Excellent analysis of the Somali bomber plot in Portland, Oregon. From The Agonist:

These are well-known among local fellow [Somali] nationals.

1.) The suspect’s father two years ago notified federal authorities that his son was in sympathy with Islamicist terrorists, and even turned over to them his passport, so that he was unable to leave the country.

2.) The young man entered the United States at 3 years of age and had been at odds with his parents for quite some time, since they appreciated the opportunities here much more than he did.

3.) So assimilated are his parents that his mother was present among the crowd celebrating the beginning of the Christmas shopping season while he was engaged in attempting to kill everyone in it.

I have every reason to believe these assertions to be valid. One man after another started to tell them to me, right after joining the conversation at the table, without having spoken to the others about it. Taking them as credible, then, means that the effort to characterize this case as one of entrapment is both weak and superficial.

The real reason for the safe outcome of this incident of a disaffected Islamic man has little to do with the vigilance of our national police. We are no safer today as a result of the efforts of the National Security State. Rather, the potential for violence was averted, fundamentally, due to the unusual openness of American society, which made the parents of the young terrorist wannabee feel welcome enough in the U.S. to sacrifice their own child to the protection of the community of which they felt themselves to be a part.

The US Department of Justice made an announcement on November 18th that gives only a shadow of the story of Lin Mun Poo. It says he is a Malaysian citizen who made a stop in New York on his way home from Europe. He was detained by the Secret Service not long after arrival.

A more complete version of events and allegations is found in his detention letter.

…the defendant appears to have traveled to the United States for the sole purpose of engaging in criminal activity; within hours of his arrival at JFK on October 21, 2010, United States Secret Service agents observed the defendant selling stolen credit card numbers for $1,000 at a diner in Brooklyn and arrested him shortly thereafter. In his post-arrest statement, the defendant admitted that the primary purpose of his journey to the United States was to meet with an individual who the defendant believed was capable of regularly providing the defendant with a large volume of stolen card numbers and personal identification numbers, which the defendant said he planned to use to withdraw cash from automated teller machines.

I see a problem in this story: Poo is made out in most reports to be a “career” criminal hacker. He is alleged to be very proficient stealing card numbers and identification from financial institutions. Why was he in a New York diner trying to find someone to give him stolen card numbers if he already had a way to get them remotely?

It seems foolishly risky for him to fly into the US. It would make some sense, in terms of risk, if he had to meet a buyer. That is how the allegation starts out — he has 400,000 card numbers and someone (the Secret Service must have set him up in a sting operation) offered him $1,000 for some amount of them.

Why would someone like Poo fail to use a mule for this operation on American soil? It is obviously high-risk — career-ending for a criminal. Why would he also fail to use a mule to make ATM withdrawals?

Maybe he could not figure out a mule system? That seems unlikely, given that he was said to have hacked into a bank anonymously. Even if I assume he could not figure out mule systems to sell his bounty of stolen card numbers, I have no good explanation for why he would need to arrive in the US to acquire more stolen card numbers.

The full story thus sounds like one of three things: a mule was arrested and has been made out to be a mastermind to block his escape, this criminal mastermind is actually not much brighter than a mule, or the Secret Service has been doing some top-notch social engineering to get a criminal mastermind to walk straight into their arms.

The PCI Security Standards Council gave notice today of a 90-day extension for the PABP (Payment Application Best Practices) expiration date.

After discussion with Payment Application vendors, the PA-QSA community and other stakeholders, the Council is extending this deadline by 90 days to March 2nd 2011. Accordingly, after March 2nd 2011, PCI SSC listed PABP v1.4 applications may only be used in pre-existing deployments.

This updated deadline recognizes the challenges many merchants and Payment Application end users have in implementing system changes over the busy holiday period, and allows the Payment Application vendor community to consider submitting new versions of their products for assessment against the new PA-DSS 2.0 standard that was discussed at our recent Community Meetings.

Neither the PA-DSS 2.0 standard nor the holiday period are any kind of surprise, so the Council may have had other reasons at this late date for extending the deadline.