Enough is enough...

 
 
John Hyde
09-27-2005
on 9/24/2005 4:46 PM Hairy One Kenobi said the following:
> "Bit Twister" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>On Sat, 24 Sep 2005 18:10:45 -0400, Imhotep wrote:
>>
>>>Today, I read a story about a company that lost customer information. They
>>>were sued, as they should have been for violating the California Disclosure
>>>Law. The feeble minded incompetent judge, San Francisco Superior Court
>>>Judge Richard Kramer, denied the law suit because he did not see an
>>>emergency or threat of irreparable injury.
>>>
>>>Hum...so, I guess you can only sue in his courtroom when there is a death?
>>
>>Saw that article. I wish all of his creditcard/personal information
>>would be posted to the internet so he may have the experience of
>>identity theft.
>
> The judge appears to be acting as a complete arse, *but* that's with me not
> knowing the exact wording of the law that was referred to ("immediate threat
> of irreparable damage" may be a technical phrase)
>


The phrase "immediate threat of irreparable damage" is indeed a term of
art. The lawsuit alleges that the credit card company is required to
follow the California law, then asks for an order that would require the
company to do so with respect to the compromised accounts (an
"Injunction") and then asks for a _preliminary_ injunction requiring the
company to do so without having the opportunity to defend the case at
trial. More on the term of art in a moment.

This is an example of a "positive" injunction (other names may apply)
rather than a negative injunction. Negative injunctions are more easily
understood, as they prohibit conduct by the defendant, rather than
requiring conduct. For example, suppose my neighbor is dumping
hazardous waste on my property, I may ask for an injunction requiring
them to stop. However, it is going to take, maybe, three years for the
case to go to trial. So I ask for a preliminary injunction, pending
trial, to prevent further dumping while we wait to find out if the
neighbor has the right to dump or not. Notice that at this stage of the
case, the defendant has not had a right to have their case heard.
Because the court is being asked to act without waiting for trial, the
court will only do so if there is an "immediate threat of irreparable damage"
if there is no injunction.

It appears that this is what is going on in the credit card case. The
court has *not* ruled who wins or loses the case. What the judge says
is that the plaintiff failed to demonstrate that the cardholders are at
risk if they do not get notification, pre trial. The judge has to apply
a balancing test: The risk and extent of harm vs. the cost to the
defendant and the effect on the case. In discussing this balance,
another article reported:

========== Block Quote ==========

If individual notices were sent, more customers might request a
replacement card -- something that could be expensive for the industry.
Each replacement account costs about $35.

Visa and MasterCard have maintained there is little financial risk to
even the most vulnerable accountholders because of their "zero
liability" policies that reverse all fraudulent charges.

What's more, the chances of identity theft are minimal, Visa and
MasterCard said, because Social Security numbers and home addresses
weren't taken in the CardSystems breach. The theft involved customer
names, account numbers and security codes, providing the tools for
criminals to make bogus credit and debit cards.

In his oral ruling, Kramer criticized the consumer lawsuit for being
too vague.

"We have a complex case with complex legal questions that got wrapped
into a ball and rolled in here," Kramer said. "It's just not presented
in a way that a court can rationally deal with at this time."

=========== End Quote ===========

Take note of the quote of the judge. In particular ". . . at this time."
The case ain't over yet folks.

The full article is here:
http://www.businessweek.com/ap/tech/...h_down&chan=tc

If you're interested, here is a link to the "Complaint" in the case:
http://www.techfirm.com/cardsystems.pdf


(Note to any other students of the law: Yes, I know this is not the
entire standard for preliminary injunction. But it is the only part
under discussion.)

Cheers,
JH
 
Imhotep
09-27-2005
John Hyde wrote:

> on 9/24/2005 4:46 PM Hairy One Kenobi said the following:
>> "Bit Twister" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>>On Sat, 24 Sep 2005 18:10:45 -0400, Imhotep wrote:
>>>
>>>>Today, I read a story about a company that lost customer information. They
>>>>were sued, as they should have been for violating the California Disclosure
>>>>Law. The feeble minded incompetent judge, San Francisco Superior Court
>>>>Judge Richard Kramer, denied the law suit because he did not see an
>>>>emergency or threat of irreparable injury.
>>>>
>>>>Hum...so, I guess you can only sue in his courtroom when there is a death?
>>>
>>>Saw that article. I wish all of his creditcard/personal information
>>>would be posted to the internet so he may have the experience of
>>>identity theft.
>>
>> The judge appears to be acting as a complete arse, *but* that's with me
>> not knowing the exact wording of the law that was referred to ("immediate
>> threat of irreparable damage" may be a technical phrase)
>>
>
> The phrase "immediate threat of irreparable damage" is indeed a term of
> art. The lawsuit alleges that the credit card company is required to
> follow the California law, then asks for an order that would require the
> company to do so with respect to the compromised accounts (an
> "Injunction") and then asks for a _preliminary_ injunction requiring the
> company to do so without having the opportunity to defend the case at
> trial. More on the term of art in a moment.
>
> This is an example of a "positive" injunction (other names may apply)
> rather than a negative injunction. Negative injunctions are more easily
> understood, as they prohibit conduct by the defendant, rather than
> requiring conduct. For example, suppose my neighbor is dumping
> hazardous waste on my property, I may ask for an injunction requiring
> them to stop. However, it is going to take, maybe, three years for the
> case to go to trial. So I ask for a preliminary injunction, pending
> trial, to prevent further dumping while we wait to find out if the
> neighbor has the right to dump or not. Notice that at this stage of the
> case, the defendant has not had a right to have their case heard.
> Because the court is being asked to act without waiting for trial, the
> court will only do so if there is an "immediate threat of irreparable damage"
> if there is no injunction.
>
> It appears that this is what is going on in the credit card case. The
> court has *not* ruled who wins or loses the case. What the judge says
> is that the plaintiff failed to demonstrate that the cardholders are at
> risk if they do not get notification, pre trial. The judge has to apply
> a balancing test: The risk and extent of harm vs. the cost to the
> defendant and the effect on the case. In discussing this balance,
> another article reported:
>
> ========== Block Quote ==========
>
> If individual notices were sent, more customers might request a
> replacement card -- something that could be expensive for the industry.
> Each replacement account costs about $35.
>
> Visa and MasterCard have maintained there is little financial risk to
> even the most vulnerable accountholders because of their "zero
> liability" policies that reverse all fraudulent charges.
>
> What's more, the chances of identity theft are minimal, Visa and
> MasterCard said, because Social Security numbers and home addresses
> weren't taken in the CardSystems breach. The theft involved customer
> names, account numbers and security codes, providing the tools for
> criminals to make bogus credit and debit cards.
>
> In his oral ruling, Kramer criticized the consumer lawsuit for being
> too vague.
>
> "We have a complex case with complex legal questions that got wrapped
> into a ball and rolled in here," Kramer said. "It's just not presented
> in a way that a court can rationally deal with at this time."
>
> =========== End Quote ===========
>
> Take note of the quote of the judge. In particular ". . . at this time."
> The case ain't over yet folks.
>
> The full article is here:
> http://www.businessweek.com/ap/tech/...h_down&chan=tc
>
> If you're interested, here is a link to the "Complaint" in the case:
> http://www.techfirm.com/cardsystems.pdf
>
>
> (Note to any other students of the law: Yes, I know this is not the
> entire standard for preliminary injunction. But it is the only part
> under discussion.)
>
> Cheers,
> JH



Wow! Thanks for taking the time to write about this. My main concern is
this. I work in computer security and companies (American anyway) have
always "swept" security breaches under the rug. Even when they come "clean"
they are only admitting some but not the full extent. It is unfortunate
that companies have taken this stance but they were allowed to for so long
that it is almost second nature. Again, my concern here is the very real
concern that this company did not totally disclose the full extent of the
breach....

Clearly, there needs to be laws constructed where companies are forced to
give full disclosure or be heavily penalized.

P.S. It sounds like you are in the legal profession. If you hear more about
this case, please post. I am very interested in the outcome.

Anyway, thanks again.

Im
 
Hairy One Kenobi
09-27-2005
"John Hyde" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> on 9/24/2005 4:46 PM Hairy One Kenobi said the following:
> > "Bit Twister" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...

<snip>

> > The judge appears to be acting as a complete arse, *but* that's with me not
> > knowing the exact wording of the law that was referred to ("immediate threat
> > of irreparable damage" may be a technical phrase)
> >
>
> The phrase "immediate threat of irreparable damage" is indeed a term of
> art. The lawsuit alleges that the credit card company is required to
> follow the California law, then asks for an order that would require the
> company to do so with respect to the compromised accounts (an
> "Injunction") and then asks for a _preliminary_ injunction requiring the
> company to do so without having the opportunity to defend the case at
> trial. More on the term of art in a moment.


<snip>

Thanks, John - very informative for someone not used to US terminology!

H1K


 
Hairy One Kenobi
09-27-2005
"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

<snip>

> My main concern is
> this. I work in computer security and companies (American anyway) have
> always "swept" security breaches under the rug.


Uh huh. While not very useful to the security profession, it's often a
useful way to stay in business, paying peoples' wages. Not that CERT-style
disclosure-after-it's-fixed isn't a very good policy - it depends upon the
target market.

> Even when they come "clean"
> they are only admitting some but not the full extent.


I'd /love/ a specific cite on that.

> It is unfortunate
> that companies have taken this stance but they were allowed to for so long
> that it is almost second nature. Again, my concern here is the very real
> concern that this company did not totally disclose the full extent of the
> breach....
>
> Clearly, there needs to be laws constructed where companies are forced to
> give full disclosure or be heavily penalized.


Out of interest, why the "very real" concern?

Such a sweeping statement requires an example.

OK, so there's this London-based company supplying news and fundamental
company data; it's bought by a much larger news agency back in the eighties.

At the time, they provided news services to custom DOS clients (Windows 2
was too unstable). These used a client modem to dial-up to a series of modem
banks at the main switching centre near Old Street, just north of the City.

Security was pretty good - too many failed logins caused that particular
modem (and phone number) to be suspended. And alerted the 24x7 operations
staff (in the case of one particular Kiwi, usually to be found asleep under
his desk).

If another modem in the same bank experienced a similar problem, the entire
bank (and the link to that particular London telephone exchange) was
automatically shut down, and the System Manager automatically paged.

Sounds secure, huh? Well, it wasn't secure enough - some idiot forgot to
resuspend the FIELD account after a bit of PM on one of the VAXen. Someone
got in before it was automatically resuspended (given that it wasn't a
standard password being used, you can draw your own conclusions as to how he
did it).

Ops and SysMan watched his every move (as I'm sure you're aware, that's very
easy to do on a VAX) while the police traced the call. He was unable to do
any harm - finger poised over split VT340 screen if he so much as tried to
break out of his limited-function shell - and received a knock on his door
from the Met for his troubles (not the DEC engineer, I hasten to add).

Company policy meant that this site was forever considered to be vulnerable.

The result was that staff at the building were forever forbidden from having
a pass that let them into the main development centre down the road (I had
to sign-in as a visitor just to see my boss..).

Another result was that - despite the fact that the main data links went
through that very building, and could be cut by flipping a circuit breaker -
staff working there were forbidden from accessing any production or test
machine, under any circumstances (generally a good rule, until you hit that
inevitable System Down or DR hiccough).

Ironically, the actual response and security levels were deemed to be fine -
although Ops were transferred to the company's main centre in Docklands
(where they lost the expertise of /our/ Ops and generally annoyed customers
with slow, if methodical, responses to problems).

So, let's see. The benefits of disclosure were.. more difficult working
practices for staff, reduced skill spotting emerging problems, and worsened
customer response.

In some respects, this is probably a bad example - given that it was a
simple read-only service, customers wouldn't actually have given a hoot. Billing
was handled separately.

OTOH, the main company would have had the underpinnings of its nineties
strategy kicked from under it - what customer is going to be discriminating
enough to tell the difference between an isolated dial-up service hosted by
a subsidiary, and a direct IP link to a (wholly separate) worldwide network?
Result: millions flushed down the loo, and hundreds of techies laid-off.

(As it happens, that ever-so-slightly dodgy policy of connecting a series of
Extranets without firewalls *did* lead to a breach in Hong Kong, about 8
years later. Inside job, and widely reported)

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
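The tiered lockout the post above describes (one modem and its number suspended after repeated failed logins with ops alerted, then the whole bank shut down and the System Manager paged when a second modem in the same bank trips) can be modelled as a small piece of detection logic. This is an added example, not code from the original post or from the system it describes; the event format, the thresholds, the modem/bank layout and the reset-on-success rule are all assumptions constructed here.

```python
"""Tiered lockout simulation: per-modem suspension escalating to a
bank-wide shutdown. Thresholds, event format and the modem/bank layout
are constructed for this example and are not taken from the post."""
from collections import defaultdict
from dataclasses import dataclass, field

FAILS_PER_MODEM = 3   # failed logins before one modem is suspended (assumed)
TRIPS_PER_BANK = 2    # suspended modems before the whole bank is shut (assumed)


@dataclass
class LockoutState:
    fails: dict = field(default_factory=lambda: defaultdict(int))
    suspended_modems: set = field(default_factory=set)
    tripped_banks: dict = field(default_factory=lambda: defaultdict(set))
    shut_banks: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def process(events, modem_bank):
    """events: iterable of (modem, outcome), outcome is 'ok' or 'fail'.
    modem_bank: mapping modem -> bank id. Returns the final LockoutState."""
    st = LockoutState()
    for modem, outcome in events:
        bank = modem_bank[modem]
        # Anything arriving on a suspended line or a shut bank is dropped.
        if bank in st.shut_banks or modem in st.suspended_modems:
            st.alerts.append(f"DROP {modem}: line suspended")
            continue
        if outcome == "ok":
            st.fails[modem] = 0   # a good login resets the counter (assumed)
            continue
        st.fails[modem] += 1
        if st.fails[modem] < FAILS_PER_MODEM:
            continue
        # Tier 1: suspend this modem (and its number), alert 24x7 ops.
        st.suspended_modems.add(modem)
        st.alerts.append(f"OPS {modem}: suspended after {st.fails[modem]} failures")
        st.tripped_banks[bank].add(modem)
        # Tier 2: a second modem in the same bank -> shut the bank, page SysMan.
        if len(st.tripped_banks[bank]) >= TRIPS_PER_BANK and bank not in st.shut_banks:
            st.shut_banks.add(bank)
            st.alerts.append(f"PAGE SYSMAN: bank {bank} shut down")
    return st


# Constructed sample: two banks of two modems each.
MODEM_BANK = {"m1": "A", "m2": "A", "m3": "B", "m4": "B"}
SAMPLE = [("m1", "fail"), ("m1", "fail"), ("m1", "fail"),   # m1 suspended
          ("m3", "fail"), ("m3", "ok"),                      # reset on success
          ("m2", "fail"), ("m2", "fail"), ("m2", "fail"),   # bank A shut down
          ("m1", "fail"),                                    # dropped: suspended
          ("m4", "fail"), ("m4", "fail")]                    # below threshold

if __name__ == "__main__":
    for line in process(SAMPLE, MODEM_BANK).alerts:
        print(line)
```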


 
John Hyde
09-28-2005
on 9/27/2005 2:42 AM Hairy One Kenobi said the following:
> "John Hyde" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>on 9/24/2005 4:46 PM Hairy One Kenobi said the following:
>>
>>>"Bit Twister" <(E-Mail Removed)> wrote in message
>>>news:(E-Mail Removed)...
>
> <snip>
>
>>>The judge appears to be acting as a complete arse, *but* that's with me not
>>>knowing the exact wording of the law that was referred to ("immediate threat
>>>of irreparable damage" may be a technical phrase)
>>>
>>
>>The phrase "immediate threat of irreparable damage" is indeed a term of
>>art. The lawsuit alleges that the credit card company is required to
>>follow the California law, then asks for an order that would require the
>>company to do so with respect to the compromised accounts (an
>>"Injunction") and then asks for a _preliminary_ injunction requiring the
>>company to do so without having the opportunity to defend the case at
>>trial. More on the term of art in a moment.
>
> <snip>
>
> Thanks, John - very informative for someone not used to US terminology!
>
> H1K
>
>

What makes you think that??? Not that it matters much, but I do work in
the U.S. Whatever imperfections there are in my use of terminology are
because this type of case is not in my usual purview, not geographical.

Cheers
JH
 
Hairy One Kenobi
09-28-2005
"John Hyde" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> on 9/27/2005 2:42 AM Hairy One Kenobi said the following:


<snip>

> > Thanks, John - very informative for someone not used to US terminology!


> What makes you think that??? Not that it matters much, but I do work in
> the U.S. Whatever imperfections there are in my use of terminology are
> because this type of case is not in my usual purview, not geographical.


Sorry, John - my bad! I meant that *I* am not used to US terminology!

<Tenders humble apology>

Didn't stop to think that my response could be read two ways... (

H1K


 
John Hyde
09-28-2005
on 9/28/2005 2:47 AM Hairy One Kenobi said the following:
> "John Hyde" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>on 9/27/2005 2:42 AM Hairy One Kenobi said the following:
>
> <snip>
>
>>>Thanks, John - very informative for someone not used to US terminology!
>
>>What makes you think that??? Not that it matters much, but I do work in
>>the U.S. Whatever imperfections there are in my use of terminology are
>>because this type of case is not in my usual purview, not geographical.
>
> Sorry, John - my bad! I meant that *I* am not used to US terminology!
>
> <Tenders humble apology>


Oh, no problem. I wasn't offended at all, I just thought you had deduced
a location (as is often done in this NG) and wondered how you'd done it
and been wrong.


>
> Didn't stop to think that my response could be read two ways... (
>
> H1K
>
>

Neither did I apparently! One thing about the legal field is that we
often have witnesses who see the same thing and reach a different
"Truth". Easy to see how that can happen.

Ok, probably time to get back on topic . . .

JH
 