Archive for April, 2011

Sony may be clueless in PSN hack

Posted in 2011 on April 28th, 2011 by Robert X. Cringely – 59 Comments

Sony’s huge PlayStation Network (PSN) has been down for a week now following the theft of ID and credit card data on some or all of the gaming and video entertainment network’s 77 million customer accounts. Readers have been asking for comment but I stay out of these things unless I have something new to contribute. That something finally comes a week into the crisis as gamers begin to wonder why the network is still not back in operation and speculate on what this all means to Sony. It’s a huge loss of face, of course, but beyond that the damage to Sony is minimal. And the upside for PSN members, including those involved in the many emerging class action lawsuits, is likely to be bupkes. Nothing.

Recent history suggests Sony’s likely gift to users as an apology for losing their personal data will be some period of free credit monitoring and a free month of PSN service. If that sounds generous you might be surprised to learn that the going price for wholesale monitoring from the big U.S. credit reporting firms is approximately five cents per account per month, or $3.85 million per month if all 77 million PSN accounts have been compromised. The usual terms for a mea culpa of this sort are three months of monitoring, for a total cost to Sony of around $10 million.

“It will cost them more to send the e-mails making the offer than it will to provide the service,” said a source of mine in the credit reporting industry.

If you are hoping for big bucks from a class action lawsuit, go back and read PSN’s Terms of Service you clicked on without reading when you first joined the network. As with nearly all such legal agreements, you signed away any significant right to compensation beyond the direct cost of the service for the time it is disrupted. Only the lawyers will make a dime from this.

That is not to say that Sony takes the attack or subsequent outage lightly. No Japanese company would. But the fiercely proud corporation also hasn’t gone out of its way to apologize. No Japanese company would. A funny thing about Japanese business culture is the tendency to apologize profusely for absolutely anything that is beyond the control of the company or its executives. They’ll apologize for traffic, for bad weather, for someone else’s mistake, but if the company or its leaders have actually screwed up they generally won’t say a thing, which is not at all good for Sony’s global image.

This outage comes in large part because Sony has been so aggressive against hackers, who finally decided to slap down the electronics giant. This is not to argue that Sony shouldn’t defend itself, but it is to argue that Sony should have expected elevated attacks as a result of its actions. Maybe they did expect more trouble, but the fact that they were so easily compromised shows corporate hubris at a reckless level.

Now let’s consider for a moment why this outage is continuing a week after the break-in. Speaking with a few experts and reading the official Sony FAQ gives some insight into what may really be going on. Sony says it is investigating, but should an investigation really take this long? Can’t the server logs and other network data be locked down in a few minutes and examined at leisure? Sure. So when Sony says it is investigating, what they probably mean is they are trying to fix the problem, seal the breach, and make sure that particular gambit cannot be accomplished again. This takes time — hours of programmer time and dozens or even hundreds of hours of QA time to make sure the fix scales properly and will work under a full network load.

Sony doesn’t say this, of course, but that puts us back to the fierce pride part. While they can admit a break-in they find it very difficult to say they are putting locks on the doors that never had them.

But wait, there’s more! In the official Sony FAQ and also the official PlayStation blog there is an amazing admission that the company really has no idea how many user accounts were compromised. They suggest that users “assume” their data has been stolen. Well, was the data stolen or not? That big unencrypted or shoddily encrypted file with the details of 77 million account holders either left the building or it didn’t, right?

Sony doesn’t seem to know.

This is from the official PlayStation blog:

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

I love the part about it having been a malicious attack. Had the attack been less malicious, would less data have been lost? That is the sound of Sony whining.

When I discussed the attack with a friend of mine in the enterprise data security business he made an interesting speculation. “A really smart criminal would want to cover his tracks,” said my friend. “You can either grab the data and hope to slink away unnoticed or you can grab the data then destroy everything on your way out.”

In a worst case scenario, Sony doesn’t even know what vulnerability the crackers used to gain entry. Sony may be literally clueless.

