Equifax hack
Re: Equifax hack
Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
My experience with university accounts is that they're EXTREMELY hackable. Every university account I've ever held has been hacked at one time or another, and a lot of my colleagues have experienced the same. I've also had my SSN spilled several times by university IT depts, so the Equifax hack doesn't make a bit of difference to me. This isn't really surprising. University IT depts are typically underpaid, underfunded, and understaffed. I assume the same is true of most ISPs, which is the only other source of email accounts for most people.
Gmail seems a much safer alternative to me. Ironic given that the shabby university security is supposed to be safeguarding medical information, and this is the reason why they won't use the Lion/Gmail option.
BTW I can attest that credit freezes, at least in general, work. I tried to create an SSA account after freezing my accounts, and discovered I couldn't. Have to go in person to the nearest SS office.
Re: Equifax hack
I'll cede your point on university systems. You have more experience in that realm than I do.
The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.
> Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.
Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.
Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
Re: Equifax hack
All of this is correct.
Xan wrote:
> I'll cede your point on university systems. You have more experience in that realm than I do.
> The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.
> > Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.
> Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.
> Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.
> Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
(BTW, I'm pretty sure that there are a few Microsoft customers who have source-code access to Windows.)
Re: Equifax hack
If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
Re: Equifax hack
So you're saying it's really secure then?
Maddy wrote:
> If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
Re: Equifax hack
No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
Libertarian666 wrote:
> So you're saying it's really secure then?
> Maddy wrote:
> > If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
Re: Equifax hack
Yes, I was being sarcastic, thus the .
Maddy wrote:
> No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
> Libertarian666 wrote:
> > So you're saying it's really secure then?
> > Maddy wrote:
> > > If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
Re: Equifax hack
They've been hacked again....
https://www.cnbc.com/2017/10/12/equifax ... again.html
Apparently, one of their web pages was hacked to download malware, which makes me feel not so paranoid about thinking their whole Trusted ID thing was just another hack.