If that were only true.
PCI actually states that that requirement only applies when the data is sent over OPEN or wireless networks.

I don't know many that would be using HTTP over the internet, but the clause exists to say that if you do, all data must be encrypted. This is to protect against sniffing and hijacking, but your broad assertion that everything needs encrypting is actually a small corner case.

Most of these devices are not running wireless or routing over the internet without some form of an encrypted tunnel (think 3DES router B2B connections).
Plenty of small mom and pop shops also do direct modem dial-ups, but the devices effectively also encrypt the temporary pipe.

For private PCI compliant networks, requirements exist to encrypt a smaller subset of data, including the following:
Cardholder Data, defined as (all can be stored, but the PAN must be stored in an unreadable format):
- Primary Account Number (PAN)
- Cardholder Name
- Service Code
- Expiration Date

Data which must never be stored and must always be encrypted is defined as follows:
- Full Magnetic Stripe
- CAV2
- CVC2
- CVV2
- PIN Block

And lastly,
PCI requires operators to "Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)."
And to have a security policy which states that "unprotected PANs are not to be sent via end-user messaging technologies," with or without encryption.

See Pages 8, 35, 36, PCI 2010 version 2.0 at
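As an added illustration of the two storage categories and the messaging rule listed above (example code written for this page, not from the original comment and not from the PCI Council), the block below takes a transaction record, drops the sensitive authentication data outright, stores the PAN only in truncated (first six/last four) and salted one-way hashed form, and scans free text for digit runs that pass the Luhn check, which is how cleartext PANs in e-mail or chat are usually spotted. The field names, the record layout and all card numbers and messages are constructed test data; the choice of salted SHA-256 as the "unreadable" form is one of several options the standard allows and is an assumption here.

```python
# Added example (not from the original comment or from PCI SSC): apply the
# categories listed above to a transaction record before it is persisted,
# and scan outbound end-user messages for unprotected PANs.
import hashlib
import re

# Cardholder data: may be stored, but the PAN must be rendered unreadable.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
# Sensitive authentication data: must never be stored after authorization.
SENSITIVE_AUTH_DATA = {"full_track", "cav2", "cvc2", "cvv2", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every PAN satisfies; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict, salt: bytes) -> dict:
    """Return a copy of `record` that is safe to persist.

    Sensitive authentication data is dropped; the PAN is replaced by a
    truncated form plus a salted one-way hash (usable as a lookup key).
    Field names are hypothetical; `salt` is a per-deployment secret.
    """
    stored = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_DATA:
            continue  # never written anywhere
        if key == "pan":
            digits = re.sub(r"\D", "", value)
            if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                raise ValueError("field 'pan' does not look like a PAN")
            stored["pan_truncated"] = truncate_pan(digits)
            stored["pan_hash"] = hashlib.sha256(salt + digits.encode()).hexdigest()
            continue
        stored[key] = value  # remaining cardholder data and non-card fields
    return stored


# Runs of 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def find_unprotected_pans(text: str) -> list:
    """Digit runs in free text that pass the Luhn check: likely cleartext PANs."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record using the well-known Visa test number.
    record = {
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "A. Holder",
        "expiration_date": "12/14",
        "service_code": "201",
        "cvv2": "123",
        "full_track": "%B4111111111111111^HOLDER/A^14122010000000000000?",
        "amount": "42.00",
    }
    print(prepare_for_storage(record, salt=b"per-deployment-secret"))
    # Constructed chat line: one real-looking PAN, one random 16-digit
    # ticket number (fails Luhn), one phone number (too short).
    print(find_unprotected_pans(
        "Order for card 4111-1111-1111-1111 shipped; ticket 1234567890123456, "
        "call 555-123-4567"))
```

The scanner only flags runs that pass Luhn, which is what keeps order and ticket numbers out of the alert queue; a messaging gateway would apply it to outbound mail and chat before delivery, which is the control the quoted policy sentence calls for.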

I should have been a slight bit more informative: RSA is from Feb 14 to the 18th.

This was just a dry run prep, kind of a sound test, and the audience I mentioned was composed of a half dozen geeks I've known for years. A small audience, and it was appropriate to be online and get patches applied; the demo requires it.

At presentation time, I'll be host only.

The fact that the zip is used to verify the transaction is utterly irrelevant to PCI. Not cool, and by that logic, if the stripe, PIN, card number, expiration and CVC were used to verify the transaction, could they also be unencrypted?

The zip is either public or, as the court ruled, non-public, and the customer has a right to protect his or her personal information. And how do you propose businesses use the zip, which they will do, and abide by the law, which they will do?

In IT, we call this an opportunity to have a mitigating control and "protect" the customer's right by encrypting the data from prying eyes.

The fact that the zip is a crappy piece of data to be used for a "something you know" validation, and therefore as proof that you must be the authorized holder of the card, seems to have gone completely unnoticed.

Here is my personal relevant experience related to the botched patch.

Booted up, let the patches roll in (first mistake), but we have a policy to keep the honeypot patched, you know.
So nothing, no problem, did a normal end of day reboot.

On the restart, before the login GINA was presented, I got the vile "you're not Genuine" dialog and had to click on "correct it now".
That took me to a Microsoft page stating that I should download a program and run it to perform Genuine validation.
Curious, I opened the Control Panel System panel and it showed "Genuine" OK.

Then, wait for it, the Microsoft Security Essentials icon is blood red, and I come to discover it had dropped its pants down around its ankles and, due to the faux Genuine violation, had instantly and totally been disabled.

Now I'm caught literally in public with my virtual pants down, no firewall, on a hostile network, no AV, ankles getting warmer, but I have to do another damned required Genuine validation, so I download the same program and poof, the moment of drama had passed.

I felt extra soiled by the humiliating experience. This all happened in front of an audience while preparing a demo for the SFO RSA show.

Thinking someone at Microsoft needs to use the new iPhone confession app 'cause they can't seem to budget for the sacrifice of the requisite number of chikenz any more.

The extremists in the media, in collaboration with sheep voters, progressive socialist unions and new world order folks.

Some seem to think the 3rd party is an expedient, low-effort choice; all it requires is absolute commitment to apathy.

These people are not free; they vote as a mindless bloc and cripple any real democratic debate.

Interesting; if upheld, this could push the PCI DSS Council to add the zip to the list of non-public information that must be encrypted.

And that would effectively mandate that QSAs find every gas station in California in violation of the next wave of PCI DSS criteria.

The expense of coding, testing, QA'ing and promoting encryption of the zip (at rest and in transmission) could be high as compared to the moderate to minor risk that companies are stalking their customers using gas station data.

Submission + - Advice for missionary medical aviator safety (

WarmNoodles writes: Bob Norton and his wife Neiba, who went missing on February 16, 2009, were serving as medical aviation missionaries in the jungles of Venezuela. On that particular morning Bob and Neiba had a full plane load: a school teacher, Gladys, along with four Indigenous Indians and full tanks of gas. To say that he was loaded heavy would be correct. Over capacity on people in a four seat Cessna 182? Yes. Over capacity on weight? Possibly. Typical flight for a jungle pilot? Absolutely!

Flash forward to today:
Gary Lewis, who flies for AMA — Guayana (and a very good friend of Bob Norton), has just purchased a new plane to use for his missionary medical aviation work there in Guayana. Let's put our heads together and give him our best advice on equipment to make this plane as safe as possible (i.e. 406 ELT w/GPS, PLB, emergency equipment, tools to carry, survival gear, etc.). We would also like to begin putting together an aviation safety plan with guidelines, procedures and policies intended to keep him safe as a bush pilot (i.e. acceptable flight conditions, flight limitations, emergency procedures, flight plan recommendations, documentation, communications recording, etc.). This may take some time, but if we can get the ideas flowing in, we can compile and begin sending him drafts of the plan for his input and responses. We would like for him to be set up as an example to the other AMA sites (Bolivia, Philippines, South Africa) so that perhaps the entire organization can become a safer operation. Please post your thoughts and suggestions.


Submission + - Kinect Revolutionizing Robotics (

HizookRobotics writes: The Bilibot Project, an open-source robot platform based on Microsoft's Kinect, was just announced today by MIT researcher Garratt Gallagher on Bilibot is just the first in what will likely be a torrent of robots (both hobbyist and professional) utilizing the Kinect. This sentiment was echoed in an essay by Fred Nikgohar, CEO of RoboDynamics, who believes we've reached a watershed moment in robotics enabled by cheap 3D sensing. While much of the attention for the Kinect has focused on video gaming, perhaps robotics will be its greatest beneficiary.

Submission + - Openleaks Founder Sabotaged Wikileaks (

SETIGuy writes: Former Wikileaks programmer Daniel Domscheit-Berg admits in his book that he sabotaged Wikileaks in a manner that threatens the anonymity of leakers. Since leaving Wikileaks, Domscheit-Berg has become one of the cofounders of Openleaks. This raises the question: if you had material to leak, would you trust it to someone who has already jeopardized the anonymity of leakers at a site where he worked?

Submission + - Google brings Design-By-Contract to Java (

angry tapir writes: Google is developing a set of extensions for Java that should help better secure Java programs against buffer overflow attacks. Google has announced that it has open sourced a project that its engineers were working on to add new functionality to Java called Contracts, or Design-By-Contract (DBC).