The people behind this PSN hack didn’t want it to go unnoticed. They wanted Sony and Sony users to know they had been violated. And Sony’s apparent ignorance of just what was taken (possibly even how it was taken), plus the fact that the network is still down a week later, strongly suggests the crackers may have thrown a few metaphorical hand grenades into the system on their way to Denny’s for that celebratory Grand Slam breakfast.

Better late than never…

Posted in 2011 on April 24th, 2011 by Robert X. Cringely – 36 Comments

BBC Radio 4 called this weekend hoping I would be willing to be interviewed in the middle of the night for their celebration of what they were calling “the 50th anniversary of the microchip,” which I came to understand meant the planar process that made possible the first integrated circuit.

But this is the 52nd anniversary. The BBC is running two years late.

I broke it to them gently.

If you are interested in those events of 52 years ago, here is a presentation all about it from the Computer History Museum back in 2009. This is a long video at 1:42, but be sure to look for Gordon Moore’s PowerPoint presentation, which runs about 20 minutes and is well worth viewing.

Memo from the bleeding edge

Posted in 2011 on April 22nd, 2011 by Robert X. Cringely – 90 Comments

Successful technology startups are usually those that hit the market in a sweet spot — where market conditions create significant demand just as the startup is introducing its product. From the look of the rapidly-consolidating hard drive business, it might appear that I’ve missed the sweet spot with the metal foil disk technology some readers may remember I’ve been working on for several years. Hopefully not. But in any case it is probably time for an update.

When I started down this path toward a drive that uses very thin metal foil instead of polished glass there were several potential customers. Then Western Digital and Seagate started buying their competitors, and now there will shortly be just two hard disk companies that actually make their own products. Toshiba may continue on its own course, but Toshiba contracts its manufacturing to others, while Seagate and WD are vertically integrated, making almost everything in-house.

Some of this consolidation can be attributed to the growing success of solid state drives based on flash memory technology. That’s certainly the case with Samsung, which is selling its hard drive operation to Seagate and further expanding its flash business in the process. But hard drives are far from dead. The best technology roadmaps I can find suggest hard disks will remain dominant in PCs and data centers alike until 2025. So I keep telling myself there is plenty of time yet to deploy my technology.

Just because a platform is likely to survive doesn’t mean that it will do so without change, and change is one of the things that has hurt my foil drive. We focused all our work on the 48mm (1.8-inch) form factor drives common in media players and netbooks just in time to see those drives scheduled for retirement as the bottom end of the market gives way to flash. Uh-oh. Back to the drawing board.

What’s interesting about this impending demise of 48mm drives and how I made the wrong call is that by conventional thinking they shouldn’t be going away at all. We always need more storage space in our devices and flash is still too expensive to compete with 48mm on a bit-to-bit basis. What I failed to anticipate (and what killed me) was cloud storage.

For the first time, new media players, netbooks and notebooks generally have less internal storage than did the previous hardware generation. That saves money for the manufacturers but, more importantly, those same manufacturers are further leveraging this deliberate storage deficit to push their own cloud storage services. Who needs a lot of storage on your iPod if you can keep all your movies in MobileMe?

And that cloud storage will all be on hard drives, of course, so we’re back in business, though at a larger form factor.

All hard drives will shortly be either 2.5-inch or 3.5-inch and my sense is that in the long term (that is between now and 2025) the 2.5-inch form factor will prevail. Downward cost pressures will make it logical to standardize on a single physical size and 2.5-inch drives will fit in smaller devices like set-top boxes where 3.5-inch drives are already too big.

So I am aiming at the new sweet spot, the 65mm (2.5-inch) foil drive.

What’s taken so long is that making this stuff turns out to be very hard to do. You have to find the right alloy (more difficult than you’d guess), get someone to make it for you at a purity better, frankly, than the world has ever demanded before, then figure out a way to roll, stretch, punch, deburr, polish, clean, and package it, with each of those stages worth a startup in its own right.

Just the purity part can be difficult for many folks to get their minds around. In this case we’re talking about not just the precise alloy, but also about occlusions — particles within the alloy. Occlusions are chunks of metal that deserve to be in there but ideally would be more completely mixed into the alloy matrix. Typical occlusions might be tiny grains of chromium or cobalt. The trick is that occlusions have to be smaller in diameter than the thickness of the foil so they don’t mess up the magnetic environment on both sides of the platter at once. If your disk is 30 microns (0.03mm or 0.00118110236 inches) thick, then occlusions have to be guaranteed less than 30 microns.

Try getting that from a company best known for making cannons.

This is not only a pain in the ass to accomplish, nobody had even requested it before. So when you show up at the door of a giant steel company asking them to do just a few kilograms of some obscure alloy at a purity level beyond anything they’d ever even imagined, don’t be surprised if they laugh in your face.

If you can get the right alloy at the right purity, then you have to figure a way to make it super-flat. This is traditionally accomplished through progressive rolling then stretch-leveling then polishing, again to a standard never before required for a material that is also very thin. It takes years and kissing lots of frogs to find vendors who can do such work.

Even then you still have to clean the disks and package them for sputtering. This involves not just special cleaning machines that have to be built, but also designing packaging that protects the disks in transit yet can be opened at the disk drive factory without damaging the very fragile disks.

And that’s all it takes to change the world.

At the bleeding edge of technology there is always a question of whether it is worth the effort. At each platform transition is it better to throw money and energy at being the best of the last generation or the first of the next generation? This question is embodied in the whole disk drive versus flash drive competition. I had decided already to continue with hard drives. But that doesn’t necessarily mean everything has to be made using refinements of techniques that were in some cases developed centuries ago.

We proved by spending a lot of time and money that the roll-stretch-punch-deburr-polish-clean-package process could be done at a level comparable to current glass disks. But what happens next year when our customers inevitably demand even tighter tolerances?

We’d be screwed.

While what we wanted to do was possible it wasn’t practical. Operating on that bleeding edge it was becoming clear that most of the blood would shortly be ours. It was time to either give up the dream or make a quantum leap in manufacturing what many already viewed as a technology that was itself obsolete.

So I of course opted to build my Model T using nanotechnology.

Our new process builds foil disks one atom at a time, completely eliminating every step of the previous process. The new process comes down to: Step One — remove finished foil disk from machine. There is no Step Two.

With the new process there are no occlusions and the disks are absolutely, perfectly flat. The disks can be made of any alloy ever imagined or some new alloy we invent. And here’s the really cool part: while we’re making foil disks why not make the magnetic recording layer, too? No more sputtering.

Every stage of a manufacturing process has some units that can’t pass inspection. Our new process collapses dozens of stages and their associated wastage into a single stage.

It’s all or nothing.

Now to prove we can do it 800 million times per year.


Sorry, wrong number

Posted in 2011 on April 20th, 2011 by Robert X. Cringely – 89 Comments

I was in Los Angeles last Friday for TV meetings and lost my iPhone 4. It was on my belt and suddenly it wasn’t. Then in one of those deja vu experiences I noticed that I was only steps from an Apple Store, so I went inside to trace my iPhone using the Where is my iPhone? app. But my iPhone was nowhere.

Understand that it was fully charged and I had been using it less than 10 minutes before. My phone was nowhere to be found.

Sadly the kids at the Apple Store knew far too well what had happened, because they hear the story every day. My phone was most likely stolen straight from its clip on my belt by a professional iPhone 4 thief. The moment it was grabbed from my belt the thief handed it to an accomplice. Within a minute the phone was powered off and untraceable. They didn’t want my data, just my iPhone.

An iPhone 4 can go for $300 in China. They replace the SIM card, spoof the MAC address, or sell it for use on a network that doesn’t care. The street price in L.A. for my phone is $100. An industrious criminal can grab several phones per day.

