
Equifax’s Maddening Unaccountability - aaronbrethorst
https://www.nytimes.com/2017/09/11/opinion/equifax-accountability-security.html
======
chiefalchemist
There's something very disturbing about the fact that they can collect my
personal information (without my approval); profit on that info (without
compensating me); and then get hacked and I have no reasonable recourse for
what they've done??

How can they not be liable? How is this not negligence?

~~~
cloakandswagger
Common misconception. They actually _do_ need your approval, it's just that
that approval is buried in the mountains of legalese you sign whenever you
sign up for a bank account, credit card or loan.

~~~
bparsons
Yes, but you really have zero choice. Unless you decide that you can live
without a cell phone, rental car, credit card, mortgage or bank account the
rest of your life.

~~~
djsumdog
You can do only burner prepaid sims that don't require a name/personal info
(which is a bit difficult to find) but your general point is still very valid.
You cannot escape the data collection systems in our society without going all
Henry David Thoreau.

~~~
tenpies
> You cannot escape the data collection systems in our society without going
> all Henry David Thoreau.

Or living suspiciously like a drug dealer (without money laundering).

------
mark-r
The author likens this to automotive safety, but I think a better analogy
would be airline safety. When an airplane goes down, an immediate
investigation is done by third parties to find the cause. Then remedial steps
are drawn up and the entire industry is expected to follow them, not just the
company involved in the accident. Data breaches need to be held to this
standard.

~~~
mixmastamyk
This is a great idea I'm afraid will never happen.

~~~
letsgetphysITal
I don't know. One airline disaster is arguably less _economically_ destructive
than this breach. It could end a $70B company, or lead to a bailout, or ruin
credit application processes for years causing the US economy to stumble.

Nothing makes things change faster than disrupting the money flow.

------
keyle
You! You didn't pay a small bill 4 years ago because you changed address and a
debt collector marked you as naughty. No loan for you! Hahaha! ... Oh, we just
leaked all of your information. Ah well, today is a new day, ... dum diddly
dum...

~~~
woogiewonka
Fury!

------
iamleppert
The problem is incompetence in our industry. Anyone who has worked long enough
knows that technical competency is not rewarded (outside a few rare firms) in
software engineering.

~~~
kahnjw
You're oversimplifying. This has more to do with politics than SE technical
competence. Banking software and systems are regulated end to end, because
banking systems are literally the backbone of the global economy.

Equifax? Not so much. This exposure hurts consumers, but it doesn't even put a
dent in the economy as a whole. That is why these firms are allowed to operate
with such shitty security. If they get hacked, whatever, just a few hundred
million customers' data exposed to identity fraud. It takes a chunk out of
Equifax stock but they'll probably survive. What is the incentive for congress
to enact laws regulating corporate handling of consumer data?

Put it this way. Who do you think is louder in Washington: consumer advocacy
groups or corporate lobbyists?

~~~
g051051
> What is the incentive for congress to enact laws regulating corporate
> handling of consumer data?

They already did, it's called the Gramm–Leach–Bliley Act:

> In terms of compliance, the key rules under the Act include The Financial
> Privacy Rule which governs the collection and disclosure of customers'
> personal financial information by financial institutions. It also applies to
> companies, regardless of whether they are financial institutions, who
> receive such information. The Safeguards Rule requires all financial
> institutions to design, implement and maintain safeguards to protect
> customer information. The Safeguards Rule applies not only to financial
> institutions that collect information from their own customers, but also to
> financial institutions – such as credit reporting agencies, appraisers, and
> mortgage brokers – that receive customer information from other financial
> institutions.

Note the inclusion of CRAs.

~~~
kahnjw
GLBA was enacted in the 90s and is a vague set of guidelines for financial and
related industries to follow. I'm talking about real system regulation, down
to the level of protocols.

------
cloakandswagger
Now would be a great time to go long EFX in my opinion.

The stock has been slammed while Equifax is being flogged in the court of
public opinion, but I doubt this leak will have any lasting financial impact.

Look at the result of the Target and Home Depot breaches: whether you like it
or not, the companies are still technically the _victims_ here and no court is
going to bankrupt them for data breaches that are more and more becoming the
norm.

~~~
bob1029
>but I doubt this leak will have any lasting financial impact.

I am going to have to stop you there. As someone who works in the financial
sector, I have quite a different view of this situation. Best case scenario
(for the organization) is that it is fined directly into bankruptcy and
someone like FIS acquires them for pennies on the dollar. I am still waiting
for CFPB to drop a nuclear bomb over this issue. There will be new PII
regulations around the corner for sure.

I also question the extent of the leak... I keep hearing it was just basic
PII, but if someone got a dump of the entire credit history database, a huge
range of financial products (e.g. Knowledge-Based Authentication) become
entirely compromised.

~~~
cloakandswagger
Equifax has an $18B market cap. Can you name one instance of a government
imposed fine for improperly stored PII exceeding even $100M?

Furthermore, do you have evidence that the PII was improperly stored, or that
Equifax's security practices were lacking in any way? The vulnerability
provided full RCE, and I know of no info-sec magic that inoculates you against
that.

~~~
empath75
Having root on a web server shouldn't give you access to 147 million customer
records.

~~~
cloakandswagger
I'm eagerly awaiting the technical details of the attack. If it turns out that
their web server has 100% unfettered access to the database then I'll gladly
pick up a pitchfork as well.

I'm wondering if Equifax is using Struts-provided REST for its entire
architecture. If that's the case, gaining access to the web server was only
the first step. From there the attacker could perform RCE on sensitive
services.

~~~
sillysaurus3
_If it turns out that their web server has 100% unfettered access to the
database then I'll gladly pick up a pitchfork as well._

You may want to think twice. Try to design an architecture that doesn't have
that. If you think it through, you'll realize the best you can do is not to
deny access, but to monitor access so that any statistical deviation in
requests-per-hour will trigger an alarm. Yet nobody does that, so why should
Equifax have been a pioneer in this method?

This is the uncomfortable truth that everyone is obscuring here. There wasn't
a solution. Equifax got owned, and they happened to have a trove of data.
Everyone now wants to see their heads roll, but you too would find yourself in
the same situation if you have an RCE on your servers.

~~~
kelnos
> You may want to think twice. Try to design an architecture that doesn't have
> that.

We have an architecture like that where I work. It's not that hard. Our web
applications have very little direct access to databases; most of it is
mediated by services downstream of the web app. That's certainly not a silver
bullet, but it makes it impossible to exploit a RCE vuln in the web server in
such a way that it lets you have arbitrary access to the database.

~~~
jeremyjh
And let me guess. Those services give the webservers...the data that they ask
for?

Once you've compromised a server, learning how to ask for the data you want is
not hard. You have access to all the webserver's code, can make full dumps of
communications occurring normally in the app, etc.

~~~
kelnos
It's different, though. If my web server has direct database access, and it
gets compromised, an attacker can go in and directly do "SELECT * FROM users"
and get all my data in one go. If the database is behind a restrictive
service, and they compromise just the web server, then they have to sit on the
web server and pull each user record one at a time. And they might not even be
able to, depending on search options -- like they might just be able to do
"GET /users/{userId}", and if you don't know the user IDs, you get nothing
(our user IDs happen to be randomly-generated 128-bit numbers, so searching
through that space would take a while). Even if they _can_ get past that
hurdle, the extra traffic it would require to pull down the full database with
one request per user would certainly set off alarms, and doing it slowly
enough to _not_ set off alarms would just take too long.

Of course, another option would be to use the web server compromise to then
jump to the database service and compromise that box as well, but, again, more
hurdles to jump means less of a chance of success.

Nothing is perfectly secure, but you can design systems with defense in both
breadth and depth, and you can slow down or defeat many attackers that way.
It's not about making Fort Knox, it's just about making breaking in more
expensive than they can handle.
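kelnos's point that pulling the database one record at a time through the service layer produces traffic that trips alarms, as an added example (not code from this thread or from any company it mentions): a detector that baselines each caller's per-hour request rate and also flags hours where nearly every request targets a different user id, which catches a pull slowed down to stay under the rate threshold. The log format, host name and user ids are constructed for the example.

```python
"""Alarm on anomalous record pulls from a web tier that can only fetch one
user record at a time (GET /users/{userId}) from a downstream service."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed log format: "<YYYY-MM-DDTHH> <caller> GET /users/<32 hex chars> <status>"
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d) (?P<caller>\S+) "
    r"GET /users/(?P<uid>[0-9a-f]{32}) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    hour: str
    caller: str
    requests: int
    distinct_ids: int
    reason: str


def bucket_by_hour_and_caller(lines):
    """Group the user ids requested per (hour, caller); unparseable lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            buckets[(m["hour"], m["caller"])].append(m["uid"])
    return buckets


def detect(lines, baseline_hours, sigma=3.0, min_requests=10, distinct_ratio=0.9):
    """Return alerts for hours outside the baseline where a caller either exceeds
    its baseline rate (mean + sigma * stddev of its baseline hours) or, while
    staying under that limit, requests almost nothing but distinct ids."""
    buckets = bucket_by_hour_and_caller(lines)
    history = defaultdict(list)  # caller -> per-hour request counts in the baseline
    for (hour, caller), ids in buckets.items():
        if hour in baseline_hours:
            history[caller].append(len(ids))

    alerts = []
    for (hour, caller), ids in sorted(buckets.items()):
        if hour in baseline_hours:
            continue
        n, distinct = len(ids), len(set(ids))
        counts = history.get(caller, [])
        mu = mean(counts) if counts else 0.0
        sd = pstdev(counts) if len(counts) > 1 else 0.0
        limit = max(min_requests, mu + sigma * sd)
        if n > limit:
            alerts.append(Alert(hour, caller, n, distinct,
                                f"rate: {n} requests exceeds baseline limit {limit:.1f}"))
        elif n >= min_requests and distinct / n >= distinct_ratio:
            alerts.append(Alert(hour, caller, n, distinct,
                                f"enumeration: {distinct} distinct ids in {n} requests"))
    return alerts


def _uid(i):
    """Constructed stand-in for a random 128-bit user id (32 hex chars)."""
    return hashlib.md5(f"user-{i}".encode()).hexdigest()


BASELINE_HOURS = {f"2017-09-09T{h:02d}" for h in range(24)}


def build_sample_log():
    """Constructed log: a day of normal traffic from host web-01, then a quiet
    hour, a bulk pull, and a slow pull that stays under the rate limit."""
    lines = []
    for h in range(24):  # normal: 20-24 fetches per hour spread over 10 active users
        for k in range(20 + h % 5):
            lines.append(f"2017-09-09T{h:02d} web-01 GET /users/{_uid(k % 10)} 200")
    for k in range(18):  # quiet hour, same users: no alert expected
        lines.append(f"2017-09-10T02 web-01 GET /users/{_uid(k % 10)} 200")
    for k in range(400):  # bulk pull of 400 distinct records in one hour
        lines.append(f"2017-09-10T03 web-01 GET /users/{_uid(1000 + k)} 200")
    for k in range(25):  # slow pull: 25 distinct records, under the rate limit
        lines.append(f"2017-09-10T04 web-01 GET /users/{_uid(2000 + k)} 200")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log(), BASELINE_HOURS):
        print(alert)
```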

------
wyager
We have the technology to manage credit in ways that are vastly more private
and secure than a giant, poorly run, insecure personal data repository.

Using strong cryptography, we can build pseudonymous trust graphs where nodes
in the graph (cryptographic identities) publish cryptographically auditable
trust relationships. Using various graph exploration techniques (e.g.
unrolling the trust graph into a trust DAG with known creditors as terminal
nodes and calculating path properties to those nodes, using proof-of-burn and
non-distributive path combination to disincentivize Sybil attacks on the trust
graph, etc.) we can estimate trustworthiness (or, more specifically,
creditworthiness) of cryptographic identities rather than legal identities. In
the end, you're probably still going to want to link at least one
cryptographic with your bank account, but you would have vastly more control
over the relationship between privacy and public verifiability of
trustworthiness.

Of course, just because this is possible doesn't mean it's going to happen.
The primary obstacles to an open, secure trust system are that A) it's harder
to make people manage their own trust network than it is to spy on them B)
trust networks rely on the network effect and C) there's no obvious way to
make money off it. Any extant system that resembles what I've described is
mostly limited to tech nerds. I'm not sure what it would take to
trick/convince the general population to use such a system.

------
tarr11
PII is the nuclear waste of the internet. Incredibly expensive to store
safely, and constantly vulnerable to a catastrophe.

~~~
mi100hael
And once it leaks, it's damn near impossible to clean up.

~~~
sounds
I feel like it's worth pointing out that the internet was a better place before
people started using it for PII.

Credit agencies were about PII before the internet, but internet companies
that collect all this PII toxify the internet.

------
cprayingmantis
So how can I stop using Equifax? Or at the very least how can I find banks or
other agencies that don't use Equifax? Is there any way to stop them from
hoarding all my data without my explicit consent?

~~~
ovao
To my knowledge you can't stop, per se. If you're savvy you can avoid seeking
credit from any institution that pulls Equifax, by asking from what CRA(s)
your report will be pulled and simply walking out if they tell you they pull
Equifax. This doesn't guarantee that they won't _report_ to Equifax, however,
and it certainly doesn't guarantee that Equifax won't come up with the
information by other means.

Unfortunately, also, it's safe to assume that Experian and TransUnion operate
just as badly as Equifax, so attempting to live an Equifax-free existence
probably isn't particularly useful. If Equifax does suffer for this leak,
actually, it's a relatively safe bet that they will take security more
seriously so as to better protect their interests.

------
alexkavon
Will the SSA (social security administration) office be issuing new numbers?

------
orange_county
"Most software failures and data breaches aren’t inevitable; they are a result
of neglect and underinvestment in product reliability and security."

How do we know that Equifax fell into this category? That this was due to
negligence? I see a lot of disdain towards Equifax but yet the breach details
have not been out yet.

~~~
throwawayjava
The 6.66 billion dollar question.

------
Iknowsecurity
Of all vulnerabilities that created massive amount of personal data leaks this
may be the biggest but it is hardly the one caused by the most negligence.

Linkedin using unsalted sha hashes is a lot more maddening. Here you have a
vulnerability being disclosed and not enough time to patch your code.

------
drewmol
Equifax played a slightly different version of this commercial during Monday
Night Football a few times. It takes no accountability, but also doubles down,
claims your info might* be on the dark web (*because they just negligently
released it), and offers a "dark-web-scan" service to help find it...

[https://www.youtube.com/watch?v=vjrydnr_pvQ](https://www.youtube.com/watch?v=vjrydnr_pvQ)

~~~
kahnjw
Experian != Equifax

~~~
drewmol
Thanks, that was my mistake. I confused the two and didn't even notice before
posting. Too late to delete my inaccurate comment (mods?). It certainly makes
sense for Experian to advertise this service given their competitor's recent
leak.

------
gadders
> I’m still dealing with the damage to my credit rating that resulted when I
> forgot to return a library book and a collection agency was called in (for a
> paltry sum).

...

> Zeynep Tufekci (@zeynep), an associate professor at the School of
> Information and Library Science at the University of North Carolina

You'd think she of all people would know better.

------
endgame
Maybe this will finally be the "Three Mile Island Incident of Data" that
Maciej Cegłowski talks about? If not, I don't know what will.

[http://idlewords.com/talks/haunted_by_data.htm](http://idlewords.com/talks/haunted_by_data.htm)

~~~
SmirkingRevenge
The 3-mile island of data leaks will happen when the ISP DNS lookups and
browser history logs get matched up with the credit data and all the other
datasets that are floating around.

------
gwenzek
Naive question from Europe. What's the influence such NYT article may have on
the legislators?

------
running101
One more reason to move away from current financial system to bitcoin.

------
outoftacos
That was so satisfying to read, it's rare that I come across a voice angrier
than my own in the New York Times of all places. Makes me think there is hope
this world won't fall apart after all.

~~~
roywiggins
Tufekci is a national treasure.

------
jamesmattis
Whatever happened at Equifax was disastrous. But I really liked the way that
they are containing it. Their CEO released a statement. They launched a
specific site for security scans for their user for free. They are
communicating it to their customers transparently.

With that I also saw that cyber security is and will be the biggest threat of
the next decade. There are many cyber security companies these days but I
didn't see a single company moving forward to support the Equifax team to
figure out what happened and how it can be prevented. Cyber security companies
should have volunteered for the cause.

~~~
hmhrex
> But I really liked the way that they are containing it.

Please let this be sarcasm...

> They are communicating it to their customers transparently.

They knew well in advance that there was an issue and did not communicate it
well. They have 3 higher managers that look to have sold their stock based on
the knowledge. There are some reports that they knew up to 3 months ahead of
their announcement.

> They launched a specific site for security scans for their user for free.

Things that are wrong with this site:

- The site screams "phishing" when you look at the URL.

- Asks for SIX digits of your SSN. If you know the state of the person
filling out the form and they were issued their SSN before 2011, you only need
to try a few numbers to figure out their whole SSN.

- Gives random results when you fill out the form.

- You possibly forfeit being able to sue them by filling out the form.

- When you fill out the form they basically advertise their own product to
you.

At this point, as a consumer, it feels like they are doing everything in their
power to get away with not being held accountable for not storing this data
properly.

8 in 10 US credit card holders have their SSN and possibly other information
out there. This means that I'm at high risk to have my identity stolen in the
future, not just the next twelve months that Equifax is offering me free
Identity Theft Protection.

Last but not least, when you freeze your credit score, they give you a PIN to
unfreeze it. But if you were to lose it, you'll only need some identification
to get a new PIN and unfreeze it. But they've already released that
identification and it's being sold around. So no luck there.

~~~
jamesmattis
I accept my mistake in judging the situation. Thanks a lot for elaborating it.
I agree to all your points.

------
codecamper
I just read about how the hack was done. Shockingly stupidly easy!

1. They realized that Equifax uses Struts.
2. They modified Struts!
3. Equifax used the updated code on their servers.

DUUUUUHHHHHH!

~~~
Iknowsecurity
It is more:

- Critical remote execution bug was discovered in Struts2.
- The vulnerability goes public too quickly.
- Hackers start scanning the Internet.
- Equifax is found vulnerable.
- Vulnerability is exploited.

~~~
codecamper
$14 billion company cannot convert what the servlet API gives into a method
call on a certain object + a bit of reflection to update methods & print them
into form elements. Super complicated!

If the $14 billion can't do that then they certainly cannot protect data.

------
ryanmarsh
_Americans woke up to news of yet another mass breach of their personal data._

Americans woke up to news of yet another mass breach of data about them.

FTFY

~~~
herghost
could you elaborate on what you mean by making this distinction, please?

~~~
15charlimit
People are being pedantic about the actual meaning of words as opposed to the
commonly-understood-and-accepted meaning of words.

It's annoying, because it distracts from the immediate issue and causes
confusion.

------
kccqzy
It's a bit funny how it mentions these two things together in the same
article:

> Today, almost every piece of software comes with a disclaimer on its user
> license that basically says that the product may not work as intended […]
> and that’s the user’s problem. It’s a wonder companies don’t insert “nyah
> nyah nyah nyah” into the tiny-print legalese.

> No software system can be free from bugs […]

~~~
JumpCrisscross
I read a consistent argument. Expecting perfection is wrong. Expecting
consumers to shoulder the vast majority of the costs of that imperfection is
also wrong.

~~~
HarryHirsch
_Expecting perfection is wrong._

There are 120 million lines of code in an A380, and planes don't crash due
to software bugs. Why is it wrong to expect perfection in critical
infrastructure?

Something went wrong somewhere in software engineering. My HP42s calculator
has about 6 insignificant bugs that you need to get out of your way to
trigger. Your new cellphone on the other hand, when you turn it on it
downloads a gigabyte of updates! That's an outrage.

~~~
wil421
You're comparing a relatively cheap credit report to a $400 million airplane
with a 15-25 billion euro program cost. Not to mention aerospace has 100 years
of innovation and has actual lives at stake. The internet, what, 30ish years?
Not to mention network security is a relatively new concern.

~~~
theonemind
With a market cap of $18 billion for Equifax, it seems like they had the
resources to get this right. I see the difference as who shoulders the cost.
If you pay $400 million for a defective plane, you have one company whose toes
you will hold to the fire. If you lose data worth $400 million for 138 million
people, you have about $2.89 average per compromised person, so no single
person will really go that far out of their way to crucify you, and if one
does, they have perhaps tens of thousands of dollars to use in the legal
system holding you accountable, not the millions one large wronged party may
spend on it. In aggregate economic terms, in actual loss and negligence, I
don't see that much difference. If you want to steal a lot, steal a small
amount from a large number of people. It looks to me more like a matter of the
feasibility of getting away with it.

------
danjoc
"I’m not unsympathetic to the needs of software developers."

Yes she is. I read this as completely unrealistic expectations from the
author. Struts is maintained by one person.

[https://github.com/apache/struts/graphs/contributors](https://github.com/apache/struts/graphs/contributors)

"Most software failures and data breaches aren’t inevitable; they are a result
of neglect and underinvestment in product reliability and security."

The attack happened in late July. The bug was fixed/reported in early
September. It was a zero day. That's not neglect.

~~~
grzm
> _Struts is maintained by one person._

I see nowhere in the op-ed piece where Tufekci mentions Struts or implies that
she holds Struts responsible for this. She is clearly laying this at Equifax's
feet, and their responsibility in their choice of software and the industry as
a whole for actively pushing against better software practices and
responsibility.

The section you quoted is followed by:

> _Some number of unexpected errors — bugs — are unavoidable in computer
> programs. It would be unreasonable to allow a consumer to sue a software
> company every time a program suffered a glitch._

She's laying out a much more nuanced argument than you're giving her credit
for. You're right in that this seems to be a zero-day, which is more difficult
to defend against, but there are practices (among them, defense in depth, and
pen tests) which can limit the attack surface. Also actively looking for known
exploit types (rather than specific exploit instances). For example, buffer
overflows are a known attack vector in C, so people harden their code against
buffer overflows. Deserialization attacks are known in Java, so people harden
their code against deserialization attacks. SQL injection attacks are a known
exploit type, so people learn to parameterize their SQL queries.

It's clear that this is something you care about and are passionate about. For
topics that affect me like this, I consciously take a breath and re-read what
I've reacted to, to see if my second (or third) read matches up with my first.

~~~
danjoc
She's blaming the software industry and software failure. That's Apache, and
Struts.

If she wanted to lay it on Equifax, she might go into the fact that the Chief
Information Security Officer at Equifax holds a masters in music,

[https://www.hollywoodlanews.com/equifax-chief-security-officer/](https://www.hollywoodlanews.com/equifax-chief-security-officer/)

The people that actually "do" are Chief Peon of Cube Farms, doing whatever the
boss with a music degree tells them is priority.

> You're right in that this seems to be a zero-day, which is more difficult to
> defend against

There's no nuance. It is under-reporting the facts to make her hit piece look
stronger. It's never the leadership's fault when there's a failure in the US,
but they happily take credit when there is success.

>but there are practices

Which don't help at all against a zero-day in a dependency.

~~~
grzm
> _She's blaming the software industry and software failure. That's Apache,
> and Struts._

I interpret her differently:

> _There are technical factors that explain why cybersecurity is so weak, but
> the underlying reason is political, and it’s pretty simple: Big corporations
> have poured large amounts of money into our political system, helping to
> create a regulatory environment in which consumers shoulder more and more of
> the risk, and companies less and less._

> _This is a general feature of our lopsided world, but software businesses
> (and the technology sides of other companies) have acquired perhaps the
> greatest degree of impunity. Information technology arrived on the scene
> only recently, so it has faced fewer of the kinds of regulations that
> consumers and citizens, in more progressive eras, managed to impose on other
> industries._

To me, that reads as taking corporate interests and business motives to task,
not software practices. Software development (like any other work) is a cost,
and businesses need to balance those costs against business revenues. I'd
argue who's chosen for C-level positions is a business decision, not a
software practice one. If the costs of failure in production due to bugs were
higher, businesses would make different decisions in hiring and how much time
was dedicated to security and bug fixing. Do you disagree? Testing and quality
control is expensive. If we can roll out a feature (or just continue business)
spending as little as possible on testing and QA, it can certainly be an
understandable decision (whether or not you agree) to do as little QA and
testing as possible: you're not providing any new features (which may increase
revenues): you're just increasing cost.

> _It's never the leadership's fault when there's a failure in the US, but
> they happily take credit when there is success._

It's not clear to me which leadership you're referring to here. The
government? The corporate leadership? Someone else? If the corporate
leadership, I think that's entirely the point Tufekci is making.

~~~
danjoc
>software businesses (and the technology sides of other companies) have
acquired perhaps the greatest degree of impunity.

TIL: No warranty == impunity.

Nobody MADE Equifax use Struts. The source is open to inspection. The bug
existed there for 8 years. Let's see how many audits Equifax did on the source
code with no warranty.

>If the costs of failure in production due to bugs were higher, businesses
would make different decisions in hiring and how much time was dedicated to
security and bug fixing. Do you disagree?

If the costs were higher, the one poor guy working on Struts would do a better
job? No, I think that guy would probably not write the software. He'd find a
different line of work. If he did write it, he would never release it for the
world to use for free. Who would do that? "Here's this thing I worked on for
over a decade. You can use it for free. Please sue me if you have any issues.
Thanks."

~~~
grzm
I'm sorry. I really think we're talking past each other. At this point I'm
having a really hard time figuring out what you're trying to say.

I see you equating Struts and software practices with the businesses that use
software. I see those as two separate things.

> _Nobody MADE Equifax use Struts._

Yup.

> _The source is open to inspection._

Yup.

> _Let's see how many audits Equifax did on the source code with no
> warranty._

I'm not sure why you're including this. I think they should have done source
code audits in accordance with how they weighed the costs/revenues. Do you
disagree? I personally tend to lean towards more tests and code analysis, but
I understand others weigh this differently.

> _If the costs were higher, the one poor guy working on Struts would do a
> better job? No, I think that guy would probably not write the software._

I place the responsibility with the company _using_ Struts in their product, not
the Struts dev. I'm not sure how you're getting the impression I (or Tufekci,
for that matter) place this on the Struts dev. I'm responsible for the results
of the applications I put into production, including the libraries I choose to
use in that application. I don't generally hold the devs who wrote those
libraries responsible.

Like I said, I think we're talking past each other. I still think you're
reading too much into (and too little close reading of) Tufekci, but I'm not
sure how better to express what I'm trying to say. I've now read the piece
through 3 times fully and I really don't see her making any of the points
you're arguing against.

If you've got specific questions about what I've written, please ask.
Otherwise, I'll sign off. Have a good evening!

~~~
danjoc
> I place the responsibility

Nobody cares where you, or I, place it. You don't write for the NYTimes. You
don't have that sort of sphere of influence.

>with the company using Struts in their product, not the Struts dev.

They don't.

[http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/](http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/)

It's very easy to explain to the public. "Those software hacker people did
this to you. Look, here he is. He made the faulty software. Burn him at the
stake."

Tufekci is with them, blaming the developer.

Developer licensure, here we come. Illegal to write open source software.
Another one of those crazy Richard Stallman predictions that comes true while
you guys sleepwalk into the dystopia.

[https://www.gnu.org/philosophy/right-to-read.html](https://www.gnu.org/philosophy/right-to-read.html)

~~~
gipp
Your line of comments is maddening, because you're clearly in total agreement
with the article, yet seem to somehow be reading in almost the precise
opposite of what its point was.

The author was not blaming the Struts guy. She was blaming Equifax, 100%. She
would blame the decision to _use_ Struts and assume the _unavoidable_ risk
associated with such a decision, not the development of Struts itself.

Literally every single point made in the article is about _Equifax_ dodging
accountability for their choices, and Struts is never mentioned. What on Earth
makes you assert with such total certainty that she's blaming the Struts
developer?

~~~
danjoc
"No software system can be free from bugs (or intruders), and users must be
mindful of the risks. But the inherent lack of perfect automotive safety
doesn’t mean we don’t try to make cars safer. Obviously, people should drive
more carefully, but seatbelts, airbags and better car design reduce injury
enormously, and that has been great for the industry as well as consumers. The
software industry should be no different."

Let me translate that:

Software users, like people who use compilers, should need licenses.
Obviously, people need to compile more carefully. Software needs the
equivalent of seatbelts, airbags, and other government mandated safety
standards. Software cannot JUST ship to github with no warranty or guarantees
of safety. These licenses which absolve the developer of responsibility cannot
continue to be allowed. Those open source developers should not just produce
software for free, but they need to accept responsibility for it. They need to
pass government mandated, Apple App store style, approval for all software
shipped. Including regulations for safety and compliance with other laws like
copyright infringement and decency standards.

She's attacking the foundation of the software freedom movement.

~~~
gipp
If I build an airbag in my garage, and Honda shows up tomorrow and puts it in
their car, and it fails because I don't know how to make good airbags, I would
not be legally liable for those failures. Honda, however, _would_ be. Your
analogy does not hold up. You're reading some _very_ specific things into what
is a very general statement.

I get why you'd be upset if she was attacking the things you say she is, but
she is emphatically _not_ doing that. Every single paragraph in the article is
about how _Equifax_ should be liable for _their_ software, which includes
liability for the _decision_ to use types of open-source software.

~~~
danjoc
>If I build an airbag in my garage, and Honda shows up tomorrow and puts it in
their car, and it fails because I don't know how to make good airbags, I would
not be legally liable for those failures.

[https://en.wikipedia.org/wiki/Takata_Corporation](https://en.wikipedia.org/wiki/Takata_Corporation)

~~~
gipp
If they have liability, it is assumed as part of their supplier contract with
Honda. Open source software does not have this, and nowhere does the author
suggest that should be the case -- they _certainly_ do not suggest such an
assumption be _implied_ without a license, or _forced_ to be in all OSS
licenses, which would be the only way your complaint makes sense.

~~~
danjoc
>Open source software does not have this, and nowhere does the author suggest
that should be the case

"the underlying reason is political, and it’s pretty simple: Big corporations
have poured large amounts of money into our political system, helping to
create a regulatory environment in which consumers shoulder more and more of
the risk, and companies less and less."

The author is suggesting a political solution. Regulation. Laws that say "Your
open source license can't exempt you from a, b, c, d."

You could then exempt yourself from lawsuit in your open source license, but
that will be automatically void, like a non-compete clause in a California
employment contract. Struts would be sued for the breach in her imagined
world.

