* Posts by sathackr

5 publicly visible posts • joined 14 Jan 2014

Someone has fixed the ESX 'VM stun' problem

sathackr

If you're taking storage level snapshots then you aren't flushing the disk cache and your snapshots are only crash consistent.

The stun is there for a reason.

VW floats catalytic converter as fix for fibbing diesels

sathackr

Not another CC!

I own one of these. It already has 3 catalytic converters and a DPF in the exhaust [1]. I have to use special oil to make sure it doesn't clog any of the catalytic converters. They want to add a 4th? I already have to treat it with kid gloves, making sure I drive it with the right profile to clear out the DPF routinely.

[1]: http://sweet-sauer.com/2012/04/20/its-not-your-grandpas-egr-system/

Juniper's VPN security hole is proof that govt backdoors are bonkers

sathackr

Re: So, what has changed?

The way I understand it is knowing this Q value isn't the key -- it is apparently in plaintext in the code. It is that certain values of Q make decryption of the resulting output computationally cheap when a corresponding value (P?) is known,, and the speculation is the NSA specified value of Q is one of these such values.

To 'protect' against such NSA spying, Juniper chose a different value for Q than was specified by NIST. This new value of Q was changed (in 2012?) to a different value, presumably with a corresponding value known by an unknown 3rd party, thus enabling the unknown 3rd party a computationally cheap method of defeating the encryption.

Target hackers: Woohoo, we're rich! Um. Guys? Anyone know how to break bank encryption?

sathackr

Re: Er - too much information?

The actual circuit board that captures the pin is almost always a separate piece than the display that shows the advertisements and messages. The PIN is encrypted before it ever leaves that piece, even within the same enclosure. There are a very few that input the PIN on the same device (such as the Verifone MX870 and I'm not sure what protections it uses) but the vast majority are completely segregated from the other functions of the terminal.

sathackr

Re: Er - too much information?

In the US the PIN pad is required to be a separate device from the one that handles the rest of the customer interaction (mag stripe reader, total verification, signature, etc...) and it has AFAIK no input capability. Even the original encryption keys can only be entered on the pad itself. The encryption keys are stored in the PIN pad and are used to encrypt the PIN before it ever leaves the pad. Most use 3DES. I saw no indication the pads themselves were compromised which is why all they have is encrypted PIN information. The CVV2 3-digit code on the back of the card(Except American Express, it's 4 digits and on the front) is not encoded in the mag stripe, however, it along with the PIN can be picked up with a camera if there is a skimming device.

The terminal, the merchant, the pad, and the card do not know what the PIN is. Only the pad handles it unencrypted. Only after it has been decrypted by the payment processor is it verified and the valid/invalid response sent back to the device.