HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lmilcin

no profile record

comments

lmilcin
·5 anni fa·discuss
Let me put my perspective on this.

The answer is both yes, and no.

Why no:

Seriously, if you need certification to put your processes in order you are in a deep shit anyway. As an organization, you should be striving to continuously learn and improve. ISO 27001 is just a standard, a minimum you should be doing anyway.

Why yes:

I think it makes sense to go over that material. A lot of that stuff makes total sense. Why learn the mistakes yourself when you can get over a lot of that stuff in one, easy to consume package? Security is a tough thing to get right, there is a lot of possibility to forget/be blind to some obvious things. While it is up to you to figure out what to do (see above) and you will be paying the price of missteps, it is always good idea to get some external validation. Especially if you are top level manager and you don't exactly know if you are getting accurate assessment of the situation from your underlings.
lmilcin
·5 anni fa·discuss
That is absolutely not fair.

BER-TLV is really nice protocol. I have worked with it for couple of years when I worked on an EMV application. It uses BER-TLV to communicate with the credit card but it is also very convenient format for all sorts of other uses and I would use it wherever I could. Think of it as Json but in binary form. It is not complicated and I would not even bother parsing the messages -- I could interpret hex dumps of them by sight very easily.
lmilcin
·5 anni fa·discuss
ASN.1 is not a binary protocol. It is a language to describe messages.

Typically you create message description which is then compiled to code that can serialize/deserialize messages in BER-TLV or PER-TLV.

I know because I wrote a complete parser/serializer for BER-TLV. It is simple protocol and any security issue is in the parser/serializer and not the protocol itself. That for simple reason that the protocol is nothing more than a format to serialize/deserialize the data.
lmilcin
·5 anni fa·discuss
I did both send mails over SMTP as well as downloading files from FTP using Telnet.
lmilcin
·5 anni fa·discuss
Binary protocols aren't (or at least don't have to be) any more difficult and frequently are even easier to implement.

Text protocols have difficult problems like escaping or detecting the end of particular field that are frequent source of mistakes.

The issue is that many (especially scripting) languages treat binary data as second class.

The only real issue is that inspecting the binary message visually is little bit more difficult. You can usually easily tell if your data structure is broken if it is in text form. What I do is I usually have some simple converter that converts the binary message to text form and this helps me inspect the message easily.
lmilcin
·6 anni fa·discuss
I found healthy proportion of designing your own projects, debugging/studying existing electronics and spending time on understanding theory behind what you are working on to be the best way for me.

I could never go far learning just theory because I seem to forget soon after I think I have understood it.

Studying/tinkering with existing electronics is fantastic -- there is so much knowledge in most products that I feel drunk with excitation to see how something can be implemented way better and more efficient than I thought. It is very interesting to see how different designers approach their problems and it builds my repository of solutions I can implement.

This is no proxy for actually trying to solve the problems. I think only after you have really tried to solve a problem you can actually appreciate alternative designs.

Now, rinse, lather, repeat.
lmilcin
·8 anni fa·discuss
It's not your problem. For the transaction to take place it has to go to your bank and your bank trusts Visa/Mastercard to manage risks. You would be surprised to know most frauds are absorbed by banks. Nobody is interested in people fearing plastic because it causes people to increase very expensive debt plus additional interchange fee from every transaction.
lmilcin
·8 anni fa·discuss
That, at least, is a problem that cab be solved by tightening security at supplier site.

The safeties are mainly to guard against the rest of the world. For example it prevents tampering in transit, or even in our own company - disgruntled employee can't do anything.

Or think for a second about the fact that we leave the device for, hopefully, entirety if its life at the client site. We had clients that were shady businesses like strip clubs that no other companies would touch with a stick.
lmilcin
·8 anni fa·discuss
You mean like couple of well known platforms that let you reach their users and in the meantime steal, mine and monetize user information?
lmilcin
·8 anni fa·discuss
It is called business. The company's ONLY duty is to bring profit to its investors and management is legally bound to maximise it. Now, the definition of profit may differ as well as what is profitable and what is not, but the company is legally obligated to work to bring profit and if you throw a good deal because you don't like it you better explain it to your investors.

Whether you like what your supplier does or does not is of no concern. If couple of units can be detected and written off it is treated as cost and you move on to decide if it is still profitable and whether you can get better deal somewhere else.

