Can't read today's front page article
-
Anyone have any idea why https://thedailywtf.com/articles/equitf is throwing 500s?
-
@masonwheeler Works for me
-
@timebandit OK, now it's finally loading, after spinning for 30 seconds.
-
@masonwheeler said in Can't read today's front page article:
Anyone have any idea why https://thedailywtf.com/articles/equitf is throwing 500s?
Maybe it does not like you?
-
-
I've noticed it's been giving 500 errors on-and-off on the front page for a few days now.
-
Worked for me though it took a while to load.
Here it is for your convenience:
by Remy Porter in News Roundup on 2017-09-28
Featured comment(s):
We generally don't do news roundups when yet another major company gets hacked and leaks personally compromising data about the public. We know that "big company hacked" isn't news, it's a Tuesday. So the Equifax hack didn't seem like something worth spending any time to write an article about.
But then new things kept coming out. It got worse. And worse. And worse. It's like if a dumpster caught on fire, but then the fire itself also caught on fire.
If you have been living under a rock, Equifax, a company that spies on the financial behavior of Americans and sells that intelligence to banks, credit card companies, and anyone else who's paying, was hacked, and the culprits have everything they need to steal the identities of 143 million people.
[Image: The Equifax logo being flushed in a toilet, complete with some artsy motion blur]
That's bad, but everything else about it is worse. First, the executives kept the breach secret for months, and then sold stock just before the news went public. That is a move so utterly brazen that they might as well be a drunk guy with no shirt shouting, "Come at me bro! Come at me!" They're daring the Securities and Exchange Commission to do something about it, and are confident that they won't be punished.
Speaking of punishment, the CEO retired, and he'll be crying about this over the $90M he's collecting this year. The CIO and CSO went first, of course. They probably won't be getting huge compensation packages, but I'm sure they'll land cushy gigs somewhere.
Said CSO, by the way, had no real qualifications to be a Chief Security Officer. Her background is in music composition.
Now, I want to be really clear here: I don't think her college degree is actually relevant. What you did in college isn't nearly as important as your work experience, which is the real problem- she doesn't really have that, either. She's spent her entire career in "executive" roles, and while she was a CSO before going to Equifax, that was at First Data. Funny thing about First Data: up until 2013 (about when she left), it was in a death spiral that was fixed after some serious house-cleaning and restructuring- like clearing out dead-weight in their C-level.
Don't worry about the poor shareholders, though. Remember Wells Fargo, the bank that fraudulently signed up lots of people for accounts? They list Equifax as an investment opportunity that's ready to "outperform".
That's the Peter Principle and corporate douchebaggery in action, and it certainly starts getting me angry, but this site isn't about class struggle- it's about IT. And it's on the IT side where the real WTFs come into play.
Equifax spies on you and sells the results. The US government put a mild restriction on this behavior: they can spy on you, but you have the right to demand that they stop selling the results. This is a "credit freeze", and every credit reporting agency- every business like Equifax- has to do this. They get to charge you money for the privilege, but they have to do it.
To "secure" this transaction, when you freeze your credit, the credit reporting companies give you a "password" which you can use in the future to unfreeze it (because if you want a new credit card, you have to let Equifax share your data again). Some agencies give you a random string. Some let you choose your own password. Equifax used the timestamp on your request.
The hack itself was due to an unpatched Struts installation. The flaw itself is a pretty fascinating one, where a maliciously crafted XML file gets deserialized into a ProcessBuilder object. The flaw was discovered in March, and a patch was available shortly thereafter. Apache rightfully called it "Critical", and encouraged all Struts users to apply the fix. Even if they didn't apply the fix, Apache provided workarounds- some of which were as simple as, "Turn off the REST plugin if you're not using it," or "if you ARE using it, turn off the XML part". It's certainly not the easiest fix, especially if you're on a much older version of Struts, but you could even patch just the REST plugin, cutting down on the total work.
Now, if you're paying attention, you might be saying to yourself, "Hey, Remy, didn't you say that they were breached (initially) in March? The month the bug was discovered? Isn't it kinda reasonable that they wouldn't have rolled out the fix in time?" Yes, that would be reasonable: if a flaw exposed in March was exploited within a few days or even weeks of the flaw being discovered, I could understand that. But remember, the breach that actually got announced was in July- they were breached in March, and they still didn't apply the patch. This honestly makes it worse.
Even then, I'd argue that we're giving them too much of the benefit of the doubt. I'm going to posit that they simply don't care. Not only did they not apply the patch, they likely had no intention of applying the patch, because they assumed they'd get away with it. Remember: you are the product, not the customer. If they accidentally cut the sheep while shearing, it doesn't matter: they've still got the wool.
As an example of "they clearly don't care", let's turn our attention to their Argentinian Branch, where their employee database was protected by the password admin/admin. Yes, with that super-secure password, you could log in from anywhere in the world and see the users' usernames, employee IDs, and personal details. Of course, their passwords were obscured as "******"… in the rendered DOM. A simple "View Source" would reveal the plaintext of their passwords, in true "hunter2" fashion.
Don't worry, it gets dumber. Along with the breach announcement, Equifax took to social media to direct users to a site where, upon entering their SSN, it would tell them whether or not they were compromised. That was the promise, but the reality was that it was little better than flipping a coin. Worse, the site was a thinly veiled ad for their "identity protection" service, and the agreement contained an arbitration clause which kept you from suing them.
That is, at least if you went to the right site. Setting aside the wisdom of encouraging users to put confidential information into random websites, for weeks Equifax's social media team was directing people to the wrong site! In fact, it was directing them to a site which warns about the dangers of putting confidential information into random websites.
And all of that, all of that, isn't the biggest WTF. The biggest WTF is the Social Security Number, which was never meant to be used as a private identifier, but as it's the closest thing to unique data about every American, it substitutes for a national identification system even when it's clearly ill-suited to the task.
I'll leave you with the CGP Grey video on the subject:
[Video: Your Social Security Card is Insecure – CGP Grey, 07:49]
Some identification :') (unregistered) 2017-09-28
The biggest WTF about SSN isn't that it is an identifier, the WTF is trying to use an identifier as an authenticator. The SSN identifies a person, there should be no need to keep an identifier secret. Knowing the SSN of a person should not entitle anybody to impersonate that person, just identify that person.
Knowing my address doesn't entitle you to settle in my house, does it?
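The article above mentions the "turn off the XML part" workaround for the Struts REST plugin. Here is an added example (not from the article or from Apache Struts) of a small audit check a defender could run over a struts.xml to see whether that workaround has been applied. It assumes that the REST plugin routes .xml requests to its XStream-backed handler whenever "xml" is in the struts.action.extension constant, and that the plugin's own default for that constant is xhtml,,xml,json; verify both against the Struts version you actually run.

```python
import xml.etree.ElementTree as ET

# Assumption: the REST plugin's struts-plugin.xml sets this default when the
# application does not override it. The empty entry means extension-less URLs.
REST_PLUGIN_DEFAULT_EXTENSIONS = ["xhtml", "", "xml", "json"]
CONSTANT_NAME = "struts.action.extension"


def configured_extensions(struts_xml):
    """Return the action extensions in effect for the given struts.xml text.

    If the application never sets struts.action.extension, the REST plugin's
    default (which includes xml) is assumed to apply.
    """
    root = ET.fromstring(struts_xml)
    value = None
    for const in root.iter("constant"):  # later definitions override earlier ones
        if const.get("name") == CONSTANT_NAME:
            value = const.get("value", "")
    if value is None:
        return list(REST_PLUGIN_DEFAULT_EXTENSIONS)
    return [ext.strip() for ext in value.split(",")]


def xml_handler_exposed(struts_xml):
    """True when .xml requests would still reach the REST plugin's XML
    deserializer, i.e. the 'turn off the XML part' workaround is missing."""
    return "xml" in configured_extensions(struts_xml)


# Constructed sample: an app that enables the REST plugin and never touches
# the extension list, so the plugin default (with xml) is in effect.
UNHARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="api" extends="rest-default" namespace="/api"/>
</struts>"""

# Constructed sample: the same app with the xml extension dropped, leaving
# only xhtml, extension-less and JSON requests for the REST plugin.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.action.extension" value="xhtml,,json"/>
  <package name="api" extends="rest-default" namespace="/api"/>
</struts>"""

if __name__ == "__main__":
    for label, cfg in (("unhardened", UNHARDENED_STRUTS_XML),
                       ("hardened", HARDENED_STRUTS_XML)):
        print(f"{label}: xml handler exposed = {xml_handler_exposed(cfg)}")
```

This only tells you whether the workaround is configured; the real fix the article describes is still to patch Struts or the REST plugin itself.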
-
-
@remi Ah yes, I knew the mention looked strange somehow, put I couldn't put my finger on it. Sorry.
-
@zecc No worries. I wouldn't mind getting TD paycheck to Remy as well. Even if said paycheck is just a mug, I'd take it :-)