There have been a lot of stories this week I wish I had the time to write about, but given the choice between blogging or getting ready for traveling to Kyoto, Japan to speak at and podcast from the FIRST conference, preparation has been winning out. My wife is going with me and she’s been shouldering a lot of the mundane, pedestrian tasks, but I don’t think she can write up reports for me or get ready to make presentations in my place. Of course, if I could teach how to do those things for me I would have a lot more free time; which I’d probably fill up immediately with more blogging or maybe tweeting. Spending more time on Twitter is exactly what I need (that’s sarcasm, for anyone who doesn’t follow me on Twitter). As silly as it may sound, I’m also starting preparations for Black Hat and Defcon, even though their nearly six weeks away. By the way, it was revealed late yesterday afternoon that Adam Savage from the Myth Busters will be speaking at Defcon 17! My kids may force me to take them to Las Vegas just so they can see him.
First off, I have a cluster of stories on PCI. MasterCard stunned a lot of us this week by changing the requirements for Level 2 merchant, making it mandatory for them to have an annual audit by a Qualified Security Assessor (QSA) by December 31, 2010. I still haven’t talked to anyone who had an idea this was coming, other than in very general terms, so it’ll be interesting to see how this will this plays out over the next couple of months. I need to catch up with Avivah Litan some time and find out where Gartner’s negative view of QSA’s come from. Three more PCI stories that are related are “Weak Security enables credit card hacks” from AP, “Security issues weigh most heavily with acquirers, research says” at Digital Transactions and “Best practices for protecting banking sites” at BankersOnline.com. It’s good to have a story with some solutions, or at least ideas, to go with some posts about all the security problems we’re facing.
Next up is a couple of stories about some of my co-workers. The guys over at Spider Labs got called in to look at some malware that was found on ATM machines in Europe. With the right ATM card and a few keystrokes, bad guys could have the ATM machines spit out reciepts with card numbers, PINs, expiration dates and nearly everything else that’s on the Track 2 data. Then the software can quitely erase itself so minimal evidence is left behind. The You Shot the Sheriff conference is going on this weekend in Sao Paulo, Brazil and a pair of the guys from Spider Labs will be presenting on Rich Internet Applications and the risks they pose. Potential disaster because of Silverlight and Adobe AIR? Not possible (again with the sarcasm).
Finally, I have four unrelated stories: First of all Jeremiah Grossman is asking the Feds to make it legal to hack .Gov and .Mil sites. We know these sites are mostly insecure, we know hackers are already attacking them, so why not set some rules of engagement and let white hat and grey hat hackers attack them as well, provided they report the findings back to the site owners? The idea has some merit, but I’m still on the fence for this one. Speaking of government web sites, the Department of Homeland Security now has a blog. Now if Secretary Napolitano would just stop by the Bay Area for a short chat like her predicessor did, I’d be very happy. Of course, it may be that asking lighting to strike twice is unreasonable of me, but I can dream. Dave Shackleford has a post about an interesting book, “Adventures of an IT Leader“. I don’t have time to get a copy from Amazon for the flight to Japan, but it sounds like interesting reading.
The last story is “the evolution of a blogger’s ego” by Jason Alba. Any blogger who says they don’t have a fair amount of ego tied to their writing is lying, either to themselves or to you. It’s not a bad thing to be proud of your writing, but some of the yardsticks bloggers have been using to measure their success have been superceded by new measurements. Comments on your blog used to be what’s important, now it’s how many tweets, retweets, friendfeed comments, etc. which are important. The conversation’s getting more and more fragmented between bloggers and their audience, but it’s also getting more interactive daily.
I’ve got another PCI related post to write this weekend, so that’s it for now.