web application security lab

Archive for December, 2007

Initiating Probes Against Servers Via Other Servers

Sunday, December 9th, 2007

Okay, this is convoluted but still kinda cool. I was looking through some pages on various tools out there and happened across GRC’s probe page, which is designed to detect whether there are open ports and what threats are associated with each port. It is protected from nefarious purposes by only scanning the ports of the IP address you are originating from. Then I thought: wait, I can originate from anywhere that I can get to request this page for me. The first page that came to mind? W3C’s validator.

Click here to see W3C’s validator requesting, and getting the results of, GRC’s probe against W3C’s port 80. Pretty esoteric, huh? Yah, I know, there’s not a whole lot of practicality here, except that if I wanted to launch a port scan against a site that had something like an HTTP GET function (a remote image include, for instance) I could get GRC to perform the probe on my behalf. If someone were actually logging, they’d most likely see GRC as the attacker. GRC would say, “No, you are the attacker, asking us to attack you,” and W3C would have to look in their logs to find my IP (which would be unlikely to be associated with me if I had any clue as an attacker). Maybe locking things down with IP-based restrictions isn’t the best security measure if the only input is via a GET string. Something as simple as a POST parameter would have stopped me. Odd, but worth mentioning.
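As an added example (not code from the original post, nor from GRC or W3C), here is the decision logic behind the point above in Python: a probe endpoint that is gated only by source IP and reachable by GET can be driven through any GET-only intermediary, so the intermediary ends up being the one probed, whereas requiring a POST carrying a session-bound token shuts that path. The `Request` class, the two policy functions, the secret and the IP addresses are all constructed for illustration and do not describe GRC’s real implementation.

```python
"""Added example: why source-IP gating of a GET-only endpoint is a
confused-deputy problem, and why a POST with a session-bound token closes it.
Everything here is constructed for illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed demo secret; a real deployment would load one from configuration.
SECRET = b"constructed-demo-secret-not-for-real-use"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework)."""
    method: str
    remote_addr: str
    query: dict = field(default_factory=dict)    # URL query string
    form: dict = field(default_factory=dict)     # POST body fields
    cookies: dict = field(default_factory=dict)


def weak_probe_policy(req: Request):
    """Policy like the one described above: any GET with ?probe=1 is honoured,
    and the target is simply whoever the request came from.
    Returns the address that would be probed, or None if refused."""
    if req.method != "GET" or req.query.get("probe") != "1":
        return None
    return req.remote_addr


def issue_token(session_id: str) -> str:
    """Token bound to a session id (an HMAC, so the server keeps no per-token state)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_probe_policy(req: Request):
    """Hardened policy: require a POST whose token matches the session cookie.
    A third party that can only fetch a URL (plain GET, no cookies, no body)
    cannot produce this request, so it can no longer be pointed at itself."""
    if req.method != "POST":
        return None
    session_id = req.cookies.get("sid")
    token = req.form.get("token")
    if not session_id or not token:
        return None
    if not hmac.compare_digest(issue_token(session_id), token):
        return None
    return req.remote_addr


def get_only_fetcher(url_query: dict, fetcher_ip: str, policy):
    """Simulates an intermediary such as a markup validator or a remote-image
    include: it issues a bare GET for a URL it was handed, and the request
    arrives at the probe service from the intermediary's own IP."""
    return policy(Request("GET", fetcher_ip, query=url_query))


def demo():
    """Returns (weak_target, hardened_target, direct_target) for comparison."""
    user_ip = "198.51.100.7"           # constructed; RFC 5737 documentation range
    intermediary_ip = "203.0.113.40"   # constructed; stands in for the validator
    # Weak policy via the intermediary: the intermediary itself gets probed.
    weak_target = get_only_fetcher({"probe": "1"}, intermediary_ip, weak_probe_policy)
    # Hardened policy via the intermediary: refused, nothing is probed.
    hardened_target = get_only_fetcher({"probe": "1"}, intermediary_ip, hardened_probe_policy)
    # Hardened policy used as intended: a user probing their own address.
    direct = Request("POST", user_ip,
                     form={"token": issue_token("sess-abc")},
                     cookies={"sid": "sess-abc"})
    direct_target = hardened_probe_policy(direct)
    return weak_target, hardened_target, direct_target


if __name__ == "__main__":
    print(demo())
```

Note that the bare POST requirement alone already defeats fetchers that can only issue GETs, which is the post’s own observation; binding the token to the session additionally stops a cross-site form auto-submitted from a page the victim visits, which a plain POST parameter would not.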

Producer Seeking Secondary Ticket Market Hacker

Thursday, December 6th, 2007

Normally I don’t pass this kind of stuff along on ha.ckers (rather this generally winds up on sla.ckers) but I wanted to get this out to a wider audience as I’m not sure there are a lot of people who are involved in this who read sla.ckers. Anyway, I can vouch for this person, and if you want to talk to him about secondary ticket markets (in particular using timing to buy lots of tickets all at once, based on our conversation) let me know and I’ll forward his contact info to you.

I’m a producer for a cable network and looking to do a story on the explosive growth of the secondary ticket market (Stubhub, Ebay, etc.). I’m not interested in doing an extended debate on the pros and cons of the free market system because I think that would be horribly boring. Rather I’m interested in exploring how programmers and software developers have figured out ways to take advantage of the arbitrage opportunities that the primary market system offers. The two most recent examples are a Hannah Montana concert that the “average” fan couldn’t get tickets for and the Colorado Rockies website crashing as they tried to sell their World Series tickets to the public. I’m looking to talk with as many people as possible about exactly how this works and anyone/everyone who might be involved in buying from the primary markets and re-selling on the secondary markets. Our conversations can be off-the-record and if we both decide it makes sense to move forward we can talk about shooting an on-camera interview for the story.

Btw, I love the title - I feel like a matchmaker. Is it Valentine’s Day already?

Why PCI Is Good For Business

Monday, December 3rd, 2007

Time to take a step back and look at PCI. We all know and love it, or love to hate it for various reasons, but I’d like to go back to the roots of it all and ask one question: “What is PCI for?” The simple answer that I can most get on board with is that it’s there to promote spending by increasing consumer confidence. So the obvious goal is to reduce account take-overs and information disclosure wherever possible; not necessarily to eliminate them, but to increase buyer confidence by lowering the statistical probability that a buyer will be compromised by purchasing online.

I’ve always been an advocate of increasing the potency of PCI by making it more stringent, for which I have been told I am anti-business. Not exactly. Let’s use an example. Let’s say I’m mega-huge company-A and I follow every security restriction on the planet that I can to ensure that data isn’t leaving our site, but meanwhile mega-huge company-B is doing nothing, or the bare minimum. Since we will most likely share a great many users if we have any amount of web presence, company-A is now at the mercy of company-B. Users tend to reuse the same passwords, give the same answers to secret questions and so on, so once a user on company-B is compromised, they are also compromised on company-A. Same exploit, another day.

I remember a long time ago there was one of those giant worms going around where the solution was easy enough: egress filtering. You couldn’t stop it at ingress, but if you and everyone else blocked egress, the worm would stop spreading. But how, as an IT administrator, can I tell my management that we need to do egress filtering, which will do little to nothing for the worm as it stands at the moment, but will stop us from infecting other people? It’s a tough sell. Yet it’s a similar problem. My security directly impacts a lot of the people who read this site, whether they want it to or not, and therefore it also impacts their businesses and their personal lives, which bleed onto many other sites. If I were to have a major 0-day exploit on this site, it would be a problem not just for me, but for everyone who visits the site and would be vulnerable, and for any sites they then use.

So PCI, while not an easy sell, and an even tougher one for people who lack a sense of altruism, has the potential to solve a lot of problems with an amendment of more stringent requirements. Yes, it’s tough on companies now, and yes, they will often go to the low-cost solutions as a result, but raising that bar actually has the potential to improve consumer confidence. That’s the theory anyway. Perhaps in practice we’ll find that the end result is that we stop seeing small hacks and start seeing a lot more huge ones to make up the difference for any improvement in security, since we all know we can’t be 100% perfect in security. It’s an interesting case study anyway.