PCI DSS 2.0 Released

The big news today is that version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) has been released in final format. It replaces version 1.2.1.

Version 2.0 does not introduce any new major requirements. The majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants.

Although this is great news, it still raises the question of why it is designated a major release (2.0 instead of 1.3).

The major changes, as opposed to new major requirements, include the following:

  • More formal Cardholder Data Environment (CDE) scope exercise before an assessment
  • Centralized logging of application data as well as all systems
  • Incorporation of the risk-based approach for vulnerability management

This is said to be the start of a three-year lifecycle, but validation against version 1.2.1 is allowed through the end of 2011. The overlap allows either version 2.0 or 1.2.1 for the entire next year; organizations are only encouraged to use 2.0 in 2011.

Perhaps most important of all is this new item that addresses virtualization:

2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.

Running multiple primary functions on a virtual system is not allowed: the rule is one primary function per system component or device, even when that component is virtual.

This should be interpreted as enabling multiple virtual systems to run on shared physical hardware as long as each virtual system has just one primary function:

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component

A hypervisor is a virtual system component. Its primary function is to support multiple hosts. Each host is itself a virtual system component, and each must have only one primary function.

Police Take Over Bredolab Malware

The High Tech Crime Team in Holland has taken over the 143 command and control servers that manage a 30 million node botnet based on the Bredolab malware.

…Bredolab was capable of infecting 3 million computers a month. At the end of 2009 it was estimated that 3.6 billion emails, each containing the files needed to infect the system and join it to the Bredolab botnet, were sent daily.

Shortly after the takedown announcement, a 27-year-old Armenian was arrested in connection with the botnet. He was detained at the Yerevan Airport in Armenia [on his way home from Moscow]. It’s reported that he had tried to regain control of the botnet, and when the attempts failed, he used 220,000 systems to launch an attack against LeaseWeb. The DDoS failed when the servers [in Paris] were pulled from the Web.

Bredolab also spread by looking for Web server passwords and then installing an infection kit on Web pages.

The above quote is from the Tech Herald, which also makes note of the fact that the majority of command and control servers for botnets are actually hosted in the US. Botnet administrators might live in another country from their servers, or they might not. The Tech Herald calls it an ISP “shame” inside American borders.

The Dutch Police action might already seem like a big step for fighting botnets. Yet that is not the end of the story. It just gets more controversial from here. They also used their newfound control of the botnet to update infected systems and redirect their browsers to a warning page on the Police website. Would you believe this page is real?

Ironic that the bottom of the page just has a link called “More information”. Would you click on the link? There is scant information to prove this page is authentic. It should be hard to trust this if you have never before read pages from the Dutch Police and their HTCT.

Although some who are infected may appreciate hearing from the police that their computer has malware (cue image of woman tied to railroad tracks) the police action seems aggressive and definitely breaks new ground. I wonder whether victims will see this as a public service saving them from even greater disaster or as a breach of trust and unnecessary risk.

Do the police justify moving from takedown to control and command of a botnet as necessary — quick action in the face of imminent harm? Maybe it will prove to be the most effective way to educate users and prevent reinfection.

It is difficult to argue that victims could ever be worse off under the control of the Dutch police than under the former botnet administrator. The man accused and arrested clearly had malicious intent. Then again, police abuse and corruption are not entirely fiction.

I am tempted to compare the situation with a non-technology rescue operation. Victims first end up in the care of a rescue team before being released. The problem with technology, however, is that abuse of the situation by those in control is far less visible than in the physical world. It therefore makes sense to address the tough questions ahead of time. The Dutch victims should be able to review the police rules of engagement, such as their procedure and policy. In other words, now that they are in something akin to “safe custody”, victims should know what other actions the police may take and what protection from abuse they have.

Microsoft Takes a Beating

An article called “Microsoft’s consumer brand is dying” by CNN points out that the software giant’s execution is no longer winning the market. They cite a blog from Ray Ozzie who says fit and function has been surpassed. This sounds right to me. Consumers often say they like the feel of Apple and Google better.

Then the article has this odd quote from an analyst:

“In this age, the race really is to the swift. You cannot afford to be an hour late or a dollar short,” says Laura DiDio, principal analyst at ITIC. “Now the biggest question is: Can they make it in the 21st century and compete with Google and Apple?”

I disagree. Apple and Google were not swift. Neither was first to market. The race is to the simple (smooth and sexy), not the swift. Ozzie is right, DiDio wrong.

More importantly, no one seems to be saying the race is to the secure. Microsoft used to get beaten up in the news for being insecure. Although they have done much to improve this, which helped them stem losses in the enterprise market, it appears not to be a primary factor in the fashion-fickle American consumer market where simplicity reigns.

EDITED TO ADD: Tonight I spoke with students at Cal Berkeley and they asked me to explain this further.

First, let me give another great example of a latecomer strategy that is successful:

…interviews conducted by SF Weekly with several former Zynga workers indicate that the practice of stealing other companies’ game ideas — and then using Zynga’s market clout to crowd out the games’ originators — was business as usual.

Rather than comment on whether Zynga is right or wrong, my point is just that they are not in a race to the swift. Zynga apparently is making a lot of money and being successful with a strategy of being later but executing better.

Second, since they were students of political science, I emphasized that people underestimate the value of complexity. Consumers often say they like simplicity but they probably do not realize that this is inversely related to freedom.

The less you can adapt and alter an environment, the less freedom you are granted. Looking at the spectrum of freedom in another context, democracy is complicated while a dictatorship is simple. It was at this point that the eyes of my audience suddenly lit up, wide with excitement. I was gratified to hear:

Oh! I see now. I never thought of it that way.

Reducing complexity in one area can open up freedom to tinker in another area. Demand for simple interfaces is not hard to understand. But if the market for simplicity gets crowded then differentiation may next come from privacy or security, which Microsoft has actually made progress with lately. I still do not see speed to market as the race Microsoft has to win.

Rhinos Protected by GPS

Park staff in South Africa have installed GPS devices in rhino horns to help protect them from poachers. Rusty Hustler, head of security for North West Parks Board, explains:

“There are a number of alarms that can be programmed: one for excessive movement, so if the rhino starts running, and another that goes off if the rhino sleeps for longer than six hours, which is abnormal.”

An alarm also sounds if the chip goes outside of the area of the game reserve.

Poachers could jam the signal to obscure their location, but this too would set off an alarm.
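The four alarm conditions described above (running, sleeping too long, leaving the reserve, and loss of signal) as a small rule engine over constructed tracker telemetry. This is an added example, not code from the post or from the North West Parks Board; the speed, stillness, missed-report and reserve-boundary thresholds are assumptions, and only the six-hour sleep limit comes from the quote.

```python
from typing import List, Optional, Tuple

# A scheduled report: (seconds, x_m, y_m); x and y are None when nothing was received.
Report = Tuple[int, Optional[float], Optional[float]]

MAX_SLEEP_SECONDS = 6 * 3600   # from the post: motionless for more than six hours is abnormal
RUN_SPEED_MPS = 8.0            # assumed threshold for "excessive movement" (the rhino is running)
STILL_RADIUS_M = 5.0           # assumed: displacement below this counts as not moving
MISSED_FOR_SIGNAL_LOSS = 3     # assumed: consecutive missed reports treated as jamming
RESERVE = (0.0, 0.0, 20_000.0, 20_000.0)  # assumed reserve bounds: xmin, ymin, xmax, ymax

def _dist(a, b) -> float:
    return ((a[1] - b[1]) ** 2 + (a[2] - b[2]) ** 2) ** 0.5

def evaluate(reports: List[Report]) -> List[Tuple[int, str]]:
    """Return (timestamp, alarm) pairs in the order the alarm conditions are met."""
    alarms: List[Tuple[int, str]] = []
    last = None          # last report that actually carried a fix
    still_since = None   # report at which the current motionless period began
    missed, sleep_raised = 0, False
    for rep in reports:
        ts, x, y = rep
        if x is None or y is None:
            missed += 1
            if missed == MISSED_FOR_SIGNAL_LOSS:
                alarms.append((ts, "signal_lost"))  # jamming shows up as silence
            continue
        missed = 0
        if not (RESERVE[0] <= x <= RESERVE[2] and RESERVE[1] <= y <= RESERVE[3]):
            alarms.append((ts, "outside_reserve"))
        if last and ts > last[0] and _dist(rep, last) / (ts - last[0]) > RUN_SPEED_MPS:
            alarms.append((ts, "excessive_movement"))
        if still_since is None or _dist(rep, still_since) > STILL_RADIUS_M:
            still_since, sleep_raised = rep, False   # the animal moved: restart the clock
        elif ts - still_since[0] > MAX_SLEEP_SECONDS and not sleep_raised:
            alarms.append((ts, "asleep_too_long"))
            sleep_raised = True
        last = rep
    return alarms

# Constructed telemetry, one report every ten minutes: a sprint, three silent
# reports (what jamming looks like from the receiver's side), then a fix outside the reserve.
SAMPLE_TELEMETRY: List[Report] = [
    (0, 1000.0, 1000.0), (600, 1010.0, 1000.0), (1200, 6010.0, 1000.0),
    (1800, None, None), (2400, None, None), (3000, None, None),
    (3600, 25000.0, 1000.0),
]
# Constructed telemetry, one report an hour, with the animal barely moving for seven hours.
SLEEP_TELEMETRY: List[Report] = [(h * 3600, 5000.0 + (h % 2), 5000.0) for h in range(8)]
```

Calling `evaluate(SAMPLE_TELEMETRY)` yields the movement, signal-loss and boundary alarms in turn, and `evaluate(SLEEP_TELEMETRY)` raises the sleep alarm only once the motionless period passes six hours.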