posted by azrael on Wednesday October 29 2014, @11:59PM
from the who'll-pay-for-this dept.

TechCrunch is reporting that MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others that is backing the mobile payments solution CurrentC, has been hacked. The data breach involves the theft of email addresses.

CurrentC are working hard to bring their own mobile payment solution to the market and recently made a number of retail chains turn off their contactless (NFC) card readers to prevent people paying with the competing Google Wallet and Apple Pay.

Are proprietary solutions becoming the new norm? Previously, all TVs could display all channels being broadcast, and either cash or standard, mainstream credit cards were universally accepted, but the new direction seems to be a plethora of incompatible technologies for the benefit of the vendor instead of the customer.

 
  • (Score: 0) by Anonymous Coward on Thursday October 30 2014, @01:42AM (#111400)

    Something tells me that they weren't using OpenBSD!

    Please, people, if you're dealing with any sort of a computer system that needs any security, just use OpenBSD. It's the smartest thing to do, because OpenBSD is the securest operating system there is.

  • (Score: 2) by kaszz (4211) on Thursday October 30 2014, @01:51AM (#111405)

    Not using OpenBSD gives vulnerability karma that comes around to bite the operator ;-) no other BSD protects against the ev1lz forces?

  • (Score: 1, Informative) by Anonymous Coward on Thursday October 30 2014, @03:27AM (#111431)

    If it were me, and I were given authority over what went in, I would go with Micrium's uC/OS. While it's not free software, it is supported, and the people who make it are quite open as to how it works.

    I feel one of the riskiest things to do is to use proprietary stuff protected by obscurity. I cite the latest round between FTDI and Microsoft versus the blokes who trusted them as evidence as to why that business model should not be trusted. It's like buying a bridge with a little hidden lever under it, which when pulled will collapse the bridge. Only business executives, with their personal fortunes tucked safely behind hold harmless clauses, would buy into such a thing.

    I am the designer, and I really feel uncomfortable designing anything into my stuff which has a back door in it. Especially ones I do not know about. The FTDI one caught me with my pants down. I did not do due diligence, I saw someone else's design in a trade magazine and designed it in from there. To me, it was just another low-level logic gate... not some remotely crashable device that just waits for a prankster to feed it a destruct code, with the resulting chaos at my expense. I will be red-faced over that one for some time now. I have stuff in the field with FTDI chips in it. I do not sleep well. I wish I had designed around an expendable download cable.

    A soldered in bricked chip makes for a bricked board, and in my case, a bricked system.

    We have a poll of "greatest fear" here on Soylent. One of mine is that in the event of societal breakdown, the powers that be flood the internet with destruct codes so that a lot of non-military technologies are rendered useless. The public would be subject to a mass DOS attack using the powers claimed to be used for copyright infringement. If it's not our own Government issuing NSLs to do this, it will be foreign sovereigns intent on creating havoc. I simply do not believe anyone should have the power to collapse public infrastructure and property belonging to others only because he knows the code to bring it down.

    Neither Microsoft nor FTDI are trustworthy, as thus shown. Unfortunately, I do not trust anyone anymore.

    The only way both Microsoft and FTDI can save face in my book is to trot both the engineer who devised this, and the managers who approved it, out in the open, strip them of both job and all retirement benefits, and wash their hands of it... in public. Just as they would do to an employee if they caught him putting sugar in the gas tank of the company truck. But that's dreaming. When one gets that high in an organization, one seems to be immune from taking responsibility; someone else considers them too important. Sometimes, it seems the only answer is to ditch the entire execumanagement structure and restart the technology from the ground up with just the working class of engineers, technicians, and assemblers.

    • (Score: 1) by jmorris (4844) on Thursday October 30 2014, @05:04PM (#111586)

      This is drifting seriously offtopic but dude! Blaming Microsoft for the FTDI fiasco and demanding they throw somebody under the bus? When the story broke it wasn't even a day before they pulled the update. Remember, they operate in the closed source world where they DO NOT get to see the source of things any more than their customers do. They just saw a routine driver update from an established vendor and rolled it out. This one is all on FTDI.

    • (Score: 2) by tibman (134) on Thursday October 30 2014, @05:42PM (#111606)

      I think you're misinformed on FTDI. If you have an actual FTDI chip then everything will work fine. If you had a counterfeit then everything would not work fine. Unless you are building devices with counterfeit chips then I think you'll be okay. If your chip sources are dodgy then you'll always have these issues. FTDI did publicly apologize. Apparently a lot of people were using fake chips.

      As far as Microsoft, I'm not sure how much they play into this. They just distributed the driver. I do not like MS but other than asking them to vet every driver, I don't think there is much they can do here. Especially in this case where checking the driver which authentic hardware would have passed all tests.

      Your Doomsday scenario will only affect devices and software that allow automatic external/upstream updates. Very little hardware and production machines run in this scenario. Patches are applied to test machines before a rollout. If it fails then you rollback or re-image and don't apply that patch to your production hardware/software. Some consumer hardware is managed by external companies, that would be the failure points. Things like cable-modems and cell-phones. But not things like computers, routers, traffic lights, and public infrastructure.

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 2, Insightful) by dltaylor (4693) on Thursday October 30 2014, @03:47AM (#111432)

    A better than most (if not all) secure kernel is no protection against executives who should, but don't, go to jail when the systems are breached refusing to spend the money to secure the system, PHBs that don't have a clue about security anyway, or incompetent implementors who could not secure a web site if, literally, their lives depended on it. Of course there is the combination of the above that puts the air conditioning system on the same network as the point-of-sale system and gives out privileged credentials to the HVAC maintainers (Target).