HackerTrans
トップ新着トレンドコメント過去質問紹介求人

lmilcin

no profile record

コメント

lmilcin
·5 年前·議論
Let me put my perspective on this.

The answer is both yes, and no.

Why no:

Seriously, if you need certification to put your processes in order you are in a deep shit anyway. As an organization, you should be striving to continuously learn and improve. ISO 27001 is just a standard, a minimum you should be doing anyway.

Why yes:

I think it makes sense to go over that material. A lot of that stuff makes total sense. Why learn the mistakes yourself when you can get over a lot of that stuff in one, easy to consume package? Security is a tough thing to get right, there is a lot of possibility to forget/be blind to some obvious things. While it is up to you to figure out what to do (see above) and you will be paying the price of missteps, it is always good idea to get some external validation. Especially if you are top level manager and you don't exactly know if you are getting accurate assessment of the situation from your underlings.
lmilcin
·5 年前·議論
Oh, thanks!
lmilcin
·5 年前·議論
I think it is public service to show historical events from a different perspective.

Reading about something is one thing, being able to experience as it happened, the same way most people experienced -- from media, is another.
lmilcin
·5 年前·議論
@dang, can we get the obvious spam crap removed somehow? Maybe instantly hide or at least minimize dead content?

Or maybe restrict discussion to people who get at least some karma?
lmilcin
·5 年前·議論
That is absolutely not fair.

BER-TLV is really nice protocol. I have worked with it for couple of years when I worked on an EMV application. It uses BER-TLV to communicate with the credit card but it is also very convenient format for all sorts of other uses and I would use it wherever I could. Think of it as Json but in binary form. It is not complicated and I would not even bother parsing the messages -- I could interpret hex dumps of them by sight very easily.
lmilcin
·5 年前·議論
ASN.1 is not a binary protocol. It is a language to describe messages.

Typically you create message description which is then compiled to code that can serialize/deserialize messages in BER-TLV or PER-TLV.

I know because I wrote a complete parser/serializer for BER-TLV. It is simple protocol and any security issue is in the parser/serializer and not the protocol itself. That for simple reason that the protocol is nothing more than a format to serialize/deserialize the data.
lmilcin
·5 年前·議論
I did both send mails over SMTP as well as downloading files from FTP using Telnet.
lmilcin
·5 年前·議論
Binary protocols aren't (or at least don't have to be) any more difficult and frequently are even easier to implement.

Text protocols have difficult problems like escaping or detecting the end of particular field that are frequent source of mistakes.

The issue is that many (especially scripting) languages treat binary data as second class.

The only real issue is that inspecting the binary message visually is little bit more difficult. You can usually easily tell if your data structure is broken if it is in text form. What I do is I usually have some simple converter that converts the binary message to text form and this helps me inspect the message easily.
lmilcin
·6 年前·議論
I found healthy proportion of designing your own projects, debugging/studying existing electronics and spending time on understanding theory behind what you are working on to be the best way for me.

I could never go far learning just theory because I seem to forget soon after I think I have understood it.

Studying/tinkering with existing electronics is fantastic -- there is so much knowledge in most products that I feel drunk with excitation to see how something can be implemented way better and more efficient than I thought. It is very interesting to see how different designers approach their problems and it builds my repository of solutions I can implement.

This is no proxy for actually trying to solve the problems. I think only after you have really tried to solve a problem you can actually appreciate alternative designs.

Now, rinse, lather, repeat.
lmilcin
·8 年前·議論
It's not your problem. For the transaction to take place it has to go to your bank and your bank trusts Visa/Mastercard to manage risks. You would be surprised to know most frauds are absorbed by banks. Nobody is interested in people fearing plastic because it causes people to increase very expensive debt plus additional interchange fee from every transaction.
lmilcin
·8 年前·議論
That, at least, is a problem that cab be solved by tightening security at supplier site.

The safeties are mainly to guard against the rest of the world. For example it prevents tampering in transit, or even in our own company - disgruntled employee can't do anything.

Or think for a second about the fact that we leave the device for, hopefully, entirety if its life at the client site. We had clients that were shady businesses like strip clubs that no other companies would touch with a stick.
lmilcin
·8 年前·議論
You mean like couple of well known platforms that let you reach their users and in the meantime steal, mine and monetize user information?
lmilcin
·8 年前·議論
It is called business. The company's ONLY duty is to bring profit to its investors and management is legally bound to maximise it. Now, the definition of profit may differ as well as what is profitable and what is not, but the company is legally obligated to work to bring profit and if you throw a good deal because you don't like it you better explain it to your investors.

Whether you like what your supplier does or does not is of no concern. If couple of units can be detected and written off it is treated as cost and you move on to decide if it is still profitable and whether you can get better deal somewhere else.

You let you emotions rule and it just means you are not fit for the job.
lmilcin
·8 年前·議論
You realize when we talk pins we mean authorizing your credit card chip&pin transaction? Nothing to do with your phone pin or maybe som other pins.

The pin we are talking about is what is customized on your credit card (directly in its memory) or its equivalent in your bank's HSM for the sole purpose of performing CVM step negotiated by yor card and payment terminal.
lmilcin
·8 年前·議論
English isn't my native language. Of course you are correct it is called moment of inertia.
lmilcin
·8 年前·議論
I wouldn't know. We were just buying the stuff.
lmilcin
·8 年前·議論
There were other considerations like the fact we were actually buing it from large reputable company and what happened was that some employees were doing it with no involvement of the company.

The fact is, doing any kind of hardware production in China, you have to be aware Chineese have different value system and you would not be suited doing any business if you throw tantrum at any sign of apparent dishonesty (assuming the company was involved which they could not have been as they have been the ones damaged the most).

If the company does screw you (like replacing components for something cheaper) they typically will not be thinking they are doing anything wrong. They are just testing if you notice and if you do not they will say it makes no difference for you but saves them costs.

The way to work is then verify everything and politely point it out. If you notice they will correct apparent mistake.
lmilcin
·8 年前·議論
Ah, yes, and then we would voluntarily go out of business. And the supplier will just have another customer that would not be so principled.
lmilcin
·8 年前·議論
I honestly did not know about that. I thought that if you move any mass (remove non zero mass and place it somewhere else) there must be at least one axis which you can use to detect the change in moment of inertia.
lmilcin
·8 年前·議論
Ah, you are right. English is not my native language.