The above quotation is perhaps the best non-technical explanation for the ever-increasing number of highly publicized computer break-ins.
While many commercial websites tout they use "secure servers" to prohibit theft of credit card data, in many instances the security provided is illusory at best.
When traveling over the Internet, the packets of data containing your sensitive information are encrypted so that only your computer and the recipient's computer can read them. The problem is what the receiving site does with your data after it gets there.
Ideally, your information stays scrambled and is transferred to another computer that cannot be directly accessed from the Net.
What recent events show, however, is that in many cases your order is translated from its secure, encrypted form into plain English and is dumped into a database on an Internet accessible machine, where savvy net bandits can grab the data with almost laughable ease.
Imagine the night depository on a bank. You need a key to unlock the slot in order to dump in your money.
Now imagine the deposited funds land in an open cardboard box inside the bank. And that the bank's doors are unlocked and the windows are wide open. And that there are no guards on duty, and the security cameras are aimed only at the safe. That pretty much sums up the situation for many net commerce sites.
Unfortunately, it's impossible to tell whether a site is really secure. Some itty-bitty sites have superb security. Other giant sites might as well print a weekly insert to TV Guide with their customers' credit card numbers.
Many feel the term computer security is an oxymoron, anyway. Any security program can be breached, given enough time, money, intelligence, or persistence.
Consider Serge Humpich, 36, a French computer programmer, who in his spare time over a period of four years developed a counterfeit "smart card" which could fool all of the French banking system's electronic point of sale terminals. This meant, according to an article in The Register, he could pick out all 35 million French PINs (personal identification numbers) used on Visa and other credit cards.
Serge told the banks of the gap in their security, and offered to point out the weaknesses in their systems for a mere £20,000,000, far less than what it would cost to replace all the credit card terminals in France.
Prove it, the banks said. So, using one of his homemade cards, Serge bought ten Paris Metro tickets from a machine that didn't seem to notice it was being duped. He sent the tickets and receipts on to the credit card company as the requested proof of their system's vulnerability.
In response to its friendly little challenge, the credit card company sent 40 policemen to Serge's house, seized all his computer equipment and managed to get him fired from his job. The prosecutor in the case has recommended a two-year suspended sentence and a £5,000 fine, which seems a bit stiff for taking up the banks' invitation to filch some Metro tickets which he returned anyway.
The real question is: how many Serges are out there who keep their mouths shut and quietly funnel funds out of the world's banking systems?
If computer security is, in fact, a shared hallucination of the banking establishment, should you avoid using your credit cards in cyberspace?
No. You probably have far more exposure visiting brick-and-mortar establishments, especially restaurants. Think about it: you routinely hand your card over to Laslo, your waiter, who disappears for a couple minutes before returning. During his absence, he could order 30 copies of Alfred Brendel's Liszt: Hungarian Rhapsodies for his extended family, and you won't know until you get your bill at the end of the month.
Bear in mind you're only liable for $50 worth of unauthorized purchases on your card, and most issuers waive that if you're caught in a publicized wholesale website security breach. Incidentally, getting a new card in the mail from an issuer far in advance of the expiration date is a pretty good indicator someone's security suffered a major hit.
But beware of using your debit card. Different rules apply, and you could be turning over the equivalent of a ream of blank checks to the crooks.
Also, watch out for arrangements where you're offered the "convenience of check by phone"... you give the operator your account number, your bank's transit number and a check number, and the company presents to your bank an electronic draft that gets paid without question.
While there are all sorts of laws limiting the use of the information you provide, remember that you're still talking to a human being at the other end of the phone, that some companies outsource their order entry operations to other companies, and that some of those firms use folks currently enjoying the lush surroundings of some of the country's leading penal institutions.
When I declined an offer to make a check-by-phone payment to a credit card company, the operator huffily told me, "You realize, we are a Fortune 500 company."
To which I responded, "And that's supposed to reassure me?"
Online update: Click here for a chilling example of what can happen when others have your checking account numbers.
---
I'm so confused... Okay, so the entertainment industry, hysterical about the DVD hack which allows the discs to be played back on Linux computer systems, got a federal court judge to issue an injunction forbidding "[p]osting or otherwise disclosing or distributing, on their websites or elsewhere, the DeCSS program, the master keys or algorithms of the Content Scrambling system ("CSS"), or any other information derived from this proprietary information."
