Hacker News: LiamPa's comments

Search for betcode; plenty of us are on the Slack.

https://github.com/betcode-org


Oh wow, it's happening there! I've followed and starred and bookmarked and all that, and will be having a browse around a bit more closely when I get a moment. I think I'm roughly understanding what the group is about. I'll follow up, thanks!


Looks like the slack invite expired?



My step-great-grandmother is currently the oldest in the UK; the family had to take her car keys off her when she turned 100, and she wasn't best pleased about it.

https://oldestinbritain.nfshost.com/


Is Caterham a common name in Britain, or are you related to the sports cars?


It's a shame it's probably going to take another 10 years before any of the banks actually migrate to ISO20022 (if it ever happens). SWIFT MT conversion software is currently the big sell, so they don't have to rewrite/rebuild everything they already have.


In 2018 I implemented a software client that sent SEPA pain messages to the Luxembourg branch of a Swedish bank. I don't know where you live, but at least in Europe this standard seems somewhat broadly adopted.


SEPA has always been ISO20022; SWIFT (US) is now following.


As of early next year, the Fed (US) will not accept anything other than ISO20022 messages on their networks. So any banks that are using Fed networks are required to use ISO20022.


I wouldn't hold your breath.


I work for a large financial institution and we've been migrating our Fed network processing to ISO20022. All financial institutions we work with, and vendors who process payments for fraud and such, are also doing so. I'm highly skeptical of the date, but it is going to happen.


The delay is 1s for placing bets in-play on racing; you are correct with regard to zero delay on cancellations. The advantage is simply down to latency and being ahead of everyone (except GPS users) in an event where probabilities move very fast. A lot (maybe the majority) is liquidity provided by automated systems or 'keep' bets placed before the race where the user has no intention to cancel.


I think they are supposed to be the 'wing'.


Maybe. But aside from that little artifact, it is really nice and it fits the description well. And it probably only took the author a few moments to get it generated.


I think it might be dragon wings.


How is something like this not picked up in a pen test? Can only assume there never has been one...


Don't assume it wasn't.

I've done tests several years in a row where I pop a service using the first year's report.


Kinda like when a government program says they consulted the bar society or the privacy commissioner before going ahead with it.

But if you read their reports, it’s all “no, no, no, no way!!!!!!”

A lot of “consultations” are really “inform/get informed, and ignore it all and do what you were going to do all along anyway”.

But you can check the box to say you did your consultations.


Probably because a lot of pen testing is security theatre.


Since this is specifically related to accepting payment, one would hope this infrastructure has received adequate security testing as required by PCI standards.

In practice, PCI standards compliance is a mess of people selling "point and click compliance solutions," companies being too big to be properly audited, code churn between audits, companies misleading auditors or hiding key data. Security theater is especially pervasive in PCI compliance.


To your point: although the post discusses possible PCI implications, I don't think exposing the last 4 and PII alone are enough to run afoul of the requirements (at least 3.2, as far as I remember). We would need the full PAN or CVV, or evidence that this was being stored improperly, etc. If I recall, a company can store the first 6 and last 4 in plaintext. With that said, these problems may indicate bigger issues that would violate the DSS, he may have found more that wasn't written about, or I could just be mistaken.
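The "first six / last four" display rule the comment above recalls, turned into working code as an added example (not code from the thread, from the post under discussion, or from any PCI document). It masks a PAN to at most first six and last four, refuses input that is not a plausible card number, and includes the complementary check a reviewer would actually run: scanning free text (logs, database dumps) for unmasked, Luhn-valid card numbers, which is the "evidence that this was being stored improperly" the comment mentions. The card numbers and the log line are constructed, Luhn-valid test values, not real cards.

```python
"""Card-number handling that respects the display rule recalled above:
keep at most the first six and last four digits, mask the rest.

Added example, not code from the thread or from any PCI document. The
card numbers are constructed, Luhn-valid test values, not real cards.
"""
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check over a digit string; rejects non-digit or too-short input."""
    if len(digits) < 2 or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(raw: str, keep_first: int = 6, keep_last: int = 4, fill: str = "*") -> str:
    """Mask a PAN for display.

    Refuses input that is not a plausible card number, so the caller cannot
    end up "masking" (and then logging) something that was never a PAN,
    and refuses to keep more digits than the first-six/last-four rule.
    """
    if keep_first > 6 or keep_last > 4:
        raise ValueError("display rule allows at most first 6 and last 4")
    digits = re.sub(r"[ -]", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + fill * hidden + digits[-keep_last:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers present in free text (logs, dumps).

    This is the check for "is a full PAN being stored where it should not
    be"; masked output never matches because the fill breaks the digit run.
    """
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed log line: two test PANs plus a 13-digit timestamp that is
# not a card number (it fails the Luhn check and is correctly ignored).
SAMPLE_LOG = (
    "ts=1700000000000 order=42 card=4111 1111 1111 1111 "
    "alt=5555-5555-5555-4444 status=ok"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(mask_pan("4111 1111 1111 1111"))
```

The Luhn check is what keeps the scanner useful on real logs: timestamps, order IDs and hashes produce plenty of 13-19 digit runs, and nearly all of them fail it.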


More likely: the pentest report that was made because it was mandatory ended up in someone's drawer.


So many "pentests" are:

* run scanner

* print out report

Not a lot of deep diving.


Yep. It's a shame. I once (long ago :)) alerted our CTO to an ongoing attack in production after seeing some obviously attack-oriented requests coming in and hitting our gateway. It became a pretty high-visibility incident for about 20 minutes until a manager spoke up that his "pen test" was being performed. Looking into the "testing" that was occurring, they were attempting to scan for decade-old PHP bugs in a set of services which were written in Java and NodeJS. Very high value stuff... Can only imagine what the invoice was for this valuable service.
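The triage the comment above describes, as an added example that is not code from the thread or from any product mentioned in it: telling a scanner that is walking a wordlist of PHP-only paths against a Java/Node stack apart from real clients and from a single stray request. The access-log lines are constructed in combined-log style; the probe path list, the thresholds and the assumption that nothing behind the gateway serves PHP are the example's own choices.

```python
"""Flag scanner-style sources in gateway access logs.

Added example, not code from the thread. Log lines are constructed in
Apache/nginx combined-log style; the probe patterns assume the services
behind the gateway serve no PHP at all, so any request for a PHP-only
path is a probe rather than a user.
"""
import re
from collections import defaultdict

# Constructed sample traffic: one real client, one scanner, one stray hit,
# and one malformed line to exercise the parser's failure path.
LOG_LINES = """\
10.0.0.5 - - [12/Mar/2023:10:01:01 +0000] "GET /api/orders HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2023:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 0
203.0.113.9 - - [12/Mar/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.9 - - [12/Mar/2023:10:01:03 +0000] "GET /cgi-bin/php HTTP/1.1" 404 0
203.0.113.9 - - [12/Mar/2023:10:01:03 +0000] "GET /index.php HTTP/1.1" 404 0
203.0.113.9 - - [12/Mar/2023:10:01:04 +0000] "GET /api/orders HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2023:10:01:05 +0000] "POST /api/orders HTTP/1.1" 201 64
10.0.0.7 - - [12/Mar/2023:10:01:06 +0000] "GET /old.php HTTP/1.1" 404 0
this line is not a log entry and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that only make sense on a PHP stack (assumption: none is legitimate here).
PROBE_PATTERNS = [
    re.compile(r"\.php(?:\?|$)", re.I),
    re.compile(r"/(?:phpmyadmin|pma|wp-admin|wp-login|xmlrpc)\b", re.I),
    re.compile(r"/cgi-bin/", re.I),
]


def parse_line(line):
    """Return the fields of a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the request path is a PHP-only location."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scanner_sources(lines, min_probes=3, min_404_ratio=0.8):
    """Return {ip: stats} for sources that look like scanners.

    A source is flagged when it requested at least `min_probes` PHP-only
    paths and at least `min_404_ratio` of all its requests were 404s,
    i.e. it is walking a wordlist of things that do not exist here.
    A single stray .php hit (old bookmark, typo) stays below threshold.
    """
    stats = defaultdict(lambda: {"total": 0, "probes": 0, "not_found": 0, "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the pipeline
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        if is_probe(rec["path"]):
            s["probes"] += 1
            if len(s["paths"]) < 3:      # keep a few sample paths for the alert
                s["paths"].append(rec["path"])
    return {
        ip: s for ip, s in stats.items()
        if s["probes"] >= min_probes and s["not_found"] / s["total"] >= min_404_ratio
    }


if __name__ == "__main__":
    for ip, s in scanner_sources(LOG_LINES.splitlines()).items():
        print(ip, s)
```

On the constructed sample, 203.0.113.9 is flagged (four PHP-only probes, four of five requests 404) while 10.0.0.7's lone request for /old.php is not; lowering min_probes to 1 flags it too, which is the trade-off the thresholds exist for.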


So, to try and add some value to this conversation vs just reporting a personal anecdote... Do people here have suggestions for actually-good white-hat companies?

Can you recommend companies that you've personally worked with who employ knowledgeable security engineers (hackers) to perform real penetration tests and conduct valuable security scans resulting in value-add reports your engineering team can work with?

Not looking for naming and shaming... but rather "Who doesn't suck at doing this?".


NCC Group is probably the biggest name because they go around hoovering up companies that are usually above average in the competencies you asked about. And they can attract and retain talent.

Trail of Bits is another big name because they hire and retain talent across a large number of enterprise, emerging tech, and research verticals.

Other established firms include Atredis Partners, IOActive, Security Innovation. There are more one could list.

Sometimes these companies work with partners who ask to publicly disclose some artifact resulting from the test. Here is a collection of those reports aggregated by firm: https://github.com/juliocesarfort/public-pentesting-reports (Edit: note this is not a great way to evaluate any particular company, but it does provide an objective listing of companies that exist in the pentesting space).

Each firm will also have variability in their personnel for your project which can yield different results for two independent tests on the same target from the same firm.


We had a good experience with https://www.praetorian.com/services/penetration-testing/ earlier this year.


One valuable thing that did come out of that is that it proved your monitoring works and you caught the attack quickly. I also had a similar experience where we were getting bombarded with alerts from our wifi controller all of a sudden. It turned out that a pen tester showed up in the middle of the day and started to run "scans", probably with Nessus or something.

I could have done all of this myself and saved the company tens of thousands of dollars, but I think management insisted it come from an outside company. It would be nice, though, to find an actual pen tester from the back alley of DEFCON who you have to pay in crypto or precious metals and have them do some actual hacking. :)


It's a power station; have a read of 'The Giza Power Plant'.


I enjoy reading far-out theories like these. I recently[1] saw one that claimed all the weird tunnels that terminate just short of the outside resemble waveguides, the big tunnel with the grooves was a low-pass filter, and the whole structure was basically a giant antenna.

Any electrical engineers around feel like modelling it and seeing how true it is?

[1] https://www.youtube.com/watch?v=Yb0zGX2gJIY


You wouldn't make an inverted-inverted-V antenna out of waveguide. The whole point of waveguide is to be a transmission line, not a radiating element. Even if we ignore that, a dipole antenna of those dimensions is two orders of magnitude larger than what you'd use to radiate on the hydrogen line.


Best decision I made was migrating to ECR on AWS; Docker Hub just cannot be used for production services.


I use YARA for real-time screening in Django REST and it's super fast and easy. Airbnb open-sourced BinaryAlert, which is a cool serverless implementation.

https://github.com/airbnb/binaryalert


Cognito?

