Web dev in DC http://ross.karchner.com
992 stories
·
16 followers

Hacker News

1 Comment and 2 Shares

Here’s some new JavaScript on this website. It’s the only JavaScript on most pages, which are otherwise pretty minimal.

try {
  if (document.referrer) {
    const ref = new URL(document.referrer);
    if (ref.host === 'news.ycombinator.com') {
      window.location.href = 'https://google.com/';
    }
  }
} catch (e) { }

That snippet redirects people who arrive at macwright.com from Hacker News.


If you’re lucky, you end up being good at a few things. If you’re really lucky, those are also the things you like doing. I’m good at writing articles that get upvoted and discussed on Hacker News, or news.ycombinator.com. But I don’t like it.

Writing on the internet can be a two-way thing, a learning experience guided by iteration and feedback. I’ve learned some bad habits from Hacker News. I added Caveats sections to articles to make sure that nobody would take my points too broadly. I edited away asides and comments that were fun but would make articles less focused. I came to expect pedantic, judgmental feedback on everything I wrote, regardless of what it was.

Writing for the Hacker News audience makes my writing worse.

I don’t like what Hacker News has become – or a lot of the web, for that matter. But I’m part of the discourse. I’ve written critical articles, mean tweets, silly comments, the whole lot of it. It’s impossible to separate one thing from another and neatly place blame. But it’s simple to notice a thing you want less of and turn it off.

So I can flex the freedom of an independent blog by embracing what seems good and pushing away what I don’t like. Redirecting Hacker News links away from this website makes sense to me. Traffic to this website doesn’t pay my bills. Disengaged readers just looking for a hot take don’t return to my site, or recognize me when I write something else, or write blog posts of their own and bring new creativity to the indie web.

Maybe posts will be less viral (I can hear, as I write that, someone writing “you haven’t written a hit in years, Tom!”), but writing viral posts or maximizing hits wasn’t my goal when I set out and it isn’t now.

Anyway, the RSS feed works great. The HTML site works pretty well. I tweet most new articles I write. Business as usual, just less of the orange site.

Brooklyn Skyline from Gowanus

Read the whole story
petrilli
12 days ago
reply
brilliant
Arlington, VA
rosskarchner
14 days ago
reply
DC-ish
Share this story
Delete

Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

1 Comment

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Image: NCR

Here are some variations on deep insert skimmers NCR found in recent investigations:

Variations on deep insert skimmers recently found inside compromised ATMs.

The image on the left below shows another deep insert skimmer and its constituent components. The picture on the right shows a battery-operated pinhole camera hidden in a false fascia directly to the right of the ATM’s PIN pad.

Images: NCR.

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which stops current skimmer designs from locating and locking into the card reader. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

If you enjoyed this story, check out these related posts:

Crooks Go Deep With Deep Insert Skimmers

Dumping Data from Deep Insert Skimmers

How Cyber Sleuths Cracked an ATM Shimmer Gang

Read the whole story
rosskarchner
17 days ago
reply
pretty impressive, honestly
DC-ish
Share this story
Delete

Step Functions adds support for 14 new intrinsic functions to perform data processing tasks.

1 Comment
Step Functions adds support for 14 new intrinsic functions for performing data processing tasks, such as array manipulations, data encoding and decoding, hash calculations, JSON data manipulation, math function operations, and unique identifier generation.
Read the whole story
rosskarchner
31 days ago
reply
"Functionless" looking more and more feasible
DC-ish
Share this story
Delete

Technologists wanted

1 Share

The CFPB is hiring product managers, designers, engineers, data scientists, and more to help detect and prevent unfair, deceptive, and abusive practices in financial markets.

Read the whole story
rosskarchner
79 days ago
reply
DC-ish
Share this story
Delete

AWS achieves the first OSCAL format system security plan submission to FedRAMP

1 Comment

Amazon Web Services (AWS) is the first cloud service provider to produce an Open Security Control Assessment Language (OSCAL)–formatted system security plan (SSP) for the FedRAMP Project Management Office (PMO). OSCAL is the first step in the AWS effort to automate security documentation to simplify our customers’ journey through cloud adoption and accelerate the authorization to operate (ATO) process.

AWS continues its commitment to innovation and customer obsession. Our incorporation of the OSCAL format will improve the customer experience of reviewing and assessing security documentation. It can take an estimated 4,200 workforce hours for companies to receive an ATO, with much of the effort due to manual review and transcription of documentation. Automating this process through a machine-translatable language gives our customers the ability to ingest security documentation into a governance, risk management, and compliance (GRC) tool to automate much of this time-consuming task. AWS worked with an AWS Partner, to ingest the AWS SSP through their tool, Xacta.

This is a first step in several initiatives AWS has planned to automate the security assurance process across multiple compliance frameworks. We continue to look for ways to earn trust with our customers, and over the next year we will continue to release new solutions that customers can use to rapidly deploy secure and innovative services.

“Providing the SSP packages in OSCAL is a great milestone in security automation marking the beginning of a new era in cybersecurity. We appreciate the leadership in this area and look forward to working with all cyber professionals, in particular with the visionary cloud service providers, to help deliver secure innovation faster to the people they serve.”

– Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST

To learn more about OSCAL, visit the NIST OSCAL website. To learn more about FedRAMP’s plans for OSCAL, visit the FedRAMP Blog.

To learn what other public sector customers are doing on AWS, see our Government, Education, and Nonprofits case studies and customer success stories. Stay tuned for future updates on our Services in Scope by Compliance Program page. Let us know how this post will help your mission by reaching out to your AWS account team. Lastly, if you have feedback about this blog post, let us know in the Comments section.

Want more AWS Security news? Follow us on Twitter.

Matthew Donkin

Matthew Donkin

Matthew Donkin, AWS Security Compliance Lead, provides direction and guidance for security documentation automation, physical security compliance, and assists customers in navigating compliance in the cloud. He is leading the development of the industries’ first open security controls assessment language (OSCAL) artifacts for adoption of a faster and more reliable way to process resource intensive documentation within the authorization process.

Read the whole story
rosskarchner
93 days ago
reply
OSCAL or GTFO
DC-ish
Share this story
Delete

Rethinking the approach to regulations

1 Share

Markets work best when rules are simple, easy to understand, and easy to enforce. The CFPB is seeking to move away from highly complicated rules that have long been a staple of consumer financial regulation and towards simpler and clearer rules. In addition, the CFPB is dramatically increasing the amount of guidance it is providing to the marketplace, in accordance with the same principles.

Read the whole story
rosskarchner
105 days ago
reply
DC-ish
Share this story
Delete
Next Page of Stories