From bgiles at coyotesong.com Mon May 18 08:52:54 2015
From: bgiles at coyotesong.com (Bear Giles)
Date: Mon, 18 May 2015 08:52:54 -0600
Subject: [lug] OT: Credit Cards w/ Chips
In-Reply-To:
References: <1431714977.11350.4.camel@maxwellspangler.com> <55565CFA.7000705@gmail.com> <1431753262.30690.6.camel@maxwellspangler.com> <55575954.3010206@gmail.com> <55576D09.1090408@gmail.com>
Message-ID:

Don't forget the legal aspect. Europe has a secure system since the banks are on the hook. The US has an insecure system since the merchants are on the hook. (iirc)

We're finally changing because the laws have changed. Imagine that - change the liability and you see different behavior.

But as to the broader question - we tend to think in terms of urban solutions. What do you do about the little store out in the middle of nowhere, the one where they're lucky to have low-quality voice service? The system has to work for them as well. We ran into that at the USDA - we had a web-based solution which was fine for most users but then we had to deal with border agents at the middle of nowhere in deep rural New Mexico and Arizona. They were lucky to have 2400 baud modems in the office, nothing in the field.

Even urban areas aren't safe. After Sandy the telco said 'screw it, land lines are expensive to install and maintain' and put in a VOIP system for everyone. Only one problem - the credit card payment systems can't run on VOIP. The merchants couldn't process credit cards. Their solution - which is a huge violation of their contracts - is to write down the credit card information INCLUDING THE SECURITY CODE and process the info later at a different site. You don't write down the security code. Ever. That's a good way to lose your merchant account. I don't think you can write down the full credit card number either any more - if you store it, it has to be encrypted and stored to financial industry standards (read $$$).
So they were risking their business, or at least $100k audits and monitoring, because their telco didn't want to replace some copper wires.

On Sun, May 17, 2015 at 10:06 PM, Mike Stanczyk wrote:

> On Sat, 16 May 2015, William D. Knoche wrote:
>
>> I don't know if there are any good papers still out there. Google search
>> should provide some clues.
>
> Security Engineering V2 by Ross Anderson is available on the web at:
> http://www.cl.cam.ac.uk/~rja14/book.html
>
> It's chock full of stories on things done right and usually wrong.
> There's some chip-and-pin stuff in there but I don't remember which
> chapter.
>
> Mike
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety

From jeffrey.haemer at gmail.com Mon May 18 10:08:03 2015
From: jeffrey.haemer at gmail.com (Jeffrey S. Haemer)
Date: Mon, 18 May 2015 10:08:03 -0600
Subject: [lug] OT: Credit Cards w/ Chips
In-Reply-To:
References: <1431714977.11350.4.camel@maxwellspangler.com> <55565CFA.7000705@gmail.com> <1431753262.30690.6.camel@maxwellspangler.com> <55575954.3010206@gmail.com> <55576D09.1090408@gmail.com>
Message-ID:

Another reason Europe adopted the system it did was a lack of reliable land-lines. It was analogous to the situations Bear described.

In almost every country but the US, the phone system was established and run by PTTs -- the same government bureau in charge of the post office and the telegraph. Phones long sounded little better than tin cans and string. Last time I was in Romania, the mean time to install a land-line was six months. Sergei Kuznetsov, the head of the Russian Unix Users Group at the time, told me that in Russia, it was still a year. Here, it's "Can you be at home on Tuesday, between 1 and 5 for our installer?"
There, it's "Be home for our installer next May." :-)

In such situations, a credit-card system that requires easily available, reliable, low-noise, phone lines is a non-starter.

One reason cell adoption was so much faster in Europe than in the US was that you could get a phone right away if you could pay for it, and it would actually work. Alexandru Rotaru, who ran GURU, the Romanian Unix Users Group, always carried two.

I haven't worked there for a decade or so, and things may have improved.

--
Jeffrey Haemer
720-837-8908 [cell], http://seejeffrun.blogspot.com [blog], http://www.youtube.com/user/goyishekop [vlog]

From bgiles at coyotesong.com Mon May 18 12:13:55 2015
From: bgiles at coyotesong.com (Bear Giles)
Date: Mon, 18 May 2015 12:13:55 -0600
Subject: [lug] OT: Credit Cards w/ Chips
In-Reply-To:
References: <1431714977.11350.4.camel@maxwellspangler.com> <55565CFA.7000705@gmail.com> <1431753262.30690.6.camel@maxwellspangler.com> <55575954.3010206@gmail.com> <55576D09.1090408@gmail.com>
Message-ID:

What about western Europe though?

Then there's the poor guy in Washington state. He repeatedly asked both Comcast (?) and the telco if he could get broadband at the location where he was building a house. He was reportedly told it would not be a problem.

Then he moved in and after months of runarounds both told him that they would not offer service to him. It wasn't a case where they were willing to provide service if he absorbed the cost of running a wire to his place. They flat-out said they would not provide service.