My friend Bill, hearing my story, said it is even worse in New York where thieves will steal the iPhone 4 right out of your hand, running off into the inevitable crowd of pedestrians. That will teach us not to use our mobile smart phones when, well, mobile.

I have had a hand-held phone continuously since 1993 and while I have broken phones a variety of ways including dropping one in a toilet, this is the first phone I’ve had stolen in 18 years. It’s not that I felt naked without the phone, I felt violated.

So what do you do? Go back to the Apple Store and pay full price ($599) for a replacement iPhone 4 because AT&T didn’t offer insurance and you didn’t think to buy a policy from a third-party provider?

Nope. I bought for a quarter that price an iPhone 3GS which nobody wants to steal.

It’s good enough for me.

Cyberpolice Academy

Posted in 2011 on April 17th, 2011 by Robert X. Cringely – 52 Comments

While we’ve gone close to a decade since 9/11 without airliners smashing into skyscrapers, it is hard to see the Department of Homeland Security as an unvarnished success. Under a variety of directors the department has consistently taken a heavy-handed approach to security that upsets travelers on the left and right alike, relies too much on fear-mongering, and is frequently just plain incompetent. Yet these are the folks who are now about to take over cyber-security, too. I think there is a better way.

According to recent reports there is legislation moving shortly from the White House to Congress intended to put all U.S. non-military cyber-security responsibility with the Department of Homeland Security.

It’s logical, of course, to give policing power to the police. But the policing power we are talking about here is international and domestic, and because of automation would necessarily touch every Internet user, most of them without their knowing they were being touched. Worst of all, there’s a learning curve here, and the people who’ll be climbing that curve are the same ones presently touching our junk down at the airport.

In the 14 years I have been writing this column there have been a number of intrusive security initiatives proposed and abandoned and I have written negatively about all of them. But while I’ve criticized (it is so easy to do, after all) I’ve never proposed an alternative structure… until now.

First let’s admit that there is a huge Internet security problem. Between rogue states, organized crime, industrial espionage, and middle school script kiddies there is plenty of anti-social Internet behavior to go around. Those of us who exist on-line deserve both our privacy and safety from these threats. The problem is that when we invest enforcers with our protection they like to start enforcing before they even know how to protect. Sometimes they enforce and never protect, simply because they don’t know what they are doing.

This DHS cyber-security proposal: we all know it won’t work. How can lawyers and cops expect to build a secure network if they can’t even reboot their PCs? That’s just wasted money.

So let’s take a lateral approach to this problem and instead of trying to turn cops into nerds, let’s get the nerds organized to better enhance data security for us all.

The model I would propose we follow is that of the Internet Engineering Task Force (IETF) — a brilliant structure that has helped the Internet thrive now for a generation.

Why not take this extra money that’s about to be wasted on expanding DHS and instead offer funding for a security task force like the IETF but called the Internet Security Task Force (ISTF)? Industry would get behind it. The IT industry would love it. They’d even help pay for it.

Is your phone ISTF 1.0 compliant? Are your PCs ISTF 2.0 compliant? You won’t get your ISO or PCI certification if they aren’t. IT providers would have the ability to recommend and help move us toward a more secure Internet using an open and iterative structure that would encourage what really works and discourage what doesn’t.

But we can’t allow government to take the lead in this, because they’ll just screw it up.

We need to convene a meeting right away to figure out how to organize the ISTF. Then we need to get DHS to oversee the ISTF from the perspective of an evolving security process funded by research and corporations, instead of GS-15s with bloated staffs writing plans that will be funded yet fix nothing.

Who will join me at that first ISTF meeting?

Larry Page’s running start: but is he running in the right direction?

