LinuxQuestions.org
Old 09-22-2014, 03:59 PM   #16
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled

Never attribute to malice that which is adequately explained by stupidity?
 
Old 09-22-2014, 05:23 PM   #17
turboscrew
Member
 
Registered: Apr 2009
Location: Nokia (town), Finland
Distribution: Mint, Debian
Posts: 601

Rep: Reputation: 46
How was it again...
time = money

efficiency = work / time

=> time = work / efficiency
=> money = work / efficiency

So money becomes huge when efficiency goes to zero.

That's why the "MBA-toting pointy-headed bosses" get paid so well.
;-)


Quote:
Originally Posted by Hangdog42
But... But.... But......

If sanity starts prevailing in IT hiring, how are the MBA-toting pointy-headed bosses going to get their bonuses? Mindless and meaningless statistics are the only way these clowns can prove their "worth"!


My experience is that the rot in IT starts at the top. IT is almost always viewed as an expense to be reduced or eliminated, not as a service that is vital to the success of an organization. Until that changes we're stuck with a system that values cheapness over all other factors. Someone cranking out total crap for a quarter the price of someone doing it right will always win because it is too easy for the pointy heads to sweep failure under the rug long enough to make that quarter's numbers. By next quarter, the failure is forgotten.

Now if you'll excuse me, it is happy hour down at Olphart's Pub and I need to go cry in a beer.
 
Old 09-22-2014, 06:05 PM   #18
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by Habitual
Never attribute to malice that which is adequately explained by stupidity?

This. From the bit I've read, the C-Suite at Home Depot was so concerned about making money that IT security wasn't even a minor consideration. Their "defense" was a copy of Symantec. Purchased in 2007.

Of course when you hire a criminal to be your CIO, it doesn't help matters.

So inside job? Maybe. But equally likely to me is stupidity and greed that is all the rage in the C-Suite these days.
 
Old 09-22-2014, 06:23 PM   #19
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Rep: Reputation: 5320
Quote:
Originally Posted by sundialsvcs
We cannot, for example, reasonably suggest that Home Depot's recent data-breach could be anything other than: an inside job. You simply can't get all the way through, and very selectively, to the self-service checkout stands of "every Home Depot store" if you are "A Chinese Hacker Someplace (Else)."
The fact that the owner of a software development company could actually believe this is terrifying.

Last edited by dugan; 09-22-2014 at 06:34 PM.
 
Old 09-22-2014, 06:40 PM   #20
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Rep: Reputation: 3941
Quote:
Originally Posted by dugan
The fact that the owner of a software development company could state something so, uh, obviously false actually says a lot about not only him and his company, but also the industry that he's in.
If that was meant to be in reference to me, then ... let's just dispense with the "ad hominem attacks" and focus on the points at hand. These things should have no place here. I'll never say anything "so obviously false" for any reason. I'm genuinely "scared witless" about what I see around me, and I wasn't born yesterday.

I suspect that the "an outdated copy of Symantec" story was probably unfounded ... tantalizing idea, but no one is really that stupid, even if they use Microsoft Windows all day. But, I do think that we're too quick to give public face to the myth of "all-powerful Hackers™ in lands far, far away from here." If someone managed to install malware specifically on the self-service POS systems on a company's internal networks, it is to me profoundly unlikely that the attack came from outside and lacked near-perfect knowledge of what was inside.

My second point is only intended to be tangentially relevant to the first. Obviously, we don't yet know who ... nor how many "whos" ... did this. But our hiring and staffing practices, I think, do create a status quo which, whether or not directly responsible for large-scale intrusions like this one, certainly could facilitate it. We've created a situation that's full of resentment, and that is also full of people from far-away lands who are frankly being exploited and who must know it. To these people we hand "the Keys," and applaud ourselves for just how much "money" we're saving off the bottom line. We've "analyzed" and "engineered" and "financially projected" this thing so much that we've completely forgotten that there are people involved ... and we've forgotten what they really do. We pay no attention to what they could do. We expect them to be loyal ... we need them to be ... but what have we done to them, lately?

Computers ... and international computer networks ... live among people.
 
Old 09-22-2014, 06:43 PM   #21
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Rep: Reputation: 5320
Quote:
Originally Posted by sundialsvcs
If someone managed to install malware specifically on the self-service POS systems on a company's internal networks, it is to me profoundly unlikely that the attack came from outside
You are presumably responsible for the security of the systems that your company builds. Therefore, it is irresponsible for you to believe something about security that is so demonstrably false.

Can you think of any methods for doing this type of attack from the outside? Including, oh, one that I already mentioned? Are these methods common, and do they have a history of being effective? (hint: yes). If your next reply does not take this into account, then I will start pointing out that you're ignoring evidence, and you can (wrongly) complain about "ad hominems" all you want.

Quote:
let's just dispense with the "ad hominem attacks"
No ad hominem attacks were made. An ad hominem attack would be saying that something about you or your company reflects on the quality of your arguments. The converse, pointing out that the quality of your arguments reflects on you and your company, is not an ad hominem. Neither is pointing out that you are in a position to come up with better, more informed arguments.

Now, I expect your next reply to be more than a simple restating of what you've already said.

Last edited by dugan; 09-22-2014 at 07:52 PM.
 
Old 09-23-2014, 09:18 AM   #22
vmccord
Member
 
Registered: Jun 2012
Location: Topeka, KS
Distribution: Mostly AWS
Posts: 71
Blog Entries: 31

Rep: Reputation: Disabled
The Kroll Annual Survey findings state that at least half of all data theft is a result of insider involvement. Other studies have indicated that percentage may be higher. This does not include "insider stupidity" meaning people who introduce malware unknowingly and inadvertently (but who really should know better).

http://www.kroll.com/library/krl_fraudreport2012-13.pdf
 
Old 09-23-2014, 07:23 PM   #23
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Rep: Reputation: 3941
Thank you for the clarification, Dugan. I expected this to be the case, but thank you. Apologies if I offended you.

Now, meanwhile. What we know about the HD case is that malware (supposedly) was specifically installed on the self-service POS machines ... which, I presume, are not on a wireless network. They would not be on any public network at all.

The essence of the attack, as it has been popularly described, is that rogue software was installed onto (only ...) these machines ... so that it not only intercepted the credit-card swipe, but also had the means to send the collected data somewhere, all without being detected.

Now, what I am saying here is that "my BS Detector just went off" with regards to that version of events. Whether or not it is "theoretically possible" is not my point. My point is that it is, in my view, extremely improbable ... whereas another possibility seems, to me, obvious: "this was an Inside Job."

And my larger point, more related to the OP, is that: we, as an industry, are creating conditions in the workplace that not only provide for a strong incentive to commit crime, but which also make these crimes hard to detect. Sure, our new practices provide "cheaper labor," but at what cost?
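Added example, not part of any post in this thread and not a description of the Home Depot case itself: the post above describes POS malware that "intercepted the credit-card swipe" and shipped the data out. Memory-scraping POS malware does not hook the reader; it scans process memory for the ISO/IEC 7813 track layouts the reader hands to the payment application, which is exactly what an incident responder scans a memory image for afterwards. The scanner below does that match, filters digit runs with the Luhn check so random numbers are not reported as cards, and masks what it finds. The memory dump, card numbers and names are constructed test data (industry test PANs), not real captures.

```python
"""Scan a memory image for magnetic-stripe track data (ISO/IEC 7813).

Offensively this is the core loop of a POS RAM scraper; defensively it is
how an analyst confirms that card data sat in a process's memory in the
clear. SAMPLE_DUMP is constructed for this example.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# PANs are 13-19 digits on both tracks.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

# Constructed memory image: heap noise, one track-1 record, one track-2
# record, and a decoy that has the right shape but fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00heap junk 0x41\x00"
    b"%B5500000000000004^DOE/JANE^26012010000000000000?"
    b"\x00\x00\x00log: txn 4471 approved\x00"
    b";4111111111111111=25121010000000000?"
    b"\x00 decoy ;1234567890123456=2512101? \x00"
    b"\x00more heap\x00"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that issued PANs satisfy; drops random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN (first six) and last four, the form PCI DSS allows on screen."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Return one record per Luhn-valid track hit, ordered by offset.

    Only the masked PAN, expiry and service code are kept, so the output
    can go into a report without itself becoming cardholder data.
    """
    hits = []
    for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            # Track 1 carries a name field, so expiry/service code shift by one group.
            expiry = m.group(3) if name == "track1" else m.group(2)
            svc = m.group(4) if name == "track1" else m.group(3)
            hits.append({
                "track": name,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": expiry.decode("ascii"),
                "service_code": svc.decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(f"{hit['offset']:#08x} {hit['track']}: {hit['pan']} "
              f"exp {hit['expiry']} svc {hit['service_code']}")
```

To use it on a real image, read the dump (or a single process's memory) into `blob` in place of SAMPLE_DUMP. Two caveats a practitioner would want: the regex consumes the first match at a position and does not retry shorter PAN lengths inside a failed match, and a scraper or analyst working on live memory would page through the address space rather than load a whole image, but the matching and Luhn filtering are the same.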
 
Old 09-24-2014, 03:22 AM   #24
xyzone
Member
 
Registered: Jun 2010
Posts: 35

Rep: Reputation: Disabled
I've been around long enough to realize that most execs are talking out of their backsides most of the time. They went to skool to talk pretty and to learn how to be a weasel.

What makes you think any of it is about efficiency and competence?

hahahah, to change that with a forum post.
 
Old 09-24-2014, 08:46 AM   #25
AnanthaP
Member
 
Registered: Jul 2004
Location: Chennai, India
Posts: 952

Rep: Reputation: 217
Quote:
Sure, our new practices provide "cheaper labor," but at what cost?
And how exactly is this (inside job) related to "cheaper labor"? I mean, earlier you said that people from Bangladesh and other countries returned with USB sticks full of information that they presumably sold to criminals. I would imagine once an insider has got the hot credit card numbers, he would already have a customer lined up and would get rid of the numbers ASAP.

OK
 
Old 09-24-2014, 09:19 AM   #26
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Rep: Reputation: 5320
Quote:
Whether or not it is "theoretically possible" is not my point. My point is that it is, in my view, extremely improbable"
What you are saying, at this point, is this:

Quote:
If you want a secure system, then do not hire my company to build it. The head of my company (who goes by the name SundialSVCS) is uninformed about security, uninformed about common attack vectors, is in denial about just how common and dangerous they are, and this denial extends to dismissing them as "in my view, extremely improbable" even when they're repeatedly pointed out.
I hope your future clients find this thread and then choose a competitor. It would be better for the Internet as a whole if they do.

Last edited by dugan; 09-24-2014 at 09:49 AM.
 
Old 09-24-2014, 12:53 PM   #27
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Rep: Reputation: 5320
https://twitter.com/kylerichter/stat...26947771039744

Last edited by dugan; 09-24-2014 at 12:54 PM.
 
Old 09-24-2014, 07:10 PM   #28
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Rep: Reputation: 3941
Fortunately for me, they don't do that.

Now, just to clarify, I had a very interesting engagement about four years ago. It was an invasion somewhat similar to this one. The lead programmer was insisting that it was an outside intrusion and was spinning all sorts of "defenses." Well, the business owner decided to have someone else (me ...) take a look. And my conclusion was, basically: "you need to call the police."

Quite frankly, I don't share the opinion that we ought to assume that "exotic" attack-vectors were, in fact, taken ... merely because we might be able to show that they could have been. Even if we can say that "a hacker in Hanoi could have made it all the way to Lane-3 in Wichita, and furthermore could have managed to cause Lane-3 to send its captured data to Leningrad," that still doesn't make it the most probable scenario.

Twenty years ago ... and I most certainly was there ... I would have felt differently. Back then, information technology was shaping up to be a spectacularly secure profession. You held "the Keys to the Kingdom," and by gawd(!) you Guarded that Gate! But now you find that your accumulated experience has less market value than that of the "imported-for-six-months stable-boy" who drove you and everyone around you into Early Retirement At Age 51. So, say, someone tells you that they'll give you the PayPal user-ID of an account with <<LOTS-OF-$>> in it ... just if you "make a few things happen?" Yeah, you'll listen.

Computer technology is "still, absolute." It's still "ones vs. zeros." But, humanity is not. Therefore, as "dramatic security breaches" seem to be popping out of the woodwork left-and-right, I am not prepared to embrace the thought that it is "purely a technical problem." And I happen to think that this "Missouri point-of-view" is valid.

Last edited by sundialsvcs; 09-24-2014 at 09:08 PM.
 
Old 09-25-2014, 01:46 AM   #29
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
We have, in about ten short years, utterly demolished the perceived stability and job-security
I wish people wouldn't always talk about things happening in the US of A as if it was a global thing (my interpretation of "We" in recent posts).
It is not.
I am not saying it is much better elsewhere (like, western Europe) but it is a different situation and the world has not yet forsaken all social security.
America is not the future (anymore).

please be aware that:
a) the thread title says nothing about IT employment in the USA
b) linuxquestions is a worldwide forum.

Last edited by ondoho; 09-25-2014 at 01:47 AM.
 
Old 09-25-2014, 11:27 AM   #30
SillerSoliloquy
LQ Newbie
 
Registered: Sep 2014
Posts: 9

Rep: Reputation: Disabled
Quote:
Originally Posted by Hangdog42
My experience is that the rot in IT starts at the top. IT is almost always viewed as an expense to be reduced or eliminated, not as a service that is vital to the success of an organization. Until that changes we're stuck with a system that values cheapness over all other factors. Someone cranking out total crap ...
I agree, I would like it if companies stopped retrenching their IT department because the machines are working at the moment. Additionally, I have been in coding jobs where I wanted to do a good job but our work was measured by lines of code, so we ended up cranking out the most bloated horrible junk that I hope never to see again.

P.S. ZA and UK experiences. (Looking at post before mine)
 
  

