
“Satan’s Office Party”: It’s Black Friday And The Religious Zealots Are Running Out Of Places To Shop

On this Black Friday, apparently members of the religious right are running into a problem. After having joined the bandwagon of turning Christmas into a commercialized shopping extravaganza, Linda Harvey says that they’re running out of places to spend their money that are content to discriminate against LGBT people.

Of course she warns people to stay away from the usual suspects like Macy’s for allowing a transexual to use a woman’s dressing room and Target for selling gay pride t-shirts. But oh my, she now has to add that conservative bastion known as Wal-Mart to the list for opposing “religious freedom” bills in Arkansas and Indiana.

But my very favorite is her problem with Mattel.

If you’re thinking toys, avoid Mattel. They just created “Moschino Barbie” with an ad featuring a tragically feminized little boy who plays with Barbies, a wicked accommodation to the current gender-destructive culture.

Little boys playing with Barbies? What is the world coming to? For our “gender-destructive culture,” Harvey has a totally hyperbolized name…”Satan’s Office Party.”

Here’s a thought. What if these religious zealots actually DID run out of places to shop and had to spend some time thinking about what the whole Christmas season was originally about?

Let me tell you something about the Jesus that I know.

He was a real man. Born in a poor region to working poor parents. He loved learning, he loved his mother and his father.

But he left them and spent his life with the poor, the outcast, the rejected, the defiled, the sick, the sinners, the bedraggled, the bereft, the self-hating, the lonely, the banished, the foul, the miserable, the desperate and finally, those sick with their own power.

He did this, not because of his ideology or his creed. He did this not because of his doctrine. He did this, quite simply, because he loved them. He preferred them.

Making up a fictionalized “war on Christmas” is a way to avoid the discomfort these folks would feel if they really did attempt to put Christ back in Christmas.


By: Nancy Letourneau, The Political Animal Blog, The Washington Monthly, November 27, 2015

Posted November 27, 2015 | Black Friday, Christian Right, Christmas

“The New Touchy-Feely Organization”: All Of A Sudden The NRA Doesn’t Want To Mention Guns

Two weeks ago, coincidentally on the same day that the unfortunate 9-year-old girl accidentally shot and killed a firearms instructor in Arizona, the NRA kicked off a series of Netflix-style video ads that are perhaps the organization’s most disingenuous effort to present itself as something other than what it really is; namely, an organization devoted to ownership and use of guns. In fact, having watched all 12 one-minute productions, I can tell you that the only way you would know that this is an effort of the NRA is that each commentator ends his or her spiel by telling the viewer that their wholesome and didactic script was produced by the “National Rifle Association of America” with a slight pause and then heavy emphasis on the word ‘America’ even though officially the NRA is still just the NRA, not the NRAA.

This new media blitz by the people who used to bring us messages like “only thing that stops a bad guy with a gun is a good guy with a gun” is significant insofar as the word “gun” is never mentioned in any of these videos, not even once. You would think that the NRA had become some kind of touchy-feely civics organization devoted to uplifting our moral virtues rather than a trade association committed to getting everyone in America to own a gun. And not only are the minute-long lectures all about honesty, and decency, and respect for everyone’s point of view, but only four of the homilies are delivered by white males, who just happen to own most of the guns in America — seven of the commentators are women, one is Asian-American and, of course, there’s always room for Colion Noir, aka NRA’s African-American spokesperson.

When I first started watching these videos I thought I was looking at a remake of the Reagan “it’s morning again in America” campaign ads from 1984. Those were slickly-produced messages which never showed Reagan, who was beginning to look his age, but instead had a variety of American families proudly standing in front of a farmhouse, a factory gate, a well-manicured suburban lawn, all smiling, all happy, all gently reminding us that if we just remembered to vote Republican that all those things we cherished and loved would never be taken away.

The NRA scripts flow back and forth between a kind of Tea Party-lite condemnation about the problems we face — government spying, unlawfulness in high places, fear of crime — and an immediate sense of setting things right with the help of the “good guys,” the real Americans who can be counted on every time to keep us safe, honest, decent and sound. And who are these good guys? They are your neighbor with a decal on the back of his truck which reads: N-R-A.

I can’t imagine anyone actually watching one of these messages and coming away having learned anything at all. But I don’t think that’s the point. What the NRA is trying to do is cast itself in a softer, more reasonable and, if you’ll pardon the expression, less combative way, because for the first time they are up against an opponent whose money, smarts and media access can sway lots of people to go the opposite way. And not only does Bloomberg have that kind of dough, for the first time he might be able to energize non-gun owners to stay active and committed to the gun control fray.

