
Comment Re:Finally (Score 1) 353

You can usually install another radio into a car, FWIW. You don't need to get a completely new car.

Do you still drive a car from the 90s? You would lose a lot of functionality in a modern car by attempting to replace the radio system. Shit my car is 14 years old and the radio is a headless box that provides power in, audio out, and a wiring loom to the CANbus that integrates with the dash, steering buttons, console display, central buttons, GPS system, etc.

You do realize that there are CANBUS adapters for every single car on the market, right? At least, the ones in the US market. Plus who the hell wants their car stereo communicating with the other devices on the CANBUS? That's just poor security right there just so that you can do things like turn the stereo off when the car is off and the door opens.

Comment Re:Finally (Score 1) 353

You can usually install another radio into a car, FWIW. You don't need to get a completely new car.

You can always install another radio into a car. But it might not integrate with any of the things in the car, and it might not even fit into the dash these days.

There are adapters for all that fancy shiz that you'd probably actually care about. Just go to crutchfield and check for yourself. All those stereos integrate with the CANBUS these days (which is really stupid to do from a security standpoint, BTW), and there are adapters which allow after market devices to communicate on the bus.

Comment Re: How to copy? (Score 1) 168

> Cloners have been available in the US for these cards for years

Prove this statement because it smells like bullshit to me.

Point me towards a cloner (or even an article that describes how to) for chip & pin cards or stfu with your hyperbolic bullshit. HINT: incorrect implementations of emv. (ie: using non-random UN's) aren't clones.

Again, we don't have chip and pin in the USA. We have chip and LOL. It's a farce. Cloners have been available for years.

Can you point us to a resource that shows that you can clone a chip for online processing? To my knowledge, you cannot. Since the US has a floor limit of $0, all transactions go online and you cannot use a cloned card. Not to mention that Chip + PIN is completely possible in the US, and is expected to roll out in the next year or two. In my experience, it's actually the US based credit card processors that don't want to support PIN right now, and not the issuing banks.

Comment Re:That's going to be tough to prosecute (Score 2) 369

The statement he has no First Amendment right because he is not a US citizen is an embarrassing statement by a US official.

If they want to try him in the US then they must do so in accordance with US law. The first amendment would protect him in a US trial on US soil whether he is a citizen or not. This is why they really try to avoid criminal proceedings against the prisoners at Gitmo.

Comment Re: How to copy? (Score 3, Informative) 168

And the American regulation requires that the chipped card checks the bank balance and does all the handshakes between multiple networks in real time before it allows the transaction to take place, hence the extra delay.

That is not typically the reason for the delay. The fact of the matter is that the US region required online processing for EMV because at least 90% of the transactions in the US were already online only. There are some significant attacks against offline EMV that are entirely mitigated by online processing. There are no known attacks on Online EMV with card present. Even without a PIN, you cannot duplicate someone's card or skim it. You can steal someone's card and use it, but you cannot create a cloned copy of the card and use it.

The problem in the US is entirely with poor implementations. The most inexpensive terminals manually check a list of supported brands against the card's brand(s) one at a time. The brands have IDs that can be incredibly specific. A lot of the processors I've worked with want to manually add each and every ID to their configuration basically saying "I support North American MasterCard. I support Australian MasterCard. I support European MasterCard..." for basically every region in the world when they could just say "I support MasterCards of all types." So the card terminal sits there for a solid 10-20 seconds just going through its list asking the card "Are you this brand?" Literally. Regulations in the US require you to support "US Common Debit" if you're going to allow debit transactions. There is literally one additional ID that is required to be supported in the US versus other regions. Furthermore, you'll find that transactions go online and receive approval in Europe somewhere on the order of 70+ percent of the time and are still faster than US transactions. I'm working on a project right now for a company halfway across the world from me and, when I have control of the terminal flow, I can run through the entire process from the US, 8000 miles, back to the US for issuer authorization, then back that 8000 miles to the processor and back to me in about 300-400ms. With a processor who lives in the same city, I can complete a transaction in 100-200ms on a slow day.

When I say that, I'm obviously excluding transactions that require prompts, but one where I have the terminal flow set to run the transaction from end to end the instant the card is inserted into the terminal with no further human interaction required.

As opposed to Europe, where the European chipped card could work in a place with no phone reception and no network access, the balance would be kept on the card, and the balance would later be reconciled in a central ledger at the end of the day, or at the end of the week (I'm not sure which). But this of course made the card super fast to use.

They have not done this in Europe or anywhere else in a long time. I think the last card issued that behaved in this way was around 2007. Some of them haven't expired in their countries of origin and you still have to support this capability in some regions, but it's being phased out. You cannot trust a balance from an offline transaction. The terminals all have a transaction ceiling which, when hit, a transaction is forced to be processed online. In the US that limit, from a liability standpoint, is $0. For most European merchants, they use somewhere on the order of 20-40 pounds/euros/whatever. Basically a high enough limit that you can recharge your metro card. That limit is also based on the type of merchant as well. The majority of card fraud occurs at gas stations and the industry has completely different rules for unattended gas pumps.

And also, some chipped cards are allowed to be used without the pin, because not everything on a chipped card is encrypted, and that's ok for some businesses because they'll limit the amount of the transaction when the pin is not used

This is only sort of true. If the terminal supports offline or online PIN verification then you cannot bypass the PIN in any region unless that region specifically allows it. From what I can see with just a brief glance it looks like you can only bypass PIN in Australia, Japan, India, and Russia. Anywhere else MUST validate the PIN if the terminal supports it. The data embedded into the transaction also tells the Issuing Bank that the PIN was bypassed and that can affect liability, unless the Issuing Bank approves the transaction online.
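Added example, not part of the comment above: the floor-limit and PIN-bypass signals it mentions reach the issuer in the Terminal Verification Results (EMV tag 95). The sketch below decodes bytes 3 and 4 of a TVR using the bit meanings from EMV Book 3; the function names, flag names and sample values are constructed for illustration.

```python
# TVR (EMV tag 95) is 5 bytes; bit 8 is the most significant bit of a byte.
# Only bytes 3 (cardholder verification) and 4 (terminal risk management)
# are decoded here. Flag names are this example's own labels.
TVR_BITS = {
    (3, 8): "cardholder_verification_failed",
    (3, 7): "unrecognised_cvm",
    (3, 6): "pin_try_limit_exceeded",
    (3, 5): "pin_required_no_working_pinpad",
    (3, 4): "pin_required_not_entered",
    (3, 3): "online_pin_entered",
    (4, 8): "exceeds_floor_limit",
    (4, 7): "lower_offline_limit_exceeded",
    (4, 6): "upper_offline_limit_exceeded",
    (4, 5): "randomly_selected_online",
    (4, 4): "merchant_forced_online",
}


def decode_tvr(tvr_hex):
    """Return the set of flag names raised in a hex-encoded TVR."""
    raw = bytes.fromhex(tvr_hex)
    if len(raw) != 5:
        raise ValueError("TVR must be exactly 5 bytes")
    return {name for (byte_no, bit_no), name in TVR_BITS.items()
            if raw[byte_no - 1] & (1 << (bit_no - 1))}


def review(tvr_hex, went_online):
    """List what an issuer or acquirer would want to look at."""
    flags = decode_tvr(tvr_hex)
    findings = []
    if "pin_required_not_entered" in flags:
        findings.append("PIN bypassed at a PIN-capable terminal")
    if "exceeds_floor_limit" in flags and not went_online:
        findings.append("over floor limit but approved offline")
    return findings


if __name__ == "__main__":
    # Constructed sample: byte 3 = 0x08 (PIN not entered), byte 4 = 0x80.
    print(review("0000088000", went_online=False))
```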

Comment Re:What about Chip and PIN in the US? (Score 1) 85

Here we are in the US with chip and signature, much less chip and biometrics. And not all retailers have chip readers, including Costco, at least the one I shop at. My one man barber shop has a chip reader POS terminal. And what about using stolen cards with on line retailers before the owner knows about the theft? I'm not sure how the interface would work.

Blame your bank for the lack of PIN on your card. My debit card has chip + PIN here in the US. I have a bunch of credit card terminals on my desk and can do online PIN, offline PIN with CDA, offline PIN with SDA, and unencrypted offline PIN just fine with my card. There's no technical reason it can't be done here in the US. It is purely a business decision. All ATMs are supposed to be chip capable by about October 2017, so perhaps they'll start adding PINs then.

Comment Re:Crypto (Score 1) 85

They do in countries with modern payment systems.

It's called "EMV" or "Chip+Pin". There's also "paypass" and "paywave" - aka NFC.

I can't swipe my card in a local terminal even if I wanted to. There is data in the magstrip that says the terminal must use the chip if it can. There are no terminals that can't in NZ anymore.

The service code in the track 2 data indicates that the card is EMV capable. You could easily rewrite the service code but the issuing bank would see that if the transaction were to go online. Most transactions are online these days and online processing is technically a requirement in the US, though you can approve offline at your own risk. You can also do some attacks with the chip itself when they're used offline as well, but they're trickier. The Information Security Group of the University College of London have more information about the different types of offline attacks one can run.
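Added example, not part of the comment above: an issuer-side check on a swiped online authorization, comparing the service code received in track 2 with the one the issuer personalised onto the card. The track 2 layout and the chip-indicating first digits (2 and 6) follow ISO/IEC 7813; the function names, the test PAN and the sample tracks are constructed for illustration.

```python
import re

# Track 2: optional ';' start sentinel, PAN, '=', YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

# First service-code digit: 2 = international IC card, 6 = national IC card.
CHIP_FIRST_DIGITS = {"2", "6"}


def parse_track2(track2):
    """Split a track 2 string into PAN, expiry and service code."""
    match = TRACK2.match(track2)
    if not match:
        raise ValueError("not a well-formed track 2 string")
    pan, expiry, service_code, _discretionary = match.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code}


def check_swipe(track2, issued_service_code, terminal_chip_capable):
    """Flag a magstripe-read authorization that contradicts the issuer's record.

    issued_service_code is what the issuer wrote to the card at
    personalisation (a hypothetical lookup keyed by PAN in a real host).
    """
    card = parse_track2(track2)
    findings = []
    if card["service_code"] != issued_service_code:
        findings.append("service code differs from issuer record")
    if issued_service_code[0] in CHIP_FIRST_DIGITS and terminal_chip_capable:
        # A genuine chip-read failure also lands here; the issuer decides.
        findings.append("chip card swiped at chip-capable terminal")
    return findings


if __name__ == "__main__":
    # Constructed samples using a test PAN; issued with service code 201.
    genuine = ";4111111111111111=30122011234567890?"
    rewritten = ";4111111111111111=30121011234567890?"
    print(check_swipe(genuine, "201", terminal_chip_capable=False))
    print(check_swipe(rewritten, "201", terminal_chip_capable=True))
```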

Comment Re:News for nerds? (Score 1) 338

More like news for people who aren't paying attention.

The administration is way behind on filling much more important positions than this. Last month they suddenly reversed themselves on the US attorneys staying on until there are replacements... fine, but as of today there aren't any nominees for any of the 93 prosecutor positions, because they haven't filled the undersecretary level positions that do that. Justice is also missing a number of key appointees for national security positions.

There's the same story at state, where over half of the high level appointees have yet to be named, including officials to oversee the Middle East or nuclear anti-proliferation.

The confusing situation with the USS Vinson might well have something to do with the fact that a number of important second and third tier DoD positions haven't been filled, and the same at the Executive Office of the President. A lot of what those people a tier or two below the top do is make sure the right hand knows what the left is doing.

Cybersecurity is an important issue, but the administration doesn't have the people in place to set up and run such a team yet.

He could probably get appointments made if he actually took the job seriously. I'd liken his choices with the Pope saying to all of the cardinals that he'd like the freaking Anti-Christ to be the Papal Nuncio or something like that. All of his sensible appointments went through rather quickly. The rest have been delayed as long as humanly possible.

Comment Re:It'll get better, maybe someday (Score 2) 442

Pretty sure my parent company still outsources to all of them. I hate making large broad statements, but I've never yet met one I was impressed by. Seems the whole business model for outsourcing revolves around everything being so cheap you can rebuild it 5x and still come out ahead on direct project costs. As for impacting the business with garbage software, that doesn't cost anything, right?

I think when these companies initially court you, they typically have some very talented people help make the sell. These people can talk the talk and walk the walk. Once there is ink on paper, even before the signature dries, they're off to the next sale.

Comment Re:Good luck with that! (Score 1) 132

Good luck with this policy. At best a few sailors or marines will be busted each year for their stupidity, but the vast majority of incidents will never see any enforcement.

I've never been in the armed services but I was under the impression that one of the most important rules for those in authority was do not give orders that one knows will not be followed. Issuing orders that won't be followed helps destroy one's own authority.

I dated a Navy JAG for a bit and they actually love these kinds of orders from Sec Navy. Well, commanding officers do. It's a great way to get rid of someone you don't like because it's easy to selectively enforce the rule. Not only that, but when it comes time to prosecute, the JAGs often request a reduction in sentence or charges and the commanding officer for the unit in question is able to accept the reduction, or not, based on whether they want that person to be able to stay inside of the command. There are, of course, risks to the commanding officer if they choose to keep someone who later causes problems, but most of the time it's the officers or enlisted people that they want out of the Navy that have these charges brought against them to begin with.

Comment Re:Release for real? (Score 1) 94

Or just create a big hype and discontinue the thing when they will have sold 5000 boxes as they did with the NES Classic? Damn you Nintendo. I never buy anything else from you.

My inside sources suggest they'll make exactly 21 units - 1 will be a test unit. They'll hype it for a few months and then give everyone the middle finger and suggest they make a RetroPi instead.

Comment Re:Recycle! (Score 1) 129

They're not a couple of escaped helium balloons from a birthday trapped on your ceiling waiting to be grabbed, they're flying about faster than bullets in differing and often completely opposing orbits and there is no Neo from the Matrix around to wave his hand and make them all magically stop for you.

We've had our eye on you. We thought you might be the one, but we can see that you're not ready yet.

Comment Re:Aaaand.... (Score 1) 227

Yes, let us only do constructive things 24/7/365, not relax ever!

Perhaps our anonymous friend does not find TV to be very relaxing. I don't find it to be especially interesting, most of the time. Typically I watch TV when I am not feeling well enough to go do something more interesting. It's better than laying there and doing nothing, and if I fall asleep, I don't feel like I missed anything.

Comment Re:You try to force me to watch something and BYE! (Score 2) 227

>"If a show is available on-demand, viewers won't be able to skip ads, even if they recorded the episode on DVR."

And this is why streaming usually fails, because it puts the user out of control. It doesn't matter the who or why- broadcasters, content providers, streaming service, if they are going to FORCE the customer to view ANYTHING- be it ads, previews, trailers, "infomercials", public service announcements, then we have moved backwards. Streaming gives them that power, and it is often irresistible- something they don't have over DVR's.

Technology has released me from being forced to watch commercials for 20 years and I am not about to start now (VCR then TiVo then added Netflix streaming). I am amazed that people will PAY for services that force them to watch what they don't want. Even if the content is "free", there is a large segment of the market who is like me, and if that contains forced anything, we reject it.

Forced ads are a dinosaur that needs to become and stay extinct.

This is why I will not watch a DVD, whether I rent it or buy it. I rip it and stream it to my device and, if necessary, delete it when I am done. When you pop the DVD/Blu-ray into the drive they try to force you to watch trailers and other adverts, FBI warnings, and other BS that I have no interest in being forced to see.
