flakeloaf
Feb 26, 2003

Still better than android clock

Kazinsal posted:

James Mickens' bit on the Mossad/Not Mossad Threat Model is something that deeply applies here

i didn't even know this was a thing; i too mention the mossad but the example i use is a trustworthy host-nation employee who gets flipped overnight cause the target audience can relate to that

the insider threat is way more realistic than some agent of evil shutting himself in your cabinet and waiting for you to go afk, state actors don't care about you and if they did you're hosed, and if the taliban take one of your kids then you'll do whatever you think you need to do anyway


infernal machines posted:

trying to manage endpoint security on employee owned devices.

managing endpoint security on employer-owned devices is hard enough thank you very much

byodon't think so


evil_bunnY
Apr 2, 2003

Tankakern posted:

what fud is this, "latent malware" if you flatten and reinstall?

Windows Platform Binary Table.

power botton posted:

lets not forget persistent malware in your bios that exfiltrates data through microwaves or morse code or something

Doesn't exfiltrate poo poo, windows will happily run it elevated


quote:

your intel-based laptop comes with three operating systems installed, and you can only have an effect on the one that is least trusted and loads last.

This is the root of the issue if you're serious about it. For Joe Average even just formatting the drive is fine.

evil_bunnY fucked around with this message at 14:27 on Jun 6, 2019

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

evil_bunnY posted:

Doesn't exfiltrate poo poo, windows will happily run it elevated

i'm p. sure that was a "badbios" reference

dpkg chopra
Jun 9, 2007

Fast Food Fight

nicky mossad ft. badbios

Chris Knight
Jun 5, 2002

me @ ur posts

more like bhad bhios

Shame Boy
Mar 2, 2010

apparently we're going to be writing software that runs on and operates self-checkouts :shepicide:

any hot tips on making sure i don't get thrown under the bus when 5 million credit card numbers wind up on the darknet and they need someone to blame

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shame Boy posted:

apparently we're going to be writing software that runs on and operates self-checkouts :shepicide:

any hot tips on making sure i don't get thrown under the bus when 5 million credit card numbers wind up on the darknet and they need someone to blame

use e2e credit card scanners and make it a subcontractor's liability

Shaggar
Apr 26, 2006
if you're doing things properly you should only be dealing with authorizations coming back from the card terminal. you should never have card numbers or personal details.

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
dehumanize yourself and face to PCI DSS

Shame Boy
Mar 2, 2010

BangersInMyKnickers posted:

use e2e credit card scanners and make it a subcontractor's liability

Shaggar posted:

if you're doing things properly you should only be dealing with authorizations coming back from the card terminal. you should never have card numbers or personal details.

yeah this is how we already do things when we touch credit cards, except in specific situations where we got it in writing from both our client and our PCI person that "oh no that's not actually a PCI thing so it's fine" even though i'm pretty sure it is a PCI thing but w/e

at least that's what we're doing for credit card info, personal info on the other hand...

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

if you have to ask if it's in pci scope, it is absolutely in pci scope

Shame Boy
Mar 2, 2010

like we've done plenty of payment integration with card scanners that do all the auth and number handling and poo poo for us, that's our whole thing these days, but so far they're all systems that are exclusively operated by employees of a store and not really accessible to the general public so this should be... exciting...

Shaggar
Apr 26, 2006
the best solution is not to have the data at all. second best solution is to let someone else handle storage of the data.

is this data you need to collect from the user during the transaction or is it something being sent to your software from something else?

Shaggar
Apr 26, 2006

Shame Boy posted:

like we've done plenty of payment integration with card scanners that do all the auth and number handling and poo poo for us, that's our whole thing these days, but so far they're all systems that are exclusively operated by employees of a store and not really accessible to the general public so this should be... exciting...

what payment systems are accessible to the public? that sounds insane.

Chalks
Sep 30, 2009

i guess you're worried about pii from a store loyalty card perspective? that's the only situation i can imagine a self checkout system coming into contact with that - but even then i assume you'd actually just be passing around a token to a back end system.

El Mero Mero
Oct 13, 2001

Shaggar posted:

what payment systems are accessible to the public? that sounds insane.

Self-checkout systems (I assume the poster's referring to physical self-checkout)

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


We segregate our payment processing up entirely, the only thing we get out of it is the confirmation number to 'Approve' the transaction at the register, everything else is handled by a segregated network that only touches our datacenter.

Shame Boy
Mar 2, 2010

Shaggar posted:

the best solution is not to have the data at all. second best solution is to let someone else handle storage of the data.

is this data you need to collect from the user during the transaction or is it something being sent to your software from something else?

pretty sure it's all "needed" if you define that to mean "is part of a feature the client specifically wants". now in terms of "actually necessary for the task of ringing up your poo poo" then... that's a different matter

anyway if this works out like old projects i should wind up working on backend hardware stuff and not touching any of that personal data myself, but i'm trying to get ahead of any dumbass ideas that will gently caress us over even if they don't directly have to do with me. most of the stuff y'all have mentioned is stuff i push for anyway so I guess i'm on the right track already

also i wanted to bitch to the thread a bit because that's therapeutic, thanks for listening

Shame Boy
Mar 2, 2010

El Mero Mero posted:

Self-checkout systems (I assume the poster's referring to physical self-checkout)

yeah this is a physical self-checkout kiosk to be clear

Sagebrush
Feb 26, 2012

Shame Boy posted:

apparently we're going to be writing software that runs on and operates self-checkouts :shepicide:

any hot tips on making sure i don't get thrown under the bus when 5 million credit card numbers wind up on the darknet and they need someone to blame

do you get to design any of the UX? go and stand around a self-checkout for at least one working day and write down everything you see people doing, particularly if they're struggling. the user interaction with those machines could be so so much better

Shame Boy
Mar 2, 2010

Chalks posted:

i guess you're worried about pii from a store loyalty card perspective? that's the only situation i can imagine a self checkout system coming into contact with that - but even then i assume you'd actually just be passing around a token to a back end system.

yeah the loyalty system is where it's coming up, you got it. maybe we could deal with that using tokens but then how could we ~~~personalize the experience~~~ and ~~~recommend products~~~ huh???

Shame Boy
Mar 2, 2010

Sagebrush posted:

do you get to design any of the UX? go and stand around a self-checkout for at least one working day and write down everything you see people doing, particularly if they're struggling. the user interaction with those machines could be so so much better

our UI/UX team will be designing it and they're generally pretty good about stuff like that, i'll mention the idea to 'em cuz yeah by default they're awful...

Chalks
Sep 30, 2009

Shame Boy posted:

yeah the loyalty system is where it's coming up, you got it. maybe we could deal with that using tokens but then how could we ~~~personalize the experience~~~ and ~~~recommend products~~~ huh???

oh man, i'm looking forward to a self checkout suggest that i turn around and go back into the store to pick up some recommended products

Sagebrush
Feb 26, 2012

Shame Boy posted:

our UI/UX team will be designing it and they're generally pretty good about stuff like that, i'll mention the idea to 'em cuz yeah by default they're awful...

if the UX team doesn't already do observational user research uhhhhhhhhhhhhhhhhhhhh

the vast majority of software ux design is based on literally nothing and it's shameful as hell

Shame Boy
Mar 2, 2010

Sagebrush posted:

if the UX team doesn't already do observational user research uhhhhhhhhhhhhhhhhhhhh

maybe they do? i know they've gone on field trips to client stores before, idk man they're on the other side of the building and i work on server/hardware/backend stuff so i rarely talk to them :shrug:

El Mero Mero
Oct 13, 2001

Imo unless it's a 100% unattended self-checkout system that's outside I'd think the added security concerns above and beyond normal POS issues would be minimal.

Are skimmers or other public physical access fuckery issues actually a thing for grocery store self-checkout?


(Also yeah, seconding the "fix the drat ux first" post)

Shaggar
Apr 26, 2006

Sagebrush posted:

do you get to design any of the UX? go and stand around a self-checkout for at least one working day and write down everything you see people doing, particularly if they're struggling. the user interaction with those machines could be so so much better

it should be harder. it's too easy for old people to use and they clog up the self checkout lanes.

Shame Boy
Mar 2, 2010

Chalks posted:

oh man, i'm looking forward to a self checkout suggest that i turn around and go back into the store to pick up some recommended products

i've seen the future of retail and it's awful, every place apparently took a look at the internet of tracking scripts and targeted ads and amazon's recommendation system and went "hm yes this is good, let's implement a physical version of this somehow"

at least we've mostly avoided doing that poo poo ourselves, though i wonder how long that will last...


El Mero Mero posted:

Imo unless it's a 100% unattended self-checkout system that's outside I'd think the added security concerns above and beyond normal POS issues would be minimal.

Are skimmers or other public physical access fuckery issues actually a thing for grocery store self-checkout?


(Also yeah, seconding the "fix the drat ux first" post)

it should be the usual "one person standing there managing the thing" self-checkout so it's probably fine

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Chalks posted:

oh man, i'm looking forward to a self checkout suggest that i turn around and go back into the store to pick up some recommended products

Lol at this lack of awareness of the coupons that get shitted out at the same time as the receipt

Shame Boy
Mar 2, 2010

Volmarias posted:

Lol at this lack of awareness of the coupons that get shitted out at the same time as the receipt

now what if those coupons were screens and they were all around the store and reacted to you approaching them and also your phone buzzed and the Official Wal Mart Customer Love And Appreciation LGBT Awareness App popped up to tell you about the fantastic deals

never ever install a store app is what i'm saying. i mean not that any of you would have in the first place but still.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Shame Boy posted:

never ever install a store app is what i'm saying.

:hai:

I stopped using the self check-out scanners that let you basically bag your stuff as you go because they would. not. stop. making GBS threads out "offers" as you shopped with an obnoxious cash register ka-ching noise every 15 seconds.

mystes
May 31, 2006

Sagebrush posted:

do you get to design any of the UX? go and stand around a self-checkout for at least one working day and write down everything you see people doing, particularly if they're struggling. the user interaction with those machines could be so so much better

It seems like a lot of the problems are created intentionally, though. The ones where you have to wait for it to weigh stuff take forever, and lots of products at most stores are unscannable and require employee intervention.

Probably the best ones I've used so far are at Sam's Club because you don't have to weigh items and there's no bagging anyway, so all you have to do is use the wand to scan each item and then slide them to the other side of your cart (so you know which ones you've scanned). They're so fast there's basically never any line (they then gently caress this up by having a huge line to have your receipt checked, of course.)

There are pure UX issues like searching being really slow, but I think normal grocery stores could be a lot faster if they stopped requiring you to weigh the items and then moved bagging to a separate location *after* the self-checkout machines.

For produce it would probably be better to have preprinted barcodes that you could stick on the bags.

Also, the idea of devices that you take around the store to prescan stuff (or a smartphone app) is good but in practice stores screw this up by making you wait in the same lines as assholes who get into the self-checkout line with 10,000 things in their cart and then sometimes making you have an employee come over to see if you've actually checked everything.

mystes fucked around with this message at 17:36 on Jun 6, 2019

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Volmarias posted:

:hai:

I stopped using the self check-out scanners that let you basically bag your stuff as you go because they would. not. stop. making GBS threads out "offers" as you shopped with an obnoxious cash register ka-ching noise every 15 seconds.

they used to have ones here when the bagging area was a small carousel like the attended checkout has so you could just pull from your cart directly, scan, and bag all in one motion. But then they took them away and replaced them with a big chute so you have to dump all your poo poo into a messy pile then go bag it up as a second step and now I just use the attended lanes every time as protest

evil_bunnY
Apr 2, 2003

BangersInMyKnickers posted:

use e2e credit card scanners and make it a subcontractor's liability

this. all you should be doing is passing the transaction amount and getting a yes/no back

BangersInMyKnickers posted:

I just use the attended lanes every time as protest

correct move. the first time I got selected for a “random” bag check and the attendant was surprised she didn’t get to just grab my pack and start shuffling inside was the last time I’ve used a self checkout

Shame Boy posted:

yeah this is a physical self-checkout kiosk to be clear

if you’ve got your poo poo together a checkout employee can already do very little more than what a customer can achieve at a kiosk/lane.

the loyalty poo poo should be handled exactly the same way as it is with cashiers.

evil_bunnY fucked around with this message at 17:52 on Jun 6, 2019

Shaggar
Apr 26, 2006

mystes posted:

It seems like a lot of the problems are created intentionally, though. The ones where you have to wait for it to weigh stuff take forever, and lots of products at most stores are unscannable and require employee intervention.

Probably the best ones I've used so far are at Sam's Club because you don't have to weigh items and there's no bagging anyway, so all you have to do is use the wand to scan each item and then slide them to the other side of your cart (so you know which ones you've scanned). They're so fast there's basically never any line (they then gently caress this up by having a huge line to have your receipt checked, of course.)

There are pure UX issues like searching being really slow, but I think normal grocery stores could be a lot faster if they stopped requiring you to weigh the items and then moved bagging to a separate location *after* the self-checkout machines.

For produce it would probably be better to have preprinted barcodes that you could stick on the bags.

Also, the idea of devices that you take around the store to prescan stuff (or a smartphone app) is good but in practice stores screw this up by making you wait in the same lines as assholes who get into the self-checkout line with 10,000 things in their cart and then sometimes making you have an employee come over to see if you've actually checked everything.

are you saying you have to weigh every item not just the ones that are priced by weight?

CmdrRiker
Apr 8, 2016

You dismally untalented little creep!

PCI constraints are pretty clearly defined. If something seems suspicious the rules are available for you to verify it for yourself. Everyone has the same reasonable advice about avoiding the storage and (hopefully) in memory handling of sensitive data. Just be sure to be careful about the usual bullshit too like accidental handling of logging, exposing error codes, tokens, and traceable transactions.
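As an added example (not code from anyone in this thread), here is a small Python sketch of the boundary evil_bunnY and Shaggar describe, where the kiosk software only sends an amount and receives an approval and a confirmation code, plus a Luhn-filtered scan for card numbers leaking into log lines, the "accidental handling of logging" CmdrRiker mentions. The class and field names, the log format and the sample lines are all constructed for illustration; the 4111 1111 1111 1111 value is the standard Visa test number, not a real card.

```python
import re
from dataclasses import dataclass


# The only things the kiosk sends to the payment terminal (constructed model).
@dataclass(frozen=True)
class AuthRequest:
    amount_cents: int
    currency: str
    reference: str  # our own order id, never card data


# The only things the terminal hands back: yes/no, a confirmation code,
# and the last four digits PCI DSS lets a merchant keep in the clear.
@dataclass(frozen=True)
class AuthResponse:
    approved: bool
    auth_code: str
    last4: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the mod-10 check every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_leaks(text: str) -> list[str]:
    """Return digit runs in a log line that look like card numbers.

    The Luhn filter keeps order ids and timestamps from tripping the check."""
    leaks = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            leaks.append(digits)
    return leaks


def log_authorization(req: AuthRequest, resp: AuthResponse) -> str:
    """Build the audit line for a transaction and refuse to emit it if a PAN
    somehow ended up in it (constructed log format)."""
    line = (f"ref={req.reference} amount={req.amount_cents} {req.currency} "
            f"approved={resp.approved} auth={resp.auth_code} last4={resp.last4}")
    if find_pan_leaks(line):
        raise ValueError("card number in log line; refusing to write it")
    return line
```

Running `find_pan_leaks` over existing log files is a cheap way to find out whether something upstream is already handing the kiosk more than it should see.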

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shaggar posted:

are you saying you have to weigh every item not just the ones that are priced by weight?

yeah, it's a theft control mechanism so you don't run through a stack of the same item but only scan the bottom one or whatever. that's why it yells at you to put the item in your cart and stops you from scanning the next thing

Shame Boy
Mar 2, 2010

Shaggar posted:

are you saying you have to weigh every item not just the ones that are priced by weight?

there's a scale built in to the bagging area that automatically weighs every item as you pass it through. you have to wait for it to finish doing that before you can scan your next item, and if it gets the weight wrong or if your thing doesn't weigh what it expects it flags you and the attendant has to come over and override it, it's real dumb. supposedly it's there to prevent shoplifting but i'm really not sure how the gently caress it's supposed to do that. like are people going to put the stuff they're shoplifting on the scale area to weigh it?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I think they have a weight estimate for the item in a database somewhere linked to the upc, and they can probably calculate it dynamically from previous people scanning and bagging the same item


Shame Boy
Mar 2, 2010

one of the asks from one of our own executives was if we could figure out a way to either "fix" the scale component to not suck, or disable it altogether but still retain its anti-theft effects

since i seriously doubt it actually has any anti-theft effects i'm pretty sure we can just disable it and everything will be fine
