Equifax hack

WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Fri Sep 22, 2017 2:27 am

Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.

My experience with university accounts is that they're EXTREMELY hackable. Every university account I've ever held has been hacked at one time or another, and a lot of my colleagues have experienced the same. I've also had my SSN spilled several times by university IT depts, so the Equifax hack doesn't make a bit of difference to me. This isn't really surprising. University IT depts are typically underpaid, underfunded, and understaffed. I assume the same is true of most ISPs, which is the only other source of email accounts for most people.

Gmail seems a much safer alternative to me. Ironic given that the shabby university security is supposed to be safeguarding medical information, and this is the reason why they won't use the Lion/Gmail option.

BTW I can attest that credit freezes, at least in general, work. I tried to create an SSA account after freezing my accounts, and discovered I couldn't. Have to go in person to the nearest SS office.
Xan
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Fri Sep 22, 2017 8:50 am

I'll cede your point on university systems. You have more experience in that realm than I do.
Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.

Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.

Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.

Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Fri Sep 22, 2017 10:53 am

Xan wrote:I'll cede your point on university systems. You have more experience in that realm than I do.
Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.

Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.

Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.

Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
All of this is correct.

(BTW, I'm pretty sure that there are a few Microsoft customers who have source-code access to Windows.)
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 23, 2017 8:25 am

If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sat Sep 23, 2017 4:33 pm

Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
So you're saying it's really secure then? :P
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 23, 2017 7:23 pm

Libertarian666 wrote:
Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
So you're saying it's really secure then? :P
No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sat Sep 23, 2017 8:07 pm

Maddy wrote:
Libertarian666 wrote:
Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
So you're saying it's really secure then? :P
No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
Yes, I was being sarcastic, thus the :P .
farjean2
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Thu Oct 12, 2017 3:25 pm

They've been hacked again....

https://www.cnbc.com/2017/10/12/equifax ... again.html

Apparently, one of their web pages was hacked to download malware, which makes me feel not so paranoid about thinking their whole Trusted ID thing was just another hack.