
Thread: Inauguration Day, Inauguration Hooooooraaay!

  1. #4001
    There was some uproar about the Equifax website TOS including a clause that has you agree to binding arbitration, but the NY AG has said that this is unenforceable, and Equifax had also added a section to their FAQ page that this doesn't apply to this security breach.

    Not sure if I trust that reassurance to go check through their site just yet, though.
    Last edited by Reverend Jones; 09-08-2017 at 03:59 PM.

  2. #4002
    LMAO. From the Equifax FAQ on the breach.

    [Image attachment: well_thank_god_for_that.png]

  3. #4003
    So I was thinking I ought to freeze my credit file, as is required to be possible under CA law, for a nominal fee.

    But get a load of this: "Equifax allows you to get a new PIN to unfreeze with if you provide personal identification, such as (seriously) the info that was stolen. I would not be shocked if the other two allow the same."



    In other words, everyone is ****ed.

  4. #4004
    Ahahahah: "The 10-digit PIN that Equifax assigns is NOT random. It is the date and time stamp from when the freeze was submitted. Literally every person who submits a freeze today will get 090817xxxx."
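
Added example, not from the thread: a small model of why a timestamp-derived PIN is worthless. The post quotes a 10-digit PIN built from the freeze date and time; the assumption here is that the four digits after MMDDYY are HHMM, which gives an attacker who knows the freeze date at most 1,440 guesses. The secure alternative is a PIN drawn from a CSPRNG.

```python
import secrets
from datetime import datetime, timedelta
from typing import List


def timestamp_pin(freeze_time: datetime) -> str:
    """Model of the scheme quoted in the post: MMDDYY followed by HHMM.
    That the trailing four digits are HHMM is an assumption for this demo."""
    return freeze_time.strftime("%m%d%y%H%M")


def candidate_pins(year: int, month: int, day: int) -> List[str]:
    """Every PIN a timestamp scheme could have issued on one day: 1,440
    values, one per minute. An attacker who knows the freeze date needs at
    most this many guesses; knowing 'this afternoon' cuts it further."""
    start = datetime(year, month, day)
    return [timestamp_pin(start + timedelta(minutes=m)) for m in range(24 * 60)]


def random_pin(digits: int = 10) -> str:
    """What the PIN should be: drawn from a CSPRNG, so each of the 10**digits
    values is equally likely and the issue date tells the attacker nothing."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def keyspace_ratio(digits: int = 10) -> int:
    """How many times larger the random keyspace is than one day of timestamps."""
    return 10 ** digits // (24 * 60)


if __name__ == "__main__":
    day = candidate_pins(2017, 9, 8)
    print(day[0], "...", day[-1], f"({len(day)} candidates for 2017-09-08)")
    print("random:", random_pin(), "keyspace ratio:", keyspace_ratio())
```

Even a random PIN only helps if the reset path is also fixed: as the previous post notes, a PIN that can be reissued by presenting the same stolen identity data is no stronger than that data.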

  5. #4005
    Admiral of Awesome
    Posts
    18,117
    Let me tell you how it will turn out, because it's how these things always turn out.

    Equifax will ask for all of the class action lawsuits to be consolidated. This will be granted. They will settle out of court for low tens of millions in legal fees and free vouchers for two credit freezes. They will deduct this cost from their taxes and it will cost them nothing.

    The criminal investigation will find that information security is hard, and that Equifax did everything reasonable to protect confidential information. The hackers were just too good.

    The government will advance legislation that limits the damages corporations can pay arising from security breaches.

  6. #4006
    Apparently the breach wasn't the fault of Equifax. An open source Java framework, Apache Struts, contained a remote execution vulnerability. The REST API of Struts lets you feed it XML that contains Java objects, but which are supposedly checked to ensure nothing is allowed to execute. However, during the decoding of the XML data, there also existed crafted forms of XML that would silently execute code as a side effect of the decoding, so that it might not even be detected, let alone discovered soon enough in the pipeline to sanitize....

    The moral of the story, I am reading, is to simply use JSON instead of XML, but I am sure there are even better lessons here.
    Last edited by Reverend Jones; 09-08-2017 at 08:17 PM.

  7. #4007
    Admiral of Awesome
    Posts
    18,117
    CVE-2013-0333.

  8. #4008
    (Just to be clear, the relevant CVE for this particular breach is CVE-2017-9805.)

  9. #4009
    Ah I see what you mean.

    Yeah, just switching to JSON and crossing your fingers didn't sound like a good strategy to me. I suggest taking a sledgehammer to the machine instead.
    Last edited by Reverend Jones; 09-08-2017 at 08:18 PM.

  10. #4010
    I wonder if all these interpreted languages that people are using (apparently) with evals inside parsers of serialized data (in the example of the CVE that Jon`C mentioned, the Ruby YAML parser, which allows the execution of Ruby code under certain circumstances by design) might benefit from just spawning another execution context (doesn't have to be an entire VM, but why not). Let arbitrary code run, but without any side effects allowed.

    Of course, taken literally to the extreme, "no side effects" means the computation is pretty much useless, so in a way this just begs the question.
    Last edited by Reverend Jones; 09-08-2017 at 08:29 PM.
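
Added example, not from the thread or from the Struts project: the failure mode described in #4006 and #4010 (decoding attacker-controlled serialized data instantiates whatever types the data names, and reconstruction of one of those types runs code) demonstrated with Python's pickle standing in for XStream XML or Ruby YAML, since the mechanism is the same. The `Gadget` class, the payload and the `AllowlistUnpickler` are all constructed for this demo. Rather than the sandbox #4010 proposes, the hardened decoder simply refuses to let the input choose types outside an explicit allowlist.

```python
import io
import pickle
import subprocess
import sys
from collections import OrderedDict


class Gadget:
    """Toy 'gadget': a type whose reconstruction during decoding runs a
    command. In real deserializers such gadgets live in ordinary library
    classes; the attacker only needs to name one in the payload."""

    def __reduce__(self):
        # The loader will call subprocess.check_output([...]) to "rebuild" us.
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('code ran during decode')"],))


def malicious_payload() -> bytes:
    """What an attacker would send: bytes that look like harmless data."""
    return pickle.dumps(Gadget())


def unsafe_loads(data: bytes):
    """Vulnerable decoder: the input decides which callables get resolved."""
    return pickle.loads(data)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened decoder: the input may only reference explicitly allowed
    types. This is the shape of the usual fix for this bug class (an
    allowlist of types the decoder may instantiate), not a sandbox."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def demo():
    payload = malicious_payload()
    ran = unsafe_loads(payload)          # command executes; we get its stdout
    try:
        safe_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                   # payload rejected before any call
    # Legitimate data still round-trips through the hardened decoder.
    benign = safe_loads(pickle.dumps(OrderedDict(name="x", dob="1970-01-01")))
    return ran.strip(), blocked, benign


if __name__ == "__main__":
    print(demo())
```

Note that `unsafe_loads` never inspects the decoded object; the command has already run by the time `pickle.loads` returns, which is exactly the "side effect of the decoding" #4006 describes and why post-decode validation cannot catch it.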

  11. #4011
    At any rate, why was a public REST API connected to the central database of people's private information? At best, querying it should have permitted firing off existing programs that do stuff with that data. Not query it directly, or change the recipient.

    It seems that, from a security point of view, it is a bad idea to treat the computer as a black box if you use externally developed libraries. Or even internal libraries.

  12. #4012
    At the end of the day, though, if companies aren't punished for this, they aren't going to hire the kind of security experts that could have figured this out, and instead are going to use off the shelf open source stuff connected in a haphazard way just to save costs. And this example probably wasn't even necessarily among the worst examples of poorly configured servers, since it seems that they used the software the way it was intended, but had a bug upstream.

  13. #4013
    Admiral of Awesome
    Posts
    18,117
    Quote Originally Posted by Reverend Jones View Post
    At any rate, why was a public REST API connected to the central database of people's private information? At best, querying it should have permitted firing off existing programs that do stuff with that data. Not query it directly, or change the recipient.

    It seems that, from a security point of view, it is a bad idea to treat the computer as a black box if you use externally developed libraries. Or even internal libraries.
    This is the important take-away. Security requires robustness. If your security strategy completely falls apart because of a remote execution bug in vendor code (edit: i.e. a single network intruder), you are doing it wrong, and it is your fault.

    This story is about Equifax not using fine grained permissions, not throttling users with suspicious access patterns, etc., but thanks to a ~carefully timed disclosure~ it's gonna be about a single software bug instead. Bravo, Equifax PR.
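
Added example, not from the thread: the "throttling users with suspicious access patterns" control the post says was missing, as detection logic run over a few constructed access-log lines. The log format, client addresses, record IDs and dates are all invented for the demo; the detector flags any client that pulls more than a threshold of distinct consumer records inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (format and values are invented for this demo).
SAMPLE_LOG = [
    # one client re-reading a single record: normal behaviour
    "2017-05-13T10:00:00Z client=10.0.0.5 path=/consumer/100000001 status=200",
    "2017-05-13T10:00:05Z client=10.0.0.5 path=/consumer/100000001 status=200",
    "2017-05-13T10:00:09Z client=10.0.0.5 path=/consumer/100000001 status=200",
    "this line is malformed and must be skipped rather than crash the detector",
]
# enumerator: seven distinct records in seven seconds
SAMPLE_LOG += [
    f"2017-05-13T10:00:{s:02d}Z client=203.0.113.9 path=/consumer/10000000{s} status=200"
    for s in range(1, 8)
]
# slow crawler: seven distinct records, one every two minutes
SAMPLE_LOG += [
    f"2017-05-13T10:{2 * i:02d}:00Z client=198.51.100.7 path=/consumer/20000000{i} status=200"
    for i in range(7)
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=/consumer/(?P<id>\d+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Return (timestamp, client, record_id) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["client"], m["id"]


def flag_enumerators(lines, max_distinct=5, window_seconds=60):
    """Map each offending client to the timestamp at which it first exceeded
    max_distinct distinct consumer records within any window_seconds window.
    Lines for a given client are expected in time order."""
    windows = defaultdict(deque)  # client -> deque of (ts, record_id)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, rec = parsed
        q = windows[client]
        q.append((ts, rec))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                      # drop events outside the window
        distinct = {r for _, r in q}
        if len(distinct) > max_distinct and client not in flagged:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, when in flag_enumerators(SAMPLE_LOG).items():
        print(f"{client} exceeded the distinct-record threshold at {when}")
```

The slow crawler (198.51.100.7) is the caveat: a single short-window threshold misses anyone patient enough to stay under it, so in practice this sits alongside longer-horizon quotas and, as the post says, per-record entitlements that stop a single compromised front end from reading records it has no business with at all.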

  14. #4014
    ^^vv<><>BASTART
    Posts
    8,767
    Quote Originally Posted by Jon`C View Post
    If your security strategy completely falls apart because of a remote execution bug in vendor code (edit: i.e. a single network intruder), you are doing it wrong, and it is your fault.
    I'm sure Equifax's lawyers will imply hacking is basically wizardry that only Russian cyber-military intelligence is capable of, and they'll buy it because people are idiots.

  15. #4015
    ^^vv<><>BASTART
    Posts
    8,767


    This is why I dislike how the U.S. handles so many things militarily. Because North Korea isn't wrong to have fears here.

  16. #4016
    Admiral of Awesome
    Posts
    18,117
    Just posting this in case you heard about the Equifax breach and wondered what you can do to protect yourself.

    Nothing.

    The information that was stolen is the information Equifax uses to authenticate you. As Reverend Jones posted, credit freezes can be lifted using this information. Equifax has no other way to confirm your identity, which means as of this Friday no firms in America have any way to reliably confirm your identity either.

    This is an apocalypse level information security event.
    Last edited by Jon`C; 09-09-2017 at 03:40 PM.

  17. #4017
    DONT WORY JON WE CAN JUST PUT IT ALL ON THE BLOCKCHAIN
    sniff

  18. #4018
    Admiral of Awesome
    Posts
    18,117
    Might as well put it on a public ledger.

  19. #4019
    Admiral of Awesome
    Posts
    18,117
    Fuuuuck, no way the idiots in power even understand the implications of this breach yet.

  20. #4020
    This is like the September 11th of identity theft.
    sniff

  21. #4021
    ^^vv<><>BASTART
    Posts
    8,767
    So I guess if a bounty hunter comes for me, I'll know what happened.

  22. #4022
    Ahahah wtf:

    [Image attachment: wtf.png]

  23. #4023
    All I can think of is following the /r/personalfinance Equifax breach megathread to simply put a 90 day alert on your credit file with any (⇒ all) of the three bureaus.

    If you do nothing else, place an initial 90 day fraud alert on your file. This is free and will require lenders to contact you if someone (including yourself) tries to apply for credit.

    You only have to do this with one bureau in order for the alert to be placed on all three, and it should take less than 5 minutes:

    Equifax OR 1-888-766-0008
    Experian OR 1-888-397-3742
    Transunion OR 1-800-680-7289
    https://www.consumer.ftc.gov/article...ce-fraud-alert
    Last edited by Reverend Jones; 09-09-2017 at 05:10 PM.

  24. #4024
    ^^vv<><>BASTART
    Posts
    8,767
    If I've never ordered a credit report, am I safe? Or am I ****ed for having any credit?

  25. #4025
    Admiral of Awesome
    Posts
    18,117
    Your information was shared with Equifax by your financial institution and other information brokers without your knowledge or express consent. You are ****ed for having any credit.

  26. #4026
    Admiral of Awesome
    Posts
    18,117
    Sometimes governments even use Equifax to authenticate their own citizens. Canada Post uses Equifax to authenticate mail forwarding requests.

    Everybody is ****ed by this. Everybody. This is no joke a world ending disaster for all kinds of service providers that need to confirm your identity or background. "Name/DOB/SSN" is dead and there is nothing to replace it.

  27. #4027
    Now would be a good time for the government to show some forward thinking and come up with a comprehensive replacement for "Name/DOB/SSN" and nuke Equifax et al.

    Hmm... well, maybe at least can you help come up with something for us Peter Thiel? We're in the libertarian utopia now right?

  28. #4028
    ^^vv<><>BASTART
    Posts
    8,767
    So then, uh, basically now I'm permanently vulnerable to identity theft and there's nothing anybody can do about it.

  29. #4029
    ^^vv<><>BASTART
    Posts
    8,767
    Maybe we can let the '90s technofuturist dream finally die, and realize that computer systems should not be used for certain things.

  30. #4030
    It's certainly a huge cost imposed on society for a really stupid reason.

    The day that somebody does open a line of credit in your name, you're gonna want to be aware of this fact ASAP (sign up for credit alerts, you can put a 90 day alert on all three bureaus with the phone #'s I linked to, which can probably be extended, and I believe CreditKarma also has this feature).

    The next thing to do should you actually be victimized is to file a police report, and in the mean time, do not talk to debt collectors. Do everything in writing and keep a paper trail, which apparently is like shoving Kryptonite in the CRA's faces.

  31. #4031
    Admiral of Awesome
    Posts
    18,117
    Quote Originally Posted by Reid View Post
    So then, uh, basically now I'm permanently vulnerable to identity theft and there's nothing anybody can do about it.
    Yep

  32. #4032
    ^^vv<><>BASTART
    Posts
    8,767
    Their site claims my data wasn't exposed. But I'm still going to treat my information as though it was. Being American sucks for this reason.

    Quote Originally Posted by Reverend Jones View Post
    It's certainly a huge cost imposed on society for a really stupid reason.

    The day that somebody does open a line of credit in your name, you're gonna want to be aware of this fact ASAP (sign up for credit alerts, you can put a 90 day alert on all three bureaus with the phone #'s I linked to, which can probably be extended, and I believe CreditKarma also has this feature).

    The next thing to do should you actually be victimized is to file a police report, and in the mean time, do not talk to debt collectors. Do everything in writing and keep a paper trail, which apparently is like shoving Kryptonite in the CRA's faces.
    I had fraudulent charges on my ebay account once that ended up in collections. Fortunately ebay was great and handled it, but yeah, I've heard collectors can get nasty. I suppose I'll put in a freeze on my accounts anyway.

  33. #4033
    ^^vv<><>BASTART
    Posts
    8,767
    Ted Kaczynski was right. Except for the parts about mailing bombs, that was wrong. But the other stuff, that was pretty smart.

  34. #4034
    ^^vv<><>BASTART
    Posts
    8,767
    After his arrest in 1996, Kaczynski tried unsuccessfully to dismiss his court-appointed lawyers because they wanted to plead insanity in order to avoid the death penalty, as Kaczynski did not believe he was insane.
    Hell. Kaczynski was a baller.

  35. #4035
    Good to hear it wasn't affected, but keep in mind the shoddy organization that is telling you this.

    For example, if you type in a bogus name and a bogus SSN, apparently they will claim that your information was stolen, and prompt you to sign up for their protection service. The whole thing is a racket.

  36. #4036
    Quote Originally Posted by Reid View Post
    Ted Kaczynski was right. Except for the parts about mailing bombs, that was wrong. But the other stuff, that was pretty smart.
    ehh, the man is not normal. Shy but nice kid, but he was socially dysfunctional as an adult. His students at Berkeley said that he never made eye contact and dismissed class early just to get away from them. You can say that the CIA did it to him at Harvard (see the same Atlantic article), but it's clearly a symptom of the same extreme desire to get away from civilization that he would later express violently.

  37. #4037
    Admiral of Awesome
    Posts
    18,117
    Quote Originally Posted by Reverend Jones View Post
    Good to hear it wasn't affected, but keep in mind the shoddy organization that is telling you this.

    For example, if you type in a bogus name and a bogus SSN, apparently they will claim that your information was stolen, and prompt you to sign up for their protection service. The whole thing is a racket.
    This. By all accounts, Equifax's site is simply returning a random result.

    They probably don't even KNOW. They've probably guessed it's only half of the US based on how long it takes to download from their servers.

  38. #4038
    ^^vv<><>BASTART
    Posts
    8,767
    Quote Originally Posted by Reverend Jones View Post
    ehh, the man is not normal. Shy but nice kid, but he was socially dysfunctional as an adult. His students at Berkeley said that he never made eye contact and dismissed class early just to get away from them. You can say that the CIA did it to him at Harvard (see the same Atlantic article), but it's clearly a symptom of the same extreme desire to get away from civilization that he would later express violently.
    I mean, I'm not that bad, but I can't say I don't relate to the feeling. Students are a huge pain in the butt, and if you're already prone to anxiety, lecturing can be really stressful.

  39. #4039
    ^^vv<><>BASTART
    Posts
    8,767
    Quote Originally Posted by Jon`C View Post
    This. By all accounts, Equifax's site is simply returning a random result.

    They probably don't even KNOW. They've probably guessed it's only half of the US based on how long it takes to download from their servers.
    This is why I'm just straight assuming my stuff was stolen still.

  40. #4040
    Quote Originally Posted by Reid View Post
    I mean, I'm not that bad, but I can't say I don't relate to the feeling. Students are a huge pain in the butt, and if you're already prone to anxiety, lecturing can be really stressful.
    No, I'm talking about not even being able to make eye contact, at all. Unless you are on the autistic spectrum, most people are capable of this. He was seriously traumatized. It may also have something to do with being crazy intelligent (youngest full professor at Berkeley at the time).
