undefined | Better HN

0 pointslelanthran1mo ago0 comments

> EMV terminals are not under daily cybersecurity attack - you need to have physical access unless you designed your system weirdly.

They are under daily attack - in public, at tills, operated by minimum-wage earners.

> You probably had loads of vulnerabilities.

Sure. Hundreds of thousands of terminals sitting in the field, networked, under the control of minimum wage employees, each holding credit card details for hundreds of cards at a time...

Yeah, you're right, not a target at all!

> But also depending on when you did it, all you had to process was a bar code which is also isn’t some super complicated task.

You are hopelessly naive. Even in the magstripe era, certification was not easy.

> It’s just wild for me to encounter someone who believes C is a safe language

When did you meet this person?

Look, the bottom line is, the errors due to memory safety in programs written in C is so small it's a rounding error. It's not even statistical noise. You spent your life surrounded by these programs that, if they went wrong, would kill you, and yet here you are, not only arguing from a place of ignorance, you are reveling in it.

Just out of interest, have you ever used an LLM to write code for you?

0 comments

vlovich1231mo ago

Physical attacks are difficult to pull off at scale, especially anonymously. There’s a huge evidence trail linking the people involved to the scheme. And a device being in the hands of a minimum wage employee is very different from a bored and talented and highly skilled person probing your software remotely. Now who’s naive?

As for certification and it being difficult, what does that have to do with the process of bread in Paris? Unless you’re somehow equating certification with a stamp of vulnerability imperviousness in which case you’re seeing your own naivete instead of in others. Btw, Target was fully certified and fully had their payment system breached. Not through the terminals but through the PoS backend. And as for “but you’re here living and breathing”, there’s constant security breaches through whatever hole, memory safety or otherwise. Persistent access into the network is generally only obtainable through credential compromise or memory safety.

> When did you meet this person?

You. You’re here claiming that memory safety issues are statistical noise yet every cloud software I’ve seen deployed regularly had them in the field, sometimes even letting a bad one through to canary. And memory safety issues persisted despite repeated attempts to fix issues and you couldn’t even know if it was legitimately an issue or just a HW flaw due to being deployed at scale enough that you were observing bad components. It’s a real problem and claiming it’s statistical noise ignores the consequences of even one such issue being easily accessible.

lelanthranOP1mo ago

> You. You’re here claiming that memory safety issues are statistical noise yet

Claiming that the exploit rate percentage is statistical noise is different from claiming that it's a safe language.

Looks like you have a premade argument to argue.

You haven't answered my question, though: Have you used LLMs to generate any code for yourself?

j / k navigate · click thread line to collapse