Differences

This shows you the differences between two versions of the page.

--- ci2010:team2_bruce_schneier [2010/02/14 16:26]
lstarret
+++ ci2010:team2_bruce_schneier [2010/02/27 15:11] (current)
lstarret
@@ Line 1: / Line 1: @@
-====Security Guru - Bruce Schneier====
+=====Bruce Schneier - Security Guru=====
+[[ci2010:team2|Back to Main]]
 //Bruce Schneier is a well respected author and critic on topics of security. His primary research and writings are on the topic of cryptology, but he is considered a "guru" of security in general.// [[http://www.schneier.com/about.html|Click Here]] //for Bruce's full bio page.//
-**Schneier's Blog** - [[http://www.schneier.com|Here]] is Schneier's full blog
+**Schneier's Blog** - [[http://www.schneier.com|Here]] is Schneier's full blog (Seriously interesting and updated almost daily. If you have even the slightest interest in security, I would bookmark this one.)
 Bruce Schneier's personal blog contains a myriad of articles pertaining to current security issues. Articles vary from internet security issues such as fraud and theft, to topics of airport security and other physical security issues (keys, safes, etc.)
@@ Line 17: / Line 19: @@
 [[http://www.schneier.com/blog/archives/2010/02/man-in-the-midd_1.html|Full Article]]
-//Researchers found a way to exploit credit cards. Their system allows them to use stolen credit cards without knowing the PIN! This article demonstrates the importance of researches actually BREAKING security protocols on purpose as if they were criminals themselves. Notice the way the researches recorded the exploit on camera for all to see//:
+//Researchers (Computer Scientists, in fact) from Cambridge University found a way to exploit credit cards. Their system allows them to use stolen credit cards without knowing the PIN! This article demonstrates the importance of researches actually BREAKING security protocols on purpose as if they were criminals themselves. These researchers did just that by recording the exploit on camera for all to see//:
-**"...We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN."** The following [[http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html|video]] (exploit: 2:01 - 3:30) shows the exploit in action. Note that these guys prove that they can break the system forcing banks and card issuers to fix the problem, but since this aired on BBC (as opposed to a privately hosted internet video), the exact details could not be divulged.
+**"...We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN."** The following [[http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html|video]] (exploit: 2:01 - 3:30) shows the exploit in action. You may notice that this version was done by BBC, and at some point they say something like "We obviously don't want to give out too much detail..." Well, maybe not on TV, but the effectiveness of this method for improving security (that is, hacking then publicizing the hack) requires full disclosure. So here it is, folks: the [[http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf|thesis paper]] entitled "Chip and PIN is Broken" published by the researchers from Cambridge themselves. Happy hacking!
 //Now read the following response to this article (as posted on Schneier's blog)://
@@ Line 30: / Line 31: @@
-//If you didn't watch the whole// [[http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html|video]] //the first time, I recommend doing so. Take special notice of when interviewees answer questions such as: Did the banks know/suspect this attack already? Has this exploit already been used by criminals? Were the banks able to [and if so why didn't they] prevent this attack? What must the banks do now?//
+//If you didn't watch the whole// [[http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html|video]] //the first time, I recommend doing so. Take special notice of the answers interviewees offer to questions such as: Did the banks know of/suspect this attack already? Has this exploit already been used by criminals? Were the banks able to [and if so why didn't they] prevent this attack? What must the banks do now?//
-In short, banks/card issues may realize that there is a gaping hole in swipe-card security, but the amount of money it would cost to fix the problem may be monstrous, and they would rather deal with a few people who have had large sums of money stolen due to this exploit than plug the hole. However, when researches **purposefully break the system** and then **make the hack public**, suddenly the banks are **forced to fix the exploit**, because the weak spot is no longer a secret known to few. The result? **The world becomes just a little bit more secure.**
+In short, banks/card issues may (although not necessarily) have realized that there is a gaping hole in swipe-card security, but the amount of money necessary to fix the problem could potentially be monstrous, and, if it's cheaper for them, banks may rather simply deal with a few people who have had large sums of money stolen due to this exploit than plug the hole. However, when researches **purposefully break the system** and then **make the hack public**, suddenly the banks are **forced to fix the exploit**, because the weak spot is no longer a secret known to few. The result? **The world becomes just a little bit more secure.**

Computer Science for Education

User Tools

Site Tools

Differences

Page Tools