Posted: 2017-11-15 07:37
On the safety side, let's look at DO-678B (now C) for aerospace. They require carefully documented requirements, design, and so on, with code proven to match it through code review and rigorous testing. It has to pass certification with no problems for them to make money on it. Re-certification is expensive. That led to vendors throwing as much QA as possible at their code, which they simplified as much as possible. A whole ecosystem sprang up for safe languages, drivers, protocols, and so on. Also, tools for automating testing, supporting reviews, semi-automated generation of code, etc. The quality of all of this is much, much higher than is typical of mainstream proprietary or FOSS apps. So, again, the sensible regulations worked.
The "rotten borough" of the way the law is currently operating is a huge part of the problem. We see in many areas that the law is made for people who harm others on a large scale, but who get away free with their bonuses and often their job intact. People and organisations playing fast and loose with other people's information without consent, and harming them by their carelessness, to make money. Color me old-fashioned; that used to mean fraud. These days, it's corporate profit.
If I am going to have someone lie to me, let it be an organization that bears some liability to the people. This is not just some corporation; it is a credit bureau. Federal agents from some forensic unit could at least nod their heads for the record. You obviously cannot use a second security firm without non-disclosure and more doubt. The client, Equifax, gets to pick words. A federal agency needs to bear part of this liability.
I have read Threatpost for a while now, and know them to be guilty of feeding readers speculation in order to pretend they are on the leading edge of the story when no one has official statements. None of the people referenced in that news post were close to the situation. That means they were not in the Equifax cubicles when this went down, even if someone from Apache said EFX did not update their servers for months. That does not mean that is what really happened. Logic games.
The most useful thing the government could do at this point is a new law on identity theft that shifts all responsibility for fraudulent accounts to the company that opened them. So a person who finds an account that isn't theirs need do no more than declare "not my problem", and it is then up to the business to find out if it is. While they investigate, the account shouldn't be reported in any way that would negatively affect the victim.
Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.
If we are dreaming, then a good place to start would be to repeal the stupid laws that allowed the SSN to become a universal identifier. Return the number to its original function as an account number for the individual's Social Security account. Then make it illegal to even ask for it outside the context of Social Security. Then do the same with the Driver's License number. Then make it absolutely illegal to use *any* government-issued number as an identifier outside of its original context.
The US justice system is one where both sides pay their own costs, which would normally allow a large corporate to flick away claims from ordinary people by a whole load of legal tactics repeated over and over for each case. Thus the point about a class action suit is to "redress the balance" to give more "equity at arms", as well as providing the individuals with a degree of protection and, importantly, not tying the slender resources of the court system up for an indefinite period.
GDPR states that data controllers (FIs and EFX) must protect the data from unauthorized access. This is clearly stated. Using technical and organisational means, also clearly stated. EFX saying that core systems were not affected seems like a strategy to comfort people that their core systems are rock solid, yet it shows culpable practices in the non-core. Have it any way Rick wants, they infringed something, period.
Looking at the history of electronic bank and smart cards, they have not been a resounding success longevity-wise either. Their greatest success really is demonstrating just how little attention gets paid by politicians, civil servants, management and even engineers to the design of security systems. Likewise, as we know from the usage of credit cards and cheque cards, those responsible for checking the card against the person holding it will, for a multitude of reasons, fail to make adequate checks. Likewise we know that passport checking is actually quite a failure for similar reasons, hence the push to biometrics that are hoped will be a little bit more reliable.
In my opinion, the FTC should regulate them right out of business and prove that "too big to fail" is no longer an option. However, I'm enough of a realist to know that big data and big money are big power, and in the long run nothing will improve this situation in the current sociopolitical climate. Fixing what's wrong with America will probably have to wait until enough people are sufficiently fed up that emphatically invoking the Second Amendment resets the status quo. If the founding fathers were here today they would already be busy refreshing the tree of liberty with the blood of patriots fighting tyrants.
The other issue is to take a look at the history of crypto and identity security. The crypto algorithms that get used have not lasted, for various reasons: DES did not really make it to "its coming of age", and various hash algorithms have been found to have problems and their use deprecated. We are now scrambling around for "Quantum Computer Proof" algorithms because the PubKey systems we use currently are "assumed" to be vulnerable to Quantum Computing.
"Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of , Equifax’s page about the security breach that may have exposed 698 million Americans’ personal information. Several posts from the company’s Twitter account directed consumers to Mr. Sweeting’s version, . They were deleted after the mistake was publicized."
Early March, we got a letter from the IRS. Some helpful stranger was trying to pay it forward by filing our taxes for us. The IRS was suspicious and informed us we were able to stop the IRS from any further action on the fraudulent filing. They also filed in a state we don't live in (but that state sent us a letter acknowledging another fraudulent filing.) I couldn't file. Have one stupid investment, and that company doesn't have to get us their final data until March 86.
The root of the problem is that in the US we continue to treat widely used and known identifiers as if they are secret. Especially the SSN is often used, in whole or in part, as the code for pre-creating or bootstrapping account creation and recovery. Although many in the tech community abhor government-administered ID schemes, such schemes appear to be a better path forward than the futile attempt to make the SSN secret through regulation.
While there are a variety of individuals, institutions, and government entities that can be blamed for problems with the current system, I'm becoming more interested in the variety of large government penalties that are incurred by targeted companies, organizations, etc., the process by which the penalties are determined (equally applied? / fairly determined?), and the beneficiaries who receive the proceeds of penalty payments (regulators?).
In my view the biggest risk to the general public from this mess is credit fraud, and on that front maybe the breach might have a silver lining. Now that all the forms of information that creditors generally use to authenticate borrowers are potentially public and untrustworthy, creditors will have to do a proper job of authenticating the borrowers and assessing risk themselves. Just having the DOB, name and SSN of a good risk will no longer be enough to borrow. Lenders will have to see verifiable evidence like actual pay stubs or bank statements, something that Equifax didn't have in the first place, before issuing credit. For someone who doesn't need or want new credit, I think it may actually decrease the risk, because the info lost by Equifax will simply not be enough to effectively get credit in the future.
The cost of the three credit freezes over 75 years would be $78,855 for two people or $69,955 per person. Let's say that only 55% of the 698 million accounts had average or above credit (the assumption is that half of the people have less than average credit and might not care enough to put a credit freeze on their accounts). The total revenue generated from the theft of their stored information for the three credit bureaus would be $6,995 x 77 million or $658 billion PER YEAR. Does anyone but me smell a rat in the woodpile? In my opinion, this is a gross conflict of interest on the part of the credit bureaus. These companies should not be allowed to make one penny from a criminal act against their company for data that they are responsible for protecting, even if they were not the company that was hacked. This, to me, is an absolute outrage. It is in the best interest of the three credit companies to have the data stolen because it is very lucrative.
As obscene as it used to be, there used to be a procedure to post a decapitated head on a pike at the entrance to a town with something describing that which brought about such an indignity. Our culture has fallen out of that kind of notification. Perhaps we should reconsider. I am certain our culture could come up with something with similar effect that would not require decapitation, or, maybe, Trump's Cabinet Appointee unjustly kicking people out of their houses comes to mind. I read that it worked well in the past.
AND DO NOTE: Equifax asks you to provide the last 6 digits of your social security number to see if you're a candidate, leaving only 8 digits for hackers to solve for. And across your computer or cell phone, network, and provider, giving them more plausible deniability: if you are identity cloned, proving that Equifax was the sole source will be more complicated. Strict & proportional liability is a lengthy discussion.