Defensive Computing

Read all 'TJX' posts in Defensive Computing
August 16, 2008 9:30 PM PDT

Some companies you can trust, and some you can't

by Michael Horowitz
  • 1 comment

All companies have computer problems, how they deal with them separates the men from the boys.

Netflix

When I was away from home recently for an extended period of time, I tried to change the shipping address on my Netflix account. What should have been trivial became a problem because the Netflix web site made assumptions about the format of the address that didn't apply in my case. Every time I entered the address, their system reformatted it. I could not, for the life of me, figure out how to enter the correct address, so I contacted someone at Netflix for help. The person I spoke with sympathized and offered a way to fudge things to get the good data past their system filters. What I remember from the experience is the good customer service, not the problem.

Over the time I have been a Netflix customer, they repeatedly showed themselves interested in providing great customer service in other ways too. Thus, I trust they are telling me the whole story. Recently, I ordered their Roku box for watching movies over the Internet. I didn't care a lot about online movies and at $100 the price just about matched how much I cared. I could have taken it or left it. But, because I trusted the company wouldn't have any hidden gotchas, I ordered it.

Now, Netflix is all over the news for a massive system failure that affected all 55 of their distribution centers. Here too, what I'll remember is not the screw-up, but the way they handled it. After all, computer systems fail, it happens to everyone. Before I knew there was a problem, Netflix sent an email message apologizing. That makes an impression. And, now that the problem has been fixed, they are offering a 15% rebate on the monthly fee to affected customers. The take-away from this, at least for me, is that they dealt with the problem honestly and fairly.*

Amazon

Amazon.com offers a file storage service called S3 (Simple Storage Service). Not long ago it suffered an outage of a few hours. I don't use S3 so my interest was marginal, but I did run across the after-the-fact accounting of the problem from Amazon. It was fairly technical and explained the internal functioning of the system in a clear way and detailed what when wrong and how the problem was unanticipated. They explained how they fixed the immediate problem and the steps they would take to prevent a recurrence in the future.

I was impressed with how Amazon came clean, even Netflix is mum on the technical details of their problem. This inspires confidence and if I ever need a web service that Amazon offers, I would not hesitate to use them.

Netflix and Amazon stand in stark contrast to the companies described a few days ago in the Wall Street Journal.

Credit Card Breaches

Recently the US government charged men in five countries with stealing credit cards from a number of retailers. The poster boy for this credit card and ID theft ring was TJX, the corporation behind the T.J.Maxx, Marshalls, HomeGoods and A.J. Wright retail chains. The breach of their computer systems has been extensively publicized, it was even featured on 60 Minutes. From what I've learned, their computer security was disgraceful. But, at least they came clean.

The crime ring in question hit other outfits besides TJX. In Some Stores Quiet Over Card Breach three Wall Street Journal reporters describe how other companies didn't tell their customers about the data theft.

Boston Market and Forever 21 "never told their customers because they never confirmed data were stolen from them".

Of course, it can be impossible to tell if data was copied. Certainly bad guys getting credit numbers over a WiFi network wouldn't leave any trace, and neither would other types of breaches. According to the New York Times, BJ's Wholesale Club, the Sports Authority, OfficeMax, DSW and Barnes & Noble had their wireless networks breached.

The Journal reports that OfficeMax, Barnes and Noble and Sports Authority "wouldn't say whether they made consumer disclosures".

The best companies at disclosure were BJ's Wholesale Club, DSW and Dave and Buster's. Each disclosed the breach to their customers shortly after they became aware of it.

There is more detail in the article and it's definitely worth reading to form your own opinion on which companies you can trust and which you can't.

*Still, Netflix needs some better computer nerds. Speaking as a techie, a three day outage is inexcusable. No doubt, more than one thing went wrong to cause such an extended problem. Human error is likely on the list as is poor up-front planning.

See a summary of all my Defensive Computing postings.

Topics:
FYI,
Phishing
Tags:
TJX,
OfficeMax,
Amazon,
Netflix,
Barnes and Noble,
Boston Market,
Sports Authority
Share:
Digg
Del.icio.us
Reddit
November 25, 2007 6:40 PM PST

'60 Minutes' on TJX computer security

by Michael Horowitz
  • 6 comments

I just finished watching Leslie Stahl do a piece called "Hi-Tech Heist" on 60 Minutes in which she describes the theft of credit card and other personal information from TJX. These are a couple quick Defensive Computing thoughts on the subject.

I can't imagine using a credit card at T.J. Maxx, Marshall's, Bob's Stores or any of the other stores owned by TJX. In the 60 Minutes piece, the focus was on the poor Wi-Fi security and keeping sensitive customer information for much too long. But, after the hackers got into the Wi-Fi network, they were able to get to the master database of customer information, meaning that there were many other security problems along the way.

And, as was mentioned in the story, the bad guys poked around the internal TJX computers for about a year and half without getting noticed. The word inexcusable doesn't begin to describe the many security problems. Unless I hear that TJX has laid off people responsible for computer security, they will never see a credit card of mine again.

The story ends on a happy note, TJX has upgraded all their Wi-Fi to use the newer, better type of encryption known as WPA. But this is far from the end of the story. It may not be well known, but WPA encryption can be good or bad.

Because it is vulnerable to a brute force attack, the crucial point is the length of the password. A short password, or a word in the dictionary, offers no better security than the much maligned WEP encryption. But a really loooooooooong password is very secure. WPA supports passwords up to 63 characters long. You can think of it as a "pass sentence" rather than a password.

The WPA password only needs to be entered once on each computer, so there is no excuse not to use a long password. If you can't think of one yourself, then Steve Gibson has a Web page that will generate long passwords.

The WPA encryption may also be turned off if a WEP-using computer joins the network. Many consumer grade routers can do either WEP or WPA but not both at the same time.

Finally, if WEP is still being used at retailers, as the story pointed out, then online purchases may very well be more secure than brick and mortar.
Update: Robert Vamosi of CNET wrote an interesting story on this in his Security Watch column - What's behind retail data breaches

Update November 25: A reader comment mentioned WPA-PSK and WPA2 Enterprise. Let me explain the terms. The simplest way of using WPA encryption involves a single password for the entire network. It is entered once when configuring the router and once at each computer accessing the wireless network. This mode of operation is called "Pre-Shared Key" or "PSK" or "Personal" and is what I was referring to.

Companies with the necessary technical skill, can use WPA in such a way that each user gets his or her own password. The software that validates passwords is a Radius server. This mode of operation has multiple names. An old Belkin router calls it simply "WPA with Radius Server", it has also been called "WPA Enterprise" and "server-based infrastructure mode".

Topics:
FYI
Tags:
wpa,
wep,
wifi,
tjx
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.

Disclosure.

Add this feed to your online news reader

Defensive Computing topics

Most Discussed

advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET