01 December 2014

60 Seconds

That appears to be how much time and effort went into last night's "60 Minutes" piece on consumer credit card and ATM and such hacking. If you accepted the statements made, then you believe:
1) retailers and banks are doing everything humanly possible
2) Eastern European hackers are the Smartest Computer Folks in the World
3) breaches can't be stopped
4) Corps. should buy the services of that "security expert"

Here's what we actually know (and the "60 Minutes" reporter[s] would have if they did any reporting):
1) the POS breaches are due to antique versions of Windoze that Corps don't want to spend money to upgrade
2) Corps. routinely don't isolate valuable and vulnerable customer nets from the rest
3) hackers are using time honored methods to breach old versions of Windoze
4) banks are replacing OS/2 run ATMs, which are nearly bulletproof, with Windoze rather than secure certified *nix
I want to be clear with my point of view here. I think that migrating from OS/2 to Windows is the most stupid thing that can be done to an ATM Machine.

So, as with the coders who refuse to upgrade their skills to Organic Normal Form™ schemas, Corps. continue to run vulnerable systems for customer data just because it's seen as too expensive in time and money "to do the right thing". [Aside: if banks ran ATM networks as described by Allen Holub in "The Bank of Allen" series, none of these problems would occur, of course.] IOW, once again, the problem isn't tech it's politics. The restitution, if any, is a slap on the wrist. Just a cost of doing business. The restitution and fines for allowing breaches can be written off, so the taxpayer picks up most of the cost. The upgrades can still be put off. The CxO types still get their fat bonuses for saving on IT spend by not taking security seriously.

No comments: