Comment Re:Re-what? (Score 1) 139

"Chip-and-pin is no more secure than magswipes, it contains the same data"

Just a point of fact: the above is 100% false. The EMV transaction includes some info, but less than the full magstripe, so it cannot be used to make a "Target" style fake magstripe card. This is why all the Target style breaches have been in the pre-EMV USA.
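The concrete reason the two data sets differ is worth spelling out, so here is an added example (not the commenter's, not from any card scheme's code). Track 2 on the stripe and the Track 2 Equivalent Data the chip returns in EMV tag 57 carry the same PAN, expiry and service code, but the verification value the issuer checks on a swipe (CVV1) is computed over the real service code, while the chip's copy (iCVV) is computed with service code 999. A stripe cloned from chip data therefore carries the wrong value. The parser below handles both encodings; the CVV computation is an HMAC-SHA256 stand-in under a constructed key (the real algorithm is two-key TDES under the issuer's CVK), and placing the 3-digit CVV in the last three positions of the discretionary data is an assumption, since that layout is issuer-specific. The sample card is constructed around a well-known test PAN.

```python
"""Track 2 from a magstripe read vs. EMV tag 57, with a simulated issuer CVV check.
Added example. Assumptions: HMAC-SHA256 stands in for the real TDES CVV algorithm,
the CVV occupies the last 3 digits of the discretionary data, and the sample card
is constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # 3 digits; first digit 2 or 6 means an IC is present
    discretionary: str
    source: str          # "magstripe" or "chip"


def luhn_ok(pan: str) -> bool:
    """ISO 7812 check digit over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """';PAN=YYMMSSS...?' as read from a stripe (ISO 7813 track 2), or the EMV
    tag 57 form 'PAN D YYMMSSS... F' with D as separator and F nibble padding."""
    s = raw.strip()
    if s.startswith(";") and s.endswith("?"):
        body, sep, source = s[1:-1], "=", "magstripe"
    else:
        body, sep, source = s.upper().rstrip("F"), "D", "chip"
    pan, rest = body.split(sep, 1)
    if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("bad PAN")
    expiry, service_code, discretionary = rest[:4], rest[4:7], rest[7:]
    if not (expiry.isdigit() and len(service_code) == 3 and service_code.isdigit()):
        raise ValueError("bad expiry or service code")
    return Track2(pan, expiry, service_code, discretionary, source)


# --- issuer side (simulation) -------------------------------------------------
CVK = b"constructed issuer card verification key"   # stand-in for the issuer's CVK


def card_verification_value(pan: str, expiry: str, service_code: str) -> str:
    """3-digit CVV stand-in over PAN || expiry || service code. CVV1 uses the card's
    real service code; the chip's iCVV uses 999, so the two values differ."""
    mac = hmac.new(CVK, f"{pan}{expiry}{service_code}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def issuer_accepts_swipe(track: Track2) -> bool:
    """On a swipe the issuer expects CVV1 (real service code) in the stripe data."""
    expected = card_verification_value(track.pan, track.expiry, track.service_code)
    return track.discretionary[-3:] == expected


def clone_stripe_from_chip(chip: Track2) -> str:
    """The best an attacker holding tag 57 can write to a blank stripe."""
    return f";{chip.pan}={chip.expiry}{chip.service_code}{chip.discretionary}?"


# --- constructed sample card ----------------------------------------------------
PAN, EXPIRY, SERVICE_CODE = "4111111111111111", "2512", "201"   # well-known test PAN
CVV1 = card_verification_value(PAN, EXPIRY, SERVICE_CODE)
ICVV = card_verification_value(PAN, EXPIRY, "999")
GENUINE_SWIPE = f";{PAN}={EXPIRY}{SERVICE_CODE}0000{CVV1}?"
TAG_57 = f"{PAN}D{EXPIRY}{SERVICE_CODE}0000{ICVV}F"


def demo() -> dict:
    chip = parse_track2(TAG_57)
    clone = parse_track2(clone_stripe_from_chip(chip))
    return {
        "genuine_accepted": issuer_accepts_swipe(parse_track2(GENUINE_SWIPE)),
        "clone_accepted": issuer_accepts_swipe(clone),
        "chip_present_flag": chip.service_code[0] in "26",
    }


if __name__ == "__main__":
    print(demo())
```

The issuer-side check is the whole story: a cloned stripe is only rejected if the issuer actually verifies CVV1 on every swipe, which is why the effectiveness of this in the field depends on issuer practice and not on the chip alone.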

Comment Re:Aren't these already compromised cards? (Score 1) 269

You are half right and half wrong.

1. For the "card present" case, like swiping or using your Google Wallet or Apple Pay in person, the BANK pays for the fraud (so long as the merchant has the right equipment, saves the signatures, etc., not hard).

2. For the "card not present" case, like I go to the merchant web site, type in my number, etc. If there's fraud in that case, the MERCHANT eats the cost.

What this tells you is that for the card-present case, the banks have a pretty good tech stack, so they are not super worried, and they lose very little money (i.e. they are able to decline the bad purchases before they go through). The card-not-present case is much more iffy, and the banks shift the costs onto the merchant, and the merchant can make up their own policies about which transactions are worth the risk.

Comment Re:Man In The Browser Attack (Score 1) 121

Ah, thanks. From a quick read of the doc, it is focused on the MITM case. My read of the quote below is that the MITB case is, in fact, not solved. +1 for being honest and transparent. Still, it's progress for one common class of attacks (like say your government feeding you a fake gmail page). It would probably be better in their docs if they used the "MITB" terminology (hey, it has its own wikipedia page!) to be super clear about what is and is not solved. Ultimately, the MITB solution dongle will probably need a little display on it, as outlined above.

9. Client Malware Interactions with U2F Devices As long as U2F devices can be accessed directly from user space on the client OS, it is possible for malware to create a keypair using a fake origin and exercise the U2F device. The U2F device will not be able to distinguish 'good' client software from 'bad' client software. On a similar note, it is possible for malware to relay requests from Client machine #1 to a U2F device attached to client machine #2 if the malware is running on both machines. This is conceptually no different from a shared communication channel between the Client machine (in this case #1) and the U2F device (which happens to be on machine #2). It is not in scope to protect against this situation. Protection against malware becomes more possible if the U2F client is built into the OS system layer as opposed to running in user space. The OS can obtain exclusive access to U2F devices and enforce methods to ensure origin matches.

Comment Re:Man In The Browser Attack (Score 1) 121

Well I watched some low-content video, and it mentions the MITM case (I called it MITB, but whatever). However, there was zero actual information. I guess one way it could work is that the key and Google have a shared secret, and this is used to bring up a channel between Google and the key, and that channel can be secure even if the bad guy controls the browser. But then how is the browser UI resistant against the MITB attack, since obviously the browser is running outside of the key, and outside the key-Google secure channel? I'm quite curious what they've done there. Hey Google -- let's have the reassuring video for the normals. But put in 10 more hours to publish the 2 page whitepaper on how this thing actually works against MITB for the slashdot/hackernews folks please.

Comment Man In The Browser Attack (Score 3, Interesting) 121

It's great that Google is trying to advance this. The attack to worry about is "Man In the Browser" (MITB).

MITB is the difficult case, and the way that bank accounts get emptied. The bad guy has malware on the victim computer, and the malware puts up web pages, and of course it can just lie about the url bar. So then the bad guy puts up the fake bank web site, and the victim types in the 2-factor code or whatever, and now the bad guy has it. Obviously Google knows about the MITB case. Does this thing have some sort of MITB mitigation? I'm guessing it does something. Hey Google, what do you say?

The classical solution to MITB is that the little key has its own display, so it can show "Confirm transfer $4500 to account 3456" - showing the correct info to the "victim" even if their laptop is compromised. Basically, keeping the usb key itself from getting malware is feasible, while keeping the laptop or whatever clean is not.
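The three comments above circle one distinction: U2F binds each key to an origin, which defeats a phishing page on a different origin (the MITM case), while section 9 of the spec quoted earlier concedes that malware with user-space access to the token can present any origin it likes (the MITB case). Here is that exchange as an added Python simulation; it is not code from Google, the FIDO specification or the commenter. The message layout follows the U2F raw message format (application parameter = SHA-256(appId), challenge parameter = SHA-256(clientData JSON), signed data = appParam || userPresence || counter || challengeParam). Assumptions: HMAC-SHA256 under constructed keys stands in for the P-256 ECDSA signature and for the key-handle wrapping, the browser's facet check is simplified to "appId must equal the page origin", and the origins and user names are constructed.

```python
"""Simulated U2F: origin binding stops a phishing page but not malware in the browser.
Added example; not code from Google, the FIDO spec or the commenter. Assumptions:
HMAC-SHA256 under constructed keys stands in for ECDSA and key-handle wrapping, the
facet check is simplified to appId == page origin, origins/users are constructed."""
import base64, hashlib, hmac, json, os, struct

def sha256(b): return hashlib.sha256(b).digest()
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def client_data(challenge, origin):
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": b64u(challenge),
                       "origin": origin}, sort_keys=True).encode()

class U2FDevice:
    """The token: it only ever sees two 32-byte hashes, never an origin string."""
    def __init__(self, master):
        self._master, self._counter = master, 0
    def _mac(self, label, data):
        return hmac.new(self._master, label + data, hashlib.sha256).digest()
    def register(self, app_param, challenge_param):
        nonce = os.urandom(16)
        key_handle = nonce + self._mac(b"handle", app_param + nonce)[:16]   # bound to appParam
        return key_handle, self._mac(b"key", app_param + nonce)             # "public key" stand-in
    def authenticate(self, app_param, challenge_param, key_handle):
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._mac(b"handle", app_param + nonce)[:16]):
            raise ValueError("key handle was not registered for this application parameter")
        self._counter += 1
        ctr = struct.pack(">I", self._counter)
        signed = app_param + b"\x01" + ctr + challenge_param
        sig = hmac.new(self._mac(b"key", app_param + nonce), signed, hashlib.sha256).digest()
        return b"\x01" + ctr + sig                       # userPresence || counter || signature

class RelyingParty:
    """Server: one-shot challenges, stored handles, checks on origin, challenge, signature."""
    def __init__(self, origin):
        self.origin, self.creds, self.pending = origin, {}, {}
    def challenge(self, user):
        self.pending[user] = os.urandom(32)
        return self.pending[user]
    def enroll(self, user, key_handle, vkey):
        self.creds[user] = [key_handle, vkey, 0]         # handle, verify key, last counter
    def verify(self, user, cd_bytes, response):
        cd = json.loads(cd_bytes)
        if cd.get("origin") != self.origin or cd.get("challenge") != b64u(self.pending.pop(user, b"")):
            return False                                 # wrong origin, stale or replayed challenge
        _, vkey, last = self.creds[user]
        signed = sha256(self.origin.encode()) + response[:5] + sha256(cd_bytes)
        good = hmac.compare_digest(response[5:], hmac.new(vkey, signed, hashlib.sha256).digest())
        ctr = struct.unpack(">I", response[1:5])[0]
        if good and ctr > last:
            self.creds[user][2] = ctr
            return True
        return False

class Browser:
    """Honest client: the origin comes from the page and the appId must match it."""
    def __init__(self, device): self.device = device
    def sign(self, page_origin, app_id, challenge, key_handle):
        if app_id != page_origin:
            raise ValueError("appId is not a facet of this origin")
        cd = client_data(challenge, page_origin)
        return cd, self.device.authenticate(sha256(app_id.encode()), sha256(cd), key_handle)

class MalwareClient:
    """Man in the browser: same user-space access to the token, but it writes whatever
    origin it likes into clientData; the token cannot tell (U2F spec, section 9)."""
    def __init__(self, device): self.device = device
    def sign(self, claimed_origin, app_id, challenge, key_handle):
        cd = client_data(challenge, claimed_origin)
        return cd, self.device.authenticate(sha256(app_id.encode()), sha256(cd), key_handle)

def run_scenarios():
    rp, device, results = RelyingParty("https://accounts.google.com"), U2FDevice(os.urandom(32)), {}
    browser = Browser(device)
    kh, vkey = device.register(sha256(rp.origin.encode()),
                               sha256(client_data(rp.challenge("alice"), rp.origin)))
    rp.enroll("alice", kh, vkey)                         # registration response check omitted
    # 1. A phishing page on another origin relays Google's real challenge and key handle
    #    through an honest browser: first with Google's appId, then with its own.
    phish = "https://accounts-google.example"
    try:
        browser.sign(phish, rp.origin, rp.challenge("alice"), kh)
        results["phish_google_appid"] = "signed"
    except ValueError:
        results["phish_google_appid"] = "browser refused"
    try:
        cd, resp = browser.sign(phish, phish, rp.challenge("alice"), kh)
        results["phish_own_appid"] = rp.verify("alice", cd, resp)
    except ValueError:
        results["phish_own_appid"] = "device refused"
    # 2. Malware on the victim's machine forges clientData carrying the genuine origin.
    cd, resp = MalwareClient(device).sign(rp.origin, rp.origin, rp.challenge("alice"), kh)
    results["mitb"] = rp.verify("alice", cd, resp)       # True: out of U2F's scope
    return results
```

Run `run_scenarios()` and the phishing attempts fail at the browser's facet check or at the token's key-handle check, while the malware assertion is accepted by the relying party with a perfectly valid signature. The display-on-the-token mitigation described above would change the last step: the token would show and sign the transaction text itself, so the server could refuse anything the user had not seen on the token, regardless of what the browser rendered.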

Comment Sys Comp Design - Circuit Gear (Score 1) 172

Check out the circuit-gear units. The new "mini" is just $99. I have the previous generation unit. I've enjoyed it for just hacking around, and it's great for demos, since the computer it's hooked up to can be projected. The GUI software for it is open-source, so that's neat.

Comment Re:And this is impressive why? (Score 5, Informative) 114

Are you kidding? Persona solves a whole raft of super common problems
  • Say for example the site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on the site; it's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
  • I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than
  • Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.

Comment Warning: toolbar (Score 1) 183

Note that in addition to using a new numbering scheme, each critical Java security update attempts to install the toolbar, even if upon the initial install you unchecked the checkbox. The latest browser versions include measures to foil the attempted install of the toolbar, so tech-savvy people tend to be unaware of how bad and intrusive the toolbar is. It mucks up all search results with complete garbage. (details here)

So basically the tech naive types get this thing installed and it thoroughly messes up their internet experience, but they are not sure how it happened... thanks Oracle! I cannot think of a better way of getting nobody to use Java.

I would like Java to thrive and compete with other languages, so I'm trying to make sure Oracle gets all the bad press it deserves for this abusive practice. Heh, every time there's a Java story, I try to post a reminder for people to be super careful when applying Java updates. Posting this warning repeatedly I think means I've satisfied one of the three tests for becoming a certified Internet Crazy Person. I just need to figure out what the other two are and I'm all set!

Comment Warning: toolbar (Score 5, Informative) 211

Suppose that when you first run the java installer, it asks you if you want to install the toolbar; naturally you select the No Malware button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice Install Important Update button .. and what do you suppose that does? It installs the toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of which is basically a search-result-spam engine.

The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the spammers. Who the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

See for lots of details on how the installer tries to trick the users and hide itself. It's kind of an interesting arms race between the spamming toolbar and the browser vendors.

Comment Warning: Oracle installs toolbar (Score 5, Informative) 165

Warning: the Java installer will install the toolbar if you click the "yes, please just install my security update" button, even if on the original install you declined the toolbar -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the installer and the browsers trying to keep junk out. Interesting tidbit: apparently the installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.
