Bill Roth, Ulitzer Editor-at-Large

Lush Hack: Really!?!

A friend sent over a link to the Lush Hack this morning. I immediately had two reactions. First, I love the title and the mental image it conjures up. Second, my reaction was straight out of Saturday Night Live's Weekend Update: Really!?!

This breach should be embarrassing to Lush and to any online retailer if it turns out to be a PCI DSS failure (which several industry commentators have implied). PCI DSS has been around for years and isn't terribly difficult to follow; in fact, some analysts recommend using it as the base for a company's security model (see Forrester's PCI Unleashed paper, http://www.loglogic.com/pci-unleashed). It makes Lush appear incredibly sloppy with its internal systems.

I really should not be surprised. In general, I have a very dark view of human nature. I inherited this from being born in the 20th century, which gave the world several spates of genocide and two world wars. Given the opportunity, the human species will always find some way to mess up.

PCI DSS, however, is not a tough standard, and Lush shouldn't have failed itself and its customers. PCI DSS says things like "don't use vendor-supplied default passwords" (Requirement 2). Duh. "Log everything" (Requirement 10, track and monitor all access to network resources and cardholder data). Double duh (we have a full PCI 2.0 Info Center at http://www.loglogic.com/solutions/compliance/pci/center).

So, I have arrived at two conclusions: First, my dark view of human nature has been reaffirmed. Second, we still need PCI, and there still needs to be auditing and fines.

The one bright spot in all of this is that it appears people will need Compliance Manager 2.0 more than ever! :)

More Stories By Bill Roth

Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.