Forgot your password?
typodupeerror

Comment: Re:PCI-DSS (Score 1) 198

Self-assessment is the method used by the vast majority of small businesses, and they're often not even required to do even minimal work to get started. The acquiring bank will just set them up an account and start the ball rolling after Farmer Bob buys a cheap swipe terminal off eBay for the weekend Farmer's market and signs a couple papers. For those organizations that aren't self-assessing, they get to deal with the fact that QSAs often can't even agree on what some requirements mean in principle, let alone when applied to their specific circumstances. Show three different QSAs the same architecture and documentation, get three different reports. That ROC? That's good for toilet paper by the time the QSA pulls out of the parking lot. Don't believe me? Have a data breach and watch Visa roll in with auditors who won't leave until they find a reason to fail your compliance. That's just how the game is played.

All that said, people just declaring that they are PCI DSS compliant is actually exactly what happens. You tell the acquiring bank that you're PCI compliant (either via SAQ or QSA/ROC). If you've met certain levels of activity, the acquiring bank may pass along some paperwork regarding your audits to certain payment brands who require it. They then effectively state that your paperwork appears to be in order and begin processing your credit card transactions. At no point do they declare you PCI DSS compliant and they will most certainly toss your ass to the wolves the second there's a whiff of trouble. And even if they did say you were compliant at filing time, any QSA will tell you that any minor change, lapse, or mistake can completely alter the state of your compliance. From the PCI SSC website: "There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process."

In other words, yesterday you might have been compliant, and tomorrow you might be compliant, but today (always of course the day of the breach), you're non-compliant.

Comment: Re:PCI-DSS (Score 1) 198

No, there's no certificate, but there is a process of documentation and testing commonly referred to as "certification" before you are allowed to process credit card transactions.

This depends entirely on the organization and their acquiring bank's requirements (ultimately the acquiring bank is the only one who matters, but most reasonably organizations develop their own process to ensure they're covered as much as possible). For many small businesses, they're often times just buying a cheap terminal and swiping away. The acquiring bank isn't pressing them for details of their security measures and they're often completely clueless about any requirements they're supposed to be meeting. They aren't bringing in a QSA. Even if they were, bring in three QSAs to any decently sized organization and get three different opinions about your scope and your compliance measures. Half the fun of PCI assessments is determining what the requirements mean, how they apply in your specific instance, and where scope ends. But the point is, there's no issuing authority to say that you're PCI compliant. There's no governing body certifying anyone. The only thing that's actually there are the contractual relationships between the merchant and the acquiring bank and the contractual relationships between the acquiring bank and the payment brands.

I work in point of sale software development and have had to help retail chains overcome problems found in their certification tests. You either don't know what you're talking about, or you're playing a pointless semantic game.

It's not a pointless semantic game because it's the unspoken risk for anyone accepting credit cards. Since there is no official PCI certification and since there is no agreement between QSAs on what the requirements mean in principle (let alone in practice in a specific organization's situation), the PCI SSC gets to stick the claim up on their website that no breach has ever occurred in a PCI-compliant vendor. Best of all, each individual payment brand actually gets to decide what requirements have to be met in which situation by which type of vendor doing what type of business at what scale and via which medium. The ambiguity and the leverage the payment brands hold allows them to arbitrarily decide who is and who isn't compliant at any given moment.

So you keep on doing your documentation and your testing processes (and you should, it's good practice), but if you think for a second your customers are somehow protected from Visa, Mastercard, etc in the event of a breach, you'd best think again. It's a shell game designed to ensure that whenever things go south, the payment brands are never the ones left holding the bag.

Comment: Re:PCI-DSS (Score 4, Interesting) 198

As an organisation accredited to be following PCI-DSS

You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

Comment: NIH, or once-bitten twice-shy? (Score 1) 129

by Millennium (#47460025) Attached to: Mozilla Doubles Down on JPEG Encoding with mozjpeg 2.0

Google has deliberately killed more technologies than Microsoft ever just let wither and die, and Mozilla has been burned by this more than once. At this point, I'd say it's quite reasonable to demand that Google provide some assurances that it's not going to flake out this time.

