
Equifax CEO to Congress: Not Sure We Are Encrypting Data - boyd
https://www.wsj.com/articles/equifax-ceo-to-congress-not-sure-we-are-encrypting-data-1510180486?mod=yahoo_hs&yptr=yahoo
======
tptacek
Encryption wouldn't have mattered here. To a pretty good first approximation,
none of the "encryption" done at scale at any Fortune 500 company in the US is
more than a speed bump for attackers. Unless you're using moon math --- nobody
is --- enterprise backend encryption is hamstrung by the fact that you're
keeping the data because _automated business processes need to use it_ , which
means automated systems need to decrypt it.

~~~
girvo
We’re using spooky moon math (semi-homomorphic encryption in a rather
restricted case, mind you) for exactly this reason for the 4 biggest companies
in a huge industry here in Australia. These companies are starting to
understand why it might be needed, which is super exciting. And hell, even if
the prototype gets killed, it’s been fun as hell to work on.

~~~
tinco
What kind of operations are you able to do on the data?

~~~
girvo
Solely addition on integers, currently. I’m having a lot of fun exploring
pattern matching with semi-homomorphic encryption for the larger project,
though I have my reservations, but it’s hopefully possible.

One of the more interesting bits of the project is that soft-real-time is not
a requirement, so some simpler, slower and older algorithms become feasible
(interactive ZKPs, even fully-HE systems perhaps). A very specific use case
has allowed for the possibility. But it’s amazing to work on :)

------
mrguyorama
I don't know which is worse: That Equifax is straight up lying about their
infrastructure to hide malpractice, or that they don't even know

~~~
sova
Encrypt your secrets in plaintext, the hackers will never see it coming

~~~
nobodyorother
I just use double-ROT-13 as my TPM, that way I can invoke the DMCA too!

~~~
ajr0
Double-Rot-13 is a cost effective alternative to Rot-52 but of course only
half as secure.

------
markarichards
If encryption is enriched with appropriate identity, authorisation and
authentication systems then...

Encryption at network level is a must. Corporate routers/firewalls have been
very vulnerable before and the risk of grabbing everything is a lot easier if
you've compromised the network.

Encryption at rest is a must, as at some point you need to replace those disks
and it's a lot easier if you can be cavalier with the handling afterwards
because you know it is unreadable.

Encryption at application level (object encryption and between services) is a
must. Which means if a service is hacked or you dump the DB you may not be
able to read any of it or only those records accessed whilst the hack happens.
You replicate access control patterns, like in a secure building... These may
come down to one or more common denominators (can you trust the security
receptionist), but better that than the whole chain is vulnerable... You then
only have one set of alarms, logs, metrics, etc to keep an eye on and to test
very thoroughly.

In the physical world: for security scenarios we have very strict procedures
with locks, boxes, safes, multiple security door/gate entry systems, multiple
participants and signatures involved in every action, etc to mitigate internal
and external error, failure or attack - all of these can have an electronic
information system equivalent and we should start designing security in web
systems with these ideas in mind when it is as significant as Equifax.

------
jdavis703
Well I heard from the FBI that only criminals encrypt data using these fancy
counting machine things. So it seems like Equifax may have actually done the
right thing here. </sarcasm>

On a serious note, we really need to make encryption a part of high school
mathematics. What teenager doesn't want to write secret messages?

When I took an intro to security course in college we spent a couple of
classes building a very elementary understanding of how encryption works with
plenty of hands on examples (using laughably insecure algorithms, but still
enough to get the points across). I think most students found it the most
interesting part of the course since most everything else was more about
security policy (an MBA could've probably easily taken the course
successfully).

~~~
Balgair
Taking a chance of derailing the thread here, sorry:

SO taught HS freshmen in _physics_ (close, but still). I'd say we need to make
math a part of HS mathematics. ~60% of the kids can't do algebra in any way.
Really. Trying to make encryption a part of it is essentially useless. I hear
from time to time that a 'basic-adulting' course would be great to have had.
HA! You think mortgage interest rates and basic car maintenance would be
learned? Most HS students in the US can barely keep from snapping their
genitals at each other _during_ class. Find me a cell-phone jammer that the
FCC will approve of for under $200 and EVERY teacher in the US will buy five
that very same day. You'd make billions.

~~~
tlrobinson
Business idea: Faraday cage classroom kits.

~~~
icebraining
Then some kid has a medical emergency, people take 5m extra to call an
ambulance due to having to go outside or find a landline, and the school gets
sued.

~~~
Balgair
Get in line? The schools (in CO at least) are getting sued all the time. Most
of them are frivolous (I want my kid to play on varsity, the school lunch
smells bad so I need to bring my dog to class, I have ADHD but am allergic to
plastic(?) so give me an A) . Some are legitimate and mostly about classroom
sizes and racism/sexism. Some kids bring guns and knives to school,
attempt/commit murder and then snapchat themselves doing it. Most of the
district's caseload is made of 'slam-dunk' cases, but they do add up and
funding for the legal department here is not going up. Classes are now about
37 students/room. They aren't teachers, they are wardens.

Faraday Cages may not be a bad idea though. Copper is fairly cheap. It's
making new windows and certifying that the door to the classroom is closed and
that no signals can get in. Heck, with the way battery life is going, maybe
just take away electrical outlets and power-strips. Only 1st period would be
affected with a bit of kids after lunch.

------
ineedasername
At this point I think there is literally nothing about Equifax incompetence
that would surprise me. I mean nothing.

They could reveal tomorrow that their data center fire protection protocols
mandate the use of printed backups, feeding them to the flames with hopes the
god of data destruction would be appeased and leave their servers alone. I
would not be surprised. Nor would I be surprised if the paper backups were
only available as printouts on toilet paper, 1000 miles away, in the CEO's
office.

No, my reaction would be, "sounds about right for them, though I guess it's +1
point for effort on keeping any backups at all"

------
jve
I would like to quote PostgreSQL Experts (this applies to all DBs): FULL DISK
ENCRYPTION IS USELESS. [1]

FDE protects against…

• … theft of the media.
• That’s it.
• That is about 0.00000002% of the actual intrusions that you have to worry about.
• Easy rule: If psql can read it in cleartext, it’s not secure.
• (It’s a great idea for laptops, of course.)

And then it recommends: "Always encrypt specific columns, not entire database
or disk"

However encrypt your backups.

I think it is fairly sensible.

[1] Securing PostgreSQL [PDF], Page 31:
[http://thebuild.com/presentations/pgconfeu-2016-securing-postgresql.pdf](http://thebuild.com/presentations/pgconfeu-2016-securing-postgresql.pdf)
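
To make the "encrypt specific columns" advice concrete, here is an added example in Go (not jve's code and not from the cited slides): the sensitive column is encrypted with AES-GCM by the application before the row reaches the database, so a `SELECT *` by anyone holding a database credential, a copied backup, or a compromised host shows only opaque blobs, while the non-sensitive columns stay queryable. The table, rows, key and the `customers.ssn` associated-data label are all constructed for the demo; how the application obtains and protects the key (KMS, HSM) is assumed and out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Record is one row of a constructed "customers" table. SSNCipher is the
// application-encrypted column; the database stores it as an opaque blob
// and never sees the key.
type Record struct {
	ID        int
	Name      string
	SSNCipher string // base64(nonce || AES-GCM ciphertext+tag)
}

// aad binds a ciphertext to its table, column and row so a value cannot be
// copied into another row without failing authentication.
func aad(rowID int) []byte {
	return []byte(fmt.Sprintf("customers.ssn:%d", rowID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn encrypts one column value in the application, before the
// row is sent to the database.
func EncryptColumn(key []byte, rowID int, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), aad(rowID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptColumn reverses EncryptColumn; it fails on a wrong key, a modified
// ciphertext, or a ciphertext moved to a different row.
func DecryptColumn(key []byte, rowID int, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], aad(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LoadTable inserts constructed sample rows the way the application would:
// name in clear, SSN encrypted before it reaches the database.
func LoadTable(key []byte) ([]Record, error) {
	sample := map[int][2]string{1: {"Alice Example", "123-45-6789"}, 2: {"Bob Example", "987-65-4321"}}
	var rows []Record
	for _, id := range []int{1, 2} {
		c, err := EncryptColumn(key, id, sample[id][1])
		if err != nil {
			return nil, err
		}
		rows = append(rows, Record{ID: id, Name: sample[id][0], SSNCipher: c})
	}
	return rows, nil
}

// DumpTable renders what "SELECT * FROM customers" shows to anyone who can
// query the database. With full-disk encryption alone this view would
// contain the SSNs in clear, because the DB process decrypts the disk.
func DumpTable(rows []Record) string {
	var b strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&b, "%d | %s | %s\n", r.ID, r.Name, r.SSNCipher)
	}
	return b.String()
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	rows, err := LoadTable(key)
	if err != nil {
		panic(err)
	}
	fmt.Print(DumpTable(rows))
	fmt.Println(DecryptColumn(key, rows[0].ID, rows[0].SSNCipher))
}
```

This is the distinction the slide draws: FDE sits below the database, so every query already sees plaintext, whereas column encryption keeps the key in the application tier and the DB host, its backups and its credentials never suffice on their own. It does not contradict the top comment in the thread; the application that runs the business process still decrypts, so the key-holding service is what now has to be defended and monitored. FDE remains the right tool for the disk-disposal and laptop cases named above, and backups should be encrypted regardless.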

------
swalsh
Not a lawyer, curious if this would be a violation of
[https://www.law.cornell.edu/uscode/text/15/6801](https://www.law.cornell.edu/uscode/text/15/6801)

Equifax themselves are not a financial institution, but as a vendor of one,
would it not apply to them too?

~~~
leggomylibro
Doesn't matter; realistically, laws don't apply to them.

(Also not a lawyer)

------
TylerE
Just give them the corporate death penalty already.

~~~
JumpCrisscross
What does that mean? The government just takes investors’ property when it
doesn’t like what they do? That’s called expropriation. It redistributes the
assets to the shareholders? They could just reconstitute the parts. This
concept does not happen because it is silly.

~~~
benchaney
In this context the "Corporate death penalty" could just be allowing them to
get sued for the full amount of the damage they caused without bailing them
out. In practice, there is no way that they could survive that.

------
janesvilleseo
Is there any way for me to get my information removed from Equifax?

Do I need to contact all of my line item creditors and ask them to remove
references to Equifax?

~~~
toomuchtodo
> Is there any way for me to get my information removed from Equifax?

No. (EDIT: If someone has a better idea, please reply!) I filed a complaint
with the CFPB with citations from their breach as well as congressional
testimony requesting my credit file be removed. The response was boilerplate:

"Thank you for contacting Equifax. We remain focused on consumer protection
and committed to providing outstanding service and support. Protecting the
security of the information in our possession is a responsibility we take very
seriously and we apologize for the concern and frustration this cybersecurity
incident causes. We have developed a comprehensive portfolio of services to
support all U.S. consumers. Please refer to our dedicated website,
[https://www.equifaxsecurity2017.com](https://www.equifaxsecurity2017.com),
for the latest information and updates or contact our dedicated call center at
866-447-7559. The call center was set up to assist consumers and is open every
day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern Time."

> Do I need to contact all of my line item creditors and ask them to remove
> references to Equifax?

Even if you contact your creditors, Equifax is under no obligation to remove
the data. Most credit lines have the possibility of falling off after 10 years
(7 years for negative trade lines), but there is no obligation for them to be
removed.

~~~
existencebox
I'm honestly curious if Equifax would fall under GDPR regulations? I'm sure
there's some overlap of EU citizens who have lines of credit in the US.

We're having to prep for that at my corp currently, and it's VERY explicit
about being able to pull up and remove all personal data, with some very hefty
fines if you don't.

EDIT: thought about this further and peeked at our guidelines, they may be
able to get around this by the "data is integral to the function of the
business" exemption, but I'd still wonder if someone could speak with
authority on this.

~~~
zAy0LfpBZLC8mAC
> they may be able to get around this by the "data is integral to the function
> of the business" exemption

That's probably more of an "integral to fulfilling its contractual obligations
to those the data is about". It's more complicated than that, but the point is
that you cannot simply declare it the purpose of your business to collect
personal information and thus be exempt from data protection regulation.

------
plandis
This guy needs to be held personally responsible. But he won’t be and that
makes me extremely mad.

It sucks that the rich and wealthy can be as morally bankrupt as they want
without any/many consequences.

~~~
firloop
To be fair, the headline quote is from the interim chief. Richard Smith, the
CEO at the time of the breach, has already resigned.

~~~
FRex
The interim CEO is not a complete newcomer though; he has been at Equifax
since April 2010[0] and is the former head of the company’s Asia-Pacific business[0].
And considering the huge controversy around the data, it being their main/sole
business and the fact it made his predecessor step down he should take a bit
more interest than random journalists and randoms online to understand crystal
clear what's going on in there, especially when preparing to go to a hearing
in Congress to get drilled about it.

Then there's this gem [0]: "Barros also led the company’s U.S. Information
Solutions (USIS) business, which includes U.S.-based services that provide
businesses with consumer and commercial information and insights related to
areas of risk management, identity and fraud, marketing and a variety of
industry-specific solutions."

[0] - [https://www.equifax.com/about-equifax/corporate-leadership/](https://www.equifax.com/about-equifax/corporate-leadership/)

------
neurotech1
Non-Paywall version [http://archive.is/ikG4d](http://archive.is/ikG4d)

~~~
pogue
Thanks for this. Also, for future reference, can you just paste wsj article
URLs into archive.is and it will go out and pull the non paywalled article? Or
does archive.is get the cached page from your browser or something?

------
orangepenguin
Can anyone give a summary or point me to another article (not paywalled) with
similar information? I'm very interested, but don't have a WSJ subscription.

~~~
bonestamp2
Non-Paywall version [http://archive.is/ikG4d](http://archive.is/ikG4d)

Source: u/neurotech1
[https://news.ycombinator.com/item?id=15672691](https://news.ycombinator.com/item?id=15672691)

------
crankylinuxuser
So, has the data been actually leaked, or do you still have to pony up a load
of BTC to see this?

