Links for 2015-10-21

  • How a criminal ring defeated the secure chip-and-PIN credit cards | Ars Technica

    Ingenious —

    The stolen cards were still considered evidence, so the researchers couldn’t do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal. According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card’s original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, “making insertion into a PoS somewhat uneasy but perfectly feasible,” the researchers write. [….] The researchers explain that a typical EMV transaction involves three steps: card authentication, cardholder verification, and then transaction authorization. During a transaction using one of the altered cards, the original chip was allowed to respond with the card authentication as normal. Then, during card holder authentication, the POS system would ask for a user’s PIN, the thief would respond with any PIN, and the FUN card would step in and send the POS the code indicating that it was ok to proceed with the transaction because the PIN checked out. During the final transaction authentication phase, the FUN card would relay the transaction data between the POS and the original chip, sending the issuing bank an authorization request cryptogram which the card issuer uses to tell the POS system whether to accept the transaction or not.

    (tags: security chip-and-pin hacking pos emv transactions credit-cards debit-cards hardware chips pin fun-cards smartcards)

  • How-to: Index Scanned PDFs at Scale Using Fewer Than 50 Lines of Code

    using Spark, Tesseract, HBase, Solr and Leptonica. Actually pretty feasible

    (tags: spark tesseract hbase solr leptonica pdfs scanning cloudera hadoop architecture)

  • Existential Consistency: Measuring and Understanding Consistency at Facebook

    The metric is termed ?(P)-consistency, and is actually very simple. A read for the same data is sent to all replicas in P, and ?(P)-consistency is defined as the frequency with which that read returns the same result from all replicas. ?(G)-consistency applies this metric globally, and ?(R)-consistency applies it within a region (cluster). Facebook have been tracking this metric in production since 2012.

    (tags: facebook eventual-consistency consistency metrics papers cap distributed-computing)

  • Holistic Configuration Management at Facebook

    How FB push config changes from Git (where it is code reviewed, version controlled, and history tracked with strong auth) to Zeus (their Zookeeper fork) and from there to live production servers.

    (tags: facebook configuration zookeeper git ops architecture)

  • Hyperscan

    a high-performance multiple regex matching library. Hyperscan uses hybrid automata techniques to allow simultaneous matching of large numbers (up to tens of thousands) of regular expressions and for the matching of regular expressions across streams of data.
    Via Tony Finch

    (tags: via:fanf regexps regex dpi hyperscan dfa nfa hybrid-automata text-matching matching text strings streams)

This entry was posted in Uncategorized. Bookmark the permalink. Both comments and trackbacks are currently closed.