Archive for May, 2007

Tragedy, Comedy and Breachedy

Thursday, May 31st, 2007

Mel Brooks once said, “Tragedy is when I stub my toe. Comedy is when you fall in an open manhole and die.”

The real victims of the Choicepoint breach have been allowed to fall in the open manhole by their State Attorneys General.

ChoicePoint Inc. has settled with 44 U.S. states over a 2005 data breach that resulted in criminals potentially having accessed personal information from more than 145,000 consumers.

The company, which maintains profiles of nearly every U.S. consumer, agreed to adopt stronger security measures and pay $500,000 to the states, Connecticut Attorney General Richard Blumenthal said in a statement.

That’s right, folks. If you’re a business whose core competency is supposed to be dealing in Personal Information, the criminal(?) penalty for mishandling it is approximately $3.50 per record. That ignores the multitude of other costs that have come out of the Choicepoint breach(es), but it certainly adds a solid data point for one of the line items of breach costs.

Choicepoint’s shares closed up $0.08 on the news, which means that the market implicitly felt that the potential liability this settlement eliminated was worth about $6 million.

They’re on to us…

Wednesday, May 30th, 2007

The Inquirer has some commentary which includes a nice rant about the economics of the security industry today.

Whose interests are really threatened by cybercrime? Well, certainly not the software makers, the chip makers, the hard disk makers, the mouse makers, and least of all the virus busters and security firms which daily release news of the latest “vulnerabilities” plaguing the web.

No, the victims are the poor users. Not that they’re likely to have their identity stolen or their bank account plundered or their data erased by some malicious bot or other. The chances of that happening are millions to one.

No, what they are forced to do is continually fork out for spam-busting protection, for “secure” operating systems, for funky firewalls, malware detectors or phish-sniffing software. All this junk clogs up their spanking new PC so that they continually have to upgrade to newer chippery clever enough to have a processing core dedicated to each of the bloatsome security routines keeping them safe while they surf.

It’s a con, gentlemen. A big fat con.

No one has a business interest in catching identity thieves or malware writers. There’s no money in it, so no-one’s bothered.

There’s too much money to be made in solving the problems to actually eliminate them. No amount of software security liability is going to change that fact. The Legal OODA Loop is orders of magnitude too slow to keep up with the situation on the ground, the concepts are still too esoteric to lawyers and judges, and the entrenched interests are too well-funded.

You manage the risks this world brings and you go on. That’s all there is to it.

The year of driving dangerously

Tuesday, May 29th, 2007

As a scooterist, I’ve been the survivor of countless near-misses here in downtown Chicago and Dutcher Stiles can confirm that the problem isn’t limited to my neighborhood.

Now we get some data from Boston.com regarding risks of multi-tasking behind the wheel.

The most extensive study of driver behavior — released last year by the Virginia Tech Transportation Institute after monitoring 100 motorists in the Washington, D.C., area, each for about a year — found that 80 percent of the 82 crashes and 65 percent of 761 near-crashes occurred when drivers were distracted, primarily by wireless devices such as cellphones and PDAs.

“We definitely saw that any time a driver’s eyes were away from the roadway doing any secondary task . . . the more dangerous it is and the more devices that come into a vehicle, the more that risk increases,” said Charlie Klauer, the senior research associate who headed the study.

Federal safety officials estimate that driver distraction or inattention is to blame for up to 30 percent of all crashes, about 1.2 million a year. It’s dangerous enough that many states are taking action.

Anyone who has spent any significant amount of time in traffic has seen people doing all sorts of things behind the wheel which have no place there.

The latest is the rise of electronic interruptions, which I agree are actually worse than the traditional eating-while-driving, grooming-while-driving (I’ve seen both shavers & make-up artists) or even reading-while-driving or working-the-crossword-while-driving in that the device demands attention and people feel psychologically bound to react, putting the driving effectively “on hold” while they do so. That is, as I see it, the truly aggravating factor related to driving-while-{texting|phoning|emailing|.*}.

Recently, for example, I spent about half an hour in heavy traffic behind a girl named Jessica (according to the nametag hanging from her rearview mirror) who was texting constantly. She had several near-rear-end collisions and managed to sit through the first 5-10 seconds of every green light when she was near the front of the queue. I decided that the safest place in that particular traffic stream was directly behind her until the chance arose to get fully clear of her area of impact.

Not only did she put herself at risk, but her inattentiveness led to even more aggressive behavior by those around her, thus further amplifying the risk of an accident within her vicinity.

One thing we often fail to consider when assessing risk is the amplification effect that it might have. Will it produce cascading failures? Does it have a “ripple effect” increasing the likelihood (and thus the risk) of seemingly independent events? If so, how would you measure it? For that matter, how would you even know?

