Retailer Sues Visa Over $13 Million ‘Fine’ for Being Hacked | Threat Level | # End of the road for PCI?

Damn, I’m not sure what I think about this:

A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.

The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based.

It’s the first known case to challenge card companies over the self-regulated PCI security standards — a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure card data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.

Yes, but:

In December 2010, Genesco announced that it had been hacked, but provided few details about the breach other than to say it was possible that certain details of cards used in its stores might have been compromised.

In the court documents for its lawsuit against Visa, (.pdf) the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.

And yet again:

Nonetheless, Visa accused the company and its banks of violating the Payment Card Industry standards, and fined the banks $5,000 each for noncompliance, then later levied $13.3 million against them for operating expenses incurred over the breach and to recover the cost of fraudulent charges made to the accounts. Visa collected the money this last January from the banks.

How much?

continues at Retailer Sues Visa Over $13 Million ‘Fine’ for Being Hacked | Threat Level |

Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.”


BBC – dot.Rory: Cyberwar or cybermirage? # some sanity from @BBCRoryCJ #cyber

One to add to the Decyber page – extract from: BBC – dot.Rory: Cyberwar or cybermirage?

My emphasis:

But hold on a minute – are we now in danger of overhyping all of this?

Recently I spent a day at a conference listening to some very clever people discuss these issues in grave terms. I can’t name them because the meeting took place under the Chatham House rule, but suffice to say they included a number of those responsible at the highest level for protecting Britain from cyber threats, in both the public and private sectors.

They all seemed terribly worried but as I looked round the room I realised that just about everybody had some interest in promoting the problem. The public sector people, facing big cuts in their budgets, had found something that the Treasury seemed prepared to fund, even as the rest of the defence budget went south.

The private sector executives know that billions of pounds worth of contracts are being handed out as countries try to shore up their cyber-defences and naturally they want their share. And yes, even I had a motive for talking up cyber terror – it does make for good headlines.

But after a morning listening to thousands of words about the scale of the threat, the new government structures designed to protect our national infrastructure, and the way the private sector could feed into that process, I was left somewhat bemused.

Yes, there’s evidence that criminals are launching attacks on banks and other private sector businesses, that consumers are suffering from the effects of cybercrime, and that poor security is allowing government secrets to flood out onto the internet. But where is this cyber terror or indeed warfare?

Everyone latched onto the Stuxnet incident – “if it was done to them, they could do it to us” the cry went up. But it became evident that nobody quite understood what had happened in Iran and whether it really was a symptom of a wider threat.

But there was a sober voice at the meeting, a man who had been studying the evidence of the nature of cyber threats. The danger of cyber terrorism, he told us, seemed limited. Terrorists got more publicity from a car bomb than from taking down a computer network, which was a complex operation to mount.

And many of the incidents referred to as cyberwarfare were “nothing of the sort”. He pointed to the attacks on Estonia, on Georgia and South Korea, and quoted American officials describing them as “annoying and embarrassing”, rather than really damaging. After all, they had caused no casualties or loss of territory. Cyberwarfare, it seemed, could only be a “support function”, rather than a primary weapon.

After hearing this measured assessment, we moved straight on to a man from the private sector. He told us that cyberwar was going on right now, largely invisible to the public, from a whole variety of actors. He quoted the IRA, “You have to be lucky all of the time, we only have to be lucky once,” and he called on the government and the private sector to spend even more on shoring up Britain’s cyber defences.

Maybe he was right and we should not be complacent about the dangers to our national security lurking in cyberspace. But in the past the ICT and security industries have found it very easy to scare governments into spending huge sums on initiatives that have not always proved their worth.

Hairdressers Registration (Amendment) #regulation #security #cybersecurity @openrightsgroup /ht @julianhuppert

Courtesy of cyberstalking Julian Huppert, I found this; do take a look at it:

Hairdressers Registration (Amendment) — 30 Nov 2011 at 14:37
Julian Huppert MP, Cambridge voted with the majority (No).

I beg to move,

That leave be given to bring in a Bill to amend the Hairdressers (Registration) Act 1964 to provide for the mandatory registration of hairdressers with the Hairdressing Council; to empower the Hairdressing Council to issue and charge for licences to hairdressers holding certain qualifications; to provide for the removal of names from the register by the Hairdressing Council on the recommendation of its investigating and disciplinary committees; to introduce a scale of fines payable by those without a licence charging for hairdressing services; and for connected purposes.

