The traffic police in California have provided a convenient guide to excuses they will and will not accept. The San Jose Mercury News is the first to publish the details.

The two men in their 20s said they had studied U.S. traffic laws before heading to the United States and were told that speed limit signs here are black and white — like the signs that read “101” along the freeway.

Wasn’t that, they asked, the speed limit?

“I let them go,” Barnett said, “and told them to make sure the sign also said ‘Speed Limit.'”

Yes, those French tourists probably laughed themselves all the way home.

I saw a similar situation the other day when an officer pulled over a car and yelled at the driver “Did you not see me? You just ran a red light!” A minute later his voice was calm and he said “Oh, tourists? Where in France are you from?” Soon after he was wishing them a nice vacation.

The news article warns that social engineering your way out of a ticket will fail if it includes any of these topics.

# The light was yellow.
# I’m a doctor and I’m late for surgery.
# I’m late for an important business meeting.
# I just used my cell phone for a second.
# I have to go to the bathroom.
# Everyone else was speeding.
# Isn’t there a 10-mile cushion on the freeway?
# I had to go into the carpool lane because I was cut off by another driver.
# I’m late to pick up the kids.
# My mom is dying.

The last one I am a bit surprised to see, especially after the Dallas incident outside the emergency room. The others are easy to understand. For example, an officer is not going to empathize with a bathroom story. They are going to logically analyze it. How many bathrooms around here? How many in the past ten miles? How many bushes near the roadside? They won’t relate to a doctor, mother or business man being late (e.g. leave earlier next time and you won’t get a ticket). Use of the cell phone for a second, or failure to see a light change, does not give perspective or justification. Alternatively, consider stories that take it to the next level. These examples escape logical analysis because they appear to be exceptions and deserving of empathy:

“I stopped one guy for speeding on Hillsdale Avenue who said that he was guilty and that he was speeding because he was mad,” Raye said. “He had just left from his house, where he had just caught his wife in bed with another guy. I didn’t give him a ticket.”

Marital excuses sometimes work. Barnett stopped a speeder on Highway 17 who said he was getting married the next day but was having second thoughts.

“He said he was trying to get out of town before anyone noticed,” Barnett said. “I let him go.”

Empathy of the police officer, where that empathy is with little risk and likely to diffuse or even help the situation, is clearly the social engineer’s ticket (pun intended) to not get a ticket.

The PSC, who call themselves the “Payment and Security Experts”, audited Network Solutions for PCI compliance. Unfortunately, Network Solutions just warned merchants that they were hacked and exposed for several months.

In a letter sent to merchants who use its Ecommerce Hosting services, the company said that someone illegally installed software on company servers used handle credit card transactions initiated by 573,928 people between March 12 and June 8, 2009.

The code “may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant Websites outside the company,” Network Solutions said in the letter, signed by company chairman and CEO Roy Dunbar and sent to merchants on Friday.

This will again raise the issue of compliance versus security. The parties involved, including the card brands, may start to dance around fault or explain why this is not a failure of the Data Security Standard (DSS). I say breaches like this one are not a sign of failure of the DSS, and we should really be focused on learning from the specifics of the attack rather than nitpicking a standard.

It would be interesting to apply this in a risk management context. Seed Magazine explains how Ants and Neurons are related:

Choosing a new home, or house hunting, is the most complicated decision an ant colony makes. When an ant nest is overcrowded or damaged, scout ants begin searching for a new building site by making independent evaluations of different spots and reporting back to the colony. A decision is made when a “quorum” is reached, when a certain number of ants agree on a location.

This same process occurs among neurons in a monkey’s visual cortex when the animal performs a visual discrimination task. In the task, a monkey is flashed an image of dots moving in different directions and must decide which way the majority of them are going. When the image appears, neurons in the monkey’s visual cortex gather bits of information from the monkey’s eyes, much like ants evaluating a nest site. As more data is gathered, the neurons with the correct answer gradually increase their firing rate. When their activity reaches a certain threshold level, the monkey makes a decision.

This is an excellent metaphor for managing security operations through the use of numerous simple data points/feeds rather than trying to build just a few very intelligent sensors. It’s the opposite of the traditional ingress/egress control suite of products and more like total awareness engineering. Correlation of all the host antimalware data with internal network behavior analysis for example would be a rich source of decision-making material.