Posted in 2011 on April 10th, 2011 by Robert X. Cringely – 60 Comments

A few months ago I wrote a column giving advice to Larry Page when it was announced that he would be taking over once again as CEO of Google. Not that Google is especially in trouble, but it is a big job getting 50,000 feet marching in the same direction. In order to make that happen I urged Larry to create startups within Google. And sure enough, as he took over the top job last week and started announcing changes, one of the most radical was something very similar to the “five guys in a rented apartment” scheme I had proposed. Who knows, maybe Larry reads this rag, but probably not.

While I say Google isn’t in trouble, that doesn’t mean the company isn’t stuck. Google is very stuck. Like any successful and mature tech enterprise they are very adept at leveraging market advantages. PageRank, AdWords, AdSense are the big money-makers still. Everything else — everything else — is a page view generator and nothing else. Gmail, all the web apps, YouTube — all they are for is generating page views and displaying ads. There hasn’t been a successful new business at Google for more than a decade (no, Gmail is not a business, nor is Android). So Google is still a fabulously successful enterprise and great at making money, but it is a stuck very successful enterprise.

Google hasn’t shown it is very good at inventing new businesses internally, and they aren’t good, either, at buying businesses externally. Name one business Google has purchased and taken to a new level of greatness. They tend to buy companies for the people and then throw away or forget the technology. Name one CEO or CTO hired by Google with an acquisition who is punching out products today. It can’t be done. Graham Spencer, Rohit Khare, Max Levchin, just to mention three: what happened to them?

They disappeared. I’m sure they are plenty busy with this and that, but they are also invisible.

So Larry Page has his work cut out for him and I commend him on his first week on the new job. Streamlining management, making Google’s social business a priority for everyone, coming up with new ways for Googlers to start their own businesses inside the company — that’s all great. But it isn’t enough.

Take that internal startup program, whatever it is being called. In principle it is a great idea, but the implementation is flawed. The internal startup founders, for example, are given two years to make their business work — two years before they have to deliver anything. That’s crazy.

Maybe it takes two years for Google to deliver anything, but Google is now a big stupid company with poor communication skills to boot — in many ways a worse Microsoft than Microsoft. A startup that hits its first deadline at 24 months is a startup that is over-capitalized and too lacking in fear.

Listen, these Google engineers with their startups will have already been thinking about their idea for months or years before they ever submit it to management. They need to deliver a prototype in two months, a solid beta product in six months, and have a full release in 9-12 months, tops. After all, they aren’t spending any time at all looking for money, and that’s what startup CEOs do probably half of their time.

Giving them two years is saying the engineers should take a year on the beach first, then get to work.

And if the startup idea fails then the Googlers working on it should fail, too. They should be fired. Now there’s a proper incentive to succeed, not this fantasy startup thing.

Maybe Larry has forgotten all this, maybe he’s just slow, but he’s also wrong. This internal startup program may well keep people from leaving Google for a while, but it won’t generate many new businesses, because it creates the wrong atmosphere — one that actually encourages failure.

But at least it is a step in the right direction.

Now what, Larry?


Purgatory at 37 degrees

Posted in 2011 on April 7th, 2011 by Robert X. Cringely – 96 Comments

At the heart of the current U.S. mortgage crisis are a variety of players that include circa 2006 home buyers with houses they couldn’t really afford, mortgage brokers who sold mortgages to people they knew couldn’t afford them, banks who turned those mortgages into securities that were bound to (in some cases designed to) fail, all held together with bureaucratic glue made almost entirely of testosterone and bullshit, and decorated with robo-signers and lost documents by the millions. Old news, right? But who would have thought we’d see many of the same behaviors emerge around one crappy refrigerator from Home Depot?

My friend Ralph owns that crappy fridge, an LG model based on a Whirlpool design that was built for only one year because it was so bad. Ralph, who didn’t know any of this at the time, bought the fridge at Home Depot and bought the extended warranty there, too. Since then he’s had seven service calls to replace all the circuit boards, the compressor (twice), the ice maker (three times), and to replace various plastic parts that had literally fallen off. One failure spoiled all the food in the fridge, which (GE?) paid to replace. One ice maker failure was so bad it flooded Ralph’s house. The ice maker especially is so bad on these fridges that there are no longer any replacement parts available to be ordered. None.

