Yeah, because I'm sure that the engineering costs are small in order to build a new system and win 2-3 years of "opaqueness" until everybody gets accustomed to systemd.
I'm I the only one that has noticed that:
1. The official site has nothing about it
2. Broadcom has nothing on their site about a BCM2836
3. On the register photo, there is no RAM on the PI (it should be on top of the processor)
and many many more little things
Having read the original "census", it was a cool hack and no harm was done, nothing more. I'm pretty sure he/they didn't go for vigorous scientific process when this was done.
From the disclosure:
The difference is that OpenSSL provides a way to explicitly reseed the PRNG by calling RAND_poll. LibreSSL, unfortunately, has turned RAND_poll into a no-op (lines 77-81). fork_rand calls RAND_poll after forking, as do all my OpenSSL-using programs in production, which is why fork_rand is safe under OpenSSL but not LibreSSL.
The disclosure is very well written, says exactly why this is a big problem and proposes a very implementable solution that would fix it. Nevertheless, the dev decided to try to dismiss the disclosure, called his daddy (de Raadt) and they both threw a tantrum, and fixed it in a way that is questionable (an update on the disclosure raises some good questions on why it is questionable)
Btw, forgetting about ssl for a minute (open/libressl are crypto libraries, not ssl libraries), a PRNG is either secure or it is not. There is no "kinda" secure in most user scenarios etc.
the PIN vs signature subject (the cardholder verification methods) has more to do with who pays when the fraud happens. Signature is by far easier to use, and this is the reason why in europe it is usual for good customers (cards with expensive subscription fees etc.) to get chip and signature and low end cc and debit cards get chip and pin.
To me the problem is not the PIN, but the magstripe itself, which for europe is kept there for legacy reasons (and at this point, yes I am looking at you US...). If the magstripe was completely disabled then there would be no way to skim the card because you would lose one of the 2 required pieces of information (PAN/CVV).
The second problem is that even with the PAN/PIN, the card should be useless but again there are 2 problems.
1. is again legacy reasons. You steal the PAN, write it in a new card, enter the stolen PIN, bob's your uncle. This should not be possible if the cards where full EMV as the card itself is authenticated against Visa/Master PKI.
2. Internet purchases! Now this is a biggie. You don't want to inconvenience anyone so you keep it as easy as possible. No card authentication, no cardholder authentication. Everything goes. To me this problem can be best tackled with one time passwords/tokens generated by a smartcard.
As you understand this is not a technical problem - and I can assure you that the technology exists and it is solid, but an adoption problem and a backwards compatibility problem.
btw: Come on, you can't read Bruce Schneier and at the same time write the PIN on the back of the card. This is like writing your password on a postit and stick it on the screen. Sure, it's annoying but have some standards!
I don't have experience with the american market so your mile may vary. Having said that:
The terminals are usually sold by vendors that develop the software too. If a bank decides not to work with the vendor in order to develop the software (as in testing environments, proper specifications etc.) then you simply can't use a specific terminal device (reader if you like) with a specific bank/acquirer. As you understand this has to do more with business matters/politics, but nevertheless it is true.
Now the chip and pin/EMV vs magstripe only, if the bank doesn't support it, it is end of story which the OP mentioned. The specifications/requirements are simply too different.
Interestingly enough, EMV (c&p) cards work like this. However the card and the cardholder are both authenticated - either PIN or signature.
If someone steals your card, deactivate your card.
Ok, isn't it a bit stupid to design a system that can be circumvented by someone stealing your card? And no card deactivation for sure doesn't solve the problem
Not really. Chip might be kinda easy to read using commodity hardware, but pin entry must be done through a PCI certified device (as in, lots of money for certification, passed on to you, the consumer)
Because bitcoin is totally fraud-proof.
The wire protocols are de-facto standarized up to a point (ISO-8583 or vendor specific protocols) and the rest are application specific. Interestingly, wire protocols are one of the things that PCI has never touched.
The full PAN can and must be read from an EMV card. (EMV specifications, book 3, Mandatory data objects). Actually both the authentication and the card PAN are sent to the issuer.
Completely generic? Ummmm no. They are C programmable embedded devices which are usually developed according to the acquiring bank's specifications.
So, you are saying that 14.04 is broken because of a bug that was not present in the final release but in the beta?