Selling (in)security

Tuesday, May 29th, 2007

It’s been said that the first step to solving a problem is realizing you have one. Fortunately, problems can be anywhere; you just have to look. And ignore fundamental precepts of logic such as “you can’t prove a negative.” And avoid awkward topics like “math” and “science.”

Thus the beauty of Silent Blinking Death.

Scooters, compressed air cars, and the Tragedy of the Commons

Friday, May 25th, 2007

BusinessWeek recently published a puff piece about a compressed air-powered car which showed up on a scooterist mailing list I’m on. One thing that was interesting to the list was that

The MiniC.A.T is a simple, light urban car, with a tubular chassis that is glued not welded and a body of fibreglass.

There are a lot of questions about this car, including things like how it works in low temperatures (a real issue in places like Chicago that have winter), how factually correct some of the claims in the article were, etc. In general, members of the list liked the green factor but had concerns about its survivability in a crash (ironic, coming from a bunch of cyclists).

But one of the list members, who posts under the name “korhag,” provided a wonderful risk assessment of scootering versus driving, the impact of a car’s mass in a collision, and consideration of how this all leads to a Tragedy of the Commons where the environment is concerned.

And how is that different then the safety factor of any two-wheeler?

I think the salesmen have done wonders selling large SUVs, trucks and such on the perceived notion that the bulk of steel in your cage actually increases the driver’s personal safety. In a scientific way, I guess it does. But those NASCAR guys have all the safety features with fire and ambulance trucks at the ready and yet drivers still get injured and worse. Occasionally even the big Semi-truck drivers are hurt and worse on our roads and highways.

Someone invents a lightweight (glued not welded) zero-emission vehicle and the criticism that first comes up is about the safety of such a lightweight car. BOLLOCKS! Anyone can be knocked senseless by an idiot no matter what they are riding/driving. The number one safety factor is safe driving habits and uber-awareness of the unexpected. Idiots will and do run red lights. They go the wrong direction up a one-way, etc. Sometimes there’s no avoidance and you’re just gonna get hit. There’s a better survival rate in a Volvo than on a Vespa. Probably better in an SUV than this airC.A.T. thing… but if Al Gore is right then there’s better survival for us all if we all drive zero emission vehicles like the airC.A.T. than if we all rode 2-strokes (Not that I’m willing to give up my Vespa).

Keep in mind this comes from a guy, me, who rode my scooter all winter in a half helmet. I fell a few times on the ice and gravel and have the dents to prove it. It’s just that before we had helmets and seatbelts and all this hyper-sensitivity about safety (medicare even) we still kept going.

In short, there are some activities where, when you have an incident, even having every possible countermeasure isn’t enough. Most of the time, though, you don’t need every possible countermeasure to mitigate risk to an acceptable level. Finally, we’re all better off when we utilize countermeasures which don’t have excessive externalities.

More TJX cost data

Friday, May 25th, 2007

As a follow-up to my original TJX cost estimate, the IT Compliance Institute published this updated TJX cost note today:

The TJX data breach cost that company $12 million during the last quarter, and it has informed investors that it will probably face expenses of at least that much in the next quarter, not counting litigation.

Prior to the last quarter the breach had already cost the firm $7 million.

The expenses included investigating and containing the data breach, reinforcing computer security, and communicating with customers.

Finally, some credit card breach impact data

Wednesday, May 23rd, 2007

This has been sitting in draft for a while, but I don’t recall seeing too much commentary on it, so I think it meets the test of, “It’s all news if you haven’t read it.”

Thanks to the enterprising criminals in the great state of Florida, we now have a floor for the impact of the TJ Maxx credit card breach:

Data stolen from TJX — the parent company of T.J. Maxx and other retailers — has surfaced in the Sunshine State, where it’s been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam’s Club gift cards, and then used those to hit stores in 50 of Florida’s 67 counties.

The Florida Department of Law Enforcement confirmed that the information used to make the fake credit cards was obtained as a result of the TJX data breach. Dominick Pape, the special agent in charge for the Florida Department of Law Enforcement, said he couldn’t provide further details about how the TJX intrusion was committed or how the thieves got the stolen customer information used to make the fake credit cards because of the ongoing investigation into the breach that’s taking place in Massachusetts, where TJX is based.

The fraud ring was uncovered after Wal-Mart employees became suspicious of certain shoppers who were using multiple gift cards — many of them worth $400 — to pay for their purchases. The $400 denomination was used because gift cards valued at $500 or more require the customer to provide some form of identification. “They knew enough to go through the area of least resistance,” Pape says.

So, best case, we’re talking about 20,000 individual incidents of fraud (at $400 per gift card). That’s a lot of gift cards and a lot of transactions. But even if a different victim’s card was hit for each transaction, that’s still a drop in the bucket compared to the millions of cards which are believed to have been compromised.