Question put (Standing Order No. 23). The House divided: Ayes 63, Noes 67.

I post this to illuminate one thing for my fellow security geeks, viz: that Parliament does this sort of thing.

All it would take is for someone from (say) the British Computer Society to convince a Parliamentarian that Computer Security was at least as important as Hairdressing, and that therefore there should be:

a bill to provide for the mandatory registration of systems administrators with the British Computer Society; to empower the British Computer Society to issue and charge for licences to systems administrators holding certain qualifications; to provide for the removal of names from the register by the British Computer Society on the recommendation of its investigating and disciplinary committees; to introduce a scale of fines payable by those without a licence charging for systems administration services

– and instantly all our jobs, careers, research and innovation would be at the discretion of a committee. We’re not there yet, but somebody is going to try it on someday.

Beware regulation, guys. And while you’re at it, join the Open Rights Group.

via Hairdressers Registration (Amendment) — 30 Nov 2011 at 14:37 — The Public Whip.

Guest Post: ‘A Venture Capitalist’s Experience of Startups and Security’

A security-aware and very technically competent venture capitalist within my circle recently shared an epic rant, which with a little light editing and with requisite permission I have edited into this posting. I think it contains an important message – not least it demonstrates that funders are catching up with the fundamentals, and you’ll soon be less able to get away with merely being ‘the next big thing’:

A Venture Capitalist’s Experience of Startups and Security; by AVC

First published at

Which class of company has the absolute worst security in the world?

Answer? A ‘Silicon Valley Startup’!

I am pissed at people who think that merely having a CS degree and knowing PHP means they have a shred of a clue about security and why it’s important. In 10+ years of VC, seeing 3500 pitches per year, not once have I seen one lousy dollar nor one head allocated in any of those pitches or spreadsheets to have anything to do with the startup’s security, sysadmin or similar – unless it was a security company, of course.

Not once! Shockingly depressing.

If you are reading this and are in a startup, make a checklist of these bad practices and see how many you do. Assign 10 points per naughty action, then calculate your naughtiness score. Now take that score to your VCs and tell them that all that money they gave you to develop that super-proprietary, market leading technology is flying out the window and the value of their investment is therefore squat.

Wanna bet that causes a firestorm?

Really, it’s so awful it’s driving me batty. Every one of these items is 100% true and most of them I have seen dozens of times:

FX: please add the sounds of a chiaroscuro violin chorus swelling in the background for effect, with a whiny, arrogant, ‘pleading engineer’ tone to most of the following quotes – you know both the tone and the snivelling look too…

