Don’t be like: Heartland Payment Systems
August 20, 2009
If you work for Heartland Payment Systems, whether you like it or not, you currently represent “what not to do” in the world of Financial Transactions on the Internet.
If you’re a customer of Heartland then you should take this as an opportunity to verify the security of your own systems. Heartland Payment Systems is a very large organization and if they were more secure you may have been attacked instead. Don’t make their mistake. Be proactive not reactive.
To begin I’d like to immediately point out the DoJ’s release on this event and appreciate the department giving away some details on the attacks which aren’t available on Heartland’s site. I first heard of this story from someone at our office and immediately realized there was more to the story, but it wasn’t until I read the DoJ’s release that my suspicions became more than a guess. My response to the email: “Heartland’s negligence was as severe as their assailant’s attack and for this, they should be prosecuted”. According to Bloomberg, a shareholder filed suit against Heartland in July and “in a Feb. 24 conference call, Carr [CEO] said the company was the subject of an informal inquiry by the Securities and Exchange Commission, as well as investigations by the Justice Department, the Federal Trade Commission and the Office of the Comptroller of the Currency.” It’s obvious that the attacks were malefic, but what about Heartland’s security? Was Heartland negligent? Did Heartland employ the “Highest Standards” of security which could have mitigated the severity of their compromise?
Per the DoJ release, Heartland was vulnerable to “sophisticated” SQL Injection attacks which were used in part to compromise more than 130 million credit and debit cards. The attacker, Albert Gonzalez, 28, of Miami, Fla., is now being charged for a “different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators.” – in addition to two other trials for other hacking activities. Thief, criminal, hacker – whatever you want to call him, we can all conclude these attacks were wrong. This guy has been in your Internetz stealing your credit cardz.
Meanwhile, if you’re a business who accepts credit cards through Heartland you likely have customers with stolen credit card information and are in a delicate position considering the significant cost required to change payment processors, both technically and contractually. Changing payment processors often requires programming, and the contract agreements required by most payment processors are stifling, costly, or both. So now you’re left with the question as to whether you should trust Heartland with your customers’ credit card information?
I can’t answer these questions for you but we can at least explore the idea that Heartland’s operations were negligent and ineffective at providing “The Highest Standards” and “The Most Trusted Transactions” as, according to reports, their attacker profiled several systems before determining that Heartland’s system was one to be compromised. If Heartland’s system was as-advertised, would it have withstood these attacks or would the attacker have targeted a different system instead?
Based on the DoJ report of the attack and the amount of information compromised, I would suspect the attack was preventable if “standard” security systems and practices were adopted. SQL Injection, while it sounds like a complicated attack requiring intricate knowledge, planning, and acrobatic stunts, is really a simple exploit which has been documented and addressed for almost a decade. In fact, a similar attack – code injection – was used in the SQL Slammer worm which essentially broke the Internet in 2003. Basically, both attacks depend on a “parameter” not being checked and then being executed; this is akin to letting a stranger drive your car. Being exploited by one of these attacks is like letting an intoxicated stranger drive your car into a pole; maybe he said he was good to drive, and maybe the pole jumped in front of him, but the point is you had no experience to trust a stranger and you shouldn’t ever let an intoxicated driver behind the wheel of a car.
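To make the “parameter not being checked and then being executed” point concrete, here is an added example (not code from the original post or from Heartland) showing the same lookup written two ways against a constructed in-memory SQLite table: one pastes the request parameter into the SQL text, the other binds it as a value and rejects anything that doesn’t look like an account name. The table, rows and `hostile` input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not real card data).
ROWS = [("alice", "4111********1111"), ("bob", "5500********0004")]

# Allow-list for the parameter: a short lowercase account name, nothing else.
OWNER_RE = re.compile(r"^[a-z]{1,16}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", ROWS)
    return conn


def lookup_unchecked(conn, owner):
    # Vulnerable form: the parameter is neither checked nor bound. Whatever
    # the caller sends becomes part of the SQL statement that gets executed.
    sql = "SELECT owner, pan FROM cards WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner):
    # Hardened form: (1) the parameter must match the allow-list, otherwise
    # the request is refused and can be logged; (2) the driver binds the
    # value, so it is compared as data and can never become SQL syntax.
    if not OWNER_RE.match(owner):
        raise ValueError("rejected owner parameter: %r" % owner)
    sql = "SELECT owner, pan FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run both lookups on a benign and a hostile parameter value."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed: turns the WHERE clause into a tautology
    try:
        hardened_hostile = lookup_hardened(conn, hostile)
    except ValueError:
        hardened_hostile = "rejected"
    return {
        "unchecked_benign": lookup_unchecked(conn, "alice"),
        "unchecked_hostile": lookup_unchecked(conn, hostile),   # dumps every row
        "hardened_benign": lookup_hardened(conn, "alice"),
        "hardened_hostile": hardened_hostile,                    # never reaches the DB
    }
```

The unchecked version returns the whole table for the hostile value; the hardened version refuses it before any query runs, which is also the point at which a monitoring rule should fire.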
Ignorance is not an excuse for information security just as it isn’t an excuse for tax evasion or violating regulations. If you want to sympathize with Heartland for being attacked then that’s your prerogative, and I hope you’re not the person responsible for security at any organization. If you’re concerned for the privacy and security of consumers’ financial and personal information then it’s your right to ask these questions of Heartland Payment Systems, or any company who significantly compromises the security of your information.
Skype over 3G is, unfortunately, irrelevant
April 2, 2009
If Skype were allowed to transmit voice calls over a cell data network, for several reasons, it would be unusable. There’s overhead in buffering and accommodating the effects of cellular data service in order to provide reasonable voice quality. Whereas IP packets and browsers don’t care if there is a slight delay, voice has stricter latency requirements, and that’s one reason cell phone networks didn’t start out as data networks to begin with! Triangulation, echo cancellation, and multiplexing are systems that IP isn’t built for, and even if it were, it would be like powering a computer with a solar panel that’s fed by a light bulb plugged into the power grid.
If you’d like an example, get a 3G laptop card and open Skype on your laptop, then try to hold a phone call as a passenger traveling in a vehicle at 55 mph; you’ll soon be disconnected or be unable to understand the call. Skype and the Internet it runs over have no idea you’re switching from Cell Tower 5 to Cell Tower 14 and to expect parts of the call in a different order from the different towers; even if they did, the towers aren’t aware of Skype, and the bandwidth overhead for the towers to communicate between Skype’s system and your cell phone would be excessive and negatively impact the network as a whole. AT&T isn’t handicapping anybody, it’s just not that simple.
I can understand consumer advocacy but some things just don’t work. If it were really practical to run VoIPoCell then none of us would have cell phones. Skype’s best effort would be to find a carrier to work with them at a higher level than just the iPhone; if Skype wants you to seamlessly transfer your call between the most efficient networks, they’ll need much more than Apple’s cooperation.
LED Cinema Display + Unibody MacBook Pro is broken
April 2, 2009
Now that I’ve railed on Dell I need to return the favor to Apple. Well, not really, but I do wish to post about an issue I’m having simply because I haven’t found a solution; if Apple reads these posts and a resolution is posted, I will joyfully note it for others to find.
I’m sure others have had this problem, but it’s a gamble for me on if and how I plug my LED Cinema Display into my unibody MacBook Pro. This is really lame considering both have been out for months and Apple touts the simplicity of using the new display. There is a reason, however, that their advertising has the MacBook Pro lid open and not closed: it’s really buggy. With the laptop closed, when plugging in the Cinema Display there’s a chance that I will only get a blank screen; the laptop is alive because I’ll get sound feedback by pressing keys on the keyboard. From there, if I sleep it (power button, tab key, space key), then when I wake the machine with a click or keypress, half of the time it will be frozen. The fans will spin up but there is no more sound feedback and no video. My only course of action here is to forcefully power down the machine by holding the power button and thus losing any unsaved changes.
I know this is a bug between the laptop and display because I have one of each (laptop/display) at home and at work and all have this problem. I would note that this would sometimes happen on the old MacBook Pros, but those systems had the F7 key set to essentially ‘refresh displays’ and that would always resolve my problem. Now Apple has changed the fn key bindings and that key is no longer available! I don’t know why they took it away, because while they did add an Exposé button they only added ONE button for Exposé functionality. Needless to say I’m very glad Apple’s keyboard still has 15 function keys.
If you’re holding out on a unibody MBP then I say keep holding out till these bugs are fixed. Aside from this issue, you *still* have to log out/log back in to change to/from “high performance”, which is annoying because I never know when I’d like to boot up VMware. Moreover, if you’ve got an older 15″ matte display then you’ve got a feature I personally miss (glare on the glass screens is horrible in any environment).
I really like the machine, don’t get me wrong, but my previous generation MBP would be fine [if I hadn't busted the display].
Adamo: Dell in love, with fail
April 1, 2009
I’m sure the buzz has reached out past SXSW for enough folks to have taken a glance at Dell’s new Adamo laptop. From the elegant soundtrack to the vogue appearance of Adamo’s web site, you would think you’re getting a laptop worth complementing BMW’s Neiman Marcus 7-series. Dell commits that this machine’s style, craftsmanship, and performance are so tempting that “you’ll fall in love.” Unfortunately the Adamo falls short.
I’m not alone, nor am I the first in bringing this to light, but there are a few factors for folks to consider which paint a grimmer picture. Dell has grown year over year based on its leverage, market position (small business), and visceral partnerships with Intel and Microsoft. Crucial for Dell’s current revenue operations, Adamo ignores Dell’s assets in favor of aesthetics. Indeed, the Adamo is profound; its black and white presentation is a shadow over Dell’s lack of focus on their industry, engineering, and customer.
So let me first put up these factstimates to keep things in context:
- Leverage: Dell took on > $1bn in debt last year, six times that of 1Q08
- Market Position: HP is kicking Dell’s ass with server sales and Apple is turning the industry upside down
- Microsoft/Intel: Intel is giving Apple chips before Dell and Apple’s OS is slowly gaining momentum at the cost of Dell’s cash incentives from Microsoft
As the PC industry dries up and laptops peak, being replaced by mobile devices, netbooks, and non-Microsoft OSes, Dell is spending who knows how much money on marketing the Adamo and trying to create a ‘luxury’ image akin to Rolls Royce or Bentley.
Despite the fact that you can’t create prestige overnight, even if you could, it’s obvious that the Adamo was an expensive device to engineer and the parts are costly; how can this be sustainable? Such an imbalance might be considered an R&D cost, but not so with the Adamo. In its most recent iteration the MacBook Air was given a beefier video card making it useful for gamers (why else would a ‘road warrior’ need ‘power’?), yet the Adamo is stuck with an Intel GPU which is OK but won’t do much more than power Vista’s GPU-hungry GUI. Speaking of Vista, the machine comes with 4GB of RAM, which is now standard on PCs but is really the equivalent of 2GB on a Mac or Linux simply because Vista uses the other 2GB. I get it, building fast hardware is difficult and expensive and Dell has to make money somehow. But why then did they add multimedia start/stop/pause/play buttons to the face panel of the machine? The machine doesn’t even come with a DVD/CD player! You’re going to have to have the laptop open, have Windows running, and have an audio application running to use the buttons. Moreover, the Dell already has an FN button on the keyboard, so Dell could have re-purposed the function keys rather than adding the additional hardware, firmware, and software required to power the face panel buttons. Dell can argue usability here, but for a device that’s supposed to be thin, light, and fashionable, the cost is simply not justified.
Dell could have knocked a home run with the Adamo by making it simple, fashionable, light and practical, yet they failed. I’m sorry Dell, but you just aren’t a luxury brand, and that bandwagon will likely be over for PCs before you’ll make a dent.
Here are reviews I discovered which contain additional technical information and opinions about Adamo:
Dell Adamo Luxury Laptop [ctv.ca]
Dell’s Adamo Imitates MacBook Air’s Price, Not Its Profile [wired.com]
Dell’s Adamo Laptop: Too Sexy for the Times? [seekingalpha.com]
links for 2009-03-31
March 31, 2009
- Met these guys at SXSW. Their cards were AWESOME as they were carved out of wood. Kudos for the company name.
- This article missed one problem with the cameras. £250k per camera is ridiculous to begin with for even a 720×576 camera.
links for 2009-03-30
March 30, 2009
- Dell’s laptop is still overweight compared to the MacBook Air. Neither has a CD/DVD-ROM drive. Why did Dell integrate back/fwd/play/stop/start buttons next to the power button? Why not use FN+Function keys? It doesn’t take an engineer to figure these things out. I don’t even know why Dell tries.
links for 2009-03-29
March 29, 2009
- For the cat lovers who might read this blog.
links for 2009-03-28
March 28, 2009
- Tokyo-based Appliya is a leading publisher of Japanese iPhone and iPod Touch applications.
links for 2009-03-26
March 26, 2009
- China asks world to say goodbye to USD. Why now?
- Great code to test with. Source: ftp://ftp.idsoftware.com/idstuff/wolf3d/wolf3d_iphone_v1.0_src.zip