Enough is enough...

Discussion in 'Computer Security' started by Imhotep, Sep 24, 2005.

  1. Imhotep

    Imhotep Guest

    Today, I read a story about a company that lost customer information. They
    were sued, as they should have been for violating the California Disclosure
    Law. The feeble minded incompetent judge, San Francisco Superior Court
    Judge Richard Kramer, denied the law suit because he did not see an
    emergency or threat of irreparable injury.

Hum...so, I guess you can only sue in his courtroom when there is a death?

Here is the problem I have. If a company holds my data, then they *should*
be held accountable if they can not secure *their* *own* *machines*.
Penalizing the credit card holder is like saying "you're a fool for using a
credit card; you're a fool for trusting corporations". Maybe. How can
companies make billions of dollars on us but not be held accountable for
*their* *own* *screwups*?

To make matters worse, a bad credit rating can prevent you from attaining
some jobs. I worked for the US Gov in a highly secure facility and you
could lose your job, that's right your job, if your credit should become
bad. Their point of view is that you *might* be tempted to do something you
should not. The job I have now, which also requires the utmost in security, could
result in termination should your credit receive a bad rating. Some
insurance companies charge you more if your credit is bad (yes, that is
true). In short, your life can take a nose dive fast should ID theft hit
you. So what are our fearless congressmen doing? NOTHING! On top of it Big
Business gets a free pass....BULLSHIT!

    Anyway, here is the story...


    "Visa and MasterCard argued that because their relationship is with the
    issuing banks, not the customers, they don't have to notify the victims."

    "The Californian disclosure law, passed in January 2003 and a template for
    disclosure legislation in other states, says that consumers should be
    notified in the case of ID theft, although it's riddled with loopholes."

    "The effects of online security fears are already being felt. Analyst firm
    Gartner Group has revised its 2005 ecommerce prediction downwards this year
    after 42 per cent of consumers said they were spending less online because
    of security fears. Some 14 per cent have stopped paying bills online
    Imhotep, Sep 24, 2005

  2. Imhotep

    Bit Twister Guest

Saw that article. I wish all of his credit card/personal information
would be posted to the internet so he may have the experience of
identity theft.
    Bit Twister, Sep 24, 2005

  3. Imhotep

    Imhotep Guest

    Judge Jackass? Yes, I think he should go through the experience.....

    Imhotep, Sep 25, 2005
  4. From: "Imhotep" <>

    | Judge Jackass? Yes, I think he should go through the experience.....
    | Imhotep

    While two wrongs don't make a right....

    I think this is the exception to the rule.
    David H. Lipman, Sep 25, 2005
  5. The judge appears to be acting as a complete arse, *but* that's with me not
    knowing the exact wording of the law that was referred to ("immediate threat
    of irreparable damage" may be a technical phrase)

    That said, I can see the Visa/MasterCard arguments - it's the issuer's
    responsibility to notify their customer (as happened a couple of years ago,
    with Amex - both responsible entity and issuer of their cards)

    The *really* annoying thing is - what's the betting that this didn't make
    the non-techie news in any form? And that compromised cards are still out


    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Sep 25, 2005
  6. Imhotep

    Imhotep Guest

Perhaps. Although it is never good to wish ill upon someone else, you must
    admit that sometimes people need to learn by falling on their own
    faces....and maybe Judge Jackass needs a "good old fashioned" education.

    Imhotep, Sep 25, 2005
  7. Imhotep

    optikl Guest

    Yes, they *should* be held accountable, but guess what? As a consumer,
    it's your responsibility to make sure you understand the laws of your
    state to make sure if there is a mishap, you have recourse.
    optikl, Sep 25, 2005
  8. From: "Imhotep" <>

| Perhaps. Although it is never good to wish ill upon someone else, you must
    | admit that sometimes people need to learn by falling on their own
    | faces....and maybe Judge Jackass needs a "good old fashioned" education.
    | Im

    Reminds me of the story of the King who dressed as a commoner and walked amongst the common
    folk to see how the common folk actually live to be a truly just King.
    David H. Lipman, Sep 25, 2005
  9. Imhotep

    Imhotep Guest

Well, that kinda is the point. A company *lost* the consumer's data but, since
they are a company, there is *no* recourse. Only consumers are left to fix
their lives ruined by a greedy company/companies....

    Unfortunately, in the US companies get away with too much. Hence the title.

    Imhotep, Sep 25, 2005
  10. Imhotep

    Imhotep Guest

    Not sure if you are an American or not but, our "leaders" (US) think of
    themselves as kings. Good analogy anyway.

    Imhotep, Sep 25, 2005
  11. Imhotep

    John Hyde Guest

The phrase "immediate threat of irreparable damage" is indeed a term of
art. The lawsuit alleges that the credit card company is required to
follow the California law, then asks for an order that would require the
company to do so with respect to the compromised accounts (an
"Injunction") and then asks for a _preliminary_ injunction requiring the
company to do so without having the opportunity to defend the case at
trial. More on the term of art in a moment.

    This is an example of a "positive" injunction (other names may apply)
    rather than a negative injunction. Negative injunctions are more easily
    understood, as they prohibit conduct by the defendant, rather than
    requiring conduct. For example, suppose my neighbor is dumping
    hazardous waste on my property, I may ask for an injunction requiring
    them to stop. However, it is going to take, maybe, three years for the
    case to go to trial. So I ask for a preliminary injunction, pending
    trial, to prevent further dumping while we wait to find out if the
    neighbor has the right to dump or not. Notice that at this stage of the
    case, the defendant has not had a right to have their case heard.
Because the court is being asked to act without waiting for trial, it
will only do so if there is an "immediate threat of irreparable damage"
if there is no injunction.

    It appears that this is what is going on in the credit card case. The
    court has *not* ruled who wins or loses the case. What the judge says
    is that the plaintiff failed to demonstrate that the cardholders are at
risk if they do not get notification pre-trial. The judge has to apply
    a balancing test: The risk and extent of harm vs. the cost to the
    defendant and the effect on the case. In discussing this balance,
    another article reported:

    ========== Block Quote ==========

    If individual notices were sent, more customers might request a
    replacement card -- something that could be expensive for the industry.
Each replacement account costs about $35.

    Visa and MasterCard have maintained there is little financial risk to
    even the most vulnerable accountholders because of their "zero
    liability" policies that reverse all fraudulent charges.

    What's more, the chances of identity theft are minimal, Visa and
    MasterCard said, because Social Security numbers and home addresses
    weren't taken in the CardSystems breach. The theft involved customer
    names, account numbers and security codes, providing the tools for
    criminals to make bogus credit and debit cards.

    In his oral ruling, Kramer criticized the consumer lawsuit for being
    too vague.

    "We have a complex case with complex legal questions that got wrapped
    into a ball and rolled in here," Kramer said. "It's just not presented
    in a way that a court can rationally deal with at this time."

    =========== End Quote ===========

    Take note of the quote of the judge. In particular ". . . at this time."
    The case ain't over yet folks.

    The full article is here:

    If you're interested, here is a link to the "Complaint" in the case:

    (Note to any other students of the law: Yes, I know this is not the
    entire standard for preliminary injunction. But it is the only part
    under discussion.)

    John Hyde, Sep 27, 2005
  12. Imhotep

    Imhotep Guest

    Wow! Thanks for taking the time to write about this. My main concern is
    this. I work in computer security and companies (American anyway) have
    always "swept" security breaches under the rug. Even when they come "clean"
they are only admitting some but not the full extent. It is unfortunate
that companies have taken this stance but, they were allowed to for so long
that it is almost second nature. Again, my concern here is the very real
    concern that this company did not totally disclose the full extent of the

    Clearly, there needs to be laws constructed where companies are forced to
    give full disclosure or be heavily penalized.

    P.S. It sounds like you are in the legal profession. If you hear more about
    this case, please post. I am very interested in the outcome.

    Anyway, thanks again.

    Imhotep, Sep 27, 2005
  13. <snip>

    Thanks, John - very informative for someone not used to US terminology!

    Hairy One Kenobi, Sep 27, 2005
  14. Uh huh. While not very useful to the security profession, it's often a
    useful way to stay in business, paying peoples' wages. Not that CERT-style
    disclosure-after-it's-fixed isn't a very good policy - it depends upon the
    target market.
    I'd /love/ a specific cite on that.
    Out of interest, why the "very real" concern?

    Such a sweeping statement requires an example.

    OK, so there's this London-based company supplying news and fundamental
    company data; it's bought by a much larger news agency back in the eighties.

    At the time, they provided news services to custom DOS clients (Windows 2
    was too unstable). These used a client modem to dial-up to a series of modem
    banks at the main switching centre near Old Street, just north of the City.

    Security was pretty good - too many failed logins caused that particular
    modem (and phone number) to be suspended. And alerted the 24x7 operations
    staff (in the case of one particular Kiwi, usually to be found asleep under
    his desk).

    If another modem in the same bank experienced a similar problem, the entire
    bank (and the link to that particular London telephone exchange) was
    automatically shut down, and the System Manager automatically paged.

    Sounds secure, huh? Well, it wasn't secure enough - some idiot forgot to
    resuspend the FIELD account after a bit of PM on one of the VAXen. Someone
    got in before it was automatically resuspended (given that it wasn't a
standard password being used, you can draw your own conclusions as to how he
    did it)

    Ops and SysMan watched his every move (as I'm sure you're aware, that's very
    easy to do on a VAX) while the police traced the call. He was unable to do
    any harm - finger poised over split VT340 screen if he so much as tried to
    break out of his limited-function shell - and received a knock on his door
    from the Met for his troubles (not the DEC engineer, I hasten to add).

    Company policy meant that this site was forever considered to be vulnerable.

    The result was that staff at the building were forever forbidden from having
    a pass that let them into the main development centre down the road (I had
    to sign-in as a visitor just to see my boss..).

    Another result was that - despite the fact that the main data links went
    through that very building, and could be cut by flipping a circuit breaker -
    staff working there were forbidden from accessing any production or test
    machine, under any circumstances (generally a good rule, until you hit that
    inevitable System Down or DR hiccough).

    Ironically, the actual response and security levels were deemed to be fine -
    although Ops were transferred to the company's main centre in Docklands
    (where they lost the expertise of /our/ Ops and generally annoyed customers
    with slow, if methodical, responses to problems).

    So, let's see. The benefits of disclosure were.. more difficult working
    practises for staff, reduced skill spotting emerging problems, and worsened
    customer response.

    In some respects, this is probably a bad example - given that it was a
simple read-only service, customers wouldn't actually have given a hoot. Billing
    was handled separately.

    OTOH, the main company would have had the underpinnings of its nineties
    strategy kicked from under it - what customer is going to be discriminating
    enough to tell the difference between an isolated dial-up service hosted by
    a subsidiary, and a direct IP link to a (wholly separate) worldwide network?
    Result: millions flushed down the loo, and hundreds of techies laid-off.

    (As it happens, that ever-so-slightly dodgy policy of connecting a series of
    Extranets without firewalls *did* lead to a breach in Hong Kong, about 8
    years later. Inside job, and widely reported)


    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Sep 27, 2005
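The tiered lockout Hairy One Kenobi describes above (a modem and its phone number suspended after repeated failed logins with the ops staff alerted, then the whole bank and its exchange link dropped and the System Manager paged when a second modem in the same bank trips) as an added Python simulation over constructed login events; this is not code from the thread or from that company, and the failure threshold and time window are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3      # failed logins per modem before its line is suspended (assumed)
WINDOW_SECONDS = 300  # sliding window in which failures are counted (assumed)


def process_events(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """events: (ts, bank, modem, ok) tuples, ts in seconds, ok is True on a good login.
    Returns (suspended modems, shut-down banks, ordered list of actions taken)."""
    recent = defaultdict(deque)         # modem -> timestamps of recent failures
    suspended = set()                   # modems (and their phone numbers) taken offline
    tripped_in_bank = defaultdict(set)  # bank -> modems suspended in that bank
    shutdown = set()                    # banks cut off from the exchange
    actions = []                        # audit trail for ops / the System Manager
    for ts, bank, modem, ok in sorted(events):
        if bank in shutdown or modem in suspended:
            actions.append((ts, "refused", bank, modem))  # line is down, no login possible
            continue
        if ok:
            recent[modem].clear()       # a good login resets the failure counter
            continue
        q = recent[modem]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            suspended.add(modem)        # tier 1: suspend this modem, wake the ops staff
            tripped_in_bank[bank].add(modem)
            actions.append((ts, "suspend+alert_ops", bank, modem))
            if len(tripped_in_bank[bank]) >= 2:  # tier 2: second modem in the same bank
                shutdown.add(bank)      # drop the whole bank and the exchange link
                actions.append((ts, "shutdown_bank+page_sysman", bank, None))
    return suspended, shutdown, actions


def demo():
    """Constructed login log: bank A has two modems hammered, bank B a slow trickle."""
    events = [
        (0, "A", "A1", False), (10, "A", "A1", False), (20, "A", "A1", False),
        (30, "A", "A2", False), (40, "A", "A2", True), (50, "A", "A2", False),
        (60, "A", "A2", False), (70, "A", "A2", False), (80, "A", "A3", True),
        (0, "B", "B1", False), (400, "B", "B1", False), (410, "B", "B1", False),
    ]
    return process_events(events)


if __name__ == "__main__":
    for action in demo()[2]:
        print(action)
```

Bank B never trips because its first failure ages out of the window before the third arrives; bank A's legitimate caller on A3 is refused once the bank is down, which is the cost of the second tier.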
  15. Imhotep

    John Hyde Guest

What makes you think that??? Not that it matters much, but I do work in
the U.S. Whatever imperfections there are in my use of terminology are
because this type of case is not in my usual purview, not geographical.

    John Hyde, Sep 28, 2005
  16. Sorry, John - my bad! I meant that *I* am not used to US terminology!

    <Tenders humble apology>

    Didn't stop to think that my response could be read two ways... :eek:(

    Hairy One Kenobi, Sep 28, 2005
  17. Imhotep

    John Hyde Guest

    Oh, no problem. I wasn't offended at all, I just thought you had deduced
    a location (as is often done in this NG) and wondered how you'd done it
    and been wrong

    Neither did I apparently! One thing about the legal field is that we
    often have witnesses who see the same thing and reach a different
    "Truth". Easy to see how that can happen.

    Ok, probably time to get back on topic . . .

    John Hyde, Sep 28, 2005
