Merchant Processes and CID/CVV2

I recently received a letter from the company that monitors my home alarm. It basically stated that to avoid a $3US surcharge that I must opt out of receiving bill in the mail (which is fine) and that I must set up automatic transactions.  I also found this form attached.

Merchant Form

This is not the first time that I have seen a payment option that includes a requirement for the CVV2  or CID value from my credit card. However with a little knowledge of PCI, I have to ask myself the following question, “What exactly are they going to do with this information?” According to PCI-DSS, this information must not be stored (even in an encrypted format) after authorization.

That raises the following questions for the merchant requiring this information–

  1. Is this truly only for the first transaction authorization and the physical form will be securely destroyed?
  2. In this particular case, this is for a monthly transaction. So their relationship with their provider is such that CID/CVV is optional (and not used) for secondary transactions?
  3. Or is this information being stored, electronically or physically, allowing for the possibility of later transactions?

In this Continue reading

How to map OpenFlow switch TCP ports in Mininet SDN simulations

When testing SDN functions in the Mininet network emulator and viewing captured OpenFlow messages in a packet analyzer such as Wireshark, it is difficult to identify which SDN switch is the source or destination of each captured message.

The only reliable way to identify which SDN switch sent or received an OpenFlow message is to look at the source or destination TCP port of the OpenFlow packets. This is because most OpenFlow messages exchanged between switches and the controller do not contain any other information that helps identify the sending or receiving switch. Neither Mininet nor the Open vSwitch database provides information that might be used to identify the TCP ports used by each switches to communicate with the OpenFlow controller in the network.

This post describes a procedure to map which TCP ports are used on each switch to communicate with the SDN controller in the Mininet network simulation. This procedure will enable researchers or students to study the interactions between SDN controller and switches in a more detailed and accurate way.

Summary of procedure

To map which TCP ports are used on each switch to communicate with the SDN controller in the Mininet network simulation, execute the steps Continue reading

Site Upgrades for September 2015

First, I want to apologize for not doing my job. Over the past couple years I’ve let this site become slightly stagnant. I won’t attempt to make excuses, but I will say that I’m in a much better place now. Hopefully inspiration will continue to strike, and I will continue to put pen to paper… or finger to keyboard?

2015-09-18 at 8.52 PMOver the past couple weeks I’ve put a fair amount of time and monetary resources into RouterJockey. I’ve fixed quite a few CSS bugs, without hopefully creating more. I purchased an SSL certificate and moved the site to HTTPS, which helps me more than it really does you… but in doing so, I’ve also enabled SPDY 3.1. SPDY should help load times, but Nginx was already doing a pretty good job. Oh, in order to get SPDY up to 3.1 I was forced to migrate away from the Ubuntu repo for Nginx.. but that’s not a huge deal.

I’ve also spent some time redesigning the menu bar, adding new links, removing some useless ones, and writing an all new disclaimer. Please be sure to read and understand everything posted on that page before attempting to read any of my Continue reading

Some notes on NSA’s 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.


Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, Continue reading

iPexpert’s Newest “CCIE Wall of Fame” Additions 9/18/2015

Please join us in congratulating the following iPexpert students who have passed their CCIE lab!

This Week’s CCIE Success Stories

  • Ajay Edara, CCIE #36424 (R&S & Wireless)
  • Shiv Shankar, CCIE #43675 (Routing & Switching)
  • Andy Harrison, CCIE #50052 (Routing & Switching)
  • Mike Burk, CCIE #50207 (Wireless)
  • Tony Ilorah, CCIE #50210 (Security)
  • Ahmad Nawid Azizi, CCIE #50254 (Routing & Switching)

We Want to Hear From You!

Have you passed your CCIE lab exam and used any of iPexpert’s self-study products, or attended a CCIE Bootcamp? If so, we’d like to add you to our CCIE Wall of Fame!

F5 Certification Path – How to become F5 Certified

Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
The F5 certification path is a series of exams administered by pearsonvue where you start of by passing 2 exams to become an F5 Certified Administrator and then depending on your specialist area you can add to that by becoming an F5 Certified Technology Specialist. The certification cost is $135 per exam which would be $170 […]

Other pages of interest:

Post taken from CCIE Blog

Original post F5 Certification Path – How to become F5 Certified

Stuff The Internet Says On Scalability For September 18th, 2015

Hey, it's HighScalability time:


This is how you blast microprocessors with high-energy beams to test them for space.

  • terabits: Facebook's network capacity; 56.2 Gbps: largest extortion DDoS attack seen by Akamai; 220: minutes spent usings apps per day; $33 billion: 2015 in-app purchases; 2334: web servers running in containers on a Raspberry Pi 2; 121: startups valued over $1 billion

  • Quotable Quotes:
    • A Beautiful Question: Finding Nature's Deep Design: Two obsessions are the hallmarks of Nature’s artistic style: Symmetry—a love of harmony, balance, and proportion Economy—satisfaction in producing an abundance of effects from very limited means
    • : ad blocking Apple has done to Google what Google did to MSFT. Added a feature they can't compete with without breaking their biz model
    • @shellen: FWIW - Dreamforce is a localized weather system that strikes downtown SF every year causing widespread panic & bad slacks. 
    • @KentBeck: first you learn the value of abstraction, then you learn the cost of abstraction, then you're ready to engineer
    • @doctorow: Arab-looking man of Syrian descent found in garage building what looks like a bomb 
    • @kixxauth: Idempotency is not something you take a pill for. -- ZeroMQ
    • Continue reading

What Does It Mean When A Project Has Been Forked?

Open source projects that involve lots of folks sometimes run into conflicts. Should the project go in direction X, or direction Y? Is feature A more important, or feature B? And so on. Sometimes the concerns around an open source project are more pragmatic than pedantic. Should we, as a commercial entity, continue to use this open source project as is, or go in our own direction with it? The keyword to look for in these circumstances is fork.

Cyber Supply Chain Security Is Increasingly Difficult for Critical Infrastructure Organizations

As the old cybersecurity adage states, ‘the cybersecurity chain is only as strong as its weakest link.’  Smart CISOs also understand that the proverbial weak link may actually be out of their control. U.S. retailer Target certainly experienced this lack of cybersecurity control in 2013.  The now infamous Target data breach that exposed the personal information of 110 million people began with a spear phishing attack on one of the company’s HVAC contractors, Fazio Mechanical of Sharpsburg, PA.  Cyber-criminals compromised a Fazio Mechanical system, gained credentialed access to Target, and proceeded to wreak havoc on Target’s data, customers, and reputation.To read this article in full or to leave a comment, please click here

1 3,311 3,312 3,313 3,314 3,315 3,837