The Daily Parker

Politics, Weather, Photography, and the Dog

PINs stolen from retailer; thousands of debit cards recalled

MSNBC is reporting today that thieves have stolen a batch of PINs from a retailer—PINs the retailer shouldn't have stored in the first place:

Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.
The central question surrounding the new wave of crime is this: How did the thieves manage to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.
In recent weeks, Bank of America, Wells Fargo, Washington Mutual and Citibank have all reissued debit cards after detecting fraudulent activity. Smaller banks, such as Ohio-based National City Bank and Pennsylvania-based PNC Bank, have taken similar steps.

Bruce Schneier reported on this Monday, but now the scope of the crime is becoming more apparent.

So how did the thieves get the customers' PINs? It appears that a retailer stored them along with other credit-card data in its database, and the thieves stole the database:

[Gartner analyst Avivah Litan] says many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen.

The thing is, the retailers have no need to store the PINs:

While storing PINs is against network rules, many retailers inadvertently store the information, said Mike Urban, who runs Fair Isaac Inc.'s ATM fraud detection program called CardAlert. It ends up accidentally saved in temporary files and other software nooks and crannies.
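To make the mechanism Litan and Urban describe concrete, here is an added example in Python (my own illustration, not code from MSNBC, Fair Isaac or any retailer). It builds an ISO 9564-1 Format 0 PIN block from a constructed PIN and card number, shows that the cleartext block is reversible by anyone who also has the PAN sitting next to it in the same record, scans a few constructed log lines for exactly the "nooks and crannies" leak, and scrubs a transaction record before it is persisted. The field names (pin, pin_block, pan), the log format and the card data are all assumptions. A real PIN pad encrypts the block under a key before it leaves the device; the example works on the cleartext block because, once the decryption key is stored on the same network as the data, the encrypted case reduces to this one.

```python
# Added example (not from the article, MSNBC, Fair Isaac or any retailer).
# Field names, log format and all card data below are constructed.
import re


def iso0_pin_block(pin: str, pan: str) -> str:
    """Build an ISO 9564-1 Format 0 PIN block as 16 hex digits.

    PIN field: '0', the PIN length as one hex digit, the PIN, padded with 'F'.
    PAN field: '0000' plus the 12 rightmost PAN digits excluding the check digit.
    The block is the XOR of the two fields. A PIN pad encrypts this block
    before it leaves the device; in the clear it hides nothing from anyone
    who also has the PAN.
    """
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1]
    return f"{int(pin_field, 16) ^ int(pan_field, 16):016X}"


def recover_pin(block: str, pan: str) -> str:
    """Invert iso0_pin_block; the PAN is in the same transaction record."""
    pan_field = "0000" + pan[-13:-1]
    pin_field = f"{int(block, 16) ^ int(pan_field, 16):016X}"
    return pin_field[2:2 + int(pin_field[1], 16)]


# What a careless debug statement leaves behind in a log or temp file.
PIN_BLOCK_RE = re.compile(r"\bpin_block=([0-9A-Fa-f]{16})\b")
PAN_RE = re.compile(r"\bpan=(\d{13,19})\b")


def find_leaked_pins(log_lines):
    """Return (line number, recovered PIN) for every line that carries a
    cleartext PIN block next to its PAN. Run this over log and temp
    directories to find the nooks and crannies before a thief does."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        pb, pan = PIN_BLOCK_RE.search(line), PAN_RE.search(line)
        if pb and pan:
            hits.append((n, recover_pin(pb.group(1), pan.group(1))))
    return hits


NEVER_PERSIST = ("pin", "pin_block")   # forward to the network, then forget


def scrub_for_storage(record: dict) -> dict:
    """Copy of a transaction record that is safe to log or write to disk:
    PIN material dropped, PAN truncated to its last four digits."""
    safe = {k: v for k, v in record.items() if k not in NEVER_PERSIST}
    if "pan" in safe:
        safe["pan"] = "*" * (len(safe["pan"]) - 4) + safe["pan"][-4:]
    return safe


# Constructed sample log: the second line is the kind of debug output that
# turns a temp file into a PIN database.
SAMPLE_LOG = [
    "2006-03-09 09:12:01 INFO  auth approved term=0042 amount=23.18 pan=4111111111111111",
    "2006-03-09 09:12:01 DEBUG raw request term=0042 pan=4111111111111111 pin_block=041225EEEEEEEEEE",
    "2006-03-09 09:12:02 INFO  settlement batch closed term=0042",
]

if __name__ == "__main__":
    record = {"term": "0042", "pan": "4111111111111111",
              "pin_block": iso0_pin_block("1234", "4111111111111111")}
    print(find_leaked_pins(SAMPLE_LOG))   # [(2, '1234')]
    print(scrub_for_storage(record))      # no pin_block, PAN masked
```

The scrub step belongs at the boundary where the record leaves the payment path (before any logger, exception handler or disk write sees it), and the scanner is the check to run over existing logs and temp directories: if it returns anything, the data is already sitting there.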

ZDNet has this story too.

The solution to this problem, long known to conscientious software developers, is never to keep secrets unless they're absolutely necessary. I tell my clients all the time that neither I nor anyone else should ever know their passwords, for example.
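One way to practise that rule for passwords, as an added example in Python (mine, not anything from the article): keep a salted PBKDF2 digest and throw the password away at enrolment. The iteration count is an assumption to tune upward over time; what matters is that the stored record lets you verify a login and nothing else, so a stolen table, unlike a stolen PIN database, does not hand over the secret.

```python
# Added example (my illustration, not from the article): store a verifier
# instead of the password, so nobody, the operator included, can read it back.
# hashlib and hmac are standard library.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: raise it as hardware gets faster


def enroll(password: str) -> dict:
    """Return the only thing worth keeping: a random salt and a
    PBKDF2-HMAC-SHA256 digest. The password itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "digest": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print(rec)                                    # salt and digest only
    print(verify(rec, "correct horse battery staple"))   # True
    print(verify(rec, "wrong"))                          # False
```

Because each record carries its own random salt, two users with the same password get different digests and a thief cannot precompute one table for the whole database. Support staff who need to help a locked-out user can issue a reset; they never need, and never get, the old password.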

It will be interesting, and important to every consumer, to see how liability for this event is apportioned. Sadly, most courts and legislators are woefully ignorant of the technology, which should lead to some fascinating legal work in coming months.

Until this issue gets resolved, which could take weeks, I urge people to be very careful using point-of-sale debit card readers. And if you suspect unauthorized activity on your bank account, call your bank immediately.

Why a mobile phone might be a huge security risk

Here's a hint: the problem is between chair and receiver.

Bruce Schneier linked today to this excellent essay on the unseen dangers of mobile phones:

About four seats away is a gentleman (on this occasion pronounced 'fool') with a BlackBerry mobile device and a very loud voice. He is obviously intent on selling a customer something and is briefing his team. It seems he is the leader as he defines the strategy and assigns each of his unseen team with specific tasks and roles.
Eventually, he starts to close down the conversation. Relief might be here at last! Oh no, he goes on to announce the conference number and the pass code - and say he will see them all on the conference call in a minute.

Programming languages compared

My colleague Cameron Beatley sent me this handy chart:

Quick Guide to Programming Languages

The proliferation of modern programming languages (all of which seem to have stolen countless features from one another) sometimes makes it difficult to remember what language you're currently using. This handy reference is offered as a public service to help programmers who find themselves in such a dilemma.

Task

Shoot yourself in the foot.

Comparison

C
You shoot yourself in the foot.
C++
You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying, "That's me, over there."
FORTRAN
You shoot yourself in each toe, iteratively, until you run out of toes, then you read in the next foot and repeat. If you run out of bullets, you continue with the attempts to shoot yourself anyways because you have no exception-handling capability.
Pascal
The compiler won't let you shoot yourself in the foot.
Ada
After correctly packing your foot, you attempt to concurrently load the gun, pull the trigger, scream, and shoot yourself in the foot. When you try, however, you discover you can't because your foot is of the wrong type.
COBOL
Using a COLT 45 HANDGUN, AIM gun at LEG.FOOT, THEN place ARM.HAND.FINGER on HANDGUN.TRIGGER and SQUEEZE. THEN return HANDGUN to HOLSTER. CHECK whether shoelace needs to be re-tied.
LISP
You shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds...
FORTH
Foot in yourself shoot.
Prolog
You tell your program that you want to be shot in the foot. The program figures out how to do it, but the syntax doesn't permit it to explain it to you.
BASIC
Shoot yourself in the foot with a water pistol. On large systems, continue until entire lower body is waterlogged.
Visual Basic
You'll really only appear to have shot yourself in the foot, but you'll have had so much fun doing it that you won't care.
HyperTalk
Put the first bullet of gun into foot left of leg of you. Answer the result.
Motif
You spend days writing a UIL description of your foot, the bullet, its trajectory, and the intricate scrollwork on the ivory handles of the gun. When you finally get around to pulling the trigger, the gun jams.
APL
You shoot yourself in the foot, then spend all day figuring out how to do it in fewer characters.
SNOBOL
If you succeed, shoot yourself in the left foot. If you fail, shoot yourself in the right foot.
Unix
% ls
foot.c foot.h foot.o toe.c toe.o
% rm * .o
rm: .o: No such file or directory
% ls
%
Concurrent Euclid
You shoot yourself in somebody else's foot.
370 JCL
You send your foot down to MIS and include a 400-page document explaining exactly how you want it to be shot. Three years later, your foot comes back deep-fried.
Paradox
Not only can you shoot yourself in the foot, your users can, too.
Access
You try to point the gun at your foot, but it shoots holes in all your Borland distribution diskettes instead.
Revelation
You're sure you're going to be able to shoot yourself in the foot, just as soon as you figure out what all these nifty little bullet-thingies are for.
Assembler
You try to shoot yourself in the foot, only to discover you must first invent the gun, the bullet, the trigger, and your foot.
Modula2
After realizing that you can't actually accomplish anything in this language, you shoot yourself in the head.

Dumb school administrators: the continuing story

Ah, the Peter Principle rears its ugly head once again, in its purest form.

MSNBC is reporting that a Costa Mesa, Calif., middle school has suspended students for viewing a Web page. They're also trying to expel the student who put up the page (internal links mine):

A middle school student faces expulsion for allegedly posting graphic threats against a classmate on the popular myspace.com Web site, and 20 of his classmates were suspended for viewing the posting, school officials said.
Police are investigating the boy's comments about his classmate at TeWinkle Middle School as a possible hate crime, and the district is trying to expel him.
According to three parents of the suspended students, the invitation to join the boy's MySpace group gave no indication of the alleged threat. They said the MySpace social group's name was "I hate (girl's name)" and included an expletive and an anti-Semitic reference.
... "With what the students can get into using the technology we are all concerned about it," Bob Metz, the district assistant superintendent of secondary education, said Wednesday.

Putting aside the somewhat complicated question about whether or how the school district should discipline the page's author, what are they thinking disciplining the kids who just viewed the posting? One of two things seems to be happening here: either MSNBC's reporting is sloppy (e.g., the kids didn't just view the posting, they committed an affirmative act endorsing it), or Metz is just not a very smart man. (As one snarky friend once put it, he Can't Understand New Technology.)

I'm thinking, it's a little of both. This comes not too long after a kid got expelled for a doodle in McHenry, Ill. The similarity is that a kid is getting disciplined harshly for expressing something. Now, it seems like this could be a valuable "teachable moment" for the kids involved, but it also seems like expulsion won't teach them anything helpful.

What is it about school administrators? Getting tough on free speech isn't exactly an American value.

Antarctic ice sheet melting; Miami doesn't care

I just started reading The Weather Makers by Tim Flannery, which contains a fairly good overview of climate change and how we're making it happen. It's important to understand that climate change has happened rapidly throughout history, meaning changes of 2-4°C (4-7°F) have occurred over decades rather than millennia.

So, having started that book yesterday, I'm warmed (so to speak) by this morning's Washington Post article on the shrinking Antarctic ice sheet:

The Antarctic ice sheet is losing as much as 36 cubic miles of ice a year in a trend that scientists link to global warming, according to a new paper that provides the first evidence that the sheet's total mass is shrinking significantly.
The new findings, which are being published today in the journal Science, suggest that global sea level could rise substantially over the next several centuries.
... [T]he amount of water pouring annually from the ice sheet into the ocean—equivalent to the amount of water the United States uses in three months—is causing global sea level to rise by 0.4 millimeters a year.

That may not sound like a lot, but (a) it's not the only ice sheet melting in the world and (b) even at that rate this one sheet alone adds about 4 cm (1.5 in) to sea level over the next century, and the paper's authors say the rise could become substantial over the next few centuries.

One more time: Global warming is great for Chicago, bad for Miami, disastrous for Bangladesh. And my own children will probably have to decide whether to build seawalls and polders around our coastal cities. The children of my Filipino friends probably won't have that option.

Borowitz on the President

Andy Borowitz today jokes about a hypothetical Bush visit to reality:

For Mr. Bush, the visit to reality, while brief, was still significant because it represented his first visit to the real world since being elected President in 2000.
"The President deserves a lot of credit for making this visit to reality," one aide said. "He doesn't have a natural constituency here."

Bush, Chertoff knew about levee failure possibility August 29th

The AP reported today that the President, Secretary Chertoff, and other officials were clearly warned about the likelihood of levee failures three days before Bush went on television claiming otherwise:

Bush didn't ask a single question during the final government-wide briefing the day before Katrina struck on Aug. 29 but assured soon-to-be-battered state officials: "We are fully prepared."
Six days of footage and transcripts obtained by The Associated Press show in excruciating detail that while federal officials anticipated the tragedy that unfolded in New Orleans and elsewhere along the Gulf Coast, they were fatally slow to realize they had not mustered enough resources to deal with the unprecedented disaster.

This is information the Administration didn't want published, for the simple reason that it makes them look stupid, just like all the other information they've wanted to keep secret for five years. It kind of makes you wonder what they're holding back on global warming, doesn't it?

In a not-entirely-unrelated vein, I had a conversation with a colleague today who claims to be more worried about the unlikely (but dramatic) possibility of an asteroid strike than the demonstrated (but, barring the occasional flood, humdrum) occurrence of global climate change. People are funny that way.

Have laptop, will travel

Like the journeymen of old, I have packed up my tools and traveled far from home to practice my craft. Unlike the journeymen of old, I can go home every weekend.

So, I have a new cube, a new team, and a room at the nearby Extended Stay America. As I get settled, I'll write more on a few subjects familiar to the thousands of other software developers who find themselves in similar circumstances:

  • Work/Life balance when your life is there, you're here, and you bill by the hour (i.e., the importance of finding a good brewpub);
  • Why East Bumble pays better than Chicago or New York;
  • Agile software development on two cups of coffee a day; and
  • How to feel peaceful at O'Hare first thing Monday morning.

At this precise moment, however, I need to obtain a Brita pitcher and a clock with a radio (do I really want to have to futz with streaming audio just to hear Morning Edition?) from the local Target. Then, I'm off to find a brewpub.