Included in the court documents filed by one of the DVD Copy Control Association people in the ongoing battle against those horrible hacker persons who posted the source code to their super-duper encryption program on The Evil Internet is... the source code to their super-duper encryption program. And it's available on the Internet.
If you think about it, filing the source code with the court does make sense, since you'd need the original DeCSS source in order to prove that the hacked copies are indeed copies.
But by making the source available in publicly accessible court records, are the DVD people pretty much giving away what they went to court to protect in the first place?
And does the court order prohibiting disclosing or distributing the code apply to the court's own documents?
This sounds like one of those infinitely self-referential questions Captain Kirk would use to destroy an irritatingly smug super computer system on the original Star Trek series.
Realizing their error, the DVD people asked the judge to seal the documents containing the source code, which he did. But the genie's out of the bottle.
As of this writing, the court document was still available at http://cryptome.org/dvd-hoy-reply.htm
Electronic versions of this newsletter do not have a hypertext link to the URL because some people think providing one would be in violation of the law.
If anything, this case shows how clueless the courts and business are about software. Perhaps Dave Farber, the newly appointed Chief Technologist of the Federal Communications Commission, made the best observation on the case.
In a radio interview, Professor Farber noted "if your security is good enough you can tell everyone about every detail of it and they still can't break your security. In the DVD case, the reason they kept it quiet was because it was very poor technology... it's bad to propagate that on the world, because it just invites people to go in and attempt to break or to break it."
Regarding proposed new software agreements that prevent reverse engineering or even making critical comments about the software, Farber said it results in "bad technology being propagated by just suing the hell" out of people.
---
My Life As A Kiddie Porn Purveyor: "the dot com people®", those friendly folk at Network Solutions, Inc., still list me as the owner of the domain name lo-li-ta.org, a site which originally displayed nude photos of disturbingly young females. See the last KGB Report for details. While the web hosting service pulled the plug on the offending site within hours of my complaint, I've yet to get an official response from Network Solutions despite emails, faxes and letters.
One irony... in its instructions for complaining about falsely registered domain names, the company demands "Evidence of your name and address, such as preprinted corporate or personal stationery, a copy of your driver's license, or a utility bill." Too bad they don't apply the same standards to the initial registration procedure.
I've received scores of emails from folks giving me tips on how to change the dead link to some other less offensive sites, but they're missing the point.
The domain still shows up as being registered to me.
I didn't authorize the acquisition of the domain in the first place.
I don't want a domain named "lo-li-ta" associated with my company, even if it is linked to something as innocuous as the kgb.com web site.
I'm appalled by the fact the site operated for nearly a month until I discovered it.
I'm extraordinarily peeved that Network Solutions has failed to respond to my numerous emails, faxes and letters.
On the plus side, I'm not going to pay their invoice for the domain, which arrived a couple days after the letter from the German fellow who wanted to buy kiddie porn from me. So I know that eventually it will be yanked from their database when the account goes delinquent.
---
The Upgrade of Death... If you're toying with the idea of installing one of those bazillion free America Online Version 5 cd-roms that have infested the planet, restrain yourself. The net is awash with screaming victims of the software, which effectively takes over all net browsing and email functions, wipes out all previous networking configurations and makes it virtually impossible to connect with any other internet service provider, or, for that matter, your business' mail server. And that's if the installation is successful. The Associated Press says AOL 5.0 simply causes many systems to crash and stop functioning. AP quoted a magazine review that reported "AOL can reduce a perfectly good computer system to a paperweight."
---
DOH! TheSimpsons.com, the web site devoted to the long-running Fox animated series, is offering free Internet access and email. The downloadable access software places a navigation bar with ads on your desktop, so surfing does come at a price.
The service is actually run by 1stUp.com, not Homer, so reliability shouldn't be a problem. Why is Fox entering the market? Notes the quasi-evil Mr. Burns on the site's free service promo: "My top men tell me the Internet is going to be big! Daguerreotype big!"
---
Warmer climes... After decades of reading endless snow closing announcements with his partner John Garry, Pittsburgh radio legend Larry O'Brien pulled up stakes and moved south to Hilton Head Island, South Carolina late last year, where he can be found indulging his passion for golf on a daily basis. If you reached Larry's answering machine during the Christmas holidays, you heard a typical O'Brien one-minute comedy routine, ending with, "I think I'm gonna do me some carolin'. Oh Caroline, honey?" Sigh. I still miss those guys in the morning.