Last I heard he was going to sell the house but who would buy it knowing that they couldn't get service?

(There's no defense for lying to him but apparently he needed high bandwidth and low latency, something he can't get with satellites or the other usual alternatives.)

From davide.del.vento at gmail.com Mon May 18 12:14:43 2015
From: davide.del.vento at gmail.com (Davide Del Vento)
Date: Mon, 18 May 2015 12:14:43 -0600
Subject: [lug] SEA conference
In-Reply-To:
References:
Message-ID:

https://www2.cisl.ucar.edu/2015-sea-conference-focuses-python (news report about the event)
https://sea.ucar.edu/conference/2015/program (some videos and some material from the tutorials is available)

On Fri, Mar 6, 2015 at 2:24 PM, Davide Del Vento wrote:
> Folks,
> You may be interested in this conference
> https://sea.ucar.edu/conference/2015 which I have the honor to
> organize. As you can see registration is a bargain (it includes food
> and coffee).
> Hope to see you there,
> Davide

From jeffrey.haemer at gmail.com Mon May 18 13:59:54 2015
From: jeffrey.haemer at gmail.com (Jeffrey S. Haemer)
Date: Mon, 18 May 2015 13:59:54 -0600
Subject: [lug] OT: Credit Cards w/ Chips
In-Reply-To:
References: <1431714977.11350.4.camel@maxwellspangler.com> <55565CFA.7000705@gmail.com> <1431753262.30690.6.camel@maxwellspangler.com> <55575954.3010206@gmail.com> <55576D09.1090408@gmail.com>
Message-ID:

Yep. Western Europe, too.

Even England, which was the best off, didn't privatize until the mid 80's. I no longer remember the details, but there were elaborate schemes before that in which private companies made money by trunking calls from one place in England to another through New York, because anything routed through the US was cheaper.

The employees were government employees, too, so Lily Tomlin made fun of Ma Bell operators but even our regulated monopoly was a delight by comparison to a government bureaucracy. My mother said that the first time she got connected to a wrong number in Germany, she called the operator and explained what had happened. The operator said, "I did *not* give you a wrong number," yanked our plug, and wouldn't permit us any phone calls for the rest of the day.
:-)

When we were living in Spain, the common phone conversation initiator was a loud, "Oiga? Oiga? Digame?" ("Hear me? Hear me? Say something?") I'm sure things have improved all over Europe, but a lot of that is because the governments don't own the cell providers.

Most folks here have had decent phone service their whole lives and only know it wasn't always that way intellectually. My grandparents' phone number was "1." They had the first phone in Haynesville, LA. Here, when I moved out near Erie, in the mid-70's, we had to use an operator to make local calls.

--
Jeffrey Haemer
720-837-8908 [cell], http://seejeffrun.blogspot.com [blog], http://www.youtube.com/user/goyishekop [vlog]

From davide.del.vento at gmail.com Mon May 18 15:27:13 2015
From: davide.del.vento at gmail.com (Davide Del Vento)
Date: Mon, 18 May 2015 15:27:13 -0600
Subject: [lug] landline phones in Europe (was Re: OT: Credit Cards w/ Chips)
Message-ID:

Here are my memories of Italy (always formally western Europe, however with many gov't run businesses that I suspect some of you would call it socialist, if not communist, maybe even now that the most egregious ones have been dismantled :-)

In the late 70s (before I was too little to remember) and in the 80s, landline phone calls were actually quite good, qualitatively speaking. Moreover, local calls for a long time were charged just a single "token" (100 liras + VAT, or about $0.05 + taxes), regardless of duration. Long distance were charged more, probably too much, but I did not have persons to call at a long distance, so I don't remember the details. My parents did and they did not complain about anything, other than sometimes the price (but there was really no comparison for a similar service, so it's hard to argue it was too much, and how much of it was paid by the taxes?
I dunno and don't care to research)

In the early 90s, the price structure changed substantially, in preparation of privatization and in response to the spreading of BBS first and dial-up internet later (local calls were charged by time, instead of a token fee). At that time I started caring about long distance calls too, and even if I don't remember the price from the top of my head (learning new facts is easier for youngsters), it was quite high, compared to what happened a few years later. In fact, allowing private actors into the field in the late 90s did bring the price down quite substantially, but qualitatively speaking (both for voice and for modem connections) I did not notice any difference whatsoever, other than the steady improvements in computer's modem speeds (when I bought new modem models -- hard for me to tell if the newer model would have been equally better on previous years' lines and switchers)

I never spoke to an operator in my life and the first phone call that I dialed myself was probably around 1979.

FWIW, in Italy, cellular telephony also started as a gov't monopoly in 1990, and has been such for more than half a decade before being opened to the private sector (with just a single private company, competing against the "government") in the late 90s. According to wikipedia.it, it wasn't until 1997 that the competition was able to get a decent enough number of customers to be called a business.