Now if you have bought any larger ticket item at Home Depot you know they have a three strikes and you are out policy very similar to certain state lemon laws. For all I know it may even be a state or federal regulation that prompts Home Depot to replace the entire unit if any part breaks three times.

Ralph, with his third ice maker lying dead in the bottom drawer freezer of his old LG, is due a new refrigerator-freezer.

But so far he can’t get one.

Here’s the problem. Like most big box retailers, Home Depot doesn’t really offer its own extended warranties. They resell warranties from a third party, which in the case of Ralph’s fridge came from General Electric.

It’s pretty ironic, don’t you think, getting a GE warranty on an LG appliance?

So it is GE, not Home Depot or LG, that should pop for Ralph’s new fridge. Except GE sold the warranty along with a lot of others to another company called Assurant Solutions, which now handles extended warranty repairs for Home Depot.

This is analogous to your mortgage being bundled with a bunch of other mortgages and sold to a different bank. Assurant Solutions is like that mortgage servicer you love to hate.

Ralph dutifully made his claim, then, to Assurant Solutions. “Give me my new refrigerator!”

No.

Assurant Solutions assured Ralph that he indeed would qualify for a new fridge if his ice maker had, in fact, failed three times, but they had no reason to believe that was the case, BECAUSE THEY RECEIVED NO SERVICE RECORDS AT ALL WHEN THEY BOUGHT HIS WARRANTY FROM GE.

Ralph has receipts, he has photos of bad parts, he even has the complete second-to-last ice maker as a memento from the repairman who by now has his own coffee mug at Ralph’s house. Ralph has plenty of documentation to prove that his fridge is a dud and he is therefore owed a new one. But since Assurant Solutions has no repair records, they say they can’t help him, so he has to go back to Home Depot.

And that’s exactly what Ralph did. Calling Home Depot he learned that store managers have super powers they can invoke in cases like this. So Ralph took his receipts and his pictures and his busted ice maker to the very Home Depot where he bought the fridge and confronted the store manager, who was very sympathetic. The manager took his own pictures, asked questions, filled out a form, and submitted it to Home Depot HQ as proof that Ralph’s beef was legit.

And Home Depot, accepting all this on the word of its store manager, sent all the paperwork along to Assurant Solutions, which promptly denied the claim BECAUSE THEY RECEIVED NO SERVICE RECORDS AT ALL WHEN THEY BOUGHT HIS WARRANTY FROM GE.

Are we seeing a trend here? Ralph is being victimized. After all, he paid for that extended warranty. It’s easy to see Assurant Solutions as the bad guy, but why didn’t GE hand over those service records? Why didn’t Assurant Solutions demand them as part of its due diligence? Because Ralph’s LG fridge is the food storage equivalent of a sub-prime mortgage might be the answer to this question. Neither GE nor Assurant Solutions probably wanted to even think about Ralph in the midst of their deal-lust.

Ralph can go to court, of course, and probably will. But short of Home Depot doing the right thing, or GE fixing its error and Assurant Solutions then fulfilling its obligation, I’m expecting to enter shortly, stage left, the robo-signers! They might claim Ralph’s LG refrigerator doesn’t even exist.

Update — It took about an hour but Ralph now has a $2400 credit from Home Depot for a new refrigerator of his choice.


The Epsilon Syndrome

Posted in 2011 on April 7th, 2011 by Robert X. Cringely – 53 Comments

Like a lot of you, this week I received several messages telling me my e-mail address had been stolen from a company called Epsilon that provides mass e-mail services to many giant corporations. At the end of this post you’ll find what I believe is the latest list of companies affected. I have heard from four of these companies so far — Best Buy, Chase, Hilton, and Ritz-Carlton, which is interesting because I don’t recall having even stayed at a Ritz-Carlton. From a look at the master list below I’m surprised I haven’t yet heard from Verizon, where I am also a customer. The point of this post isn’t just to print a list of Epsilon customers, but to say how screwed-up and perilous this event is for everyone involved including you and me. Heads should be rolling and there is no evidence yet that they are.

