Equifax hack

Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 16, 2017 6:14 am

You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.

I wonder whether today's young people even remember a time when life didn't involve a constant barrage of technology-related stresses. Are they even aware of how much their "toys" are costing them in terms of quality of life?
Xan
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Sat Sep 16, 2017 3:07 pm

There's nothing inherently insecure about collaboratively-developed software. Equifax could have developed their own everything, I suppose, but it would have been enormously expensive and it's a virtual certainty it would be much, much worse security-wise than anything from the Apache project.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 12:13 pm

WiseOne wrote:
farjean2 wrote:
ochotona wrote:EF says they will waive credit freeze fees for 30 days
How generous of them.

Nice windfall for Experian and TransUnion who aren't waiving fees.
My sister just checked the Equifax site and had some excellent questions. Her entire family including her two kids, who have no credit history at all not to mention that the family live in Canada, came up as potentially compromised. My sister pointed out that searching a database of 143 million SSNs should take a while, whereas the site instantly comes back with the answer "yes".
A lookup just to see if an SSN is in a database should take a few disk accesses, totaling considerably less than a second. And that's if they aren't using SSDs, which would make it much faster.

Of course the fastest way is to use a bit map, which would take 125 MB of RAM (a pittance these days) and could return the answer within a few CPU clock cycles (each of which takes less than a nanosecond).
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:18 pm

WiseOne wrote:Is it common for institutions with reams of highly sensitive data to use open source software???

Given what they're holding, Equifax's security should be more like the NSA, the Pentagon, and major banks like Chase. It shouldn't be run like a video game company. I'm a little shocked that they were using open source software, and still more shocked that the lawyers who should be crawling around all over the place allowed such a thing. Because, you know, there has to be someone to sue when something goes wrong.
Open source is no less secure than proprietary code.

It might be more secure because more people can look for and fix bugs.

"Security through obscurity" doesn't work, for code at least.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:19 pm

So does that mean that the music stopped?
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:20 pm

Maddy wrote:You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.
So are you using Morse code or smoke signals to post here?
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:28 pm

Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
Right. Don't use your cell phone for the second factor, if you have a choice. Use your email address, which is harder to take over.
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sun Sep 17, 2017 1:44 pm

Libertarian666 wrote:
Maddy wrote:You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.
So are you using Morse code or smoke signals to post here?
Compared to most of you, a slow satellite internet connection that works about half the time is pretty basic. But for the fact that telephone service here is frequently down and there's no cell phone reception, having internet service at least part of the time provides at least some assurance that in the event of an emergency (wild fire, for example) I'd have some way of knowing what's going on. Were it not for that need, I'd disconnect entirely. In fact, I'm getting into ham radio, which makes much more sense all the way around.

I never claimed to be a purist. In my case, it's not about ideology, but rather a practical choice to do without the stress and aggravation.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:58 pm

Maddy wrote:
Libertarian666 wrote:
Maddy wrote:You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.
So are you using Morse code or smoke signals to post here?
Compared to most of you, a slow satellite internet connection that works about half the time is pretty basic. But for the fact that telephone service here is frequently down and there's no cell phone reception, having internet service at least part of the time provides at least some assurance that in the event of an emergency (wild fire, for example) I'd have some way of knowing what's going on. Were it not for that need, I'd disconnect entirely. In fact, I'm getting into ham radio, which makes much more sense all the way around.

I never claimed to be a purist. In my case, it's not about ideology, but rather a practical choice to do without the stress and aggravation.
Ham radio makes a lot of sense for emergency conditions. That's why I set up a station for Y2K, although I haven't participated in the last 10 years or so.

And for the rest, I was pulling your leg.
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sun Sep 17, 2017 4:42 pm

Libertarian666 wrote: I was pulling your leg.
Oh good. :)
WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Thu Sep 21, 2017 2:29 am

Libertarian666 wrote:
Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
Right. Don't use your cell phone for the second factor, if you have a choice. Use your email address, which is harder to take over.
Are you sure about that??

