
This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!



Inauguration Day, Inauguration Hooooooraaay!
2017-09-08, 1:55 PM #4001
There was some uproar about the Equifax website TOS including a clause that has you agree to binding arbitration, but the NY AG has said that this is unenforceable, and Equifax had also added a section to their FAQ page that this doesn't apply to this security breach.

Not sure if I trust that reassurance to go check through their site just yet, though.
2017-09-08, 2:04 PM #4002
LMAO. From the Equifax FAQ on the breach.

2017-09-08, 2:09 PM #4003
So I was thinking I ought to freeze my credit file, as is required to be possible under CA law, for a nominal fee.

But get a load of this: "Equifax allows you to get a new PIN to unfreeze with if you provide personal identification, such as (seriously) the info that was stolen. I would not be shocked if the other two allow the same."

:psyduck:

In other words, everyone is ****ed.
2017-09-08, 2:11 PM #4004
Ahahahah: "The 10-digit PIN that Equifax assigns is NOT random. It is the date and time stamp from when the freeze was submitted. Literally every person who submits a freeze today will get 090817xxxx."
2017-09-08, 2:43 PM #4005
Let me tell you how it will turn out, because it's how these things always turn out.

Equifax will ask for all of the class action lawsuits to be consolidated. This will be granted. They will settle out of court for low tens of millions in legal fees and free vouchers for two credit freezes. They will deduct this cost from their taxes and it will cost them nothing.

The criminal investigation will find that information security is hard, and that Equifax did everything reasonable to protect confidential information. The hackers were just too good.

The government will advance legislation that limits the damages corporations can pay arising from security breaches.
2017-09-08, 5:28 PM #4006
Apparently the breach wasn't the fault of Equifax. An open source Java framework, Apache Struts, contained a remote execution vulnerability. The REST API of Struts lets you feed it XML that contains Java objects, but which are supposedly checked to ensure nothing is allowed to execute. However, during the decoding of the XML data, there also existed crafted forms of XML that would silently execute code as a side effect of the decoding, so that it might not even be detected, let alone discovered soon enough in the pipeline to sanitize....

The moral of the story, I am reading, is to simply use JSON instead of XML, but I am sure there are even better lessons here.
2017-09-08, 5:45 PM #4007
CVE-2013-0333.
2017-09-08, 5:50 PM #4008
(Just to be clear, the relevant CVE for this particular breach is CVE-2017-9805.)
2017-09-08, 5:52 PM #4009
Ah I see what you mean.

Yeah, just switching to JSON and crossing your fingers didn't sound like a good strategy to me. I suggest taking a sledgehammer to the machine instead.
2017-09-08, 6:27 PM #4010
I wonder if all these interpreted languages that people are using (apparently) with evals inside parsers of serialized data (in the example of the CVE that Jon`C mentioned, the Ruby YAML parser, which allows the execution of Ruby code under certain circumstances by design) might benefit from just spawning another execution context (doesn't have to be an entire VM, but why not). Let arbitrary code run, but without any side effects allowed.

Of course, taken literally to the extreme, "no side effects" means the computation is pretty much useless, so in a way this just begs the question.
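The two posts above describe decoders (Struts' XML handling, Ruby's YAML parser) that will instantiate whatever type the serialized input names. The defensive pattern is a decoder that consults an allowlist before resolving any type reference. This is an added illustration in Python, not code from the thread or from Struts: it uses Python's own `pickle`, whose default `Unpickler` has the same "input names the class" property, and restricts it by overriding `find_class` (a hook the standard library documents for exactly this purpose). The sample payloads are constructed inline.

```python
import datetime
import io
import pickle

# Allowlist of (module, name) pairs the decoder may resolve. Anything else,
# including classes whose constructor or __reduce__ runs code, is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves type references on SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Decode `data` with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Constructed sample inputs: a plain record, and one naming a class."""
    plain = pickle.dumps({"name": "x", "score": [1, 2]})
    # Plain containers and scalars never trigger find_class, so this passes.
    record = restricted_loads(plain)

    # datetime.date is harmless, but it stands in for any type the input
    # names that the application never intended to construct.
    tagged = pickle.dumps(datetime.date(2017, 9, 8))
    default_decoder_builds_it = pickle.loads(tagged) == datetime.date(2017, 9, 8)
    try:
        restricted_loads(tagged)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return {"record": record,
            "default_decoder_builds_it": default_decoder_builds_it,
            "rejected_by_allowlist": rejected}


if __name__ == "__main__":
    print(demo())
```

The point is the asymmetry: the default decoder happily constructs the named type, while the allowlisted decoder fails closed on the same bytes before any constructor runs.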
2017-09-08, 6:34 PM #4011
At any rate, why was a public REST API connected to the central database of people's private information? At best, querying it should have permitted firing off existing programs that do stuff with that data. Not query it directly, or change the recipient.

It seems that, from a security point of view, it is a bad idea to treat the computer as a black box if you use externally developed libraries. Or even internal libraries.
2017-09-08, 6:37 PM #4012
At the end of the day, though, if companies aren't punished for this, they aren't going to hire the kind of security experts that could have figured this out, and instead are going to use off the shelf open source stuff connected in a haphazard way just to save costs. And this example probably wasn't even necessarily among the worst examples of poorly configured servers, since it seems that they used the software the way it was intended, but had a bug upstream.
2017-09-08, 6:48 PM #4013
Originally posted by Reverend Jones:
At any rate, why was a public REST API connected to the central database of people's private information? At best, querying it should have permitted firing off existing programs that do stuff with that data. Not query it directly, or change the recipient.

It seems that, from a security point of view, it is a bad idea to treat the computer as a black box if you use externally developed libraries. Or even internal libraries.


This is the important take-away. Security requires robustness. If your security strategy completely falls apart because of a remote execution bug in vendor code (edit: i.e. a single network intruder), you are doing it wrong, and it is your fault.

This story is about Equifax not using fine grained permissions, not throttling users with suspicious access patterns, etc., but thanks to a ~carefully timed disclosure~ it's gonna be about a single software bug instead. Bravo, Equifax PR.
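The post above faults the absence of throttling for suspicious access patterns, independent of any single bug. As an added example (not code from the thread or from any Equifax system), here is a sliding-window detector over a constructed access log that flags any caller reading more than a threshold of distinct records within a short window; the log format, principal names and record ids are all invented for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log: ISO timestamp, calling principal, record id.
SAMPLE_LOG = """\
2017-09-08T14:00:01 app-portal 100231
2017-09-08T14:00:02 app-portal 100232
2017-09-08T14:00:02 app-portal 100233
2017-09-08T14:00:03 app-portal 100234
2017-09-08T14:00:03 app-portal 100235
2017-09-08T14:00:04 app-portal 100236
2017-09-08T14:05:00 dispute-svc 100250
2017-09-08T14:06:30 dispute-svc 100250
2017-09-08T14:09:00 dispute-svc 100251
"""


def parse_line(line):
    ts, principal, record = line.split()
    return datetime.fromisoformat(ts), principal, record


def find_bulk_readers(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {principal: (time_flagged, distinct_records)} for every caller
    that touched more than `threshold` distinct records inside `window`.
    Repeated reads of the same record (a normal retry) do not count twice."""
    recent = defaultdict(deque)  # principal -> (ts, record) pairs in window
    alerts = {}
    for line in log_text.splitlines():
        ts, who, rec = parse_line(line)
        q = recent[who]
        q.append((ts, rec))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > threshold and who not in alerts:
            alerts[who] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for who, (ts, n) in find_bulk_readers(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} {who}: {n} distinct records in one minute")
```

A production version would feed the alert into throttling or step-up authorization for that principal rather than only reporting it.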
2017-09-08, 6:59 PM #4014
Originally posted by Jon`C:
If your security strategy completely falls apart because of a remote execution bug in vendor code (edit: i.e. a single network intruder), you are doing it wrong, and it is your fault.


I'm sure Equifax's lawyers will imply hacking is basically wizardry that only Russian cyber-military intelligence is capable of, and they'll buy it because people are idiots.
2017-09-09, 7:30 AM #4015
[https://pbs.twimg.com/media/DJMi_nnUQAEgI25?format=jpg]

This is why I dislike how the U.S. handles so many things militarily. Because North Korea isn't wrong to have fears here.
2017-09-09, 1:37 PM #4016
Just posting this in case you heard about the Equifax breach and wondered what you can do to protect yourself.

Nothing.

The information that was stolen is the information Equifax uses to authenticate you. As Reverend Jones posted, credit freezes can be lifted using this information. Equifax has no other way to confirm your identity, which means as of this Friday no firms in America have any way to reliably confirm your identity either.

This is an apocalypse level information security event.
2017-09-09, 1:48 PM #4017
DONT WORY JON WE CAN JUST PUT IT ALL ON THE BLOCKCHAIN
Epstein didn't kill himself.
2017-09-09, 1:52 PM #4018
Might as well put it on a public ledger.
2017-09-09, 1:53 PM #4019
Fuuuuck, no way the idiots in power even understand the implications of this breach yet.
2017-09-09, 2:15 PM #4020
This is like the September 11th of identity theft.
Epstein didn't kill himself.
2017-09-09, 2:43 PM #4021
So I guess if a bounty hunter comes for me, I'll know what happened.
2017-09-09, 2:52 PM #4022
Ahahah wtf:

2017-09-09, 2:55 PM #4023
All I can think of is following the /r/personalfinance Equifax breach megathread to simply put a 90 day alert on your credit file with any (⇒ all) of the three bureaus.

Quote:
If you do nothing else, place an initial 90 day fraud alert on your file. This is free and will require lenders to contact you if someone (including yourself) tries to apply for credit.

You only have to do this with one bureau in order for the alert to be placed on all three, and it should take less than 5 minutes:

Equifax OR 1-888-766-0008
Experian OR 1-888-397-3742
Transunion OR 1-800-680-7289


https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
2017-09-09, 4:15 PM #4024
If I've never ordered a credit report, am I safe? Or am I ****ed for having any credit?
2017-09-09, 4:21 PM #4025
Your information was shared with Equifax by your financial institution and other information brokers without your knowledge or express consent. You are ****ed for having any credit.
2017-09-09, 4:23 PM #4026
Sometimes governments even use Equifax to authenticate their own citizens. Canada Post uses Equifax to authenticate mail forwarding requests.

Everybody is ****ed by this. Everybody. This is no joke a world ending disaster for all kinds of service providers that need to confirm your identity or background. "Name/DOB/SSN" is dead and there is nothing to replace it.
2017-09-09, 4:31 PM #4027
Now would be a good time for the government to show some forward thinking and come up with a comprehensive replacement for "Name/DOB/SSN" and nuke Equifax et al.

Hmm... well, maybe at least can you help come up with something for us Peter Thiel? We're in the libertarian utopia now right?
2017-09-09, 5:42 PM #4028
So then, uh, basically now I'm permanently vulnerable to identity theft and there's nothing anybody can do about it.
2017-09-09, 5:44 PM #4029
Maybe we can let the 90's technofuturist dream finally die, and realize that computer systems should not be used for certain things.
2017-09-09, 5:50 PM #4030
It's certainly a huge cost imposed on society for a really stupid reason.

The day that somebody does open a line of credit in your name, you're gonna want to be aware of this fact ASAP (sign up for credit alerts, you can put a 90 day alert on all three bureaus with the phone #'s I linked to, which can probably be extended, and I believe CreditKarma also has this feature).

The next thing to do should you actually be victimized is to file a police report, and in the meantime, do not talk to debt collectors. Do everything in writing and keep a paper trail, which apparently is like shoving Kryptonite in the CRA's faces.
2017-09-09, 5:53 PM #4031
Originally posted by Reid:
So then, uh, basically now I'm permanently vulnerable to identity theft and there's nothing anybody can do about it.


Yep
2017-09-09, 6:04 PM #4032
Their site claims my data wasn't exposed. But I'm still going to treat my information as though it was. Being American sucks for this reason.

Originally posted by Reverend Jones:
It's certainly a huge cost imposed on society for a really stupid reason.

The day that somebody does open a line of credit in your name, you're gonna want to be aware of this fact ASAP (sign up for credit alerts, you can put a 90 day alert on all three bureaus with the phone #'s I linked to, which can probably be extended, and I believe CreditKarma also has this feature).

The next thing to do should you actually be victimized is to file a police report, and in the meantime, do not talk to debt collectors. Do everything in writing and keep a paper trail, which apparently is like shoving Kryptonite in the CRA's faces.


I had fraudulent charges on my eBay account once that ended up in collections... fortunately eBay was great and handled it, but yeah, I've heard collectors can get nasty. I suppose I'll put in a freeze on my accounts anyway.
2017-09-09, 6:06 PM #4033
Ted Kaczynski was right. Except for the parts about mailing bombs, that was wrong. But the other stuff, that was pretty smart.
2017-09-09, 6:12 PM #4034
Quote:
After his arrest in 1996, Kaczynski tried unsuccessfully to dismiss his court-appointed lawyers because they wanted to plead insanity in order to avoid the death penalty, as Kaczynski did not believe he was insane.


Hell. Kaczynski was a baller.
2017-09-09, 6:15 PM #4035
Good to hear it wasn't affected, but keep in mind the shoddy organization that is telling you this.

For example, if you type in a bogus name and a bogus SSN, apparently they will claim that your information was stolen, and prompt you to sign up for their protection service. The whole thing is a racket.
2017-09-09, 6:19 PM #4036
Originally posted by Reid:
Ted Kaczynski was right. Except for the parts about mailing bombs, that was wrong. But the other stuff, that was pretty smart.


ehh, the man is not normal. Shy but nice kid, but he was socially dysfunctional as an adult. His students at Berkeley said that he never made eye contact and dismissed class early just to get away from them. You can say that the CIA did it to him at Harvard (see the same Atlantic article), but it's clearly a symptom of the same extreme desire to get away from civilization that he would later express violently.
2017-09-09, 6:25 PM #4037
Originally posted by Reverend Jones:
Good to hear it wasn't affected, but keep in mind the shoddy organization that is telling you this.

For example, if you type in a bogus name and a bogus SSN, apparently they will claim that your information was stolen, and prompt you to sign up for their protection service. The whole thing is a racket.


This. By all accounts, Equifax's site is simply returning a random result.

They probably don't even KNOW. They've probably guessed it's only half of the US based on how long it takes to download from their servers.
2017-09-09, 6:28 PM #4038
Originally posted by Reverend Jones:
ehh, the man is not normal. Shy but nice kid, but he was socially dysfunctional as an adult. His students at Berkeley said that he never made eye contact and dismissed class early just to get away from them. You can say that the CIA did it to him at Harvard (see the same Atlantic article), but it's clearly a symptom of the same extreme desire to get away from civilization that he would later express violently.


I mean, I'm not that bad, but I can't say I don't relate to the feeling. Students are a huge pain in the butt, and if you're already prone to anxiety, lecturing can be really stressful.
2017-09-09, 6:29 PM #4039
Originally posted by Jon`C:
This. By all accounts, Equifax's site is simply returning a random result.

They probably don't even KNOW. They've probably guessed it's only half of the US based on how long it takes to download from their servers.


This is why I'm just straight assuming my stuff was stolen still.
2017-09-09, 6:33 PM #4040
Originally posted by Reid:
I mean, I'm not that bad, but I can't say I don't relate to the feeling. Students are a huge pain in the butt, and if you're already prone to anxiety, lecturing can be really stressful.


No, I'm talking about not even being able to make eye contact, at all. Unless you are on the autistic spectrum, most people are capable of this. He was seriously traumatized. It may also have something to do with being crazy intelligent (youngest full professor at Berkeley at the time).