Epsilon, which has millions of consumer e-mail addresses and associated names, was hacked, losing some unstated number of customer files probably numbering in the millions. The affected companies have sent very earnest messages notifying us, expressing hopes that the damage is limited, but urging us to be on the lookout for bad guys messing with our IDs. What they aren’t saying yet is this: “Epsilon screwed up so we’re firing their sorry asses and suing them back to the stone age.”

If Epsilon made such a huge mistake they should be punished. If they are being punished we, as the truly affected parties, should be told that is the case. Better, still, we should be compensated for our inconvenience. This is not business as usual. This is a huge steaming mess. Polite e-mail messages that say almost nothing are not an adequate response.

Here’s why I feel this way and you should too:

This stolen data will be used for phishing attacks, which is what the companies are warning us to be on the lookout for. There will be such attacks, and telling us to be on our guard won’t stop them from being successful to some degree. It is in my view a woefully inadequate response. Remember these bad guys have a lot of data on us — the name of the company with which we are doing business, our names (in most cases), and our e-mail addresses.

No matter what spin the companies put on it this is huge. Consumers will be compromised and losses in the millions — maybe tens of millions — will be incurred. And I don’t care if the banks say they’ll cover the losses, that never happens gracefully, at least not for me.

People who opted-out with these companies were also exposed. So it isn’t just customers but also former customers and non-customers whose information was stolen. What is the legal exposure there? It’s an issue I haven’t seen discussed anywhere.

What if the bad guys start sending mail to the opt-out people (you know they will) and by doing so cause the affected companies to violate the CAN-SPAM Act of 2003? That can cost $16,000 per violation.

But hey, this is a case of simple theft and Hilton can’t be held responsible, can it? It isn’t clear.

Here’s what the Federal Trade Commission says: “The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.”

That’s a giant class action lawsuit just waiting to be filed.

But wait, there’s more! Any company that accepts credit cards is bound by the card industry’s security standards and can be audited against them. Will the companies listed below pass their next such audit? On the face of it they shouldn’t, because their systems have been compromised. Blaming Epsilon doesn’t change that because, as in the FTC example above, the companies can’t simply delegate responsibility. And I sincerely doubt that Epsilon or its parent, Alliance Data Systems, is in a financial position to indemnify all those companies.

Again you might say this is an over-reaction on my part, that cooler heads will prevail. Maybe so, but the ugly truth here that isn’t being addressed is that some — maybe many — of these companies could be hiding a multitude of security sins that would come to light in such an audit. Do they really want to let anyone who knows what they are doing have a close look at systems that may be antiquated or even non-existent?

If this Epsilon mess causes a rash of credit card claims and chargebacks that trigger automatic security audits, then even if the Epsilon event itself is explained away, a lot of these companies will still be in trouble.

The worst part of all, though, is that nobody in this mess is on our side, nobody. Apparently we’re not too big to fail.

Here is what I understand to be the current list of affected companies:

1800-Flowers

Abe Books

Air Miles CA

Ameriprise Financial

Barclays Bank of Delaware

Beachbody

Bebe Stores Inc.

Benefit Cosmetics

BestBuy

Brookstone

Capital One

Charter Communications

Chase

Citibank

City Market

The College Board

Crucial.com

Dell Australia

Dillons

Disney Vacations

Eurosport/Soccer.com

Eddie Bauer

Food 4 Less

Fred Meyer

Fry’s

Hilton Honors

The Home Shopping Network

Jay C

JP Morgan Chase

King Soopers

Kroger

LL Bean

Marks & Spencer (UK)

Marriott Rewards

McKinsey Quarterly

Moneygram

New York & Co.

