-
Saturday, we awoke late after a mixed night’s sleep. We ate our breakfast procured from Waitrose the day before. Yogurt and blueberries for myself while Sam and Carolyn had muffins with Bonne Maman, clementines and milk. We confirmed that trains to Lewes were frequent and headed up to the station. We got our tickets there and boarded a Southern “local” train with a few stops before we even got to Lewes.
Created Tue, 16 Jul 2013 21:27:00 +0000
-
I’m opposed to most things that Congress does. I find this one especially appalling. In light of abuses before they even granted themselves this power, this MUST be stopped.
Created Wed, 14 Dec 2011 16:36:47 +0000
-
Today is “black Friday.” There are a lot of people out shopping today. I’m not one of them. However, I’m also not part of some ideological movement in opposition to shopping today. I just don’t like crowds. I can’t be bothered. I was invited to a “buy nothing” day on Facebook. I suppose if the point is to raise awareness of needless consumerism, I’m a fan. But in this era of anti-capitalism, of the “99%”, I’m wary.
Created Fri, 25 Nov 2011 20:56:31 +0000
-
My mood has been low recently. But it’s been lifted this morning by song. I’m listening to my “Everything but the Girl” radio station on Pandora. As Carolyn put it, “Is it nothing but Everything But the Girl?” Pleasant enough in itself, but thanks to Lexus, I’m enjoying it as part of a free trial to Pandora One. It’s funny how it’s the little things. For no particular reason that I can think of, BMW has always been the target of my automotive lust.
Created Fri, 11 Nov 2011 15:30:05 +0000
-
I got a disturbing message on my Steam account, today:
> …intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
(emphasis mine)
I’m unimpressed. Credit card data was in the same database as user data, purchase history, billing address, etc.? To me, that means either: 1) They kept a whole bunch of information in a PCI-DSS secured vault at great expense as getting data into and out of such a vault is difficult by design, or 2) They were storing credit card data outside of a PCI-DSS vault in direct violation of the guidelines set forth by Visa, MasterCard, etc.
I’m also disturbed by the cagey language. “We do not have evidence that … credit card numbers … were taken by the intruders.” Given that it apparently took them 4 days from the forum defacement until the general announcement, I’m insufficiently impressed with their reported forensics to think that their lack of evidence for some activity means an absence of that activity. Who knows how long they were in breach even before the forum defacement that caused them to stumble over the broader breach? I’m also curious what algorithm was used for the credit card encryption. And where was the encryption key kept? Was it potentially exposed as well?
Of course, I’m also sympathetic. When I was with Linden Lab, we suffered a database breach as well. We ended up forcing a change to everyone’s passwords, pulling an all-nighter to implement new password recovery measures, manning the telephones to personally talk with affected customers and help them validate their accounts and change their passwords. Credit card data, however, was never exposed, nor at risk at the level of penetration the attacker reached.
Ironically, I had a conversation with Valve nearly a year ago. I’d heard they were looking for some international payment expertise and I got in touch. They ended up not thinking that I was what they needed, but at least I was able to put them in touch with the great people at Envoy. They apparently didn’t connect either. I wish they’d gotten someone in though, and that someone had taken a good, hard look at their credit card processing and storage. They’d have been able to write a much less embarrassing letter. The full text of the note follows the break, but it ends with “I am truly sorry this happened, and I apologize for the inconvenience.” I believe they’re sorry it happened, but this is still such a milquetoast apology. If I had to write that letter it would say something a little stronger, something like: “I’m deeply disappointed that we failed to maintain the trust you put in us when you shared your personal information with us, and we’re going to do everything we can to redouble our security efforts to ensure this sort of thing never happens again and to earn back your trust and loyalty as our most valued resource – our customer.”
In the meanwhile, if you have a Steam account, do yourself a favor:
- Change your Steam password
- Change your password anywhere else you used the Steam password (you know you did)
- Remove your payment information from Steam until they can demonstrate they can be trusted with it
Created Fri, 11 Nov 2011 04:26:16 +0000
-
I had heard that Comcast’s introduction into the area of some greater DOCSIS 3 infrastructure might have a positive impact on my available bandwidth. Sure enough, I’m approaching 30 Mbs. Of course upload speeds aren’t what they were last time I checked, but maybe that’s a “time of test” issue.
Created Fri, 15 Jul 2011 02:26:35 +0000
-
I can’t believe it’s been nearly a quarter since my last update. Certainly, I’ve been keeping pretty busy. Singing Horse Studio is doing well, and starting to get as much work as we can handle. We now need to work on managing our growth. Another tricky area for a young business — actually for ANY business. We’ve expanded into the USA having successfully registered with the Virginia State Corporation Commission on July 1st, 2011.
Created Mon, 04 Jul 2011 23:17:25 +0000
-
I had gone to do a little play dev work and discovered that my AWS machine was on a version of Ubuntu for which support had long ago ended. I’m setting up a new AWS host, but it’s taking a little while to get everything sorted back out. So if my sites seem “a bit off” for the next couple of days, that’s probably why. Like for some reason, the permalink structure of my WordPress instance doesn’t seem to be working.
Created Sun, 13 Mar 2011 18:10:23 +0000
-
I had a dream last night about a statue. That’s all I remember about the dream – the statue. The statue was titled “The Many Muses of Flight.” It was all white as if carved from white marble. It had a man in Dickensian garb complete with top hat leaping up, but he was only partially distinct from the white marble mass which was primarily shaped like the plumes of smoke from the early stages of a rocket launch.
Created Sat, 18 Dec 2010 17:29:55 +0000
-
I was thinking recently of things I’ve done, places I’ve been. At forty, I still feel young. New to the world, even though my body isn’t capable of what it once was. Looking back though, I’m astonished and overwhelmed at the people and events that have found their way into my lives.
Sometimes at Thanksgiving, the holiday has just come and gone. Good food, good friends and family. This year, though, I spent a little bit of time reflecting. I count myself genuinely lucky for the breadth of experiences I’ve had, people I’ve known, places I’ve been.
Thank you.
Created Fri, 26 Nov 2010 00:41:30 +0000