This week we have another retail chain, Panera, which is walking down the path blazed by Starbucks and Target and asking gun owners to leave their weapons at home. Like the other chains, Panera isn’t posting a gun-free sign on their front doors, but if any of the 2nd-Amendment vigilantes believes that this isn’t a victory for the folks who want more gun control, they better think again. The fact that Panera’s announcement coupled their concern about guns with their desire to build social “communities” in their stores should tell you why, all of a sudden, the NRA has stopped talking about guns.


By: Mike Weisser, The Huffington Post Blog, September 10, 2014

Posted September 11, 2014 | Gun Control, Guns, National Rifle Association

“Unto The Breach”: For Credit Card Data Breaches, There Really Hasn’t Been Any Business Consequences

On Wednesday, a letter landed in my email inbox from Gregg Steinhafel, the chief executive of Target. He wanted me to know that there was a decent likelihood that some of my personal information had been stolen by criminals who had “forced their way into our systems,” as Steinhafel put it, and pulled off one of the biggest data breaches in history.

I’m not a regular Target shopper, so I had to think about this for a minute. Then I remembered: In mid-December, while marooned in Houston after missing a connecting flight to Rio de Janeiro, I went to a Target store to buy some clean clothes. I paid with my debit card, which I swiped through the little “point of sale” machine, and then entered my passcode — something I probably do a dozen times a day. The very ordinariness of the transaction is partly why it hadn’t stood out in my memory.

Since receiving Steinhafel’s letter, however, I’ve been brushing up on data breaches, and I’m here to say it is going to be a while before I’m sanguine when I make that little swiping motion with my debit card. In the battle between hackers and retailers, it sure looks as though the hackers are winning.

If you have read anything about the Target data breach, you know that from Nov. 27 to mid-December, hackers siphoned off the credit card information of 40 million Target shoppers, including card numbers, passcodes and the three-digit security code on the back. They also took names and email addresses of tens of millions of other Target customers.

Target acknowledged the breach on Dec. 19, but only after a reporter named Brian Krebs had broken the news on his authoritative blog, Krebs on Security.

When I talked to Krebs, he told me that while Target was “hardly a poster boy for how to secure data,” the company probably wasn’t all that much worse than most other retailers. Its digital system undoubtedly had all the current antivirus software, none of which had detected the malicious software — “malware,” as it’s called — that had infected it. Krebs was pretty convinced that the hackers were Russians. It was obvious that they were extremely sophisticated in how they went about stealing credit card data.

After burrowing into a Target server, he explained on his blog, the malware would then grab data from Target’s point-of-sale terminals all across the country shortly after customers swiped their cards. At that moment, a moment of maximum vulnerability since all the data was unencrypted at that point, the magnetic stripe would yield all the information the hacker needed.

Another security expert, Gerhard Eschelbeck, the chief technology officer at Sophos, wrote in a recent report that “one trend that stands out is the growing ability of malware authors to camouflage their attacks.” Eschelbeck described attacks by modern hacks as “innovative and diverse.”

Virtually every security expert I spoke to said it is likely that a lot more retail companies have been breached than has been acknowledged. Indeed, last week, Neiman Marcus admitted that its systems had been breached. And just the other day, the Department of Homeland Security sent a report to retailers and banks warning about point-of-sale malware, which it suspects has infected more systems than just Target’s.

So why don’t retailers do more to stop such attacks? Part of the reason is that nobody is forcing them to. It costs a lot of money to completely revamp their systems in ways that would make them harder to breach. However disruptive to customers, there really hadn’t been any business consequences, not until the Target breach, anyway. (Target saw its Christmas sales decline after the breach was announced.)

The simplest thing we could do to diminish data breaches would be to move away from magnetic stripes, which are relatively easy to copy, and go to a system in which credit and debit cards are embedded with chips. In widespread use in Europe and elsewhere, such cards are practically nonexistent in the United States (though a rollout is supposed to begin in the fall of 2015). In 2009, a payment company called Heartland suffered a breach that was even larger than Target’s. You would think that would have been a wake-up call, but apparently it wasn’t.

The most galling part of Steinhafel’s letter is its advice to consumers. “Never share information with anyone,” he writes. “Be wary of emails that ask for money.” None of this advice, of course, would have helped anyone who had the misfortune to shop at Target during the three weeks the malware was doing its devious work. The fault was not ours, Mr. Steinhafel; it was yours.

As for me, it turns out that the Russian hackers won’t be able to use my debit card information after all. I had to get a new card — after I was hacked in Brazil.