  1. “Engineers need easy access to the code!” – How many times have you heard this? Have you never heard of encrypted Git hubs?
  2. “The members of the Engineering access group are... everyone”!
  3. “We keep it all mounted under /project...”
  4. “We embed the full path and servername in the code header” – sure, so the bad guys know where to go!
  5. “We need to work from home / a train / a bar / the planet Venus” – so everyone has a checked-out copy of everything on every laptop
  6. …including the finance guy…
  7. (followed by) – “I lost my laptop in Prague at the IETF”.
  8. “We have a VPN using ‘COMPANYNAME’ for credentials”. Grrrr.
  9. “It’s such a pain to have a complex password on the Wireless Access Point that we will just make it ‘1234’ or ‘COMPANYNAME’”.
  10. “We use WEP. What’s wrong with that?”
  11. “We give the wireless password to every joker who ever visits the company, including the cleaning guys and the guy who restocks the Coke machine” – I have seen this personally – “Hey man, they need to check their email on their iPhones too. They are nice guys, we trust them…”
  12. Change the password? “Naw.” Buy a second access point for private use and put it on a private internal VLAN and spend 5 min and maybe $49? “Naw. I’m really busy, leave me alone, you are a moron. Don’t tell me what to do, I’m a graduate of CMU.”
  13. “Oh screw it, no password on the access point is fine” – I have seen this too.
  14. Bad guys using your net to grab porn and stash it on your engineering server? I have seen this, and when the server ran out of disk space someone then said “Hey, why are there 900GB of JPGs under an account name we don’t have? WOW, that shit is filthy, let me examine every one…”
  15. Having your VM instance running a porn server serving up porn for free to the net at large which you didn’t know about? Yep. Oh and it was at Amazon so you were paying for S3 and EC2 cycles to do it. Why did you never check what goes on up there? Answer: “The guys are really good, they just know what’s going on up there”.
  16. Firewall? “We have a DMZ, that’s good enough on a default ipf/iptables. Ok, ok, we will go to Fry’s and get one, plug it in and we are good.”
  17. Change the default network address or password? “Naw too busy!” – I have seen dozens of companies with 192.168.1.x with cisco/admin and the outside admin web interface left on – shodan is your friend in this instance.
  18. “We need to open up over 9000 ‘special testing’ ports for the ‘special services’ that Fred/Bob/Guido/Aunt Emma are developing and testing. No, they don’t use SSL, yes they need to connect to MySQL from outside too. We are ok because we moved the MySQL socket to port 23456.”
  19. “Hey man, that drop password table to ASCII sure is an odd operation, wonder what they are doing?” – seen this too often to be even slightly amused
  20. System Administrator? “We don’t have budget for one, so one of the guys does it” – or rather, he doesn’t. He’s too busy.
  21. Dealing with logs? Syslog? Splunk? Outsource it one day a week? – “Nah. Too busy.”
  22. Sourcefire? Intrusion Detection? Snort? “What’s with all these pig references anyway?”
  23. Lock on the door? Nope, really.
  24. Door left ajar 24×7? Right.
  25. Building 3/4 empty, random people walking through? “Sure. Probably a new hire or candidate anyway. I’m too busy to ask him what he’s doing in any event. Everyone looks the same…” – hipster pork pie hat, three-day stubble, peglegs, yellow Keds, bowling shirt, Warby Parkers – “…so if he wears the uniform, he’s in!”
  26. “We need to open port 5060 (SIP) so our guys can use their soft phones from Defcon, SXSW or on the road.” With auto-refill on the credit card for the VoIP provider.
  27. VoIP over SSH? “Too tough to set up and maintain, skip it. Every time a new guy joins, generating all those keys and all that junk under Windows is such a drag.”
  28. VoIP phones on the same VLAN as the code machines and the finance machines? “What’s a VLAN? What’s a trunk port? Isn’t that something on a ship?” – oh Lord, please make it stop.
  29. Find that the carefully designed and separated VLANs are all plugged in to the same router, with that router totally open to route any-to-any as it was never touched from out of the box?
  30. Ask the engineering team if they have read (much less used) the free NSA guidelines on IPv4, Cisco, IPv6, recommended security practices? “The what? The who?” – Kill me now, please.
  31. Consider the cloud code repository with an account name of ‘COMPANY NAME’ and password of ‘engineering’; $16m has been invested in that company. What’s the bet that every last byte of that repo has been exfiltrated?
  32. Same company keeping its financials in the cloud on QuickBooks with an account name of ‘COMPANYNAME’ and ‘cfo1234’ for the password. Plus their banking information was in there too. Oh, and they were getting ready for an IPO, so we had to remove them from QuickBooks in order to pass the investment bank’s security profile – thank God!
  33. Banking transfer procedures not having at least 2 physical steps involved, such as phone call and 2 sigs or fax and 1 sig etc. We stopped a $486k transfer to Romania via a contaminated PDF this way. The PDF was a spearphish from a financial analyst with a report on ‘VC Performance’ addressed to the CFO. Nicely done, phisherman. The report was actually pretty good too!
  34. Stupid banks that fundamentally don’t understand password entropy and require ‘8 characters of which 3 must be numbers and 2 a symbol’ so the users write them on a sticky note; this kind of education leads to the services they develop being similarly brain dead.

Runner-Up Prize

Needing to copy the data to a ‘secure’ location, as their boss finally woke up to the risk of only having one copy of the data locally, junior woodchuck engineer #1 says:

“Dude, let’s increase the size of the logical units at the same time, while the system is up, this will only take a sec to resize? Incidentally, aren’t my white laces with the red keds just too hip, man?”

“Fine by me, and yes they are stylin!”, says woodchuck #2.

…and thus we can say adios to 3TB of work, none of which of course was backed up.

Luckily the 13 copies on various insecure laptops were able to be laboriously copied back (phew!) and then hand resolved (diffed) to create a blob which had to be hand walked to get it to compile again.

Did they make their release date? I think not.

Woodchucks #1 and #2 now are pulling doubleshot lattes with skim milk and ventes at a place with free wifi so they can work on their next startup idea.

