The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN.
Short version: of course you need salt, but the real goal is to make brute-forcing infeasible. The best way to accomplish that task is to make your hash function as slow as possible, and able to be slowed even further to compensate for advances in hardware.
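As an added example (not from the quoted post), here is a small Python sketch of that idea: a per-password random salt, a deliberately slow PBKDF2-HMAC-SHA256, and the iteration count stored next to the hash so it can be raised later without breaking existing records. The storage format, parameter names and `DEFAULT_ITERATIONS` value are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example: raise DEFAULT_ITERATIONS as
# hardware gets faster; old records are upgraded via needs_rehash().
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per password, so identical passwords hash differently
    and precomputed tables are useless; the iteration count is stored with
    the hash so the work factor can be increased over time.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than the current target.

    Call this after a successful login and re-store hash_password(password)
    so the cost of old records catches up with newer hardware.
    """
    iterations, _, _ = _parse(stored)
    return iterations < target_iterations
```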
Officers involved in the APEC security operation revealed last night that police manning CBD roadblocks are frequently not told whether motorcades coming toward them are legitimate.
"We're amazed at the lack of communication that allowed this to happen but how are they to know whether a motorcade is legitimate when they're not supposed to stop them and nothing is broadcast over the (police) radio," an officer said.
Also: Bruce Schneier link roundup.
It's troubling that the camera serial number is in the metadata at all.
After the quality of the last couple of books, I thought that spoilers, even fake ones, couldn't possibly make my expectations for this one any lower. I was wrong.
The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press. [...]
I don't think these nut jobs, with their movie-plot threats, even deserve the moniker "terrorist." But in this country, while you have to be competent to pull off a terrorist attack, you don't have to be competent to cause terror. All you need to do is start plotting an attack and -- regardless of whether or not you have a viable plan, weapons or even the faintest clue -- the media will aid you in terrorizing the entire population.
The most ridiculous JFK Airport-related story goes to the New York Daily News, with its interview with a waitress who served Defreitas salmon; the front-page headline blared, "Evil Ate at Table Eight."
Even under the best of circumstances, these are difficult prosecutions. Arresting people before they've carried out their plans means trying to prove intent, which rapidly slips into the province of thought crime. Regularly the prosecution uses obtuse religious literature in the defendants' homes to prove what they believe, and this can result in courtroom debates on Islamic theology. And then there's the issue of demonstrating a connection between a book on a shelf and an idea in the defendant's head, as if your reading of this article -- or purchasing of my book -- proves that you agree with everything I say. (The Atlantic recently published a fascinating article on this.)
For the record, I've kept my copy of Sayings of the Ayatollah Khomeini for the perversely specific details of the appropriate action in the case of, for example, a man molesting a camel. (It must be slaughtered, but a mule treated likewise may be sold.)
In the latest evolution of vulnerability discovery, a company called Intellectual Weapons is offering to work with researchers to develop fixes for security vulnerabilities and then patent those fixes.
Probably FUD, but still: if we needed any more evidence that software patents were a bad idea...
This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you. ...
Issues apparently include:
And various Unix flavours have similar default behaviour?!
That's the term for a Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications among Internet surfers.
Fascinating, like a security book by Malcolm Gladwell or Steven Levitt.
Great article by Bruce Schneier on the recent election problems in Florida. Don't miss the sequel; it's got details of half a dozen more specific cases of real-world failure.
More and more, web app security looks like a house of cards.