By: Joe Nocera, Op-Ed Columnist, The New York Times, January 17, 2014

Posted January 20, 2014 | Consumers, Corporations

“There’s Always Bitcoin”: Your Credit Card Has A Dangerous Flaw That The Banks Refuse To Fix

Hackers stole payment records on as many as 110 million customer accounts from Target over the holiday shopping season, in one of the largest data security breaches in history. The company has struggled to regain customers’ trust, with noticeable drop-offs in sales since they disclosed the breach on December 19. And Target is not alone in what looks like an identity theft epidemic. Neiman Marcus announced a similar hack of payment records, and at least three more major retailers could come forward in the next several weeks. As more and more customers have reported fraudulent charges, Congress has begun to ask questions about why this happened.

Here’s an answer: The United States has one of the worst payment systems in the entire world, inviting fraud and increasing hassles for anyone who wants to exchange money. In this case, a simple credit protection available on virtually all payment cards outside the U.S. could have dramatically narrowed the scope of the Target breach. It hasn’t happened here, mainly because banks don’t want to spend the money to upgrade the system, writing off the hassle and expense of your identity fraud as a cost of doing business.

Almost alone among developed nations, U.S. credit and debit cards have a magnetic stripe that contains all the financial information necessary to make a purchase. Once information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Smart cards in Europe and elsewhere encrypt that data and store it on a microchip, which is much tougher to replicate. More important, the cards also require a personal identification number (PIN) to work. This “chip-and-PIN” system introduces a second authentication, forcing thieves to have both pieces of information to successfully use the card. It’s a combination of advanced technology and simple common sense.

Chip-and-PIN would not have prevented hackers from stealing payment information from Target’s databases, but would have made it more difficult to use the records. Because of this, says Georgetown law professor Adam Levitin, would-be identity thieves would have a lower incentive to steal the data in the first place. “Like Willie Sutton says, bank robbers go where the money is,” he said. “Fraud will always find the weakest link. Now that the rest of the world has gone to chip-and-PIN, we’re the weakest link.” Nearly half of all card losses in 2012 occurred in the U.S., according to the trade journal the Nilson Report.

Though 130 countries around the world have phased out their magnetic stripe cards (which you may have noticed if you’ve tried to use a credit card overseas), the U.S. has lagged behind, with both merchants and banks assigning the blame to each other. Retailers need new card readers to handle chip-and-PIN cards, and they can be costly; it’s why only 10 percent of U.S. merchants have upgraded. The merchants don’t want to spend the money until they know banks will issue chip-and-PIN cards. And the banks don’t want to spend money on the more expensive cards until merchants install the card readers. So both sides are effectively telling the other to go first. With no regulatory mandates for anyone, this standoff could continue for years, with consumers paying the price.

“This is different than it has worked everywhere in the world,” said Adam Levitin. “Elsewhere, issuers and merchants have moved in lockstep.”

Some analysts place the blame squarely on banks, arguing that merchants eat the majority of the fraud costs, giving banks no incentive to upgrade. In addition, blogger and author Yves Smith notes that the banks sell the card reader equipment to the merchants, and they have inflated the price. “The impediment is almost assuredly the price point the banks have set,” Smith writes.

Credit card networks like Visa and MasterCard introduced the Payment Card Industry (PCI) Security Standards, which are supposed to provide more anti-fraud controls. But that effectively tries to band-aid an inherently insecure magnetic stripe system. More recently, the card networks proposed a shift in liability rules that they hope will nudge banks and merchants toward upgrading. By October 2015, if the merchant has a chip reader and the card has a traditional magnetic stripe, the bank will be liable for any fraud. Likewise, if a chip-and-PIN card is presented to a merchant with no chip reader, the merchant will be liable. In other words, both sides will be penalized for not upgrading to the chip-and-PIN system.

But again, this is voluntary. And in the meantime, both merchants and issuers manage to absorb the costs of fraudulent purchases (which total around five cents per $100 charged, according to the industry). They consider this cheaper than the costs of upgrading. In fact, one facet of the current system is a profit center for the banks. When a fraud transaction goes through, merchants reverse it through something called a charge-back. Merchants must pay the same fee to reverse a charge that they do to swipe one through, along with additional fees. “The retailers say, ‘we’re having to pay to not be paid,’” Adam Levitin said.

This reluctance to upgrade in the U.S. has led to a general creakiness in the payment system. Most U.S. retailers don’t even have real-time authorization capabilities, making it more difficult to detect fraud at the point of sale. The Automated Clearing House (ACH) system can take days to process transactions, wasting time and increasing costs for customers. Banks have outdated processing systems and have been similarly reluctant to upgrade them. Says Levitin, “We’re still using horse and buggies.”

