What do these have in common?

Please read these two news articles:

Passenger Says He Hacked Windows In New York Taxi Display Screen

and

Porn industry frets over security breach

Back already? That was fast.

What do they have in common? Not just a security breach, but the attitude each spokesman takes towards the risk and towards the PII involved:

The VeriFone spokesman, however, said Chasen had merely accessed media
files, and passengers could not gain control of sensitive information.

“It’s a Windows-based system, so I could never say never,” he said. “But
there is no credit card information stored in the system.”

and

According to industry chat boards that have been buzzing about the
problem, the violation so far appears to be limited to e-mail addresses,
with an avalanche of spam e-mail hitting Web site customers’ inboxes –
including unique addresses created for joining specific porn sites.

John Albright, owner of the Too Much Media Corp., said in a statement
Wednesday that no credit-card information was affected by the October
incident.

The latter report adds some interesting observations:

Firstly:

“The adult industry has worked for a long time to become an industry
that can be trusted with personal information,” said Kathee Brewer,
former editor of AVN Online, the trade journal of the digital
adult-entertainment industry.

It then goes on to say:

When customer information is leaked – even if it is only e-mail
addresses – Brewer said, “consumers begin to back away because they
don’t trust the industry any more. All it takes is one issue like this.”

I don’t think that’s fair, for a few basic reasons.

Let’s look at the case of the taxis. If you feel their InfoSec is compromised, what alternatives do you have, as the average New Yorker?
Bus? Limo? Drive your own car? In downtown NYC? It’s a monopoly, and the New York City Taxi and Limousine Commission mandates it. I
suspect that they also mandate a specific implementation.

The porn industry may or may not be a monopoly; you can always visit another site, but what do the sites have in common? The same authentication
software? The article seems to imply that software from Too Much Media Corp. is the norm.

But this just illustrates a point about such sites being an oligopoly.

In reality, how is this different from Amazon’s on-line services?
Yes, there is Chapters here in Canukistaniland, and you have a few other book-sores (typo intended) on-line down in the USA, but have you tried
comparing prices?

How is this different from gas stations? A few blocks from here there is an intersection with a different gas station on each corner (and a few blocks from that an intersection with three different donut stores and one gas station). They all display the same price and they all change prices at the same time. Well, almost: the independent is about 0.2 cents cheaper (as if it matters!). But who do you think he buys his gas from, and how do you think he can manage to cut his margin?

You might look at Martin Fowler’s article “Catastrophic Failover” and think about “common failure mode” and the risks of a monopoly. I pointed this article out to a friend in operations and he commented that the cost of running a diversely heterogeneous site would be difficult to defend against the risk of a “domino effect”.

But in the InfoSec business we’re very aware of common failure mode.

Aren’t we?

But that wasn’t the point I was hoping to make with those two articles.

Look again at the quotes; look at the focus on credit card information, as if that were the only PII that mattered. As if harvested e-mail addresses, or other information such as which address was created to join which site, weren’t of value to spammers.

Bah!
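To make that point concrete, here is a small classifier run over a constructed breach dump. This is example code written for this page; it is not from either news report, nor from VeriFone or Too Much Media, and the records and site names in it are made up. It sorts leaked records into Luhn-valid card numbers, plain e-mail addresses, and e-mail addresses whose local part was created for one specific site (a plus-tag or an embedded site name), which reveal membership and not merely a contact point. The statement “no credit-card information was affected” is true of everything that is not a card number, and that remainder is still entirely PII.

```python
import re

# Constructed sample of what a "no credit-card data was affected" leak might
# actually contain. Names, domains and site tags are invented for this example.
SITE_TAGS = ("siteA", "siteB")
SAMPLE_DUMP = [
    "alice@example.com",
    "bob+siteA@example.net",   # plus-tagged alias created for one specific site
    "carol.siteB@example.org", # site name embedded in the local part
    "4111111111111111",        # well-known test card pattern, passes Luhn
    "4111111111111112",        # one digit off: fails Luhn, so not a card number
    "dave@example.com",
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record, site_tags=()):
    """Return the PII category of one leaked record.

    'card'             - digit string of card length that passes Luhn
    'email_site_alias' - e-mail address whose local part was created for one
                         site (plus-tag, or a known site tag embedded in it);
                         it identifies the person AND reveals site membership
    'email'            - any other e-mail address; identifies the person
    'unknown'          - not recognised as PII by this toy classifier
    """
    rec = record.strip()
    if CARD_RE.match(rec) and luhn_ok(rec):
        return "card"
    if EMAIL_RE.match(rec):
        local = rec.split("@", 1)[0].lower()
        if "+" in local or any(tag.lower() in local for tag in site_tags):
            return "email_site_alias"
        return "email"
    return "unknown"


def summarize(records, site_tags=()):
    """Count records per category."""
    counts = {}
    for r in records:
        cat = classify(r, site_tags)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def pii_remaining_without_cards(records, site_tags=()):
    """How many PII records survive once every card number is removed.

    This is the set a spokesman is describing when he says only that
    'no credit-card information was affected'.
    """
    return sum(
        1 for r in records
        if classify(r, site_tags) in ("email", "email_site_alias")
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP, SITE_TAGS))
    print("PII records with no card data at all:",
          pii_remaining_without_cards(SAMPLE_DUMP, SITE_TAGS))
```

Run as-is, the summary shows one card number and four e-mail addresses, two of which also tell you which site the owner joined; strip the card and four PII records remain. A real triage would add more detectors (names, postal addresses, password hashes), but the shape of the check is the same: classify everything, then ask what the breach statement is silent about.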

About the author

Security Evangelist