QFC

Ralphs

Red Roof Inns Inc.

Ritz Carlton

Robert Half

Smith Brands

Target

TD Ameritrade

TIAA-CREF

TiVO

US Bank

Verizon

Viking River Cruises

Walgreens

World Financial Network National Bank

Geeks like me: What’s Engadget really worth?

Posted in 2011 on April 5th, 2011 by Robert X. Cringely – 53 Comments

Eat more herring!

Thorstein Veblen was a cranky Norwegian-American economist best known for his 1899 book The Theory of the Leisure Class where he coined the term conspicuous consumption, which meant that if former Tyco CEO Dennis Kozlowski bought a $9000 shower curtain with company money he should probably go to prison… and did. Veblen instantly came to mind this morning when I read about how nine of the top editors were leaving Engadget for a new gig no longer associated with AOL. There’s a lot to think about in this move, which Veblen (who died in Palo Alto in 1929) would have appreciated.

Veblen, you see, was a socialist of sorts but really he was more a dour Norwegian who respected hard work and the accumulation of knowledge, if not wealth. Give a man enough pickled herring, Veblen thought, and what else did he really need?

Veblen was fascinated with what he called engineers, by which he meant the folks whose ideas and expertise made possible technology-based economic output. Veblen had no time for workers or bosses, but he loved engineers, seeing them as the heart of any real enterprise. In this Engadget story those nine editors constitute the engineering class as opposed to workers who are a commodity and bosses who are parasites.

Veblen thought correctly that production workers couldn’t fix the very machines they ran and neither could the bosses, so he saw the real power in an organization lying with the engineers, whether they knew this or not. If the engineers walked out, Veblen theorized, then the enterprise was screwed. But this ignored the importance of capital (provided by the big bosses in exchange for those shower curtains) and didn’t anticipate the global pool of technical talent available today, where almost any geek can be replaced.

There’s a long tradition of techies hitting the road en masse. Gordon Moore, Bob Noyce and the rest of the traitorous eight did just that when they left Shockley Semiconductor to start Fairchild Semiconductor back in the 1950s. The eight had had enough of Shockley and so took their balls down the road to Fairchild where, ironically, the big boss wasn’t a geek at all but a much more traditional hands-off tycoon.

At Engadget we see the top editorial talent (the word-engineers) leaving because they didn’t like the factory machinery (blogging software that hadn’t been upgraded since 2003) and felt unappreciated and under-rewarded in an organization that I have in the past referred to as a sweatshop. I think it didn’t help, either, that AOL just spent $315 million in cash for the Huffington Post, giving Arianna Huffington, a very smart (and smart-ass) executive who tends to see technologists as a commodity, oversight of Engadget.

Maybe Huffington was intending to clean house at Engadget, but probably not. More likely she made comments about how she and her crew were going to fix things — things that this new traitorous nine may not have seen as broken.

Any time new management asks you to re-apply for your own job it is a sign of zero professional regard.

There’s a wonderful experiment here, in which we’ll shortly see just how valuable those nine editors are and, for that matter, how valuable Engadget itself is. The Engadget brand stays with AOL, but will the readers? Or does the real value lie with those departing editors?

My guess is that both will fare well. Huffington now has an incentive to throw a little money at Engadget, so that crappy blogging platform will no doubt be improved. The editors taking over will rise to the task and get raises to boot. Yet at the same time the departing editors will create something interesting at their new site, whatever it is called, and readers will love that, too.

The reason why all this happiness will ensue is something Veblen never considered: this is a frictionless information economy where more is nearly always better.

When it comes to information there is no such thing as conspicuous consumption, and none of us are ever information-rich enough.

If I am right, what does it say about brand value? It says AOL paid too much for the Huffington Post, that building and buying in this market are comparable efforts if you take into account the cost of time, and neither deserves a premium as a result.

The engineers neither win nor lose in this while the big bosses will learn that their factories and shower curtains may not be worth so much after all.