Grand Prize Winner

Sending a crashed SATA drive – no backup of course – containing HR/employee personal information including banking, health care, family, etc, info on employees to the site they googled as being the world’s best disk recovery service – rated #1 by users! Guaranteed satisfaction! Most trusted name in the business! – which in the end turned out to be a mail drop at Mailboxes Etc for a Bulgarian operation of lesser trustworthiness.

Excuse? “But I was in the middle of a release!”

How Newegg crushed the “shopping cart” patent and saved online retail # patent trolls on the back foot? #mustread

“Thank you for calling Soverain technical support,” says Wolanyck, if you press option 2. “If you are a current customer and have a tech support question, please call us at 1-888-884-4432, or e-mail us at” That number, like the “customer support” number on Soverain’s contact page, has been disconnected.

Soverain isn’t in the e-commerce business; it’s in the higher-margin business of filing patent lawsuits against e-commerce companies. And it’s been quite successful until now. The company’s plan to extract a patent tax of about one percent of revenue from a huge swath of online retailers was snuffed out last week by Newegg and its lawyers, who won an appeal ruling [PDF] that invalidates the three patents Soverain used to spark a vast patent war.

via How Newegg crushed the “shopping cart” patent and saved online retail | Ars Technica.

Amazon, Apple, and the beauty of low margins — Remains of the Day #mustread


The day Amazon launched its video store, the top DVD store on the web at the time, I think it was DVD Empire, lowered its prices across the board, raising its average discount from 30% off to 50% off DVDs.

This forced our hand immediately. Selling DVDs at 50% off would mean selling those titles at a loss. We had planned to match their 30% discount, and now we were being out-priced by the market leader on our first day of operation, and just before the heart of the holiday sales season to boot (it was November, 1998).

We convened a quick emergency huddle, but it didn’t take long to come to a decision. We’d match the 50% off. We had to. Our leading opponent had challenged us to a game of who can hold your breath longer. We were confident in our lung capacity. They only sold DVDs whereas we had the security of a giant books and music business buttressing our revenues.

After a few weeks, DVD Empire blinked. They had to. Sometime later, I can’t remember how long it was, DVD Empire rebranded, tried expanding to sell adult DVDs, then went out of business. There were other DVD-only retailers online at the time, but none from that period survived. I doubt any online retailer selling only DVDs still exists.

And this:

An incumbent with high margins, especially in technology, is like a deer that wears a bullseye on its flank. Assuming a company doesn’t have a monopoly, its high margin structure screams for a competitor to come in and compete on price, if nothing else, and it also hints at potential complacency. If the company is public, how willing will they be to lower their own margins and take a beating on their public valuation?

Because technology, both hardware and software, tends to operate on an annual update cycle, every year you have to worry about a competitor leapfrogging you in that cycle. One mistake and you can see a huge shift in customers to a competitor.

Think Apple. Think Google. Compare and contrast.

From: Amazon, Apple, and the beauty of low margins — Remains of the Day.

Via: kottke

Hat-tip: Bart

Why I believe that we will have to break up Nominet, the UK domain’s registry

A few months ago I wrote about this (PDF) at ComputerWorld:

Nominet: a website, by any other name, would be more secure?

So Nominet – the people who own, manage and monetise the top-level .uk DNS domain – propose to allow creation of domain names directly under the UK suffix (PDF).

Thus instead of you could instead own, and it is argued that this is somehow better.

I would argue that in terms of the value it offers, the proposition is actually an irrelevance and potentially harmful overall.

Having top-level domains like “.uk” is certainly an elegant way to distinguish local services like from – but you can see even in the titlebar of this posting that internet users at large have adopted many diverse ways of naming themselves.


The best example of this phenomenon that I have found so far is – a national campaign by entrepreneurs for entrepreneurs, harnessing the expertise and passion of Britain’s leading businesspeople to celebrate, inspire and accelerate enterprise in the UK – which just happens to have a Colombian domain name.


People no longer care about the nationality of domain names – you know that is a Libyan domain, right? – instead what they care about more is that domain names are consistent and that hosts are reachable, so that the link you received from a friend works just like it did for them, albeit he/she is in another country.

So I just wrote the following, in response to a query on the Open Rights Group Advisory maillist:

I’ve not yet bothered to write the followup posting to my original article, but to make a point: there’s a “tragedy of the commons” aspect to the whole thing, too.

