Cost of a Breach: $6, not $187?

So TJX recently announced a $118m set-aside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I were, I’d say $2.62, not $3), but it seems to me that the set-aside is less than $3 per record. That doesn’t line up with the $187 per record that’s going around. In fact, it’s off by a factor of 60. Even if I’m not good at math, I can see that.

So to every journalist who’s quoted $187, I ask: what’s up with that discrepancy?

[Update: Apparently, the cost was $196M before taxes, and a commenter linked to a Boston Globe article arguing costs could reach $1B. I’ve updated the title to $6 (it was $3), but even at $1B, that’s roughly $21 per record, not $187. Which is “only” off by a factor of 6, not 60.]

[Update2: Thurston has comments in “Why TJX and Ponemon disagree.”]

Examining Wikipedia Anonymous Edits

It’s recently been amusing to look at where Wikipedia’s anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources.

I am most amused by this selfless edit which came from IP address, which translates to

I can only think that had the BBC person in question made an attributed edit instead of an anonymous edit, it would have been considered as coming from an authoritative source.

Breach outliers: $118m charge for TJX

The Associated Press reports that “TJX profit plunges on costs from massive data breach:”

FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data breach was to cover costs this past quarter. The rest is a reserve to cover future expenses from lawsuits, investigations, and other items.

Previous costs were either “$25 million” (Boston Globe, May 16, 2007) or “$17 million” (Security Focus, May 21, 2007). The Globe reports on a previous $5m charge, but there’s a $3m discrepancy that I can’t account for.

Doubtless, an army of consultants will be out there trumpeting the top line number, and not explaining that most of it is a reserve, to make future earnings more predictable. Also, plugging the $37 million into the “buy our product” ROI calculators results in a far less ‘compelling’ pitch.

(Via Pogo Was Right.)

Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. Prevent the random, the funny, the disrespectful. The powerful have always hated having fun poked at them by the anonymous. They forget that anonymity acts as an important social valve, allowing people to share ideas without retribution.

John Mackey took a different approach. He didn’t blog, but engaged in conversation on a message board about his company.

I think it’s a good thing to be able to hear from CEOs shedding their spin, from journalists freed of their need for access, and everyone else who wants to put forth their own words to stand or disappear on their own strength.

Fake Steve is a little less interesting since the unveiling. The posts about immortality were a nice touch, but, I thought, over-wrought.

I can’t conceive of a better use for anonymity

There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:”

Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such “fertility tourism” a further boost. It may even compound the problem that it purports to solve and encourage parents to reveal still less.

British House of Lords gets it

From a report published August 10 by the House of Lords select committee on science and technology:

5.55. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.

5.56. We recommend that a data security breach notification law should incorporate the following key elements:

  • Workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for the accessibility of that data;
  • A mandatory and uniform central reporting
  • Clear rules on form and content of notification letters, which must state clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it.

One of the members of this committee, Lord Toby Harris, delivered a keynote at the most recent FIRST conference. His presentation (PDF) foreshadowed this report somewhat, and put me in a great mood. I am eager to read this report and the supporting evidence.
Tip of the hat to Light Blue Touchpaper, who have much more on this report (the scope of which is broader than just data breaches).

ChoicePoint’s data quality

In a comment, Tom Lyons asked:

I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provided to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice

I don’t know Mr. Lyons, but I can’t imagine anyone would object to “more informed, more timely decisions that positively impact society.” Feel free to get in touch with him.

I love the emergent chaos of breach analysis

[Updated: see below]

Over at Storefront backtalk, Evan Schuman writes “TJX Kiosk Rumors Re-Emerge:”

Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged.

Could both be true? It’s unlikely, as both entry attempts were reportedly successful, raising the question of why the second was attempted. Could TJX have actually been the victim of two simultaneous and unrelated attacks, one using wireless and the other a jobs kiosk that was not firewall-protected?

I didn’t recognize Evan Schuman’s name; he’s a reporter who’s been around for quite a while. Most of his writing [on that blog] is about the retail space. However, he’s been following the TJX story closely, and here he offers up a new theory of what went wrong, one that I hadn’t seen before.

This is happening because data is being let out of its planters (none of them are big enough to be called walled gardens) and into the light. Strange stuff emerges. New analysis comes from folks who aren’t the usual suspects, and haven’t been given privileged access to the facts.

Image: “Red and Orange Hands” by pliene.

Pseudonyms in the News: Fake Steve Jobs Outed

Allegedly Brad Stone

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it’s all good that his employer was so delighted that FSJ is going to be hosted by them, now, but — Geez. Have you no sense of decent fun?

The next thing you know, someone’s going to out the guy who plays Stephen Colbert.

The only good thing to come out of this is that the BBC has come out with the article, “How to mastermind a fake blog” and it is a very good thing.

Photo is the first person you get when you do a Google image search for “Brad Stone New York Times.” Hah.

Obscenities in Passwords


El Reg reports that “Pipex invites customer to get ‘c**ted’” in which the generated passwords that the Pipex system suggested contained a rude word. A screenshot is available on the Register article.

There is, however, a second obscenity here that is far more subtle.

That obscenity is in the password selection advice and suggestions. The advice is:

We highly recommend you include at least one of each of the following to make your password more secure:

  • A capital letter
  • A lowercase letter
  • A number

In case you’re having trouble thinking of a new password, here are three that might be suitable.

Of course there’s the amusement factor of the rude one being described as “might be suitable.” I will note that ages ago when the world was young, some operating systems allowed vetting of generated passwords to avoid precisely this issue.

But that brings us to the two obscenities in the three suggested passwords. As you, Clever Reader, have no doubt already noticed, all three of the suggestions are eight-character passwords that are a capital letter followed by six lowercase letters followed by a digit.

Naïvely, they thought that this would be more secure than just lower case. However, there are 80,318,101,760 total passwords using their scheme, and 208,827,064,576 total passwords if you just use lowercase. The latter number is 2.6 times as many passwords.

In case you’re bored with math, eight lowercase letters give 26^8 total possibilities. In Pipex’s scheme, you trade the 26 lowercase possibilities in the first character for 26 uppercase possibilities, so there’s no actual improvement there. Combine this with replacing the 26 lowercase possibilities in the last character with 10 digit possibilities, and you have 26^7 * 10. Dividing the two, a lot of 26s cancel, leaving you with a ratio of 26/10, or 2.6. (If you are not only bored with math but bored with people explaining math, skip this paragraph.)
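As an added worked example (not from the original post), this Python computes the two keyspaces the paragraph above walks through, and goes one step further: it also counts the passwords that satisfy “at least one of each” with the classes in any position, which is what the advice literally permits, versus the fixed “capital, six lowercase, digit” shape that the generator (and most people) collapse it to. The class codes and function names are this example’s own.

```python
from itertools import combinations
from math import log2, prod

# ASCII character-class sizes: U = uppercase, l = lowercase, d = digit.
# (Codes and names are this example's own, not Pipex's.)
CLASS_SIZE = {"U": 26, "l": 26, "d": 10}

def keyspace(pattern: str) -> int:
    """Passwords matching a fixed per-position pattern such as "Ulllllld".

    Each position's class is fixed, so the count is the product of the
    class sizes. This is the shape all three Pipex suggestions share.
    """
    return prod(CLASS_SIZE[c] for c in pattern)

def bits(count: int) -> float:
    """Entropy in bits of a password drawn uniformly from `count` choices."""
    return log2(count)

def at_least_one_each(length: int, classes=("U", "l", "d")) -> int:
    """Strings of `length` over the union of `classes` that contain at least
    one character from every class, in any order (inclusion-exclusion).

    This is what "include at least one of each" permits when the positions
    are not predictable; compare it with keyspace("Ulllllld").
    """
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            remaining = sum(CLASS_SIZE[c] for c in classes if c not in excluded)
            total += (-1) ** k * remaining ** length
    return total

def ratio(pattern_a: str, pattern_b: str) -> float:
    """keyspace(b) / keyspace(a); greater than 1 means b is the larger space."""
    return keyspace(pattern_b) / keyspace(pattern_a)

if __name__ == "__main__":
    pipex, lower = "Ulllllld", "llllllll"
    for name, n in [("Pipex shape", keyspace(pipex)),
                    ("all lowercase", keyspace(lower)),
                    ("one of each, any position", at_least_one_each(8))]:
        print(f"{name:<26}{n:>20,}  ({bits(n):5.1f} bits)")
    print(f"all-lowercase / Pipex shape ratio: {ratio(pipex, lower):.1f}")
```

The third number shows that the rule is not inherently bad; it is the predictable placement of the capital and the digit that throws the benefit away.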

Here, then, is the second obscenity. Pipex customers are less secure for taking Pipex’s advice.

This is also the problem with trying to increase the number of characters people use in a password. If you tell them to use a capital letter, they will capitalize the first one. If you tell them to use a digit, it will usually be the last character and usually be a 1. If it’s not a 1, it’ll be (ooo, this is so cool) “4u” or equivalent.

In short, when you convince people that using their dog’s name is a bad idea, at best they move from “fluffy” to “Fluffy14me”.

Photo “#26 Power street” by jnoc.

Welcome iouhgijudgviujs, please log in!


Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you.

I also know that there are people I respect who disagree with this harsh opinion. I believe that the ultimate decider of who is right on this depends on whether an effective OpenID exploit gets created, either in vitro or in vivo, and how well the OpenID people can fix it. My money is on the exploiters, but that’s what makes horse races fun, as Twain put it.

At Black Hat last week, Eugene and Vlad Tsyrklevich gave a talk on OpenID security, and I just nodded as they outlined mechanism after mechanism to show how OpenID can be hijacked, MiTMed, spoofed and so on. They had short examples to show the HTML for how to do all the things that Laurie has described in words.

But then they summed up with saying that they like OpenID, they think it’s kinda cool, and despite its flaws, it gives people a single sign on system that is good for — I don’t know, giving criminals a way to ruin your reputation on LiveJournal, eBay, and your employer all at the same time. I can’t adequately relate it, because I just blinked a lot.

There’s an old joke that exists only as a punch line: “But other than that, Mrs Lincoln, how was the play?” It’s as if they summed up their presentation with, “Well, Booth’s bit of performance art was over-dramatic with all that shouting Latin, but the characterization of the American Cousin was quite touching, and I thought the acting up to Ford’s usual high standards.”

I went up to talk to the speakers, hoping I could be more eloquent than “WTF?!” As I waited, I heard someone say that he just didn’t get it at all, because he’s been using the username/password saving and forms-filling in Firefox. He said that he likes it because now he picks web site names and passwords by just running his hand over the keyboard randomly. He added something like, “I know all of the problems with what I’m doing, but at least they are all on my machine.” Inevitably, several people pointed out that the Mac has had that for years.

There then seemed to be a murmured assent that handling the problem locally may be a better solution.

I’m fascinated by the possibility that identity management might be headed the way of “push.” I also wonder that while making fun of Microsoft cloning things is a sport rivaled only by grousing about Apple’s disdain for battery compartments, this would be a case where it’s called for. Out with InfoCardSpace, in with KeyChain.

Photo “Trunk ‘n Branches” by slightly-less-random.

Obligation to Secure


Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.”

A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches.

This is important because there have also been some stupid cases where someone has been prosecuted for “unauthorized” access to wireless networks and this provides clarity, too. If you didn’t secure your network, and my laptop finds it, it’s your problem, not mine.

However, I also agree that if I am told that a network isn’t free, even if it’s open, I shouldn’t use it. (That case was one in which someone used a café’s wireless network repeatedly after being told that it’s for customers.) I think of it as the difference between a fence and a no-trespassing sign. (I was once in a hotel and saw the SSID “STAY THE HECK OFF MY NETWORK” — except that it didn’t say “heck,” it used a different first two letters. It was clear that proceeding further would in fact be digital trespass.)

Read the article, and, if you are so inclined, the larger law report.

Photo “Unlocked door” by coveman.

German Biometric Trials

The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in Wiesbaden. Given the present state of the technology the system was unfit to be deployed, the Office concluded.

“Mixed reactions to the facial-features recognition technology project of the BKA” at Heise online.