Comment: Re:"Rare talents"?! (Score 1) 608

by Millennium (#47431125) Attached to: Normal Humans Effectively Excluded From Developing Software

If you seriously think that learning how to use a keyboard and mouse, open and close windows, download programs, and type, is "too complex", then I pity the incredibly low bar that you have set for yourself in life.

I don't. But if you seriously think that that's all there is to even rudimentary programming, then either you've forgotten far too much about your own learning experiences, or you're a prodigy (in which case you shouldn't be generalizing your experiences at all).

I don't have to reassure people that it takes too much time and energy. They convince themselves of that easily enough, and frankly, the widely-available evidence favors them quite strongly. If you want to convince them otherwise, you're going to have to prove to them that this is easy to pick up. Good luck with that. I certainly haven't managed, and I've come to a conclusion as to why I can't prove it: it's simply not true. Your arguments aren't very compelling either.

Comment: Re:yes but (Score 1) 302

by Loki_1929 (#47429365) Attached to: Wireless Contraception

Assuming I found the idea of male or female genital mutilation and "straight camps" reprehensible I absolutely would feel the same way. See below.

I was hoping one of those might strike a cord, but consider if the Federal government stated you had to directly fund the murder of children up to say 5 years of age. Since many religious people believe that the life of a child begins at conception, that's what people like the founders of Hobby Lobby believe they are being told to do: directly fund the murder of children, not with the collection of taxes that go to a general fund, but rather by paying the private business that pays the private business that murders children. I would assume you would have significant objections to being forced to pay someone to murder children, but would you do it anyway simply to comply with the law? Or would you seek to be excluded from that requirement?

If I consider cockroaches holy I still don't have the right to forbid or obstruct a fumigator from doing his job.

No you don't, but I think you have to admit that a fetus/unborn child/baby/whatever-you-want-to-call-that-thing is significantly different from a cockroach, assuming you consider human life to be more important than insect lives. If you don't, that's fine, but I don't think we can have a good discussion. Assuming that you do, I actually still agree that no one has the legal right (though I would consider moral right a tougher call) to prevent someone from having a legal abortion or to prevent a doctor who performs abortions from doing his job. However, that isn't what's being discussed here. What we're talking about is the founders of Hobby Lobby, whose religious beliefs consider abortion to be murder, being forced by their government to directly fund that practice. In essence, from the perspective of their religion, they're being forced to directly fund the murder of children. Regardless of what you or I or any of the justices of the Supreme Court believe, it's what the founders of Hobby Lobby believe and they would almost certainly have to conclude that compliance with that law would damn their immortal souls to Hell for all eternity. I think that makes it rather difficult to defend for a nation that purports to respect religious beliefs.

There are many actions I disagree with committed in my name (and with my tax money) by the federal, state and local governments in whose jurisdiction I happen to reside. The fact I don't like how my resources are being utilized does not give me the right to refuse to pay taxes, permission to disrupt law enforcement activities or anything similar.

Your tax dollars go into a general fund. From that fund, activities you disapprove of are funded. Yet that's a far cry from them forcing you to pay for those activities directly. For instance, if you believe that all wars are evil and that fighting them and killing in them is murder (the truly convicted total pacifist), you may not like that the US government buys bombs and missiles with monies collected through taxes, but they aren't telling you that you have to write a check to Lockheed for an order of 5,000lb JDAMs so they can be dropped on someone's house. In other words, there's at least some difference between being forced to pay into a fund of fungible funds which is sometimes used for things you dislike and being forced to cut a check to pay for something that directly contradicts your firmly held beliefs.

In both cases there is a law in place. In my case I have to comply or face the consequences. In HL's case, they apparently do not have to comply with some of the law because they don't like it?

There are plenty of cases where you don't have to comply with the law. For instance, it's against the law to kill another human being. However, if that human being is trying to seriously harm you and you have no other choice to avoid that serious harm, you're exempted from the consequences of violating that law due to the circumstances. Intent is a huge component of criminal law. In many cases, a lack of intent can be a defense against criminal charges. In many of those cases where exemptions are carved out for circumstances, the beliefs of the individual and the reasonableness of those beliefs are a key factor. In this case, the founders of Hobby Lobby have beliefs that compliance with this law would constitute violation of core religious doctrine. In other words, they believed that directly funding these particular forms of birth control would damn them to Hell for financing the murder of children. Further, the other 16 methods of birth control were apparently not an issue for them, meaning they were seeking to follow the law right up to the point where it would result in eternal damnation. That's a far cry from simply declaring that one isn't going to follow the law because one dislikes it. This is a very specific, narrowly tailored exemption carved out for a relatively small group of individuals based upon an apparently reasonable religious belief.

