Category Archives: Security

Privacy and Cyberwar in India

I enjoyed reading a recent article in the Sydney Morning Herald called New victim in India-Pakistan ‘cyberwar’.

The title does not really fit the body of the text. Here is a complete smack-down of the threat of cyberwar, for example:

“They hack through any number of sites every year. It’s just a bunch of kids who have got nothing better to do,” said Sahni, the executive director of the Institute for Conflict Management in New Delhi.

“The more serious threat is not this kind of childish prank but Pakistan’s use of net-based communication for actual terrorist operations,” he told AFP.

There is no juicy anecdote or data given at this point, just a reference to an old incident with India’s Oil and Natural Gas website. Actual terrorist operations sound serious, but evidence of any such threat is missing. This is important to keep in mind when the article next turns to a self-described “evangelist” who dismisses the threat entirely:

Indians place little or no value on the kind of data individuals and organisations in many countries prefer to keep confidential, like passport and bank account details or work contracts, he said.

“Privacy is a concept not rooted in India culture. I don’t think we can change that and I don’t think it’s going to change in my lifetime,” said Mukhi.

“The government doesn’t care” about protecting information online, he said. “Corporates for some reason just don’t want to spend the money. They don’t think it happens often…. Web security is a low priority.”

Thus the story boils down to a group in Pakistan issuing threats and warning how intent they are on starting a cyberwar with India by defacing websites, while India does not seem to put a high value on protecting their sites from defacement. It comes across like a fairy-tale wolf saying “I’ll huff and I’ll puff” as the pigs say “nothing like a good breeze to stay cool”.

Increased Crashes with Red Light Cameras

I think it is safe to say these results from Austin, Texas’ new red light traffic cameras are not what anyone expected:

At seven of those intersections, the number of accidents has dropped. But at two intersections, authorities have actually seen a significant increase in crashes.

The intersection of MLK and I-35 has seen a 33 percent jump in the last year. The intersection of 15th Street and I-35 has had a 64 percent increase in crashes in nearly two years.

The report does not give details on the kinds of crashes.

Then again, maybe someone saw this coming. A 2005 report in Virginia says a risk trade-off has to be considered because the cameras cause new types of accidents.

Further the data show that the cameras are correlated with…an increase in total injury crashes. More time is needed to determine whether the severity of the eliminated red light running crashes was greater than that of the induced rear-end crashes.

That being said, the cameras are not the only control factor. Some might say they serve detection as much as or more than prevention. A 2004 Texas study argued that increasing the yellow-light interval by a second is what will reduce overall crash numbers.

Heartland Breached Again?

Austin, Texas local news reports the police department has named Heartland in a payment card breach at Tino’s Greek Cafe.

“Through our investigation and through the investigation of the credit card companies, we’ve determined the compromise was not at the restaurant itself. It was somewhere in the network,” APD Sgt. Matthew Greer said. APD said a computer hack at Heartland Payment Systems, where the payments were processed, is a possible source of the problem.

Possible source. Not very encouraging. This has left the door open for Heartland to register disbelief and uncertainty.

“Recent reports of data theft at one Austin-area merchant clearly point to a localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud,” Heartland Payment Systems said in a statement.

So this time (or should I say so far) Heartland has not pointed the finger at auditors and QSAs or other payment card processing companies for leaving them in the dark. Quick flashback: Heartland’s CEO last year gave an odd reason for being breached.

The false [PCI DSS] reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process.

PCI compliance never meant an entity could not be breached. A CEO can say he was misled, or misinformed, but knowing the rules is the CEO’s responsibility, not the QSA’s.

The Heartland CEO is effectively saying that a citizen should rely on a police officer to know the driving laws, and that if the citizen crashes they should be able to litigate against their driving test examiner. That is not how compliance works.

Complicating Heartland’s position is another recent Austin retail payment card breach, which also used them as a processor. Their image in the public eye is not exactly one of security so they should have to prove that a “localized” incident actually removes them from the fix.

As it happens the fix reported in the news makes Heartland appear more involved, not less. The police say the breach came from a weak link between the point-of-sale and the processor. The fix is to stop sending Heartland payment information over the Internet — processing is done over plain old telephone service (POTS) again. An architecture change such as this is usually not due to a localized flaw. Other retailers who connect to Heartland over the Internet might be asking themselves if they should dust off their modems.

One might think that Heartland’s recent efforts with end-to-end encryption would play directly into this issue and they would step up and wave their giant hand over the tiny merchant to make the problem go away. Instead they take a tough negotiation stance that angers the merchant.

Heartland issued a statement denying any involvement in the Tino’s breach, saying the problems, “clearly point to a localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud…the company is unaware of any broader issue.”

“I think that’s very irresponsible of them to issue a statement like that,” said [Tino’s restaurant co-owner] Nouri.

It might not be a broader issue, just a misconfiguration or flaw in communications security, but that still implicates Heartland. They do seem responsible.

When they use words like “unaware” it reminds me of when I presented, in November 2005 at the Retail Security Forum in Chicago, Illinois, a model for end-to-end encryption that would solve the problem described above. It was called “Manage Identities and Keys for the Retail Risk Model”. In fact, it described exactly a solution for what Heartland’s CEO started to discuss publicly three years later (after the Hannaford Brothers breach) and their CIO started talking about four years later.

True end-to-end encryption to us, and what we’re putting forward as the standard, [starts] from the time the digits leave the magstripe on the consumer’s card, and is turned from analogue data into digital data, [and continues] all the way through the terminal, through the wires, through our host processing network until we securely deliver it to the brands. That’s end-to-end encryption.

They do seem aware of the broader issue. Whether or not this breach turns out to be on the point of sale or the network, I hope the APD will be able to push Heartland towards more awareness and accountability and get them to drop the “unaware” defensive line.
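The point of the end-to-end model quoted above is the scope of the encryption: if the track data is encrypted inside the card reader and only the processor’s host can decrypt it, then the point-of-sale system and the Internet link between merchant and processor (the “weak link” the police described) carry only ciphertext, and switching that link from the Internet to a modem stops being a security fix. The following Python script is an added illustration of that idea and is not Heartland’s code or any real payment protocol. It assumes a secret shared between the terminal and the processor host (a constructed value here), uses a standard test card number as constructed sample track data, and stands in a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 as a keystream PRF plus an HMAC tag) for the hardware-backed cipher a real terminal would use.

```python
import hashlib
import hmac
import os

# Constructed sample: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK2 = f"{SAMPLE_PAN}=2512101"  # constructed track-2 style string


def derive_keys(shared_secret: bytes):
    """Split one terminal/processor secret into an encryption key and a MAC key."""
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF; stdlib stand-in for a real AEAD cipher."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def terminal_encrypt(shared_secret: bytes, track: bytes) -> bytes:
    """Runs inside the card reader: the only place the plaintext track ever exists."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(track, _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(shared_secret: bytes, blob: bytes) -> bytes:
    """Runs at the processor's host; rejects anything altered in transit."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def pan_visible(wire_bytes: bytes, pan: str) -> bool:
    """What anyone reading the POS or the merchant-to-processor link could learn."""
    return pan.encode() in wire_bytes


def run_demo() -> dict:
    """Compare a POS that forwards raw track data with one that forwards terminal ciphertext."""
    secret = b"constructed-terminal-to-processor-secret"  # hypothetical shared key
    plain_wire = SAMPLE_TRACK2.encode()  # the 'before' design: POS relays the track as-is
    e2e_wire = terminal_encrypt(secret, plain_wire)  # the end-to-end design
    result = {
        "plain_pan_on_wire": pan_visible(plain_wire, SAMPLE_PAN),
        "e2e_pan_on_wire": pan_visible(e2e_wire, SAMPLE_PAN),
        "e2e_decrypts_at_processor": processor_decrypt(secret, e2e_wire) == plain_wire,
    }
    # Flip one ciphertext bit to show that a modified message is refused, not silently accepted.
    tampered = bytearray(e2e_wire)
    tampered[20] ^= 0x01
    try:
        processor_decrypt(secret, bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noticing is where the keys live: the POS software and the network between merchant and processor never hold the decryption key, so compromising either of them yields ciphertext and nothing else, which is exactly the scope the “from the magstripe to the brands” description claims.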

MyParents on MySpace

This seems like a nice idea: better parents would make kids safer online.

This astonished me. Here I was, only 23 and childless, and I was telling adults how to parent their teen! At that point I realized the awful truth: lots of people just don’t know how to raise their kids.

The same situation holds true for MySpace. The company can hire all the security officers it wants, and it could replace every ad with a flashing banner that says “DO NOT TRUST RANDOM STRANGERS!!!”, and send fliers to every parent in America … and bad things would still happen to kids connected to MySpace. A lot of parents aren’t very good at parenting, and part of being a teenager is saying and doing stupid things (I’m example number one for that particular precept), trying to socialize as much as possible, and worrying at the same time about your hair and your weight and your zits and your clothes.

It is a story from 2006. The MySpace reference might have given it away. Remember how 2006 was full of stories about the need for better parenting and education of parents?

Symantec marketing published a product press release. Politicians in America rattled ideas around on the Hill. Microsoft released a guide in 2006 that was last updated in 2008 (a dead link in 2019, try this instead). You can blame me (at least partially) for the https://security.yahoo.com/ site. The result?

That was then. If the goal was to make parents better, I do not think the mission succeeded. Educating parents about threats and vulnerabilities has not generated a market for better parenting skills and education tools but rather fueled demand for surveillance. That is probably because a lot of the parenting lists include phrases like “supervise and monitor”.

Kids who are growing up today are less likely to benefit from a hypothetical “if only your parents were better” discussion and more likely to face a barrage of parental surveillance controls. In other words, they are being raised not so much to be informed about choices as to accept the presence of perimeters and monitoring controls. I suppose this is not much different from before (e.g. learning to sneak out the bedroom window), but it is interesting to me how the discussion has chilled and changed since 2006; not many progress reports are to be found.