• Today is “black Friday.” There are a lot of people out shopping today. I’m not one of them. However, I’m also not part of some ideological movement in opposition to shopping today. I just don’t like crowds. I can’t be bothered. I was invited to a “buy nothing” day on Facebook. I suppose if the point is to raise awareness of needless consumerism, I’m a fan. But in this era of anti-capitalism, of the “99%”, I’m wary.
    Created Fri, 25 Nov 2011 20:56:31 +0000
  • My mood has been low recently. But it’s been lifted this morning by song. I’m listening to my “Everything but the Girl” radio station on Pandora. As Carolyn put it, “Is it nothing but Everything But the Girl”? Pleasant enough in itself, but thanks to Lexus, I’m enjoying it as part of a free trial to Pandora One. It’s funny how it’s the little things. For no particular reason that I can think of, BMW has always been the target of my automotive lust.
    Created Fri, 11 Nov 2011 15:30:05 +0000
  • I got a disturbing message on my Steam account, today:

    …intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

    (emphasis mine)

    I’m unimpressed. Credit card data was in the same database as user data, purchase history, billing address, etc? To me, that means either: 1) They kept a whole bunch of information in a PCI-DSS secured vault at great expense as getting data into and out of such a vault is difficult by design, or 2) They were storing credit card data outside of a PCI-DSS vault in direct violation of the guidelines set forth by Visa, MasterCard, etc.

    I’m also disturbed by the cagey language. “We do not have evidence that … credit card numbers … were taken by the intruders.” Given that it apparently took them 4 days from the forum defacement until the general announcement, I’m insufficiently impressed with their reported forensics to think that their lack of evidence for some activity means an absence of that activity. Who knows how long they were in breach even before the forum defacement that caused them to stumble over the broader breach? I’m also curious what algorithm was used for the credit card encryption. And where was the encryption key kept? Was it potentially exposed as well?

    Of course, I’m also sympathetic. When I was with Linden Lab, we suffered a database breach as well. We ended up forcing a change to everyone’s passwords, pulling an all-nighter to implement new password recovery measures, manning the telephones to personally talk with affected customers and help them validate their accounts and change their passwords. Credit card data, however, was never exposed, nor at risk at the level of penetration the attacker reached.

    Ironically, I had a conversation with Valve nearly a year ago. I’d heard they were looking for some international payment expertise and I got in touch. They ended up not thinking that I was what they needed, but at least I was able to put them in touch with the great people at Envoy. They apparently didn’t connect either. I wish they’d gotten someone in though, and that someone had taken a good, hard look at their credit card processing and storage. They’d have been able to write a much less embarrassing letter. The full text of the note follows the break, but it ends with “I am truly sorry this happened, and I apologize for the inconvenience.” I believe they’re sorry it happened, but this is still such a milquetoast apology. If I had to write that letter it would say something a little stronger, something like: “I’m deeply disappointed that we failed to maintain the trust you put in us when you shared your personal information with us, and we’re going to do everything we can to redouble our security efforts to ensure this sort of thing never happens again and to earn back your trust and loyalty as our most valued resource – our customer.”

    In the meanwhile, if you have a Steam account, do yourself a favor:

    • Change your Steam password
    • Change your password anywhere else you used the Steam password (you know you did)
    • Remove your payment information from Steam until they can demonstrate they can be trusted with it
    Created Fri, 11 Nov 2011 04:26:16 +0000
  • On the invitation of Sam’s soccerfootball coach from West City Soccer with whom we play “Family Futbol”, I have joined a Co-Rec soccer league with SOCA. If I’m not the oldest player on the team, I’m pretty close. This team has a reserved field on Wednesdays for practice. We had our first practice last week, and there were maybe 6 or so team members who came out to practice. We did a little bit of practice on corner kicks, but it pretty quickly devolved into a small pick-up game.
    Created Thu, 29 Sep 2011 01:31:02 +0000
  • --- 75.75.0.1 ping statistics ---
    203 packets transmitted, 148 packets received, 27.1% packet loss
    round-trip min/avg/max/stddev = 6.303/43.857/4017.386/327.895 ms

    I just wrote how much better my very fast internet is. However, things are not looking so rosy right now. 27% packet loss to my upstream router is not so good.
    Created Fri, 22 Jul 2011 21:34:17 +0000
  • I had heard that Comcast’s introduction into the area of some greater DOCSIS 3 infrastructure might have a positive impact on my available bandwidth. Sure enough, I’m approaching 30 Mbs. Of course upload speeds aren’t what they were last time I checked, but maybe that’s a “time of test” issue.
    Created Fri, 15 Jul 2011 02:26:35 +0000
  • I can’t believe it’s been nearly a quarter since my last update. Certainly, I’ve been keeping pretty busy. Singing Horse Studio is doing well, and starting to get as much work as we can handle. We now need to work on managing our growth. Another tricky area for a young business — actually for ANY business. We’ve expanded into the USA having successfully registered with the Virginia State Corporation Commission on July 1st, 2011.
    Created Mon, 04 Jul 2011 23:17:25 +0000
  • I had gone to do a little play dev work and discovered that my AWS machine was on a version of Ubuntu for which support had long-ago ended. I’m setting up a new AWS host, but it’s taking a little while to get everything sorted back out. So if my sites seem “a bit off” for the next couple of days, that’s probably why. Like for some reason, the permalink structure of my WordPress instance doesn’t seem to be working.
    Created Sun, 13 Mar 2011 18:10:23 +0000
  • I have two really smart friends who are building MailRank. I don’t know more than they’ve posted online or made inferences from their name, but I think they are trying to make email distinguish between the stuff you do care about (mail from your spouse) and stuff that’s not spam, but you don’t care about (mail from the bike shop, mail from your mom). If it works (and, to be sure, I’ve got no idea how it possibly could), I’d love to get a “biff” style notification of “mail I do care about”!
    Created Sun, 13 Mar 2011 18:04:59 +0000
  • I do some of my best thinking in the shower. Or at least it feels like it while I’m in the shower. 🙂 But, if ever there were a guilty pleasure of mine, it’s a long, hot shower. Both the water required and the power required to heat that water are a wasteful luxury. As I was musing this over in the shower this morning, it occurred to me that most of this waste is because the water going down the drain that is still “mostly hot” and “mostly clean.
    Created Sat, 05 Mar 2011 16:40:16 +0000