Meanwhile, other countries have leapt past the U.S. In Kenya, the M-Pesa system allows consumers to pay for virtually anything by mobile phone. It has become widely adopted by merchants, making the African nation a world leader in mobile money. Mobile transactions over M-Pesa hit $19.6 billion in 2013. (Attempts to create mobile payment systems in the U.S. are in the startup phase, with entrepreneurs literally going from one business to the next to find retailers willing to use it.)

Levitin argues that America’s previous position as a payments system leader led to its slow pace in keeping up with new technologies. “The reason we’ve lagged behind is because we were ahead,” he said. “Everyone else had to upgrade, while our card system networks were making money. Kenya just didn’t have a regular banking infrastructure. The alternative to M-Pesa is paying in cattle.” Similarly, Europe upgraded to chip-and-PIN because credit card authorization was typically done through phone lines, and 10 years ago, European telecom costs were fairly expensive. “Our technology was not bad enough to upgrade,” Levitin says.

Congress is highly unlikely to get involved in an argument between banking lobbyists and retailer lobbyists. They learned their lesson when trying to legislate “swipe fees,” what banks charge retailers to process credit and debit card transactions. The result was a knock-down, drag-out affair that took months to negotiate.

But the Target breach, and the reputational risk to the big box store, has both merchants and banks rethinking the consequences of maintaining a substandard old system. Mallory Duncan, general counsel for the National Retail Federation, said this week at the trade group’s annual convention that they now encourage members to upgrade to chip-and-PIN card readers, saying “The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers.” And banks have responded to complaints by gradually distributing dual-use cards with magnetic stripes and chip-and-PIN technology, mostly to frequent foreign travelers. U.S. Bank expects all its customers to have the cards by next year.

So there’s a chance that the U.S., like a lumbering giant, will finally make the move to more secure payment systems. Failing that, there’s always Bitcoin.


By: David Dayen, The New Republic, January 16, 2016

Posted January 17, 2014 | Cybersecurity

“No Company Is Secure”: Stop Asking Me For My Email Address

It’s hard out there for a paranoid cybersecurity reporter.

I’ve covered enough breaches, identity thefts, cybercrime and worse, to know it’s a terrible idea to hand over my personal data — even something as seemingly innocuous as my birthday or email address — to a store clerk, or a strange login page on the Internet.

But it’s getting hard to resist. I was in the middle of buying a swimsuit recently when the sweet lady behind the boutique counter asked me for my email address. I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.

“We won’t spam you or anything,” she said, perplexed. “We just need it for our database.”

I knew then that the conversation was headed into a whole lot of awkward, as it had dozens of times before. The fact is, a boutique doesn’t need my email address so I can buy a swimsuit. The hotel I stayed in recently didn’t need my birth date, or my home address, or my driver’s license number, before I could check in. And Target doesn’t need to store your debit card PIN.

After news of Target’s breach first broke last month, a reader emailed complaining that after a recent purchase at a Target store in San Francisco, she was asked for her driver’s license after her credit card was authorized. “I gave it to her thinking she was only going to look at it, however she immediately scanned it through her register. I was a bit shocked and asked why she did that. She said it is always done but ‘Don’t worry, it is secure.’”

That, we now know, is absurd.

There is a temptation to think that major retailers like Target – and now Neiman Marcus – are more secure because they have more cash to spend on security. It’s the same assumption users made thinking Snapchat was secure because it magically makes selfies disappear, or that LinkedIn knew how to protect data because it likes to talk up big data, or that Adobe could protect our passwords.

Actually, I take that back: Compromised Adobe PDF files have been used in far too many cyberattacks to mention here.

The point is that no company is secure. None of them. Not when they are up against an increasingly sophisticated, elusive enemy. But the problem is not just retailers, or technology companies or hackers, it’s us.

We regularly hand over data simply because we’re politely asked. We don’t read privacy policies, or ask companies whether our email addresses and passwords will be “salted” or “hashed,” encrypted with long or short keys, or whether those keys will be stored on separate systems from the ones they can unscramble. We don’t challenge major credit card companies to hurry up and adopt smart-chip credit cards. And we don’t stop doing business with companies that don’t take data protection seriously.

So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population. And then, in a few days, we will likely go back to politely handing over our email addresses and birth dates.

But for now, the sweet lady at the boutique just has this:


By: Nicole Perlroth, Digital Diary, The New York Times, January 10, 2014

Posted January 12, 2014 | Privacy