---
Dare to be stupid: Confirming what many of us have suspected for a long time, there are a lot of incompetent people out there who not only don't know they're incompetent, but truly believe they're superior to the folks who actually know what they're doing.
In a recent New York Times article, Dr. David A. Dunning had an elegant explanation for the situation: "the skills required for competence often are the same skills necessary to recognize competence." (Emphasis added.) Dr. Dunning's studies also revealed that an individual's appraisal of self-competence is pretty much inversely proportional to his or her intelligence.
That pretty much explains politics, computer security systems and network television programming. Thanks, Doc.
Credits: Thanks to Lou Pilla, Kevin McNeill, David Fitzsimmons and the usual assortment of Those Who Wish To Remain Nameless for their contributions this week.
What's with all the underlines? No, I'm not making an artistic statement. The words and phrases underlined in the newsletter indicate the presence of hypertext links available to those reading the Adobe Portable Document Format or web (HTML) versions of this document on their computers. If you were reading this online and clicked here, for example, your computer would fire up your web browser and display my daughter's web site.
Consider converting your Postal Service delivered print subscription to e-delivery. Drop us a line at kgbreport@kgb.com.
Readers who get KGB Report via US Mail recently received a form enclosed in a pre-stamped return envelope.
If you want to continue receiving KGB Report, just seal the envelope and drop it in the mail. But, if you have the time, please answer the few questions on the form before returning it.
Please note: if your form isn't received by March 1, your subscription will be terminated.
Answer to our previous question: Jan-Michael Vincent, Airwolf's Stringfellow Hawk, also appeared in an episode of NBC's late 60s revival of the hit 50s show Dragnet. The name of the episode (#28 in the series) was "The Grenade". The TVLand synopsis: "Friday and Gannon are called to a theatre to investigate an acid-throwing incident. A teenage suspect, traced to his home, runs away carrying a live grenade. MUST-SEE EPISODE. This one features a memorably tense climax at a teen party". Vincent was the acid victim.
This week's question: Invented by the Emerson Drug Company, this product was marketed from 1957 until 1968, when it was voluntarily withdrawn due to its cyclamate content. Reformulated with NutraSweet, it was reintroduced nationally in 1995. Name the product. Use your lifelines and email your final answer to trivia@kgb.com. For more fun, visit our recommended Trivia Site of the Week: http://www.kcircle.com.
http://driveways.com is the web-based home of Driveways of the Rich and Famous, a public-access cable television show that airs in LA, Manhattan and a few other cable systems. The site contains scores of small photos of... well, driveways of the rich and famous, as well as all sorts of fascinating trivia. For example, Regis and Joy Philbin don't have a garbage disposal. Mary Tyler Moore stiffs delivery people. Bill Gates' house may be worth $60 million, but the driveway gatehouse is incredibly cheap.
Peter Allen (an engineer quoted in the Wall Street Journal): "You can never be too rich, too thin, or have too much bandwidth."
Dave McNeill (Datalogics, Inc.): "Just because I speak English doesn't mean I use every word in the dictionary!"
How Digital Equipment Corp. (now Compaq) would market sushi: "Cold, Wet, Dead Fish."
The KGB Random Quotations Generator has over 4,000 entries and is frequently updated. Visit it online at http://www.kgbreport.com/kgbquote.shtml, and be sure to try the search feature.
Written by Kevin G. Barkes and published by KGB Consulting, Inc., 1512 Annette Avenue, Library, Pennsylvania (USA) 15129-9735-125. email: kgbreport@kgb.com.
Copyright © 2000-2013 by Kevin G. Barkes. All rights reserved. No portion of this publication may be reproduced in any form without the consent of the publisher, except for brief excerpts with full source attribution. So there. Internet web site syndication provided by iSyndicate. This issue's Flesch-Kincaid reading level: grade 11.0
Free subscription information: Subscriptions to electronically distributed versions of KGB Report are available at no cost. For subscriptions in Adobe Portable Document Format (PDF), send requests to pdfsub@kgb.com. For subscriptions in HTML format, send requests to htmlsub@kgb.com.
Printed subscriptions delivered via first class mail are also available. For additional information, send requests to the street address listed above or email mailsub@kgb.com.
Advertising information: Contact 412.854.2550 or email ads@kgb.com.