Thanks, glad it's helpful
Credit card transactions are fairly well documented (I'm a big fan of DUKPT myself and that is decently documented). However the process used to generate the account and CVC2 numbers themselves is obscure and proprietary to each bank. Most banks do not have the expertise or will to properly perform this function. They count on malicious actors not looking too hard at how they do things.
Unfortunately for the banks, once you figure out how to generate these numbers you have broken the primary security used to prevent the public at large from using any given key (card numbers) against a very public lock (merchant website). 2FA goes a long way to prevent this!!!
Processors, banks and merchants all have the ability to mitigate this risk by putting in additional controls (geo-location, address, shopping patterns etc.). These all help reduce the risk of a given transaction. However they must balance out approving most (probably legitimate) transactions against an acceptable level of fraud. They must also balance out the overhead involved in reviewing and approving transactions.
The result is the continued use of a system that is fundamentally broken. You will see this type of fraud increase significantly until the whole system is re-engineered.
Every company chooses their own method of generation for this code. Some vendors use weak encryption, some might use strong encryption, some don't use encryption at all, and some issue the codes in batches. It really all comes down to the company, their risk policies and their expertise. That's why large card dumps are risky: they provide material that can be used to look for patterns. It's a bit scary how many companies have told me they secure their product with base64.
For a lot of us, it was poisoned to death at least 10 years ago. And we said so at the time, and no one cared.
A cataclysmic one, for which the whole world will pay dearly.
Speaking of "truth", please explain how you know the future.
Like I'm going to go "have a reasonable discussion with someone I don't agree with".
How would anyone know whether they disagreed with you? A "reasonable discussion" requires explanations of your thoughts. A list of half-articulated observations isn't something people can "reasonably" discuss.
I'm sure some people will react and emote with you though. And congratulate themselves for being righteous because
Agreed, Chip and PIN is better, however it is also broken. The whole thing needs to be rebuilt.
2 factor should
And keep a copy of your stuff on hand before you get fired.
If you were doing it at work on company systems it's probably not "your stuff" anyway, it's probably small utilities he used to make his job easier. If you want to do something for yourself do it on your own time on your own machine, don't use any company resources and try not to do anything that would make them question your loyalty to your day job. Being a consultant or contractor is fine because everyone knows that. Being an employee with a secret double agenda is not.
It would depend on how well the prison is run.
Often the jails are just filled with drug offenders. Not the hardened criminals. For a nerd it would be like being at high school again.
However many IT guys are just as big and tough as any other person who goes into prison. This is 2016, not the 1980s Revenge of the Nerds movies.
Somebody still owns that ISP's assets. Two things, though...
1) Good luck getting $26K from an inmate - at a buck or two a day, twenty-six grand will take a lot longer than two years, and
Assuming he had zero assets before the trial. Any down payment on a mortgage, a car in good shape and you're pretty close.
2) If the courts determined that he only did $26,000.00 worth of damage, I'm guessing this ISP was probably already circling the bowl. After all, if he was solely responsible for breaking this ISP, one would expect a far higher award for damages, regardless of (1), above.
Probably. It could also be that it was easy to prove he did at least $26k worth of damage, he has no more assets and the trustee wants the bankruptcy settled and thinks the practical value of a higher judgement is zero. Except for when the RIAA/MPAA/BSA want big numbers for PR reasons, they're often willing to settle for what you have.
Well it was done on the guy's personal time. It may have made sense not to try to get too greedy. If he needed to hire an outside contractor to do the work, over $100.00 is not unreasonable. However most companies who have to do the random residential fix usually try to cut them some slack and do the work at cost, so as not to garner bad reviews.
Now this is actually a tricky concept. The GNU people think software should be owned by anyone with. While most companies who make their money writing software want controls on what is happening so they can support and make money off it.
Then you get to the problem where these systems are all hooked up to a network and are communicating with other systems. Where we need to be sure that we get constant updates to these systems, otherwise we will be part of a problem of creating more insecure networks and making it easier for malware and hacks to become really common.
You could use the same argument that is used for vaccines, that you should be forced to update so as to help keep the overall network secure and operational. However unlike vaccines, there are good reasons not to upgrade. Mostly due to backwards compatibility issues that occur, and for the case of going from Windows 7 to Windows 10, switching to an interface that is dramatically different and not necessarily optimized for your work.
If we were to own our software again... We will need to be responsible for any problems that we may cause to the outside public. And most people are just not savvy enough to do this.
Never fear, Mark Zuckerberg is working on it now! Soon all those propaganda stories will be replaced with paid advertisements.
Ahh yes. "My side is sensible. The other side is extreme/insane/[insert slur here]." That's some well-reasoned analysis there.
Does your side actually do things to help the people whose votes you want? Maybe telling them to vote for you because you helped them might work better than telling them to vote for you because otherwise you'll call them names.
And of course voters in LA don't count.
True. And the cost/arrest concept is broken too. Would the arrests have been made anyway? Could they have been made another way?
When people have a tool they use it, whether or not it is the use case that was supposed to justify the purchase -- and that can be a good thing (because the widget is earning its keep) or a bad thing (using a tool that's overkill, too expensive to operate, or counterproductive). The real question is what did they specifically buy this for? If the cost justification was that it was going to allow them to make x arrests per year, it's probably a failure. If the cost justification is some other kind of scenario that doesn't necessarily happen every year (e.g. the Beltway Sniper), then the question is whether they're using this thing reasonably.
Veni, Vidi, VISA: I came, I saw, I did a little shopping.