Equifax Part 2




  • @jaloopa said in Equifax Part 2:

    @bb36e inB4 a reply saying they're not even unique

    And inb4, perhaps, a reply pointing out that using an American SSN in any way not linked to Social Security (e.g. using it as a generic identifying number) isn't even legal, or at least it wasn't in the 1980s.

    Of course that didn't stop organisations (example: both the universities I went to) using it as a personal identifier.

    And it fails the uniqueness test in both directions. Administrative ... errors ... cause the same number to be issued to two different people, and I've personally known at least two people who had two different SSNs.



  • @dcon said in Equifax Part 2:

    @pie_flavor said in Equifax Part 2:

    If it ain't broke, break it.
    - George Carlin

    I thought that was Facebook's motto...

    Actually...

    https://www.youtube.com/watch?v=EjgHSkb2pEE



  • I've seen more than a few people start calling Equifax 'Equifux' for these failures.


  • Impossible Mission - B

    A different perspective on all this:

    The “Stupid User” Defense

    The computer industry has developed a defense that most industries have tried at one point or another: the “stupid user” defense. When a hack occurs, the spotlight turns to the victim, who is said to be responsible for preventing such attacks. Consider my favorite attack: phishing. A phishing attack happens when someone receives an email and clicks on a malicious link contained in the email. This triggers a process where the program linked to the email searches for, finds, and transmits information from the computer to the sender of the email.

    The view of the computer industry is that the responsibility for this attack rests with the stupid user who clicked on the link. The computer industry has made it clear that you should never click on a link from an unknown sender. Announcing this has discharged the industry’s responsibility. But assume that a company had 5,000 employees. The probability that one person out of 5,000 would not click on the link is near zero. An effectiveness rate of 99.98% in preventing clicks would not be enough to prevent potential disaster. A business or individual would have to prevent all mistakes perfectly and permanently.

    At a higher level, the industry blames the stupid administrator. The security sold with servers, laptops, and the rest is primitive. In selling the equipment, the rule is caveat emptor, let the buyer beware. It is the job of the IT administrator not only to keep things running but also to acquire and maintain a host of security hardware and software to keep the system secure. The problem is not that these tools are fiendishly expensive but that they constantly become obsolete and have to be reconfigured or replaced.

    ...

    The problem, as I have written before, has to do with the primitive nature of computers. The basic structure of hardware and software was created to allow upgrades and third-party software to run on the systems. Since much of this came from outside vendors, authenticating the legitimacy of the code was difficult. It still is difficult. Computers can play vastly complex games, but they cannot identify malicious code. Computer companies solve the lack of evolution in computer security by pointing at the users. Try this in any other industry and I am reasonably certain that the lawsuits would be flying, regardless of what the fine print on contracts said.

    ...

    The computer and the car have become utilities where the manufacturers are given great value by society. Cars have roads, and computers have access to the Internet. Both have utilitarian necessity. But cars are expected to maintain certain safety features. It would seem reasonable that an industry whose failures can wreak havoc globally should be expected to build security into its own systems.



  • @masonwheeler car safety features are pretty primitive too. They won't be as safe as that article wants computers to be until all vehicles everywhere are self-driving. There are still many car accidents caused by "stupid users". I definitely agree that today's desktop operating systems have very little in the way of proper security, but that analogy bothers me. The phishing analogy also bothers me - how do you protect someone from walking into a store that looks like the real store and paying money for fake groceries?


  • Impossible Mission - B

    @lb_ Cars are still ridiculously safe. Stupid user actions that would have killed the stupid user 20 years ago can now be walked away from, which I think is the point the author was making there: you can't prevent stupid, but you can mitigate the damage. (Just look at the guy who lost control of his Tesla and it jumped off the road, went right through a brick wall, plowed into a tree and then caught fire and he and his passengers all walked away from it unharmed!) They've done that with cars, but much less so with computers.



  • @masonwheeler I think my issue is that I'm interpreting the analogy in a different way or something. To me, modern cars and Microsoft Windows are equally safe, which is to say they're not very safe at all. You can drive off the road and crash and walk away unscathed just as you can try to execute data and walk away unscathed. You can also leave your car windows rolled down and let anyone steal everything inside it, or you can let your "friend" borrow the keys.


