February 15, 2006
Freedom to Tinker and Sony DRM
The giant brains over at Freedom to Tinker (http://www.freedom-to-tinker.com) have released their opus on the Sony DRM technology. Their thorough and thoughtful analysis should be required reading for anyone in the security industry.
http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf
Posted by Jeremy at 09:51 AM | Comments (0)
April 26, 2005
The effect of legislation
The Register has an article mentioning the approaching deadline (June 30th) for merchants to comply with the PCI Data Security Standard for credit cards, which unifies requirements from VISA, MasterCard, Discover and American Express. The deadline has already passed for the really large merchants, those with over 6 million transactions a year - that was September 30th, 2004. It generated a lot of pressure on larger companies as they rushed to comply - we could see it clearly in our customer base at Sana Security - and this deadline for smaller merchants is having a similar effect.
But I'm not sure how much these requirements help. Some of them are too technologically specific, for example, "Install and maintain a firewall configuration to protect data", and some seem far too vague, such as "Develop and maintain secure systems and applications". I think the merchants should be left to protect their networks as they see fit, without having to comply with requirements that may not make sense in any given environment, or that may not represent the most effective use of security dollars. For example, the Jericho Forum is promoting "deperimeterisation", and the requirement for firewalls goes against their thesis that we need to abandon the idea of a secure perimeter.
Those who drew up the PCI standard should learn from the lessons of the California disclosure act (SB 1386), which simply requires companies to inform customers when their personal information has been exposed. 1386 has resulted in many hacking incidents becoming news lately, including Polo Ralph Lauren, LexisNexis, DSW, and PayMaxx. (For a full list of recent publicly announced data breaches see here). The effect of public knowledge of these incidents upon a company can be profound, leading to loss of confidence and customers. In fact, analysis has shown that publicly known hacking incidents can cause a significant drop in stock price for the targeted company.
1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they are restricted to using specific technologies and practices, they won't be able to take advantage of new developments.
So, having said all that, my suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure. And to offset the impact of losses, they should continue to incorporate the notion of quarterly scans by independent assessors, which is one of the few good things about the PCI Data Security Standard.
Posted by sana at 03:30 PM | Comments (1)