by jof 4534 days ago
Well, let's just say it's an architecture Square knows well. :)

That has less to do with it than the fact that it was the smallest ISA I could find that GCC would readily compile down to.
I would have loved it to be some old ARM ISA to use it as a testcase for Avatar[0]. On the same topic, the FIE paper may be interesting reading for msp430 lovers[1] (but it needs source for symbolic execution, so it doesn't directly apply here).

[0] http://www.s3.eurecom.fr/tools/avatar/

[1] https://www.usenix.org/conference/usenixsecurity13/technical...

In particular, Square's credit card readers use an MSP430 chip to encrypt the stripe data before passing it on to the phone.

Their first credit card readers were entirely analog devices, which were very easy to use to skim cards.

Hopefully the latest batches have per-device unique keys (based on some centrally-known KDF) so a compromise of one doesn't re-enable such an exploit.

Just so I can be super clear here: none of the code in this challenge has anything whatsoever to do with anything Square ships. We deliberately made things less realistic to make the levels more fun, and easier to ramp up with.

> Hopefully the latest batches have per-device unique keys (based on some centrally-known KDF) so a compromise of one doesn't re-enable such an exploit.

Yes, that's how it works.