FYI - More wonderful publicity for Microsoft.
Lame.
Blaming your firewall and/or policy failures on *any* OS infrastructure is just plain lame.
It's probably more like blaming Ford for someone driving an Expedition into someone's house, or blaming Colt for some gangsta getting capped.
What the h*ll are politicians supposed to do about flawed software? Are they personally now supposed to fix the security holes in Microsoft software?
(Why does everything that's broken need a new law in order for it to be fixed??)
The credit card companies are very explicit about what data you can hold onto, and what data you cannot retain. I do not keep a record of my customers' CC info (I do recurring billing) on ANY machine that is EVER connected to the Internet. Period.
This ought to be flat-out illegal. Victims, or potential victims, of fraud should be notified.
Just the latest in a string of security f**kups. Bank of America, Wachovia, LexisNexis, and more.
The problem isn't Microsoft, though their Swiss cheese software contributes. No one takes security very seriously, except of course when they're the victim of a lapse, in which case they always get enraged and blame everyone except themselves.
Meanwhile, it pays to be paranoid. Very paranoid.
Microsoft software is a tool. In the proper hands (someone very Microsoft savvy), IT CAN BE SECURED.
Due to the nature of the information available at CardSystems, the OS is irrelevant. The data being sought was highly treasured by the criminals, and they would have tried to find a way in no matter what OS was being run.
Before anyone bashes MS or anyone else: CardSystems violated Visa/MC rules under their cardholder security programs. They kept data on cardholders that they weren't allowed to keep or even see!
doh!
In the time of the "Wild West", a horse thief would be hanged. The rationale being that if you stole a man's horse, you took away his ability to feed himself.
In this day and age, your credit is the way you feed, clothe, house, and get medical care (just the short list). So why aren't the bastards doing this hanged? This is what the politicians need to address.
And for every instance of credit theft, the company that didn't take security seriously should have to pay $10,000 to each of the victims. Forty million customers x $10,000 = a whole lot of incentive to tighten up security.
I don't know if anything MS was involved, but I for one don't want IIS 5 anywhere near my personal data. I might accept IIS 6 in a heavily locked-down configuration though.
Then why did they have the business? In other words, they outsourced the work and had absolutely zero control over how the transactions were being processed and how the data for same were stored. This mishap is just the tip, tip, tip of the iceberg, just the tip.