Nominet are unilaterally declaring themselves to be not only the trustees of, but also the police and estate agents for, a negative form of space.

To put this into English it would be something like:

We own all conceivable subdomain names under “.uk” – excluding those which already exist such as {co,ac,gov,police,nhs,plc,ltd}.uk – and shall imbue any future domain name with security as an “added value”; and we shall police their usage and shall charge extra for them accordingly; conversely all existing domains (including are henceforth to be denigrated as insecure and should be treated accordingly.

They have declared a negative space* – everything that does not already exist – to be theirs, and to have pre-existing “security” qualities associated with it, qualities which will be theirs alone to exploit (i.e. enforce) and for which homesteaders will have to pay.

It could be argued that Nominet already have the privilege / the rights to do this in their role as registrar, and I respect that argument; but if they were going to add value to something then I would prefer that they take a positive-space approach to it – e.g. create a “*” domain – which they police and sell real estate beneath, and then open up the possibility for competitors (Sophos, McAfee) to create similar.

Instead Nominet have grabbed negative-space – everything that does not already exist, including,, – and declared that it is premium real estate that will demand a premium price, and that they alone shall police it; or you can do your own security in addition, but if you don’t come up to scratch / meet Nominet’s zoning requirements then you will be kicked out.

If they get their way then I shall be pushing for a campaign for Nominet to be broken up; as opposed to being some bureaucratic and not entirely unbeloved equivalent of the National Grid or English Heritage for the Internet namespace, they seem now to be bent upon profit maximisation, diversification into value-add services and exploitation of monopoly.

My belief is that the “.uk” TLD is a commons only slightly more commercial than the IPv4 address space – but fortunately restricted only by human imagination, not 32-bit wordlengths – and I believe that that commons should be overseen equitably and without telling people what they will have to do (i.e. conform to Nominet’s policing) merely to be permitted to exist in it.

As such I foresee breaking up Nominet into a small and strictly not-for-profit trust to disburse chunks of “.uk” and then a series of companies that monetise those chunks with value add services.

Pretty much like we are currently supposed to be, in fact.

* obligatory joke to explain the concept of negative space:

One day a farmer called up an engineer, a physicist, and a mathematician and asked them to fence off the largest possible area with the least amount of fence. The engineer made the fence in a circle and proclaimed that he had the most efficient design. The physicist made a long, straight line and proclaimed “We can assume the length is infinite…” and pointed out that fencing off half of the Earth was certainly a more efficient way to do it. The mathematician just laughed at them. He built a tiny fence around himself and said “I declare myself to be on the outside.”

Nominet have done the latter.

Hence the title of this posting.

Funny, I’ve always assumed that at least some of the reason for calling it #BigData was by analogy to this:

Supermajor: Big Oil

Petroleum and gas supermajors are sometimes collectively referred to as “Big Oil”, a term that emphasizes their economic power and perceived influence on politics, particularly in the United States. Big Oil is often associated with the Energy Lobby.

Usually used to refer to the industry as a whole in a pejorative or derogatory manner, “Big Oil” has come to encompass the enormous impact crude oil exerts over first-world industrial society.

…i.e. a term encompassing the industry and its corporate interests, too.

TechCrunch disagrees:

Why have I grown to hate the words “big data”? Because I think the term itself is outdated, and consists of an overly general set of words that don’t reflect what is actually happening now with data. It’s no longer about big data, it’s about what you can do with the data. It’s about the apps that layer on top of data stored, and insights these apps can provide. And I’m not the only one who has tired of the buzzword. I’ve talked to a number of investors, data experts and entrepreneurs who feel the same way.

According to Vincent McBurney, “Big Data” originates from Francis Diebold of the University of Pennsylvania, who in July 2000 wrote about the term in relation to financial modeling. That was over 10 years ago. In the meantime, so much has happened since then with respect to how and what people can do with these enormous data sets.

And big data is not just about the enterprise. The fact is that every company, from consumer giants like Facebook and Twitter to the fast-growing enterprise companies like Cloudera, Box, Okta and Good Data are all big data companies by definition of the word. Every technology company with a set of engaged regular users is collecting large amounts of data, a.k.a. “big data.” In a world where data is the key to most product innovation, being a “big data” startup isn’t that unique, and honestly doesn’t say much about the company at all.

Oh well, it’ll be back…

Data Centers As Art

Data centers – Google Data centers.