You let you emotions rule and it just means you are not fit for the job.
lmilcin
·8 anni fa·discuss
You realize when we talk pins we mean authorizing your credit card chip&pin transaction? Nothing to do with your phone pin or maybe som other pins.

The pin we are talking about is what is customized on your credit card (directly in its memory) or its equivalent in your bank's HSM for the sole purpose of performing CVM step negotiated by yor card and payment terminal.
lmilcin
·8 anni fa·discuss
English isn't my native language. Of course you are correct it is called moment of inertia.
lmilcin
·8 anni fa·discuss
I wouldn't know. We were just buying the stuff.
lmilcin
·8 anni fa·discuss
There were other considerations like the fact we were actually buing it from large reputable company and what happened was that some employees were doing it with no involvement of the company.

The fact is, doing any kind of hardware production in China, you have to be aware Chineese have different value system and you would not be suited doing any business if you throw tantrum at any sign of apparent dishonesty (assuming the company was involved which they could not have been as they have been the ones damaged the most).

If the company does screw you (like replacing components for something cheaper) they typically will not be thinking they are doing anything wrong. They are just testing if you notice and if you do not they will say it makes no difference for you but saves them costs.

The way to work is then verify everything and politely point it out. If you notice they will correct apparent mistake.
lmilcin
·8 anni fa·discuss
Ah, yes, and then we would voluntarily go out of business. And the supplier will just have another customer that would not be so principled.
lmilcin
·8 anni fa·discuss
I honestly did not know about that. I thought that if you move any mass (remove non zero mass and place it somewhere else) there must be at least one axis which you can use to detect the change in moment of inertia.
lmilcin
·8 anni fa·discuss
Ah, you are right. English is not my native language.
lmilcin
·8 anni fa·discuss
I have few more stories like the time when I closed the HSM rack door a bit too energetically and caused outage to entire company as we had to bring in third security officer to re-initialize it.

We also had special screens created for all cameras in the datacenter to block view on the HSM racks.

The biggest issue was, just before end-to-end test we figured out we forgot one of critical procedures (it was establishing authenticity of the HSM used) and we had to scramble to get new HSM and to re-establish all cryptographic material (so new storage keys, etc.)
lmilcin
·8 anni fa·discuss
We had MasterCard end-to-end test auditor on site. This is the first time ever you get to do a transaction with real transaction system with real credit card.

Due to requirements we opted to have the only large meeting room to have outside our secure zone. This created an issue as we had no network access from there and in the end we decided to use slow GPRS terminal for the test.

The end-to-end test starts with offline transactions which by their very nature are quite fast (it is negotiated between terminal and card).

But then we went to online transaction and it finished instantly too.

The auditor, bewildered, proclaimed the test failed as he assumed it was incorrectly processed offline instead of going online. But then I pointed out to the printout to show ARQC (basically says it was certified online).

Now, the real discussion started. The terminal was very slow taking quite few seconds to establish GPRS and then even more for the SSL handshake so the auditor said it was not possible to make it work.

How it worked was that I have completely gutted OpenSSL and had entire cryptographic state stored locally (safely, using internal HSM) so the SSL session could be optimistically re-established without another handshake even after TCP connection was closed. The first message the terminal sends is already encrypted transaction message, there is no SSL handshake. I wrote an application to terminate the connection in our data center so that it stored the states of each connection in the database. The entire handshake was only done if the first message could not be decrypted successfully.

The operating system was single-threaded with no multitasking of any kind. This meant that all applications on this device did their operations sequentially. Send network message, print something, display something, etc.

I wrote a cooperative multitasking functionality into the application (using coroutines) so that it could work on multiple tasks at the same time (like talking to network and printing).

I then have segregated all data on the printouts so that it can start printing without having to already have response from network. Hopefully if everything went right, the response would come before it even came to that place on the printout effectively looking as if it was done in zero time.
lmilcin
·8 anni fa·discuss
That's not correct.

HSMs are required so that the company does not need to have PIN codes exposed anywhere. Not having PINs or full credit card data makes your life easier as there is nothing to steal from you in the first place.

If your company stored PIN codes it means you were in breach of the contract and it had to lie to the auditors to pass the certification.