Decrypting PIN numbers

The TJX case just keeps giving and giving. A recent indictment of a man named Gonzalez, which has the rather revealing filename of N:\SHeymann\Case Files\TJX\Indictment and Informations\Final Versions\Gonzalez Indictment Final.wpd, shows that PIN numbers were being decrypted in large batches:

e. Downloaded from the corporate networks processing and/or storing payment card transactions the track 2 data for tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards;

f. Obtained technical assistance from criminal associates in decrypting encrypted PIN numbers

This is major news. How did they decrypt PINs?

I have seen few reports on the implications of this for bank security, but frankly it changes everything. If an attacker can steal your PIN number even when it is encrypted and stored within a bank, then your financial data is under an even bigger threat than ever before.

Corporations are not people, stupid

Another overly detailed post on Schneier’s Blog

“Corporations are people, too!”

That’s the problem. They really should not be treated as such. They should be allowed privileges, but no rights. Rights should be reserved for people.

The modern American treatment of corporations came out of post-Civil War lawless and corrupt practices. From 1866 onward, following the stupid mistake of a judge who allowed a court reporter to insert his opinion into the official record, it has been tough to pin down and put the robber barons back in the bottle.

http://www.straightdope.com/columns/030919.html

Oil, Finance, and Transportation industries among others in America have all been totally f*$ckd by giant corporations fighting to gather all the rights of a singular person, while avoiding any kind of accountability that a real person would face.

President Grover Cleveland explained the problem in his 4th Annual Message to Congress on December 3, 1888:

“Corporations, which should be carefully restrained creatures of the law and the servants of the people, are fast becoming the people’s masters.”

Kind of like Asimov's laws of robotics, they need to live within the rules as dictated by humans, not the other way around.

http://en.wikipedia.org/wiki/Three_Laws_of_Robotics

Should free speech, for example, be a right of corporations, artificial entities created by states, or only be extended to individual, real people? In other words, is commercial speech to be treated as free speech, or should it be regulated more strictly to guard against harm?

Here is a case on the matter:

http://www.law.ucla.edu/volokh/nike.htm

If America rules that commercial speech is free speech, then does it seem plausible that even phishing and spam corporations would have their tactics protected by the courts as a form of expression?

Here is an excellent essay about America's founding fathers and their warnings on this very issue:

http://www.thevoicenews.com/News/2003/0111/Front_page/002.html

“…with an audacity and willingness to take on overwhelming multinational corporate power similar to that displayed by the Founders, the elders of Porter Township said that: ‘Corporations shall not be considered to be ‘persons’ protected by the Constitution of the United States or the Constitution of the Commonwealth of Pennsylvania within the Second Class Township of Porter, Clarion County, Pennsylvania.'”

Or something like that…

Olympic Sailing

NBC has a nice page dedicated to the sailing events at the 2008 Olympics. I almost never see any coverage, or even a mention, of the sailing events:

Up to 3,000 categories of sailboats reportedly exist around the world, each class with its own set of rules and specifications. At the Olympics, 11 events are contested in nine different types of boats. Boats compete in fleet races, with each regatta lasting a series of days.

Good luck to my fellow A-Class catamaran sailors Charlie and Johnny! You can donate to their campaign if you want to give support to today’s top American sailors.

The Tornado is my favorite Olympic boat by far. It remains on the forefront of wind-power technology, even though it was introduced in the late 1960s.

Appropriately named, the Tornado responds immediately to wind and waves, and is all about speed. The only multi-hull in the Games, its light weight and large sail area make it the fastest Olympic boat, reaching 30 knots. The Tornado is highly susceptible to capsizing and the crew must have quick reflexes in order to keep the boat afloat.

The Tornado is the only open class boat at the Games, meaning both men and women compete in the event. It was designed in Great Britain in 1966 specifically for Olympic competition, and first appeared at the Games ten years later. Its design has been revised over the years to optimize speed and technology.

After a vote among national governing bodies, the International Sailing Federation decided in late 2007 that the Tornado would make its last appearance at the 2008 regatta, and would not be on the roster for the 2012 Games in London.

Oh, well. Who knows what the stodgy old white men in blue blazers of the ISAF were thinking when they decided to cancel the Tornado program. They probably did not want men and women sailing together on a team. Or maybe they just thought sailboats should not be exciting machines in and of themselves. The London races will be sailed in oak barrels and bathtubs.

The US Tornado team is using a radical new sail design specifically meant to enhance efficiency in the conditions in China. Should be fun to watch.

FasTrak hacked

There was a lot of doom and gloom at BlackHat this year, but my favorite presentation was the one just picked up by the ACLU of Northern California:

Researcher Nate Lawson has discovered that FasTrak transponders are vulnerable to sniffing, cloning, and surreptitious tracking of a driver’s comings and goings.

That is because the systems have no encryption or other technological protection measures to ensure that the information is not read by unauthorized readers or copied and cloned for misuse. Without protections, it is not just those toll booth and freeway sign readers that can track who you are and where you are going, but also that homegrown sniffer that Lawson plans to put up to collect information.

Lawson is amazed that “there has not already been widespread fraud, cloning, and selling of ‘free transponders’ that” were hacked and reprogrammed, he says. “There’s nothing there technically to prevent it.”

What he meant to say, I think, is that the system was not designed to prevent it today. However, an important point of his research is that the transponders also allow an attacker to WRITE data to them. This actually would allow the system to prevent abuse, should new/fixed code be installed with authentication capabilities.

Thus, something COULD be done to prevent and fix a number of flaws. The question is whether it will be done. In the meantime, you can not only sniff IDs and track people through the FasTrak system, but you can also mix and install IDs as you please.

Hacking this system is actually not news, as Lawson himself suggests by the fact that he is buying transponders on the grey/black market. The officials surely watch this as well; they usually monitor some degree of abuse. Lawson is just the guy who wants credit for writing up his "research" and wants to be in the press for announcing the flaws, as opposed to building himself and his friends/family a free ride or making some pocket change by selling transponders.

In a similar case, Barbadians have harshly criticized the researcher who recently claimed to have “discovered” a snake on their island:

“If he needs to blow his own trumpet … well, fine,” said 43-year-old Barbadian Charles Atkins. “But my mother, who was a simple housewife, she showed me the snake when I was a child.”

One writer to the Barbados Free Press blog took an even tougher tone, questioning how someone could “discover” a snake long known to locals, who called it the thread snake.

At least Lawson did not try to rename FasTrak.