The real costs will be borne either by the victimized retailers (in this case, Wal-Mart) or the card issuers who pre-emptively issued new cards to prevent fraud. Wal-Mart was pretty much helpless to do anything preventative, so now all they can do is try to recoup their losses by suing TJX (TJ Maxx’s parent company). Due to the scale of their loss, they might actually do that at some point.

So if the number of lost card numbers was two million (the lowest possible value of “millions”), then the fraud rate would have to be 1% ($8,000,000 / $400 = 20,000 charges, out of 2,000,000 cards).

I think it costs about $28 to re-issue a credit card. So this is both the cost of the countermeasure and the minimum incident response cost (you have to replace the cards).

Thus, the absolute minimum incident response cost is $560,000 ($28 for each of the 20,000 abused cards, spread across the various issuers), plus $8,000,000 in real fraud losses to Wal-Mart, and that assumes everything else associated with a major consumer privacy breach, such as the cardholders’ (the real victims, IMHO) time is free or share price impact is free.

Updated: Corrected mis-attribution of Ross Stores involvement in the second paragraph of my commentary based on updates from the comments. Thanks, Bob!

Risk of what? More reasons not to manage risk

Friday, May 18th, 2007

Iang raises an excellent point in his remarks on my post:

…the attacker is aggressive. Whatever we measure, the attacker actively perverts. So, unlike insurance models, security doesn’t work well with just statistics. Much as we say we need more data, if we had all the data in the world, and fixed what we could see, the attacker would simply move faster than we could.

Attackers will always hold the advantage over even the best-funded and most responsive organization for the simple reason that the attacker is acting and the defender is reacting. Attackers will cheat if they see an opportunity. It’s in their nature as attackers.

Effective security systems are those with the latitude to effectively cheat back, and which can identify and, as Schneier likes to note, prevent or react to generic threats rather than to specific (usually past) threats; systems built around specific threats often end up ignoring the generic ones entirely.

As to the relative leverage of attackers and defenders, John Robb has coined the term “Open Source Warfare” to describe the rapid pace of innovation highlighted in case after case where insurgents have seen immediate-term ROIs on their attacks of 5,000% or more from their operations. These sorts of imbalances are becoming the norm in conflicts between formal actors such as governments or multi-national corporations and insurgents or crackers.

Throw in Gen. Boyd’s OODA Loop, which works great for fighter pilots where everyone is working at the same rate of response, but produces a loop that looks more like a solar orbit in Enterprise and Government timeframes, and you should immediately see why responding to specific threats is a losing proposition.

Personally, I think that many people get so caught up in “winning” or “losing” versus an attacker that they forget that you can never really win*; you can only make the attacker go bother someone else. Damage by attackers is eventually inevitable. The key is to ensure that the impact of incidents and cost of countermeasures does not exceed a tolerable level over time (e.g. through methodologies such as ALE or FMEA). Any other approach leads only to over-spending on defense, lost business agility and stomach ulcers.

* Ironically, the way that you would “win” against an attacker once it becomes personal would be to suffer a big enough loss that you can get the police to prosecute the (successful) attacker.

Managing risk in the absence of data

Thursday, May 17th, 2007

As Doug pointed out in the comments to my last post, a hard part of managing risk today is dealing with the absence of data. Even when we have data, it’s often been Overtaken By Events since our environments evolve so rapidly that even the data we have is, at best, red apples to green apples.

So what to do about it? The easy answer would seem to be to find a similar problem where someone has better data, but as John Quarterman deftly illustrates while examining wildfire risks, that solution may be worse than the problem:

Regarding risk management, it is important to know something about your specific risk swamp. If you apply a risk management regime from some other ecology, you may find it fails badly for your peat and pines. This is yet another reason it would be good to have as much past history as possible.

I don’t have the answer, but I can remind everyone that the key to managing risk in a changing environment (which is to say, any environment) is not just about having data points, but is even more about knowing the trendlines for those data points. After all, risk management is about ensuring that you’re prepared for what the future will bring, rather than just solving the problems of the past.

A thought on software patents

Tuesday, May 15th, 2007

Coming the day after Microsoft began threatening open source with patent demands (it has a list of some 235 patents!) that it alleges open source software infringes, I thought this reminder about patents from someone whose opinion is worth listening to on the subject might be nice:

I have not had the time to search the patent literature systematically; indeed, I decry the current tendency to seek patents on algorithms. If somebody sends me a copy of a relevant patent not presently cited in this book, I will dutifully refer to it in future editions. However, I want to encourage people to continue the centuries-old mathematical tradition of putting newly discovered algorithms into the public domain. There are better ways to earn a living than to prevent other people from making use of one’s contributions to computer science.

— Donald E. Knuth. The Art of Computer Programming.
Volume III. 2nd Edition. Preface. p vi.
Addison-Wesley. 1998.