
Cloud seems to be the ultimate Rorschach Test, both in the real world and the IT world. (From http://blog.labslice.com/2010/09/wispy-cloud.html).


Lab environments are places where you can play with machines -- e.g. customer POC, product evaluation, training environments etc. The objective is to move those lab environments to the cloud, for certain customer use cases.

We use regular AMIs. What we do is add management around it to make it into the 'lab' type environment. For example, we offer policies to help control costs, we can allow you to share an AMI simply by sending an email and we offer a multi-user environment for all employees within a company. These are all features that aren't readily available in the off-the-shelf EC2 environment.


I am quite certain that the EMV chip, which is the chip on your card, must authenticate the POS machines it talks to. The authentication is done using public key cryptography.

So it's not sufficient just to host a fake machine and expect it to be accepted within the EMV infrastructure (cards, POS machines and backend processors).


Of course, extracting the entered PIN is trivial to do with a covertly modified terminal (skimming). Short of the card being stolen, that shouldn't let anyone access your account, assuming the crypto implementation is sound. Likewise, the card without the PIN is designed to be equally useless, though support for legacy payment systems partially undermines all of this. I suspect a modified terminal which records entered PINs and clones the magnetic strips would let you withdraw cash from the victim's account via Cirrus/Visa Plus.


> my email address, is shared with a famous (in a bad way) world leader

Kim Jong Il?

Brute forcing gmail is not really feasible, especially not if you have a decent password in place. I suspect that they would just put up a captcha and maybe slow down the login process if you fail too many times.

If your computer is compromised and you keep using the system to either login or change your password then that password will continue to get compromised.

In many ways you are also best off to reimage your PC and create a completely new gmail account. If the account was sending too many nasty things then it may be on various blacklists already, which will just affect your ongoing usage of it.
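The throttling the comment above speculates about (a CAPTCHA after a few failures, then a growing delay) can be sketched as a small per-account policy. The following is an added illustration and is not Google's actual mechanism or any code from this thread; the thresholds (3 failures before a CAPTCHA, a 1 second base delay doubling up to 30 seconds) are assumptions chosen for the demo.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Decision is what the login handler should do with an attempt.
type Decision struct {
	Allowed     bool          // false while the account is in a cool-down window
	NeedCaptcha bool          // true once CaptchaAfter consecutive failures are on record
	RetryAfter  time.Duration // time until the next attempt is accepted (when !Allowed)
}

// LoginThrottle tracks consecutive failures per account (assumed policy, not Google's).
// After CaptchaAfter failures every attempt must carry a CAPTCHA; each further failure
// doubles a cool-down delay, starting at BaseDelay and capped at MaxDelay. Keying by
// account rather than source address means rotating IPs does not reset the counter.
type LoginThrottle struct {
	CaptchaAfter int
	BaseDelay    time.Duration
	MaxDelay     time.Duration

	mu        sync.Mutex
	failures  map[string]int
	lockedTil map[string]time.Time
}

func NewLoginThrottle(captchaAfter int, base, max time.Duration) *LoginThrottle {
	return &LoginThrottle{
		CaptchaAfter: captchaAfter, BaseDelay: base, MaxDelay: max,
		failures: map[string]int{}, lockedTil: map[string]time.Time{},
	}
}

// Attempt is called before the password is checked.
func (t *LoginThrottle) Attempt(account string, now time.Time) Decision {
	t.mu.Lock()
	defer t.mu.Unlock()
	if until, ok := t.lockedTil[account]; ok && now.Before(until) {
		return Decision{Allowed: false, NeedCaptcha: true, RetryAfter: until.Sub(now)}
	}
	return Decision{Allowed: true, NeedCaptcha: t.failures[account] >= t.CaptchaAfter}
}

// Record is called with the outcome of the password check. Success clears the
// account's history; failure extends the cool-down once past the CAPTCHA threshold.
func (t *LoginThrottle) Record(account string, success bool, now time.Time) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if success {
		delete(t.failures, account)
		delete(t.lockedTil, account)
		return
	}
	t.failures[account]++
	over := t.failures[account] - t.CaptchaAfter
	if over <= 0 {
		return
	}
	delay := t.BaseDelay << uint(over-1) // 1x, 2x, 4x ... of BaseDelay
	if delay > t.MaxDelay || delay <= 0 { // <= 0 guards against shift overflow
		delay = t.MaxDelay
	}
	t.lockedTil[account] = now.Add(delay)
}

func main() {
	th := NewLoginThrottle(3, time.Second, 30*time.Second)
	now := time.Now()
	for i := 1; i <= 6; i++ { // constructed run: six wrong passwords in a row
		d := th.Attempt("demo-user", now)
		fmt.Printf("attempt %d: allowed=%v captcha=%v retryAfter=%v\n", i, d.Allowed, d.NeedCaptcha, d.RetryAfter)
		th.Record("demo-user", false, now)
		now = now.Add(500 * time.Millisecond)
	}
}
```

Note that the counter is reset only by a successful login, so changing the password from a compromised machine (the situation the comment warns about) does nothing to stop the next round of failures from a fresh client.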


I may be opening myself up to attack, but I find that the best programmers around are the ones who started at the lowest levels and then progressed up the abstraction levels. It's quite easy to move up in levels of abstraction, but not the other way around.


I'm going to join you or at least offer a personal example.

The best programmer I have ever met programmed medical equipment in assembly when he graduated undergrad. I met him in graduate school and he was scary good regardless of the language.


It's quite possible that the Chinese government hacked your iPhone so that they can send out spam for fake Rolexes. But in all likelihood you have a keylogger or browser based password sniffer sitting somewhere in your computer, and you are just a victim of a generic hack. You would have got this malware by installing something you shouldn't or maybe you're running buggy software with a vulnerability. BTW, I'm wondering if your father in law was using your computer recently and had his passwords stolen?


yeah, I honestly went with the flashy title because I wanted some help. Appreciate the assist.


My business (LabSlice) was just announced as a semi-finalist. I didn't even realize it was publicly announced until I clicked this link in the poster's blog: http://aws.typepad.com/aws/2010/11/aws-start-up-challenge-20....

I am just a data point, but it's worth mentioning that LabSlice has no VC funding at all, and is truly a startup (i.e. the website has only been online for a month or so). So on the one hand I can attest to some success, even without serious VC backing. On the other hand I will admit to surprise that the AWS competition classifies a startup as a business with less than $10M in revenues or $10M VC funding. Sure, they may technically be a startup, but they are in a much different league to the guy in the basement.

In some ways it would be pragmatic to have a VC funded tier and a non-VC funded tier. That's the only way to differentiate businesses to give a better chance to the little guy. But in reality this is a competition that Amazon funded out of their pocket and they can call whatever rules they see fit.


Wow...I never knew about the part "as a business with less than $10M in revenues or $10M VC funding". Now it sounds like the contest is only a PR exercise. Not that it is surprising though.


"... that have not generated more than $10 million USD (approximately 7,584,950 EUR) in gross annual revenues and no more than $10 million USD (approximately 7,584,950 EUR) in outside funding."

I didn't want my own words to be the only source for this claim, so above is a cut'n'paste from the rulebook.

But still, LabSlice (and I believe one or two others) aren't near these figures and did get some sort of nomination.


I completely disagree. A person who is really passionate about IT security will know about cryptography because they are interested in how security works, not because it's a requirement for the job interview. In fact, I am surprised at the number of highly paid security 'professionals' who are little more than auditors with a pen and a form to tick.

Asking about crypto is a great way to weed out the auditors from the pros. There is also a difference between cryptographic algorithms and cryptographic implementations. I wouldn't expect you to write algorithms, but I definitely would like you to explain real-life implementations. A good set of crypto questions to ask, that are quite basic and yet will trip up lots of security pros:

* What's the difference between a Verisign certificate and a self-signed certificate?

* In which environment would I use the Verisign cert and in which one would I use a self-signed?

* In what cases would I expect the Verisign cert to generate warnings in my browser? What about the self-signed? How do I fix these errors?
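To make the three certificate questions above concrete, here is an added worked example (my own illustration, not code from the commenter or from LabSlice) using Go's standard crypto/x509 package. It builds a throwaway root CA standing in for a public CA like Verisign, issues a leaf for a constructed hostname, makes a self-signed leaf for the same name, and then runs the checks a browser performs: trust-store membership, hostname match and validity period. The hostname lab.example.com and the "Demo Root CA" name are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds constructed certificates: a throwaway root CA (standing in for a
// public CA), a leaf it issued for the host, a self-signed leaf for the same host,
// and a CA-issued leaf whose validity period has already ended.
type DemoPKI struct {
	CA, CASigned, SelfSigned, Expired *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl, signed by parent with signerKey, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemoPKI generates the four certificates for host with ephemeral P-256 keys.
func BuildDemoPKI(host string) DemoPKI {
	now := time.Now()
	caKey, leafKey := newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // a root always signs itself

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the hostname against the SAN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	caSigned := sign(leafTmpl, ca, &leafKey.PublicKey, caKey) // the CA's key signs the leaf

	selfTmpl := *leafTmpl
	selfTmpl.SerialNumber = big.NewInt(3)
	selfSigned := sign(&selfTmpl, &selfTmpl, &leafKey.PublicKey, leafKey) // leaf signs itself

	expTmpl := *leafTmpl
	expTmpl.SerialNumber = big.NewInt(4)
	expTmpl.NotBefore, expTmpl.NotAfter = now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	expired := sign(&expTmpl, ca, &leafKey.PublicKey, caKey)

	return DemoPKI{CA: ca, CASigned: caSigned, SelfSigned: selfSigned, Expired: expired}
}

// Trust builds a root pool from the given certificates; it plays the browser's trust store.
func Trust(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// Check verifies leaf for host against the trust store and names the warning a browser would show.
func Check(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // issuer is not in the trust store
		return "unknown-authority"
	case x509.HostnameError: // chain is fine, but the cert was issued for another name
		return "hostname-mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	}
	return "other"
}

func main() {
	pki := BuildDemoPKI("lab.example.com") // constructed hostname
	trusted := Trust(pki.CA)
	fmt.Println("CA-signed, right host:      ", Check(pki.CASigned, trusted, "lab.example.com"))
	fmt.Println("CA-signed, wrong host:      ", Check(pki.CASigned, trusted, "www.example.com"))
	fmt.Println("CA-signed, expired:         ", Check(pki.Expired, trusted, "lab.example.com"))
	fmt.Println("self-signed, CA-only store: ", Check(pki.SelfSigned, trusted, "lab.example.com"))
	fmt.Println("self-signed, added to store:", Check(pki.SelfSigned, Trust(pki.SelfSigned), "lab.example.com"))
}
```

The last two lines of main are the answer to "how do I fix these errors" for the self-signed case: the certificate itself is not broken, the client just has no reason to trust its issuer, so you either install it in the client's trust store (fine for an internal lab) or get it issued by a CA the client already trusts. Hostname and expiry warnings, by contrast, are fixed on the server side by reissuing the certificate.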


Questions about Verisign certs vs. self-signed certs are good, because that's an issue that actually comes up in infosec.

There definitely are good crypto questions to ask. But these questions aren't those. They demonstrate only enough of a command of cryptography to pass an interview. They're signalling questions, not assessment questions.

And, with the exception of things like "what's wrong with self-signed certificates", the real crypto questions will weed out essentially 100% of your candidates (and 99% of appsec candidates as well). Note: the "real" questions I'm thinking of have very little to do with algorithms.

There's a word for things you ask about because a person who was really a member of your club would be fascinated by them: shibboleth.


And a really good security guy may also know of Shibboleth as an implementation of identity federation / cross-domain SSO. ;-)


I've just spent several days improving the startup time of my ASP.NET based business. Some things to note:

* Install both the 'Google PageSpeed' and 'YSlow' plugins for Firefox. They provide great metrics and tell you what's actually slowing down your page.

* Ensure that all images are sent out with a long expiry time. This is not the default setting for IIS. Just setting a long expiry for images, CSS and JS will easily give you a power-boost in your performance.

* Minimize JS and CSS using the 'Chirpy' plugin.

* Make sure to retrieve any library code from its respective CDN (i.e. Microsoft AJAX, Facebook etc.)

* And of course, as above, make sure your plug-ins load asynchronously. The default code given to me for the 'Add-This' plug-in was synchronous and took about 1.5 seconds to retrieve. Quite silly that they don't give you async code by default for these plugins!


It's very hard to say. Ten years ago I wrote an app in C++ and thought it was the greatest language around. It's fast, close to the OS and rather interesting to work with (as opposed to VB6, at that time). Five years ago I was doing a lot of Java work. Now my latest business is completely based on C#. The programming domain is moving too fast to make serious statements about future languages. Actually, I can bet that Cobol and C++ will still be popular in 5 years.