  • Impossible Mission - B

    @lb_ said in Equifax Part 2:

    You can also leave your car windows rolled down and let anyone steal everything inside it

    Well, if someone really wants my USB charge cable, about $3 worth of loose change, and a half-empty bottle of washer fluid that badly, there's really not much I can do to keep them from swiping it anyway, so... 🤷‍♂️

    The valuable stuff isn't in the car, it is the car.



  • @masonwheeler Uncle Bob made this very point in one of his presentations. We have a huge responsibility as software continues to grow, and is getting noticeably worse. Because if we don't keep things under control, eventually the government will, and we won't like the way they do it.



  • @masonwheeler said in Equifax Part 2:

    @lb_ Cars are still ridiculously safe. Stupid user actions that would have killed the stupid user 20 years ago can now be walked away from, which I think is the point the author was making there: you can't prevent stupid, but you can mitigate the damage. (Just look at the guy who lost control of his Tesla and it jumped off the road, went right through a brick wall, plowed into a tree and then caught fire and he and his passengers all walked away from it unharmed!) They've done that with cars, but much less so with computers.

    I see a huge flaw in the analogy, though. With cars, there are scenarios that must be protected against regardless of how the scenarios occurred: Keep the passengers from hitting hard surfaces at high speed, limit bodily movement in the event of collision, etc. That's why we have such advanced safety features, yet there are still holes that we are working to fill. Of course, when it comes to vehicle safety, we are working against essentially known quantities: the laws of physics.

    Now, like cars, computers do have some static scenarios that must be guarded against no matter what, but the problem in those scenarios is that we are working against constantly evolving antagonists. If hackers were only using the same tactics now that they used 5, 10, or 20 years ago, hacking would likely be a non-issue. But on top of that, there is also the concern of protecting against bad behavior under only specific circumstances. How do you detect a good login versus a bad login, without inconveniencing the user? Or is it worth inconveniencing the user? How do you improve the install process to allow the user to install the software they want, while preventing the install of constantly evolving malicious software?

    The analogy sounds nice on the surface, but the problems are worlds apart.


  • :belt_onion:

    @abarker said in Equifax Part 2:

    The analogy sounds nice on the surface, but the problems are worlds apart.

    Indeed. And I strongly disagree with blanket statements such as "Computers can play vastly complex games, but they cannot identify malicious code. Computer companies solve the lack of evolution in computer security by pointing at the users." The author is arguing in circles.


  • Impossible Mission - B

    @heterodox said in Equifax Part 2:

    The author is arguing in circles.

    How so?


  • :belt_onion:

    @masonwheeler said in Equifax Part 2:

    How so?

    He's saying "The industry is broken" then using hyperbolic claims to back that up like "The computer industry is knowingly selling defective products" (that was my favorite)... i.e. the industry is broken. With nothing to back up his claims except his own authority.


  • Notification Spam Recipient

    @heterodox said in Equifax Part 2:

    @masonwheeler said in Equifax Part 2:

    How so?

    He's saying "The industry is broken" then using hyperbolic claims to back that up like "The computer industry is knowingly selling defective products" (that was my favorite)... i.e. the industry is broken. With nothing to back up his claims except his own authority.

    You should invite him to the forums! I think you get some kind of badge if they join, yeah?



  • @heterodox I personally don't disagree with that. I know that my company certainly has no problem selling broken, useless things and then cancelling them.


  • Discourse touched me in a no-no place

    @abarker said in Equifax Part 2:

    Now, like cars, computers do have some static scenarios that must be guarded against no matter what, but the problem in those scenarios is that we are working against constantly evolving antagonists.

    There are analogies still in the automotive world. Some car users seek to deliberately crash their cars into other people's cars (as part of an insurance scam). Protecting those who are not at fault in that scenario would seem to be a reasonable thing to try to do (and a front-facing video camera helps a lot ;)), but in that case you've got an evolution of assholery.

    OTOH, we also have some computing devices that really are much safer than computers used to be: smartphones and tablets. They've lost a lot of key flexibility in the process, but they're genuinely much safer…



  • @dkf they're working on undoing the progress made in securing phones by making the password something you need surgery to change and your phone can be unlocked while you are asleep by your face.

    That last part of the sentence sounds like something from a really confused sci-fi author's rejected story ideas.


  • Considered Harmful

    @ben_lubar said in Equifax Part 2:

    @dkf they're working on undoing the progress made in securing phones by making the password something you need surgery to change and your phone can be unlocked while you are asleep by your face.

    That last part of the sentence sounds like something from a really confused sci-fi author's rejected story ideas.

