Observations on PCI-DSS and Circular Arguments

Posted February 26th, 2010 by

OK, so I lied unintentionally all those months ago when I said I wouldn’t write any more PCI-DSS posts.

My impetus for this blog post is a PCI-DSS panel at ShmooCon that several of my friends (Jack Daniel, Anton Chuvakin, Mike Dahn, and Josh Corman, in no particular order) were on.  I know I'm probably the pot calling the kettle black, but the panel (as you would expect for any PCI-DSS discussion in the near future) rapidly dissolved into chaos.  So as I'm sitting in the audience watching @Myrcurial's head pop off, I came to the realization that this is really 4 different conversations disguised as one topic:

  1. The Cost-Benefit Assessment of replacing credit card # and CVV2 with something else–maybe chip and pin, maybe something entirely different–and what responsibility do Visa and MasterCard have towards protecting their business.  This calls for something more like an ROI approach because these are infrastructure projects.  Maybe this CBA has already been done but guess what–nobody has said anything about the result of that analysis.
  2. Merchants’ responsibility to protect their customers, their business, and each other.  This is the usual PCI-DSS spiel.  The public policy equivalent here is overfishing: everybody knows that if they come back with full nets and by-catch, they’re going to ruin the fishery long-term for themselves and their peers, but they can’t stop the destruction of the fishery by themselves, they need everybody in the community to do their part.  In the same way, merchants not protecting card data mess over each other in this weird shared risk pool.
  3. Processor and bank responsibility.  Typically this is the Tier-1 and Tier-2 guys.  The issue here is that these guys are most of the processing infrastructure.  What works in PCI-DSS for small merchants doesn't scale up to match these guys, and that's the story here: how do you make a framework that scales?  I think it's there (i.e., the tiers and assurance levels in PCI-DSS) but it's not communicated effectively.
  4. Since this is all a shared risk pool, at what places does it make sense to address particular risks?  I.e., what is the division of roles and responsibilities inside the "community"?  Then how do you make a community standard that is at least reasonably fair to all the parties on this spectrum, Visa and MasterCard included?

PCI-DSS Tag Cloud photo by purpleslog.

There are a bunch of tangential questions, but they almost always circle back to the 4 that I've mentioned above:

  • Regulatory capture and service providers
  • The pitfalls of designing a framework by committee
  • Self-regulation vs. legislation and Government oversight
  • Levels of hypocrisy in managing the “community”
  • Effectiveness of specific controls

Now the problem as I see it is that each of these conversations points to a different conversation as a solution and in doing so, they become thought-terminating clichés.  What this means is that when you do a panel, you're bound to bounce between these 4 different themes without coming to any real resolution.  Add to this the fact that it's a completely irrational audience, each of whom only understands their 1 piece of the topic, and you have complete chaos when doing a panel or debate.

Folks, I know this is hard to hear, but as an industry, we need to get over being crybabies and pointing fingers when it comes to PCI-DSS.  The standard (or a future version of it anyway) and self-regulation are here to stay because even if we fix the core problems of payment, we'll still have security problems because payment schemes are where the money is.  The world as I see it is that the standards process needs to be more transparent and the people governed by the standard need a seat at the table with their rational, adult, and constructive arguments on what works and what doesn't work, to help them do their job and help themselves.


Posted in Public Policy, Rants | 1 Comment »

Snowmageddon Meets the IKANHAZFIZMA Lolcats

Posted February 11th, 2010 by

First, it was thundersnow.  Then a couple of weeks later, we have snowmageddon V2.0 and 3.0 right in the middle of ShmooCon.  Now maybe on Monday we’ll get even more.  How could IKANHAZFIZMA refuse this as a lolcat topic?

#snowmageddon i haz it


Posted in IKANHAZFIZMA | No Comments »

QR Code Temporary Tattoos Howto

Posted February 10th, 2010 by

So it started with an idea.  How cool would it be to get everybody to install a QR code reader and read temporary tattoos off each other?  Anyway, at Shmoocon I walked around with a bag of QR temporary tattoos much to the delight and chagrin of the hackers assembled therein.

The howto:
#1 Get a barcode generator. I use zint; it's my favorite tool for generation.  For those of you on Ubuntu or Debian, I have packages built for you.  And give the zint guys some money while you're at it; they use the funds to buy standards and make zint work with every symbology known to mankind.

#2 Get a layout program. I use Inkscape.  The key requirement is that it can import .svg files and flip images horizontally.

#3 Get printable temporary tattoo paper. It’s not really cheap, but I found kits on tattoofun.com.  The kit consists of waterslide temporary tattoo paper, adhesive sheets, and an instruction sheet.

#4 Make .svg Barcodes! I load up zint and toss some text at it, then use the QR symbology.  Some examples:

  • sms:7035551234 body:Greetz from teh Internetz
  • MATMSG: TO:shredder@guerilla-ciso.com; SUB:Test; BODY:This is a test. Please reply if received.;;
  • MECARD:N:Wizzleteague, Stinky;ADR:1234 Main St, Arlington, VA 22202;TEL:+17035551234;EMAIL:shredder@guerilla-ciso.com;;
  • Hi, I’m Quine. I haz a RAGE! https://twitter.com/quine
  • I went to Shmoo and all I got was the flu
  • BTW, if you want to pay me to make QR tattoos for promotion events, drop me an email.

Zint Main Screen

#4.5 Add in QR error correction. The more error correction you use, the more data goes into the barcode, so the smaller the individual blocks are at a given print size.  However, some error correction compensates for distortion and glare.  IIUC, Zint automagically adds in 20% error correction.  I'm not sure what the magic number here is because it depends on the size of the printed barcodes.

Zint Error Correction

#5 Export barcode from zint. SVG is the format to save as, because you can scale the barcodes up as much as you want and they won't get all pixelated-looking.  You can grab a ton of the barcodes I made here.

Save as SVG

#6 Import barcode into inkscape.  File=>Import then select the .svg file you want.  Since the barcodes are svg, you can scale them awesomely.  For mine, I set up guidelines so I could lay out rows proportionately.  Be sure to lock the object proportions or you’ll get hideously warped QR monstrosities that nothing can read.  You can grab my sheet of barcodes here.

Lock Aspect Ratio in Inkscape

#7 Make "The Big Flip" and print.  Inkscape-specific: Edit=>Select All, followed by Object=>Flip Horizontal.  Then print the page on the glossy side of the waterslide paper.

#8 Add the sticky.  It’s a bit like laminating a map only the adhesive is way more forgiving.  Poke some pin-holes in the adhesive sheet and smooth out all the bubbles.

#9 Cut, peel, stick, wet, pull, read, lol.  You can get a reader here, but the important bits: iTunes Store: Barcodes.  Android: Barcode Scanner.
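As an added example (not from the post, and not zint's or Inkscape's code): a small Python encoder and parser for the DoCoMo-style MECARD: and MATMSG: payloads used in step #4.  The escaping rule (a backslash before `\`, `;`, `,` and `:`) is the MECARD one and is assumed here to apply to MATMSG too; it matters because an unescaped `;` or `:` inside a name or message body would otherwise be read by the scanner as the end of the field and the start of a new one.

```python
_RESERVED = '\\;,:'          # structural characters in MECARD/MATMSG payloads
_LIST_KEYS = {'N', 'ADR'}    # fields whose components are separated by ','

def escape_value(value: str) -> str:
    """Backslash-escape every reserved character in one field value."""
    return ''.join('\\' + c if c in _RESERVED else c for c in value)

def encode_record(prefix: str, fields) -> str:
    """Build 'PREFIX:KEY:value;...;;'; list values become ','-joined components."""
    out = []
    for key, value in fields:
        comps = value if isinstance(value, (list, tuple)) else [value]
        out.append(key + ':' + ','.join(escape_value(c) for c in comps) + ';')
    return prefix + ':' + ''.join(out) + ';'

def parse_record(payload: str):
    """Parse back into (prefix, [(key, value), ...]); N/ADR values are lists."""
    prefix, sep, rest = payload.partition(':')
    if not sep or prefix not in ('MECARD', 'MATMSG'):
        raise ValueError('not a MECARD/MATMSG payload')
    fields, i = [], 0
    while i < len(rest) and rest[i] != ';':      # the second ';' of ';;' ends it
        colon = rest.find(':', i)
        if colon == -1:
            raise ValueError('field without ":" at offset %d' % i)
        key, comps, cur, j = rest[i:colon], [], [], colon + 1
        while j < len(rest):
            ch = rest[j]
            if ch == '\\' and j + 1 < len(rest):  # escaped char: take it literally
                cur.append(rest[j + 1]); j += 2; continue
            if ch == ';':                          # unescaped ';' closes the field
                break
            if ch == ',' and key in _LIST_KEYS:    # unescaped ',' splits N/ADR
                comps.append(''.join(cur)); cur = []
            else:
                cur.append(ch)
            j += 1
        else:
            raise ValueError('unterminated field ' + key)
        comps.append(''.join(cur))
        fields.append((key, comps if key in _LIST_KEYS else comps[0]))
        i = j + 1
    return prefix, fields

# Constructed sample built from the values in the post's MECARD example.
SAMPLE_MECARD = encode_record('MECARD', [
    ('N', ['Wizzleteague', 'Stinky']),
    ('ADR', ['1234 Main St', 'Arlington', 'VA 22202']),
    ('TEL', '+17035551234'), ('EMAIL', 'shredder@guerilla-ciso.com')])
```

Run `parse_record` over whatever a scanner hands you before acting on the TO:, TEL: or URL fields; a truncated or unterminated payload raises rather than silently yielding a partial record.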

Lessons Learned:

Laser barcode scanners don't work because the film is reflective.  Photo-based barcode scanners (i.e., most mobile scanners) work pretty well.

You have to make the barcodes bigger than I did.  Mine were 0.75×0.75 inches and, due to the glare on the paper and some distortion from putting them on skin, they were hard to read.  I think maybe 2×2 inches is optimal.

Hackers don't like informational URLs in their tattoos: "I got an ad for ZXing, this sucks".  I think random goofy phrases and skin pwnage would work better than informational URLs.

Some people (Quine) weren't happy with a grab-bag random URL and needed their own custom witty saying.  I felt the rage; it has now been fixed.

You can’t read the barcodes until they’re on the skin because of the horizontal flip.  Before you do the flip, print out the barcodes on regular paper.  You can read these easily enough.  Then flip the finished barcode sheet over after you’ve printed it and you can match up the barcode with the non-flipped sheet.  Even better if you use your computer monitor as a lightbox.

QR Temporary Tattoo


Posted in Hack the Planet, Odds-n-Sods, Technical | 6 Comments »