It might depend on where you have your email address. A university or small company's email server would probably be less safe than a cell phone. Gmail probably pretty good, but who knows. If you used to think that Yahoo was safe, you must have gotten quite a surprise a while back.
ochotona
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Thu Sep 21, 2017 5:25 am

Charles Schwab gave me a token which has a six digit PIN for account access. The code changes every 30 seconds or so. I feel much safer than otherwise, though I'm sure some criminal knows the algo used to generate the codes. Nothing is perfectly safe. They have a hacking guarantee anyway, they will restore theft from hacking.
Mountaineer
Executive Member
Posts: 4959
Joined: Tue Feb 07, 2012 10:54 am

Re: Equifax hack

Post by Mountaineer » Thu Sep 21, 2017 6:39 am

This is my experience with Equifax after the hack. I decided to see if my wife and I were affected by the Equifax hack on their website. We were. I then decided to enroll in the "free" TrustedID Premier service they were offering. I filled out the online form and submitted. Was told on the online site I would receive an email in a couple of days to verify my information and complete the signup process. I received that email after 3 or 4 days, and tried to complete the enrollment - got an error message that I would need to call their customer care number to complete the enrollment as it could not be done on line. Over the next two days, after being on hold for extended periods each time, I spoke with three different customer care agents. The first two did not speak English as a first language, I could not understand much of what they said; they gave up and said to call back later (with the excuse their computers were out of service temporarily). The third agent I spoke with had very good diction in English but clearly did not have an understanding of the language. He kept transposing digits when repeating them back to me. He asked me the same questions three or four times. There were several other mistakes on his part. I came to the conclusion he had no comprehension of English or what he was doing so I asked to speak to his supervisor. Finally, he agreed and put me on hold ... then the call was disconnected. All in all, I probably spent three plus hours trying to enroll.

My conclusion: Buyer beware!!!!!!!! I would no more trust Equifax to perform well with their "TrustedID Premier" service than I would trust a used car salesman to sell me a slightly used Yugo. It seemed to me that both their computer systems and their people are incompetent, at least those that I dealt with. I have little confidence that the credit freeze I placed with Equifax will actually work. The credit freezes I established at the other agencies went smoothly.
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
Xan
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Thu Sep 21, 2017 11:08 am

WiseOne wrote:Are you sure about that??

It might depend on where you have your email address. A university or small company's email server would probably be less safe than a cell phone. Gmail probably pretty good, but who knows. If you used to think that Yahoo was safe, you must have gotten quite a surprise a while back.
WiseOne, you and I seem to have different instincts on things like this. Like the other day, when your presumption was that open-source software is less secure than closed-source.

From my perspective, I would think that your email at a university or small company would be much LESS hackable than a big provider like Google. If nothing else, because Google has a "forgot my password" feature, and the small company or university probably requires you to go talk to an admin. Google is a big target with known procedures, and every university or small company has a different setup.

But I do this kind of thing for a living, so it makes sense that my perspective might be different. What's weird is that I hadn't considered that anybody would think otherwise on either of those two questions.

So now I'm REALLY wondering what kind of medical ideas I might have in my head which you'd think are totally bonkers!
WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Fri Sep 22, 2017 2:27 am

Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.

My experience with university accounts is that they're EXTREMELY hackable. Every university account I've ever held has been hacked at one time or another, and a lot of my colleagues have experienced the same. I've also had my SSN spilled several times by university IT depts, so the Equifax hack doesn't make a bit of difference to me. This isn't really surprising. University IT depts are typically underpaid, underfunded, and understaffed. I assume the same is true of most ISPs, which is the only other source of email accounts for most people.

Gmail seems a much safer alternative to me. Ironic given that the shabby university security is supposed to be safeguarding medical information, and this is the reason why they won't use the Lion/Gmail option.

BTW I can attest that credit freezes, at least in general, work. I tried to create an SSA account after freezing my accounts, and discovered I couldn't. Have to go in person to the nearest SS office.
Xan
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Fri Sep 22, 2017 8:50 am

I'll cede your point on university systems. You have more experience in that realm than I do.
Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.

Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.

Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.

Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Fri Sep 22, 2017 10:53 am

Xan wrote:I'll cede your point on university systems. You have more experience in that realm than I do.
Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.

Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.

Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.

Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
All of this is correct.

(BTW, I'm pretty sure that there are a few Microsoft customers who have source-code access to Windows.)
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 23, 2017 8:25 am

If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sat Sep 23, 2017 4:33 pm

Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
So you're saying it's really secure then? :P
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 23, 2017 7:23 pm

Libertarian666 wrote:
Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
So you're saying it's really secure then? :P
No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sat Sep 23, 2017 8:07 pm

Maddy wrote:
Libertarian666 wrote:
Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
So you're saying it's really secure then? :P
No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
Yes, I was being sarcastic, thus the :P .
farjean2
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Thu Oct 12, 2017 3:25 pm

They've been hacked again....

https://www.cnbc.com/2017/10/12/equifax ... again.html

Apparently, one of their web pages was hacked to download malware which makes me feel not so paranoid about thinking their whole Trusted ID thing was just another hack.