    What if you have resting bitch-face, and you only unlock it with a big smile?


  • ♿ (Parody)

    @pie_flavor said in Equifax Part 2:

    What if you have resting bitch-face, and you only unlock it with a big smile?

    I feel like this is discriminatory against people who get botox treatments.



  • @pie_flavor said in Equifax Part 2:

    @ben_lubar said in Equifax Part 2:

    @dkf they're working on undoing the progress made in securing phones by making the password something you need surgery to change and your phone can be unlocked while you are asleep by your face.

    That last part of the sentence sounds like something from a really confused sci-fi author's rejected story ideas.

    What if you have resting bitch-face, and you only unlock it with a big smile?

    Sorry boss. Can't work today because my face is numb after the dentist and I can't unlock my computer.


  • area_can

    https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach/

    Equifax said this week that it had cleared its executives of wrongdoing after an internal investigation found that the executives did not personally know about the breach before their stock sales.

    With execs like these, no wonder that place is such a clusterfuck



  • @bb36e said in Equifax Part 2:

    after an internal investigation found that the executives did not personally know about the breach before their stock sales.

    I wonder if you're allowed to institute policies to stop people from reporting problems to you so you won't be aware of them and thus won't be legally held responsible.

    https://www.youtube.com/watch?v=0V_E_Jnyhks



  • @anonymous234 said in Equifax Part 2:

    I wonder if you're allowed to institute policies to stop people from reporting problems to you so you won't be aware of them and thus won't be legally held responsible.

    One-box fail:

    Imputed knowledge

    This is relevant in strict liability offences and in corporate crime. For example, if a bar manager delegates his duties to others and those others know of unlawful activities on the premises, the manager can be fixed with imputed knowledge of the unlawful activities.[7]

    [7] is from a case in England, so may or may not be applicable in the US.

    See also Willful Blindness, which would (to this layman) seem to fit this situation to a tee:

    Willful blindness (sometimes called ignorance of law,[1]:761 willful ignorance or contrived ignorance or Nelsonian knowledge) is a term used in law to describe a situation in which a person seeks to avoid civil or criminal liability for a wrongful act by intentionally keeping himself or herself unaware of facts that would render him or her liable.
    ...
    In United States v. Jewell, the court held that proof of willful ignorance satisfied the requirement of knowledge as to criminal possession and importation of drugs.[1]:225

    In that case, the defendant did not ask what was in the package he was carrying. It has also been applied to file-sharing/copyright cases; if one designs a file-sharing system that is widely used for infringing copyright, one does not avoid liability for abetting the infringement by designing the system in a way that prevents one from knowing the content of the files being shared.



  • @bb36e said in Equifax Part 2:

    https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach/

    Equifax said this week that it had cleared its executives of wrongdoing after an internal investigation found that the executives did not personally know about the breach before their stock sales.

    Correct me if I am wrong here, but IIUC the timeline was:

    • Breach occurred in late spring or early summer 2017
    • Breach was detected about a month after it occurred/began
    • Executives including the CTO and the CFO sold off company stocks no less than three weeks after the breach was recognized by Equifax's security managers
    • the day after the biggest stock sales, the CTO in question holds a press conference announcing the breach

    I will admit that I probably am a bit off here, possibly very far off, as I haven't been watching things closely enough. However, the salient point which I seem to recall is that at least one of the executives who sold stock was one who, in a sane world, would have been among the first people apprised of the security failure, and the timing of the stock sale was both well after the problem was discovered, and suspiciously close to the public announcement on the topic.




  • Java Dev

    @hardwaregeek Sounds like how the nationalist party in Sweden is dealing with its key members doing criminal acts within the party and related businesses. By making sure the party leader is kept uninformed he can claim he had no knowledge of what was going on and therefore keep on not having to take responsibility for what happened whenever shit hits the fan. Genius!


  • Discourse touched me in a no-no place

    @scholrlea said in Equifax Part 2:

    I will admit that I probably am a bit off here, possibly very far off, as I haven't been watching things closely enough. However, the salient point which I seem to recall is that at least one of the executives who sold stock was one who, in a sane world, would have been among the first people apprised of the security failure, and the timing of the stock sale was both well after the problem was discovered, and suspiciously close to the public announcement on the topic.

    Also, press conferences need a bit of organising; you need to get the word out enough ahead of time to get the press to actually bother turning up.
