credit cards

I actually wouldn’t use the newer free PayPal or Squareup readers. Allegedly they’re adding encryption to make them solely compatible with their own apps. All of those el cheapo stereo-jack readers are just ‘microphones’ to Android or iOS devices. Any app capable of accessing the microphone could be used to covertly or overtly decode the ‘sound’ of the credit card data. Old readers are fine.

In case you wanted to use an old disposable phone or running a non-Google variant of Android, or were worried about other people hijacking your stolen credit card info, here’s the code to compile your own credit card sound file decoder:

If you wanna be a cheap criminal, sure, you could use a $15 analog skimmer and your regular phone to skim credit cards. Google wouldn’t know about it unless the app had ads. Or at all if you compiled your own software. No need for root, obviously. Seriously, I’d personally pay the money and get a top of the line skimmer. The previously linked skimmer has plenty of sketchy overseas payment options. Just use a freight forwarder in Eastern Europe or Asia, and you’re fine. Middle route is eBay and a PO box, that can be had for under $100.

Virtually all cards are not RFID, and they’re labeled as specified in AJ’s post. EMV chips require physical contact, being put into a scanner just like magstripe. EMV could be significantly more secure, but isn’t being used that way. EMV and mandatory PIN would be pretty secure. Magstripe btw is essentially plaintext. That should have you absolutely angry and paranoid. Insanely more dangerous than any of the modern stuff.

There are three tracks. Track 3 isn’t used. Track 1 has the higher data density (210 bits per inch) and is alphanumeric. Track 2 is a numeric backup (with control characters) at 75 bits per inch.

Here’s the data on track 1.

   Start sentinel — one character (‘%’)
   Format code=”B” — one character (alpha only, usually B)
   Primary account number (PAN) — up to 19 characters. Nearly always your credit card number.
   Field Separator — one character (‘^’)
   Name — Name of the cardholder, from 2 to 26 characters
   Field Separator — one character (‘^’)
   Expiration date — four characters in the form YYMM.
   Service code — three characters
   Discretionary data — Card Verification Value or Card Verification Code (CVV or CVC, 3 characters)
   End sentinel — one character (‘?’)
   Longitudinal redundancy check (LRC) — checks against read corruption

So, there you have it. In plaintext, cheaply/easily skimmable fashion is your credit card number, name, expiration date, and the ‘code’ on the back of the credit card.

Here’s a great model that’s very popular with criminals. $225, 1.7 oz, the size of a lighter, holds 3k swipes, timestamped entries, charges/downloads off USB, downloads all three tracks. With the small size, with even a moderate amount of practice, any bartender or waitress could conceal it in their palm and swipe the credit card ‘in full view’ of the customer without anyone noticing. Sure, it’s easier if the credit card is out of sight, but even a bit of sleight of hand would be enough to conceal a valid skim.

There’s plenty of cheaper ones on eBay.

Still not as bad as checks. Checks are nice enough to give your bank routing number, name/address and bank account number in printed plaintext.


Seriously, you’d swear banks were on the take, with how bad their security is.


Windows 10 – Tech Preview

If you’re using VMware, set the guest OS as Windows / Windows 8 64-bit and it’ll start up fine.

Edit your settings before doing the install. If you leave it with default boot, it’ll crash with “Your PC couldn’t start properly, error code 0xc0000001”. Right click on VM, Edit Settings, go to Options, Boot Options, change to EFI.

Setup includes a Microsoft account, which I’m not sure will be great for Enterprise environments. Will definitely need something like nLite, WinReducer or RT Se7en Lite.

Setup is very user friendly for home users.

Start Menu is just plain weird. Better than Win 8. Niftiest thing so far was right clicking on the start menu button. They moved System and Properties to the start menu button rather than right clicking My Computer.

Windows Update hides a lot of information and is dumbed down. Maybe a good choice for home users, but not so great in the corporate environment or for advanced users. On the other hand, File History looks promising for users to back up their data, and Recovery has a lot of good options for home users. There is a “Refresh” option that likely restores Windows and registry to baseline without deleting user data, “Reinstall Windows” that wipes everything and an Advanced Startup likely for power users.

There’s a way to get to the ‘real’ Windows Update interface. Right click start menu, Control Panel, Windows Update. Yay!

I skipped OneDrive setup, and it set itself up anyway.

I like the App Store, it looks exactly like Google Play. But again, corporate environment should be interesting. I’d love if they had an enterprise app store. Be nice for licensing compliance.



Exporting to CSV is extremely straightforward. Don’t forget to clean up the tab file afterwards. The field names will be the first entry.

perl -lpe 's/"/""/g; s/^|$/"/g; s/\t/","/g' < input.tab > test.csv

(input.tab is a placeholder for your tab-delimited file. The three substitutions double any existing quotes, wrap each line in quotes, and turn each tab into the quoted separator ","; -l strips the newline so the $ anchor lands at the real end of the line.)

You can delete the first line with the following (no output, just file edit):
sed -i 1d file.csv

You can display (or pipe to another program or file) everything except the first line with:
sed 1d file.csv
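As an added example (mine, not part of the original post), here is the same tab-to-CSV conversion and header drop in Python. It uses the csv module so that embedded quotes, commas and empty fields are quoted correctly, which is the edge case the perl one-liner’s first substitution is there for; the sample tab file is constructed.

```python
# Added example (not from the original post): the tab -> CSV conversion the
# perl one-liner does, using Python's csv module, plus the header drop that
# `sed 1d` does. The sample input below is constructed for illustration.
import csv
import io


def tsv_to_csv(tsv_text, drop_header=False):
    r"""Convert tab-separated text to CSV with every field double-quoted.

    Quoting every field and doubling embedded quotes matches the perl
    substitutions s/"/""/g, s/^|$/"/g and s/\t/","/g. With drop_header=True
    the first line (the field names) is removed, like `sed 1d`.
    """
    lines = tsv_text.splitlines()
    if drop_header:
        lines = lines[1:]
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for line in lines:
        writer.writerow(line.split("\t"))
    return out.getvalue()


def csv_to_rows(csv_text):
    """Parse CSV back into a list of rows, to verify the conversion round-trips."""
    return list(csv.reader(io.StringIO(csv_text)))


# Constructed sample export: a header row, a field with an embedded quote,
# a field containing a comma, and an empty trailing field.
SAMPLE_TSV = 'id\tname\tnote\n1\tAlice\tsays "hi"\n2\tBob, Jr.\t\n'

if __name__ == "__main__":
    print(tsv_to_csv(SAMPLE_TSV))
    print(tsv_to_csv(SAMPLE_TSV, drop_header=True))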

Loading it into the database is not much worse:

USE TestData;

Field1 VARCHAR(40),
Field2 VARCHAR(40),
Field3 VARCHAR(40));

FROM '/path/to/testdata.csv'

Or the following:



(Field1, Field2, Field3);



It’s Halloween time. Time for the Safety Briefing!

Howdy folks, it’s getting closer to everyone’s favorite holiday season. No doubts you’re looking forward to Trick’r’Treat, maybe a costume party, or ritualistic sacrifice to the Dark Ones! But always remember, safety comes first! Now, here’s some very simple rules that should make your Halloween a fun and safe holiday for everyone!

1. If someone tells you that you are the Chosen One and must save whoever or whatever, kill them and change your name.
2. Same bloody well goes for any harbinger of any “prophecy”. If possible, resurrect them and kill them a second time.
3. If a mysterious and beautiful woman appears out of nowhere and is interested in you, run.
4. If you see a lone young child in the middle of nowhere who is uncommonly cheerful and/or giggling, run like you heard banjos.
5. Black cats, not so bad. Black dog that watches you without ever blinking? Don’t run. Slowly back away.
6. Attics? Tell one of your buddies that you hid the beer up there.
7. Cellars? Tell your buddy that you forgot you moved the beer down to the cellar. That’s the point of buddies, they’re gullible.
8. Bullets may or may not work. Either way, shoot the evil entity. A lot.
9. Fire always makes a situation better. Or more entertaining, and that’s the truly important thing.
10. If mysterious folk with foreign or ancient accents pop on any suspicious date (full moon, ides of march, etc), pretend to not understand them.
11. If you can’t outrun the evil entity, well, you only have to outrun the more cliche characters.
12. For the love of the gods, if you are driving at night, fill the tank when you’re between a quarter and half tank.
13. Fix-A-Flat. Cheaper than being hung up on a rusty meat hook.
14. Hawt chicks are like canaries. Always keep a few around when you visit Bad Place. They’ll die first.
15. Little known fact, vampires are allergic to magnesium. When ignited and shoved down their throat.
16. If you have reason to believe you are being stalked by an evil entity, someone might want to stay awake when everyone else sleeps.
17. If one member of your party starts hearing voices, party over, time to leave.
18. If a disembodied voice tells you to get out, follow the advice.
19. Vacations to run down shacks in the middle of nowhere never work out well.
20. Vacations to Eastern Europe can end with you dismembered. But they have very attractive women. Definitely worth the risk.
21. If anyone says “But Whatever Bad Entity doesn’t exist”, kneecap them and leave them while the rest of you wait to see if he or she is right.
22. A flamethrower is always appropriate.
23. When various members of your party mysteriously start missing, don’t individually go looking for them.
24. There’s no such thing as overkill. Only “Not enough” and “Needs more”. Remember this when you think the evil critter is finally dead.
25. When you find the sacred/cursed/ancient artifact, don’t screw with it. Just put it on eBay and let the feedback answer your curiosity.
26. If some random weirdo offers you unsolicited food, drugs or drink, politely decline.
27. If the innkeeper is way too happy to see you, leave. They probably want to sacrifice you. Or they have termites.
28. If someone gives you a quest to find something oddly obscure that happens to be bloody far away with implausibly complicated directions, go on a vacation instead.
29. If you really HAVE to go, dial Blackwater’s Rent-A-Friend program then rent a helicopter to take you and friends to said obscure location.
30. If you manage to escape the werewolves, undead, aliens, or whatever long enough to get to the phone, don’t try to explain the situation. Just call the National Guard and tell them al-Qaeda is planning to poison the nation’s beer supplies and they’re currently at such and such an address. You’ll have all the Blackhawks and Apache gunships you’d want in about ten minutes.

That’s it! Remember these rules, and you’ll have a safe and happy Halloween! Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn!


Backup thoughts

Backup your stuff.  Period.  No exceptions.  Viruses, power surges, HD failures, etc will never go away.  Evar.  Entropy is just one of those things.

For simplest form of backup, copy My Documents, Favorites and Desktop to an external HD (cheap on Newegg, TigerDirect, etc), thumb drive or SD card.  Keep one off-site, one in a safety deposit box or a buddy’s place.  Swap every few months.  Every year or so, buy a new one.  Retire the old one to your safety deposit box or whatever clearly labeled with the year in question.

I’m partial to 32 gig micro SD cards for critical data, which are the size of your pinky nail.  Very easy to hide.

Next simplest is “cloud” backups.  (cloud.  ugh.)  For home users, I highly recommend BackBlaze.  $4-5 a month for unlimited (and they bloody well mean unlimited) storage.  There are others, any of them are good enough.  Mozy is another.

Geeks, read this:
If you’re not drooling, you’re not a geek.

If you’re a slightly more geeky person, you can use Amazon S3.  I use it for my servers, as s3sync is very handy.

Here’s my script for my CentOS servers:

It’s a very stripped down version.  I’m obviously not publishing the locations of anything that’s not standardized stuff.  I do daily light backups of log files, configuration files, SQL databases, etc.   Weekly backups for my HTML files, graphics, MP3s, videos.  Now, in the posted code, I left it using ECB.  Why, I friggin forget, but it should be cipher-block chaining.  Don’t use ECB in multiple block encryption.  Evar.  CBC is fine for most stuff, but you could adjust for whatever you’re doing.

Prune it down every month or two and you’re looking at 12 cents a month or so.  Most I ever reached was a dollar, because I forgot to prune for a few months.  I added an appointment every two months.  I keep monthly and yearly heavy uploads.
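Since the script itself isn’t reproduced here, here is an added illustration (mine, not the author’s backup script) of the ECB point. A toy 8-byte block permutation stands in for AES so it runs on the standard library alone; it is not a real cipher, and the key and plaintext are constructed. The structure is what matters: ECB encrypts each block on its own, so the repeated blocks in a backup show straight through the ciphertext, while CBC chains each block through the previous one starting from a random IV.

```python
# Added example (not the author's backup script): why the "don't use ECB"
# remark matters. A toy 8-byte block permutation stands in for AES so this
# runs with the standard library only; it is NOT a real cipher and the key
# handling is illustrative. The key and plaintext below are constructed.
import os

BLOCK = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _toy_encrypt_block(key, block):
    """Toy keyed permutation of one 8-byte block (stand-in for AES)."""
    x = _xor(block, key)
    x = bytes((b * 7 + 13) % 256 for b in x)    # invertible: 7 is odd mod 256
    return x[::-1]


def _toy_decrypt_block(key, block):
    x = block[::-1]
    x = bytes(((b - 13) * 183) % 256 for b in x)  # 183 = 7^-1 mod 256
    return _xor(x, key)


def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    """ECB: every block is encrypted independently, so equal plaintext
    blocks give equal ciphertext blocks and the backup's structure leaks."""
    data = _pad(plaintext)
    return b"".join(_toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, ciphertext):
    data = b"".join(_toy_decrypt_block(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))
    return _unpad(data)


def cbc_encrypt(key, plaintext, iv=None):
    """CBC: each block is XORed with the previous ciphertext block (or a
    random IV) before encryption; the IV is prepended to the output."""
    iv = os.urandom(BLOCK) if iv is None else iv
    data = _pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(data), BLOCK):
        prev = _toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ciphertext):
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        cur = body[i:i + BLOCK]
        out.append(_xor(_toy_decrypt_block(key, cur), prev))
        prev = cur
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks identical to an earlier block: the
    ECB pattern leak that a backup full of repetitive data would show."""
    seen, dup = set(), 0
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        dup += blk in seen
        seen.add(blk)
    return dup


KEY = b"\x5a\xa5\x0f\xf0\x33\xcc\x69\x96"    # constructed
PLAINTEXT = b"AAAAAAAA" * 4 + b"BBBBBBBB"    # constructed, deliberately repetitive

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, PLAINTEXT)[BLOCK:]))
```

Four identical plaintext blocks come out as four identical ECB ciphertext blocks; under CBC they differ because each one is mixed with the previous ciphertext. For a real backup script the same rule applies with a real cipher (for instance openssl enc -aes-256-cbc, which picks a fresh salt and IV for you).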

For a paranoid non-geek home user, use TrueCrypt and just backup the TrueCrypt container.  The program and documentation are friendly to non-geeks.


Stock anti-virus advice

My stock solution is to disconnect from network/internet, remove the crapware “anti-malware” software, blacklight to check for rootkits, Microsoft safety scanner, some of the AV quick scanners, install Kaspersky AV, reconnect to the network/internet and patch the machine.

Ideally, if a user is backing up their data, just format the machine, re-install with an unattended install disk (nLite for the win), install KAV, connect to internet, patch.  Microsoft killed off any offline patching utilities.  But if you’re clever, you can isolate a port on a switch to only connect with your WSUS server.

You should not be using multiple AV/AM (anti-virus, anti-malware) products under normal circumstances.  Pick a good AV and use it solely under normal circumstances.  Trend, F-Secure, KAV are top tier.  McAfee, Bitdefender, Norton, Clam, Microsoft Security Essentials are second tier.  NOD32, AVG, et al are third tier.

Patch your OS and software regularly.  Backup your info regularly.  This is as important or more important than your AV/AM solution.


Useful Android apps


    c:geo – Free, pretty good
    Geocaching – Paid, but extremely well written. Use c:geo if you rarely cache, but if you’re a regular geocacher, buy this.

Sensors –

    Tricorder – Free, uses virtually all of the sensors built into an Android phone

Utilities –

    SuperBox – Multipurpose utility, I use it mainly for quickly checking my battery and moving apps to the SD card
    MyBookDroid – You can use it for many purposes, but I use it to quickly scan/catalog my book collection
    WordPress – Bit obvious, this.
    ConnectBot – SSH client, tiny letters but handy for rebooting a server or restarting a service
    ColorNote – Best notepad app I’ve found thus far
    ElectroDroid – Multipurpose electronics utility, has all kinds of reference material
    Disaster Alerts – Good way to check on worldwide alerts of bad things
    How To Tie a Tie – I’m not much of a tie person, so this is surprisingly handy
    KnotsGuide – Very handy
    Net Scan – Works alright, scans a wifi network
    Net Swiss Tool – Various tools that are common on desktop OSes (ping, tracert, etc)
    Wifi Analyzer – Has a handful of utilities for scanning wifi networks
    SSHTunnel – If you are using public Wifi, you want to secure your traffic. This is the best way of doing so.
    Where’s My Droid – Handy for “Where did I leave my phone” situations


    Amazon Kindle – eBook reader. I just use it for free classics and reading books from Baen
    Slacker – Internet radio
    Khan Academy – Educational classes on just about anything


Disaster Recovery planning

Ok, let me start off by saying, I’m not a survivalist. I’m not even really a “prep’er” (preparedness, think survivalist lite). Closest I come is hiking and camping. I however have done a lot of Disaster Recovery and Contingency Planning work, primarily for IT and businesses. It’s entirely the business of mitigating risk to the needs and capacity of the customer. Disaster Recovery, whether for a business or for an individual, is pretty straight forward. It’s just like any other project. Figure out your specifications, and then go about meeting them within time/budget.

We’ll skip the business stuff and go for personal. If you’re a business that’d like DR consulting, feel free to drop me a line at revdisk@ this domain. The examples in this blog posting aren’t meant to be taken overly seriously and will be overstated for entertainment value.

Let’s start off with the specifications. Specifications can be anything, and are the core of any DR planning. You need to know what you want to do before you work toward it. Your specifications can be anything from “personally surviving as many bad things as possible”, “getting my family to crazy Uncle Carl’s fortified retreat in Oklahoma”, “minimizing financial damage from bad things” or “Saving my family”. You can have as many as you’d like, but the more you have the more work you’ll have to do. Keep it as simple as possible, and spend a fair amount of time thinking about your real priorities.

Draw up any significant concerns you have that may impact your specifications.

Growing up within half a mile of TMI, possible nuclear disaster wasn’t an idle thought. There were plenty of other localized concerns. Within fifty miles were chemical plants, ethanol plant, plenty of old bridges, natural gas plants, etc. Spend some time going over what your pressing concerns actually are. “zOMG zombie apocalypse”, “Martians invading the US” or “Russian/Cuban soldiers dropping out of the sky” should not be on it. If they are, you need lithium or at least a long vacation more than you need planning.

It should start off with the most realistic options. For me, it’s snow storms. They occur virtually every year and being shut in for a couple days is very likely.

If you live on a fault line, sooner or later, you WILL have an earthquake of note. Same with a flood plain. If you’re on the coast, do a bit of research and figure out previous damage from storms. Go to the library and do some research. Don’t rank them by how theoretically bad they could be. Rank them intelligently, which means impact assessment * frequency at a minimum. You can factor in other things like financial concerns, social/family commitments or whatnot, up to you.

Here is my example Impact Analysis methodology. I ranked by impact multiplied by the likelihood of occurring. A snow storm is not likely to be lethal unless you are intentionally stupid or unprepared. So let’s give it a weight of 3 (on a scale of one to ten for impact). We multiply that weight by the likelihood of happening, which would be rounded to 10 out of 10. So net weight of 30. Another nuclear meltdown at Three Mile Island might have an impact of 10, but a likelihood of happening of 0.5 (that’s actually too high, but I’m using simple numbers for demonstration purposes), with a final weighting of 5.

So a snow storm should have six times the priority in preparation. If you’re doing one priority at a time, you just sort the list by the weight. If you’re working toward all of them on a schedule, you should allocate resources toward snow storm preparation at six times the rate of radiation from nuclear meltdown preparation.

So suppose I do my research, run my Impact Analysis and come up with a prioritized list of concerns:

1. Snow storm
2. House on fire
3. Earthquake
4. Wildfire
5. Flood
6. Nuclear disaster
7. Other – Significant, Non-Local
8. Other – Localized

You can break them out discretely in as granular a manner as you would like. More granular, more work. You can create subsets for variations, but you only want to do that on your revisions and not on your first project.

Obviously, the last two categories cover anything else not on the list: vague, general contingency plans for whatever you didn’t enumerate. An “Other – Localized” could be anything from a very unlikely accident like a train wreck to a meteor strike. Anything where somewhere else is safer than right here, and it’s contained to a specific geographic area.

“Other – Significant, Non-Local” is your “it’s bad everywhere, and there’s no point in going somewhere else” category.

“Other – Insignificant, Non-Local” means it’s not in your neighborhood and it’s not likely to affect you. You can leave it on, or toss it. But it does sometimes pop up. This category would cover dealing with the secondary effects from someone else’s problems. Katrina refugees would be an example.

Ok, you have your list of priorities. Develop a plan for dealing with each. You want to make your plan as modular as possible. “Stocking extra food in plastic, water resistant containers” would assist in all categories except “House on Fire”. Actually think through the scenario. Walk it out or simulate it as closely as possible.

If your house burned to the ground, what would you actually need? You may have under a minute to get out. An AR15 and a pallet of MREs would be near useless, but copies of your insurance paperwork, birth certificates, medical records, asset documentation, and contact information for friends, relatives, business would be worth their weight in gold. Immediately after a major earthquake, the situation may be reversed.

Start on the highest priorities, and work your way through the list. Make records of your current state, and the state you want to be in when you’re finished. I like a Green-Yellow-Red coded spreadsheet. Gives you a sense of accomplishment as the red and yellow start to disappear, and more green fills the screen.

So an example:

1. Snow storm
2. House on fire
3. Earthquake
4. Wildfire
5. Flood
6. Nuclear disaster
7. Other – Significant, Non-Local
8. Other – Localized

Item                  Plan(s)        Status  Notes
Extra batteries       1, 3, 4, 5, 6  GREEN
Pallet of MREs        1, 3, 5, 6     RED     Swap out on 01/15
Essential Paper Docs  2-6            YELLOW  Need X, Y and Z
Digital copies        2-6            RED     Encrypt on multiple thumb drives
Waterproof boxes      5              GREEN

Allocate resources in accordance with a schedule, and in direct proportions to your weighted priority list. Leave a margin for targets of opportunity. Once you’re done, draw up a maintenance/inventory schedule. Revisit your Impact Analysis on a set duration (annual, usually).

If you’re working without an overall plan, you’re probably wasting money, time and reducing effectiveness. Go with the right methodology, and you’re more likely to be successful than winging it. The above general “philosophy” is stone cold, tested and true, core disaster recovery management. You can use whatever format you’d like or fits your needs.
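As an added worked example (mine, not from the original post), here is the impact × likelihood weighting, the proportional allocation it implies, and a readiness count over the Green-Yellow-Red item table. The snow storm (3 × 10 = 30) and nuclear meltdown (10 × 0.5 = 5) figures are the post’s own; the inventory rows are taken from the example table above, and everything else (the Scenario and item field names, the budget) is an assumption for illustration.

```python
# Added example (not from the original post): impact x likelihood weighting,
# proportional allocation, and a readiness count over the item table. Snow
# storm (3 x 10 = 30) and nuclear meltdown (10 x 0.5 = 5) are the post's
# numbers; the field names and the budget are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Scenario:
    number: int          # position in the plan list
    name: str
    impact: float        # 1..10
    likelihood: float    # 0..10 for the planning period

    @property
    def weight(self):
        return self.impact * self.likelihood


def rank(scenarios):
    """Sort by weight, highest first: the prioritized list."""
    return sorted(scenarios, key=lambda s: s.weight, reverse=True)


def priority_ratio(a, b):
    """How many times more preparation effort a deserves than b."""
    return a.weight / b.weight


def allocate(scenarios, budget):
    """Split a budget in direct proportion to the weights."""
    total = sum(s.weight for s in scenarios)
    return {s.name: round(budget * s.weight / total, 2) for s in scenarios}


def expand_plans(spec):
    """Parse a Plan(s) cell such as '1, 3, 4, 5, 6' or '2-6' into a set."""
    result = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            result.update(range(int(lo), int(hi) + 1))
        else:
            result.add(int(part))
    return result


def readiness(items, plan_number):
    """(green items, applicable items) for one plan: the spreadsheet view."""
    applicable = [it for it in items if plan_number in expand_plans(it["plans"])]
    green = sum(1 for it in applicable if it["status"] == "GREEN")
    return green, len(applicable)


SNOW = Scenario(1, "Snow storm", impact=3, likelihood=10)
NUCLEAR = Scenario(6, "Nuclear disaster", impact=10, likelihood=0.5)

# Rows from the post's example table.
ITEMS = [
    {"item": "Extra batteries", "plans": "1, 3, 4, 5, 6", "status": "GREEN"},
    {"item": "Pallet of MREs", "plans": "1,3,5,6", "status": "RED"},
    {"item": "Essential Paper Docs", "plans": "2-6", "status": "YELLOW"},
    {"item": "Digital copies", "plans": "2-6", "status": "RED"},
    {"item": "Waterproof boxes", "plans": "5", "status": "GREEN"},
]

if __name__ == "__main__":
    for s in rank([SNOW, NUCLEAR]):
        print(f"{s.weight:5.1f}  {s.name}")
    print(allocate([SNOW, NUCLEAR], 1000))       # constructed budget
    print("snow storm readiness:", readiness(ITEMS, SNOW.number))
```

With only those two scenarios, a $1000 budget splits 857.14 to the snow storm and 142.86 to the meltdown, the six-to-one ratio from the text; add your own scenarios to the list and the same functions rank and apportion them.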


Some potentially useful templates:

DR Inventory Template

DR Impact Analysis Template

Planning Guide Template




Adding TLS, SASL, SSL support to Postfix on CentOS

k, so you have a wonderfully working email server. Then you try to send an email from your PC or mobile device, with no joy. Congrats, your email is set up right and postfix is refusing to send out unsecured and/or unauthenticated email.

Time to add some secure authentication.

Add the following to /etc/postfix/

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

Check smtpd_recipient_restrictions in, which I usually put dead last in the file. It needs permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination at a minimum. You can test out sasl if you wish at this point. I didn’t bother, but I like living on the edge. Save your and restart postfix (at the command prompt: postfix reload)

Now run these commands from root.

yum install crypto-utils
genkey --days 1000 mail.domain.tld

I went with the super paranoid encryption level, but that’s me. It’ll take a while to crunch. Don’t encrypt the key. You’d need to input a password at boot, which would be bad. You can sign your key with a CA if you wish, I didn’t see the need to pay to do so for my private email server. The keys should be put in the following locations:


Make sure the private key is owned by root and chmod 600. Verify the files exist.

Now, fire /etc/postfix/ up again and add the following:

smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.domain.tld.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.domain.tld.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
# Dork with this setting during testing (keep the comment on its own line:
# Postfix treats anything after the value, '#' included, as part of the value)
smtpd_tls_auth_only = yes

Run another postfix reload.
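As an added example (mine, not from the original post or from Postfix), here is a small checker for the settings the post adds. It parses main.cf syntax (name = value, '#' comments only at the start of a line, indented continuation lines, later assignments override earlier ones) and reports settings that are missing or weak, including the ordering of smtpd_recipient_restrictions and a trailing comment that Postfix would swallow into the value. Both main.cf fragments in it are constructed samples, not the author’s configuration.

```python
# Added example (not from the original post or Postfix): checker for the
# SASL/TLS settings the post adds. Parses main.cf-style text and reports
# missing or weak values. The two fragments below are constructed samples.
import re

REQUIRED_EXACT = {
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_sasl_type": "dovecot",
    "smtpd_sasl_path": "private/auth",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_tls_auth_only": "yes",
}
TLS_LEVELS_OK = ("may", "encrypt")
REQUIRED_RESTRICTIONS = ("permit_mynetworks", "permit_sasl_authenticated",
                         "reject_unauth_destination")


def parse_main_cf(text):
    """Return {parameter: value}; a later assignment overrides an earlier one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:    # continuation line
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def audit(params):
    """List (parameter, problem) pairs; an empty list means every check passed."""
    findings = []
    for name, want in REQUIRED_EXACT.items():
        got = params.get(name)
        if got != want:
            findings.append((name, f"expected '{want}', found {got!r}"))
    level = params.get("smtpd_tls_security_level", "none")
    if level not in TLS_LEVELS_OK:
        findings.append(("smtpd_tls_security_level",
                         f"'{level}' leaves SASL passwords unprotected; use 'may' or 'encrypt'"))
    restr = [t for t in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if t]
    for needed in REQUIRED_RESTRICTIONS:
        if needed not in restr:
            findings.append(("smtpd_recipient_restrictions", f"missing {needed}"))
    if ("permit_sasl_authenticated" in restr and "reject_unauth_destination" in restr
            and restr.index("reject_unauth_destination") < restr.index("permit_sasl_authenticated")):
        findings.append(("smtpd_recipient_restrictions",
                         "reject_unauth_destination comes before permit_sasl_authenticated, "
                         "so authenticated clients cannot relay"))
    for name, value in params.items():
        if "#" in value:   # Postfix has no trailing comments; the '#' is part of the value
            findings.append((name, f"trailing comment became part of the value: {value!r}"))
    return findings


WEAK_CF = """\
# constructed sample: settings as they might look half-way through the post
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = none
smtpd_tls_auth_only = yes # dork with this setting during testing
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    permit_sasl_authenticated
"""

GOOD_CF = """\
# constructed sample: the finished settings
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.domain.tld.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.domain.tld.cert
# Dork with this setting during testing
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, cf in (("weak", WEAK_CF), ("good", GOOD_CF)):
        print(label, audit(parse_main_cf(cf)) or "OK")
```

Point it at a real file with parse_main_cf(open("/etc/postfix/main.cf").read()); the weak sample trips five findings (SASL off, TLS level none, the swallowed comment on smtpd_tls_auth_only, and the restriction order that would stop authenticated clients relaying), the finished one none.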

Fire up /etc/dovecot.conf and make sure the following is included:

protocols = imap imaps pop3 pop3s
#disable_plaintext_auth = no
#ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/mail.domain.tld.cert
ssl_key_file = /etc/pki/tls/private/mail.domain.tld.key
ssl_cipher_list = ALL:!LOW:!SSLv2

Restart dovecot. If it squawks, you need to add pop3_uidl_format = %08Xu%08Xv to the pop3 section. Remember to update iptables.
