothing new here (Score 2) 253

by gnalre (#46208593) Attached to: A Corporate War Against a Scientist, and How He Fought Back

This is nothing new. When big business and science collide, big business knows no bounds as to what they will do to protect their profit margin.

Examples include

Industry attacks against Clair Patterson from the leaded fuel industry.
The tobacco lobby against health professionals
The CFC industry against climate scientists

They continue today with attacks against climate scientists from big oil and coal concerns.

The worry is that the public seem more minded to side with the vested interests against the scientific voice and the fact that many of the attacks come from scientists working within the industry showing a severe lack of morality by the people in those areas. All industry seem to have to do is raise the spectre of potential economic harm and the public go along with them.
