Funny I was expecting this one instead: http://www.penny-arcade.com/comic/2002/3/25/

Ummm... only available through the App Store means Snow Leopard by default because there is no App Store on Leopard from which to buy it.

My LaserJet 4M (+ I THINK) died a couple of months ago after 10+ years of service. I actually stared at the phone-net to ethernet adapter for a few seconds trying to figure out what it was. Man, was that a blast from the past.

*SIGH* I think I'll go shake my fist at some teenagers and fall asleep in front on Matlock now.

=tkk

But they don't encourage the larger picture is my point. Their testing methodology encourages checklist thinking so you pass a limited test at 100% and you get your certification. Because you don't get any real protection from the certification - because they will retroactively deny your compliance after the fact - it becomes a necessary evil to be complied with not an active process. You're encouraged to think completely inside the box to get PCI certs but not rewarded in any way for taking a comprehensive security approach.

They will certify your computers as PCI compliant when they share domains with the unsecured network. Because you don't get any protection from PCI compliance and the testing is expensive the scope narrowed to computers themselves. Ignore the fact that I can steal credentials from the unsecured domain and then try them out on the secured PCI certified domain - to get the whole network certified is way too expensive so only do the minimum. And yes, I do know people who do exactly this kind of pen testing for PCI certified companies and that's exactly how you go about it. Your don't target the 5% PCI certified part of the network you look at the other 95% and work from there.

They seem much more interested in maintaining the appearance of unbreakable security than actually creating a system than helps users the right thing. There is never 100% security, but rather than really help people achieve really good security they make you jump through hoops that encourage limited security scope examinations and then deny you any protection if you get breached. Their money would be much better spent on having a decent security over view of the entire network but instead they spend their money on a certification audit and then do a (worthless) internal "assessment" of the risks from the rest of the network.

It's like an ISO 9000 certification of a shitty product - they've certified that you have excellent management practices but your product is still shitty.

And back to something vaguely on topic I bet it was something like this at Sony. Their (criminally stupidly) unpatched public facing services probably didn't have any data they were worried about but they were connected to servers that did. If a simple network intrusion into an insignificant system yields a single login into a more important server that's all it takes. Major breaches are usually a chain of smaller security problems that get exploited in series until it actually adds up to something huge.

PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.- so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."

They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

I don't think it sounds like that at all - I think it sounds like a schizophrenic "business" model. The USPS supplies mail to virtually everyone - that's their mandate. They maintain post offices in tiny places you wouldn't even consider towns and charge an extremely reasonable fee to move mail regardless of distance or address. They are an organ of the US government that has decided that almost all citizens should access to mail communications and I agree. What's crazy is to believe that they can do both things - run at cost and and fulfill the mandate to provide access for all.

The idea that the government should be run "like a business" when it is trying to do unbusinesslike things is the failed idea. The public good doesn't have a profit motive that can be measured in dollars and cents and therefore running like a business misses the point completely.

=hiredman