While I understand that HL was able to summon the money and political clout to push the issue clear through the Supreme Court for an exception, I remain unconvinced that what occurred here was just/right even though it's clearly legal.

I think that what they were seeking was completely reasonable. Out of 20 birth control methods looked at, they found four methods with specific characteristics which heavily conflicted with their firmly held religious beliefs. They didn't seek exemption from the entire law or the womens' health aspects of the law or even the birth control aspects of the law. Rather, they were seeking to not have to directly fund a very small number of specific things that they believed constitute murder. Worse, that they believed constitute the murder of defenseless babies. I think if you ask 1000 people whether the Federal government can legally force someone to fund the murder of young children, at least 995 of them would say no. At that point, all that's left is to ask whether it's reasonable - based on their religious beliefs - for the Hobby Lobby founders to believe that's what's required of them if they have to fund those few specific methods.

SCOTUS found that it was reasonable for them to believe that and that as such, they had grounds to object. Further, the SCOTUS found that because there were so many alternatives for those affected by that coverage gap, the actual impact of such an exemption would be pretty limited. With those two things in mind, it became rather simple to decide that forcing a person to directly fund what they believe is the murder of small children, when not forcing them to do so has little impact on any else's rights or interests, just doesn't make sense. Thus, carving out a religiously based exemption was the best result. I think that's a perfectly sensible way for the SCOTUS to act.

OT: Thank you for your considered statements, reasonable tone and for not trying to turn this into a flame war.

Certainly, as I said, I'm definitely not emotionally invested in this case beyond looking for consistency and reasonableness. I really don't think this case would make any headlines if it weren't tied to the President and the ACA. I don't particularly like the legislation, but that's because I think it was poorly constructed and will bring loads of unintended consequences without actually making a significant enough impact in fixing problems like healthcare costs. Religious issues like what we're seeing in this case are just the beginning. This thing is going to slowly churn new exemptions (mostly administrative) and other changes constantly over the next decade until it's every bit as complicated as the current tax code. I think the law should be simple enough that one person can completely understand it and comply with it at all times. Our own government can't even tell us how many (just the number) of laws there are at the Federal level (seriously, the Library of Congress did a whole blog posting about this subject), let alone explain what all those laws are and how one would comply with them. That doesn't even touch all the laws in every state, county, city, township, etc. All that does is breed disrespect for the law and for the government making those laws.

Comment: Re:What might have happened. (Score 1) 205

>up and thought 2-digit years would be enough,

When economists actually looked at the *data* for the "Y2K problem," they found that it would have cost, in discounted real dollars, three times as much to prevent the problem as it would have to avoid . . .

doc hawk, economist

Comment: Re:Technically, it's not a "draft notice" (Score 1) 205

My Uncle looked at his draft number, and enlisted (more control over assignment).

He was right.

My grandmother forwarded his induction notice to him in Viet Nam.

He had the cook lay down, poured catchup over his head[1], and stood with his foot on the cook--and sent the picture back, from Viet Nam, to the draft board.

hawk

[1] Kind of silly to worry about color for a B&W picture . . .

Comment: Re:"Rare talents"?! (Score 1) 608

by Millennium (#47428677) Attached to: Normal Humans Effectively Excluded From Developing Software

Actually, my next step is to claim that your two steps are already too complex. Not because people are stupid, but because these two steps require a greater investment of time and energy than most people can realistically be expected to make. The moment you mentioned taking a class, you had already failed.

Comment: Re:"Rare talents"?! (Score 1) 608

by Millennium (#47423603) Attached to: Normal Humans Effectively Excluded From Developing Software

You seem to imply that programming is, at its core, a relatively small set of simple and easily-grasped concepts, but I can't say I've ever found compelling evidence that this is actually the case. Could you please list these basic skills that are so easy to master? I'm afraid I have to ask for a thorough list.

