Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×

Comment Sympathy, but no go (Score 5, Insightful) 187

As someone who has to support legacy systems, there is nothing more I would like to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).

But we have to be realistic.

The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.

Secondly who pays for this? The customer will not be happy if we say every 5 years we say you have to close your factory down for 2 weeks while we rip out all your old boxes and replace with new ones.

Finally what is the guarantee that the new box has not introduced a new security hole?

The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.

Unfortunately at present industrial application either have no security or are very closely coupled meaning that updates are difficult and costly.

Comment Re:Bluestacks? (Score 1) 66

The chip is specifically for security. It runs a embedded secure environment that the main processor can use to verify executables before they are run. It has nothing to do with android apart from the fact the same technology can be used to secure mobile devices(stop your phone being rooted etc)

Being part of the main processor means it should be harder to break into unlike the intel TPM solution which requires a separate off-chip device

Comment Re:Sounds like my old comp-sci professor. (Score 1) 237

Sounds more like a loss of faith rather than a language problem. I have sympathy, but if you are not an expert in a domain, whenever a problem arises the 1st reaction is to go back to safe ground.

Unfortunately while all programmers know imperative languages, few are taught functional techniques when first programming. Until that happens it is unlikely that functional languages will ever be much more than a sideshow despite there obvious advantages because there are very few problem domains that can only be solved in functional languages.

Comment Re:Stil waiting. (Score 1) 94

I would recommend the particle at the end of the universe by Sean Carroll.
It covers a lot of the same material as the comic but in more detail and also puts it in historical context.

The only bad thing about it is that when you realise that what we call matter is nothing more than the manipulation of energy fields it do end up worrying about your personal concept of reality.

Comment Re: The day before Fukashima happened (Score 5, Insightful) 166

There are well defined techniques for measuring the probability of events happening in industrial safety. Safety Integrity Levels or SIL are used to categorize the possibility of a life threatening event occurring.

The problem is how low a risk do you need and how much will it cost you to get there. Fukashima would probably not have happened if the sea wall had been higher, but the designers had to make the judgement that it was not worth the millions of cost required to build a bigger wall compared to risk of it being breached. Unfortunately decisions like that in hindsight always look flawed.,

Comment Re:I guess they have never heard of two factor aut (Score 1) 731


The point is that yes you can get the pin. But without the physical card it is useless because you need both to complete a transaction.

If your card was skimmed the more likely explanation was that the magnetic strip was skimmed and then used at a place that did not use chip and pin verification. Until we can remove the mag strip this will happen.

Places like the States resisting going to chip+pin means that the rest of use are paying

Comment Re:It's about time. (Score 1) 731

One rule - YOU NEVER GIVE YOUR PIN OVER THE PHONE. or in fact any personal details. especially if they ring you.

Web and Phone verification is different. Web can be via CVS number at the back of the card plus previously defined password. Some companies provide a one time key system. Over the phone is more difficult. Again they ask you part of a password such as the 3 and 7th letter or ring/text back to your mobile phone

The important point in this is that the Pin itself is useless without the card. Unlike magnetic strips there has never been any example of a chip being skimmed and duplicated. Unfortunately cards still retain magnetic strips so that they will work in places like the states. This means cards can still be skimmed, copied and used. but if the card is skimmed in Europe and then used in the States it is is pretty easy to prove that it was not you.

Card security is like any other security. It is as strong as the weakest link. Unfortunately that is the USA at present

Slashdot Top Deals

Nothing will ever be attempted if all possible objections must be first overcome. -- Dr. Johnson