I’ve been meaning to write this post for a few weeks now, but I’ve just been too busy. Now that I’m finally starting to get a bit more caught up (and after I thought about it again today when using Windows XP on VMWare to access ROS) I figured I’d better write it.
Previously, I’d figured out a way to convince ROS to work under Linux. What I didn’t realize at the time, was that it only works on 32-bit Linux and not 64-bit. Read the rest of this entry »
I finally completed the convoluted identity proofing process required by the Irish Revenue Commissioners’ Revenue Online System (ROS) so that I could view/file all of the necessary tax forms for Archistry myself. The registration process/identity proofing for business customers theoretically involves the following 3 steps: Read the rest of this entry »
How many people ever saw the SNL skits featuring Doug & Wendy Whiner? If you never did, then the title won’t make much sense to you. Essentially, the Whiners are a couple that whine about nearly everything. Unfortunately, it’s remarkable how much reality was in those skits.
Having just come back from giving presentations about effective data protection and understanding the fundamental premise of legitimacy or fairness expected implicitly by customers from organizations who store our data, this CNET article scared me to death: “Credit card security rules to get update.”
The article discusses proposed changes to the security requirements for businesses that accept credit card information. Currently, the PCI standard (PDF) developed by both MasterCard and VISA requires the following (from the VISA CISP information page):
To anyone who has ever built or implemented a security policy, the above should seem to be pretty standard stuff, and it’s pretty fair to the customer in attempting to protect access to their data. However, these quotes from the article indicate that some legacy systems can’t cope with the requirements, so they need to be “relaxed”:
“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell [director of e-Business and Emerging Technologies at MasterCard] said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
and
The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot. “Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind,” Courtot said.
These systems and their delinquent owners are holding your, yes, that’s right, they’re holding your credit card data unencrypted because of flaws in the application. That’s equivalent to the police saying that it was too hard to catch the guy breaking into your car, so you should just keep it in the garage instead where it’s safe.
The Whiners who own the defective applications are whining to Visa and MasterCard–and they’re listening! This is incredible. To be fair to Qualys’ CEO, I’m going to assume that he’s stating that there were complaints rather than his own opinion here.
So, how are these delinquent systems going to keep your data (and your identity) safe from the bad guys? You’ll love this:
Changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.
Right, so let me get this straight: no encryption; more firewalls. Because, as Marcus Ranum says firewalls just don’t work, and, well, nobody reads any of these articles anyway:
Granted, this article from ZDNet, “Lose your backup tapes? It could be worse” makes two good points: a) it would take some pretty serious knowledge to get the data off the tapes, and b) the fact that the tapes are missing is going to be pretty obvious. However, what he also points out is that there are even easier ways to get at the data–all you need to do is get to the machine. Since the data isn’t going to need to be encrypted on the machine anymore, once you have access to the machine, you have access to the credit card data. It’s as simple as that.
The silly thing is that encryption isn’t rocket science, and it isn’t hard to design systems to take advantage of encryption techniques to store the information. In the absolute worst case scenario, you just have to pay your database vendor to solve the problem for you, and you don’t even need to change a single line of application source code. I don’t recommend this as the right way to solve the problem, but it is an alternative if all else fails. The latest versions of Oracle actually have some pretty sophisticated mechanisms for compartmentalizing data in the database.
The good news is that it’s only currently a proposal, but the bad news is that, due to the Whiners of the world, the proposal is likely to be accepted by MasterCard and Visa. If MasterCard and Visa accept it, they’re really going to loose a lot of points with people, because it proves that they really aren’t as serious about security as they should be, and that with enough pressure, they’ll revisit security controls which some find “inconvenient” or “difficult to implement”. Given the number of people in IT and especially management who actually understand security is quite low, this is a slippery slope to start down.
How many times have you been in a conversation with otherwise educated, sensible people and you hear something along the lines of “In this pacific case, I think we should…” You wince internally and just figure they made a mistake because they’re in a hurry, or they’re trying to make a point and their mouth got ahead of their brain or whatever–generally giving them the benefit of the doubt. However, it seems that this often isn’t a one-time occurrence. Funnily enough, none of the 6 entries on dictionary.com for pacific seem to mention that it’s an appropriate replacement for specific.
Another one of these sorts of language abuses that I have heard more than once recently when a number of things need to be considered before one is decided goes like this: “We need to make sure this gets trashed out before we have the next meeting.” Normally, one would use thrashed in this situation, but it occurs more often than you might imagine.
When I started this post this morning, I didn’t have an example which backed up what I’m saying, but, thanks to Slashdot, this timely article from the New York Times about appalling writing skills in corporate America seems to fit the bill. As one Slashdot reader pointed out, the examples are pretty bad. I would be lying to say that I never make mistakes, or that I didn’t get my tongue tied in knots occasionally, but stuff like “there” instead of “they’re” is just basic English everyone should’ve learned in grade school. Makes me think back to how the CS students groaned about the campus-wide initiative to require a minimum amount of writing in all classes. Methinks it was not stressed enough. 
I only hope that the amount of writing required for students at UMR has increased rather than decreased. No matter how intelligent you are, if you can’t communicate orally or in written form, people will think you’re an idiot–even if you aren’t.
Simley is courtesy of the Gaim project and is Copyright © 1998-2004 by the Gaim team.