Comment: "Should" programming really be easy? (Score 1) 608

by Millennium (#47416595) Attached to: Normal Humans Effectively Excluded From Developing Software

I'm not interested in excluding people from programming. However, there seems to be an underlying assumption from many of the coding-for-all types that programming "should" be much easier than it currently is. I'm putting "should" in quotes here because when many people see that word, they start thinking in ideological or moral terms. That's not my intended meaning. I'm talking about the logistics of programming: specifically, the idea that we have unnecessarily heaped huge amounts of complexity on top of something that is actually quite simple.

In order to open up programming to the masses, it must necessarily be simple and easily-grasped at its core. This is not because most people are stupid, but because most people cannot afford to spend a great deal of time and energy learning the concepts behind it. As currently understood, programming requires a large investment of these things, and most programmers today, by far, are people who have made that investment.

Can that time investment be reduced? To some degree, it probably can. But there are limits to how far something can be reduced, and I'm not convinced that programming can be reduced to a degree that would bring it to the masses. My reasoning for this is that I'm not convinced that the core concepts are as simple and easily-grasped as they're often made out to be. They seem simple to me nowadays -almost second nature, in fact- but I've been programming for years, I studied for years before that, and things didn't really start to click until I was a few years into my studies. Even nowadays, I still get moments where something suddenly clicks and my skills take a noticeable leap forward. This is not a hallmark of a simple field.

I believe that most of the people who set out to "simplify programming" are not too different from me. They might have learned certain concepts at different rates, but the things that seem simple to them now did not seem so simple when they first began. This is, I propose, because they aren't simple.

I am not "elite." All I did was allocate my time a little differently, and in ways that not everyone realistically can. I don't begrudge them this, because a lot of them allocated their time in ways that I couldn't, especially not after I made my choice. I respect and appreciate the skills they have that I don't, and I don't think I'm out of line in asking for the reverse. What makes this state of affairs unacceptable?

Comment: Re:yes but (Score 1) 302

by Loki_1929 (#47413201) Attached to: Wireless Contraception

What an interesting perspective. Pray tell, once the baby is born, but still attached via the umbilical cord, is it still a parasite you can destroy at will? I don't actually care one way or another about abortion, but I do care about consistency. From a medical standpoint, there are some specific events such as fertilization, implantation, birth, etc which could be used as a basis for drawing the line between a non-human thing (which one might describe - as you did - as a "parasite") and a human being. Thus far, the only group that seems to define that line at a medically objective point are the religious crowd (who use fertilization as their starting point). Again, consistency.

Comment: Re:yes but...yes in fact. (Score 1) 302

by Loki_1929 (#47413183) Attached to: Wireless Contraception

Why are certain beliefs privileged?

Because the people who founded this country came here seeking relief from religious oppression. Thus, when they created their own government (the one we have today), they ensured that the highest law of the land specifically restrained the government from doing to future generations what the Crown had done to them. If you don't think religious beliefs deserve special consideration, feel free to propose an amendment to the US Constitution stating so.

Could a non-religious person decide they "believed" in not providing certain healthcare to their employees and just let the government pick up the bill instead?

That would be a more challenging case to prove. The benefit of belonging to a popular religious group is that the tenants are widely known. As such, one must only then demonstrate that one actually belongs to that group (and even so, only minimally; stating as much without evidence to the contrary would typically be enough) to gain protection from government policy, law, or action which would violate that group's religious beliefs. In the Hobby Lobby case, there were 4 specific methods of birth control out of 20 which the owners maintained violated their core beliefs. In essence, they viewed those 4 specific methods as murder, but raised no objection to the other 16. The SCOTUS found those beliefs to be sincere and reasonable, and found that there was no interest at stake compelling enough to override the protections afforded to the owners of Hobby Lobby by the US Constitution. This was found in no small part due to the multitude of other options available for those seeking to attain the goals of the underlying legislation.

It's actually a pretty mundane case and shouldn't get people this riled up, but it does because the ACA and the President are attached to it. If this case involved any other law but the President's signature legislation, nobody but SCOTUS buffs would have heard a word about it.

Optimization hinders evolution.

Working...