
Two top Equifax execs to retire after security breach - bifrost
https://www.wsj.com/articles/two-top-equifax-executives-to-retire-1505510863
======
yebyen
I was pretty sure it was true that the CISO had no experience at all after
listening to the first two or three minutes of the video interviews that were
available here[1], but apparently they don't want anyone to see interviews
with the CISO from before the breach (as they have been scrubbed from the
internet.) I have never seen anybody say cloud so many times in two minutes.

By the end of the interview, I felt sorry for her. I have no idea if she had
relevant experience or not, she just sounded like someone who has been
conditioned to argue that delays in new development are unacceptable, and that
the cloud is inevitable, and if it costs more to do it right then you'll have
to make do with less, and cetera and so forth. I'm not terribly shocked that
they've taken down these interviews, but I am very sorry I didn't save a copy
when I found them.

The interviews were still available for viewing as of 12:31pm Eastern Time on
Sept 10, and there are transcripts that you can find following the links in
the article, which has been updated to note the videos were scrubbed from the
internet.

[1]: [https://www.hollywoodlanews.com/equifax-chief-security-offic...](https://www.hollywoodlanews.com/equifax-chief-security-officer/)

"The full interview videos went far in explaining what may have been the
eventual cause of the massive leak of information now gravely affecting 143
million Americans."

Serious question, is there any way this might actually count as destroying
evidence?

It says the interviews were removed by user, but I saw them and they were
briefly still playable after they were first reported on. Someone must have
been keen enough to snag a copy. They were _eye opening._

The transcript does not include the quote that really brought it home for me,
"resistance to the cloud is futile" – I wonder what else it does not
include...

[https://archive.is/Je7Yi](https://archive.is/Je7Yi)

[https://archive.is/6M8mg](https://archive.is/6M8mg)

------
mgleason_3
I think we're looking at this all wrong. It doesn't matter what the technical
details are. If you're controlling something dangerous it's your
responsibility to ensure it doesn't do damage or hurt anyone.

Take a car for example. If you're driving and you allow the car to hit someone
and they die, you are charged with manslaughter. It's your responsibility to
operate it safely. It doesn't matter if the conditions were difficult. In fact
it's worse - you shouldn't have operated the car.

It's the same concept here. They were operating something dangerous and did
not take the necessary steps to ensure our safety.

They should go to jail.

~~~
paulddraper
Agreed.

Though I think it's debatable whether leaking SSNs is comparable to
manslaughter.

~~~
djKianoosh
It might be worse. But I don't know how anyone can weigh destruction of one
life vs ruining thousands of people's lives (or at the very least increasing
the general angst among society at large).

------
rdtsc
Ah, deploy those golden parachutes and sail off to the Bahamas while giving
140M Americans a big fat middle finger.

I can see the justification for those large compensation packages for CxOs only
if, when something like this happens, they bear the corresponding
responsibility - maybe even being forced to sell a few yachts or a few summer
homes here and there to offset the investigation costs.

------
kernelman
I wonder how much they get in their retirement package?

------
patcheudor
They need to take a look at their software development area as well.

[https://www.fastcompany.com/40468811/heres-why-equifax-yanke...](https://www.fastcompany.com/40468811/heres-why-equifax-yanked-its-apps-from-apple-and-google-last-week)

~~~
JonMR
Do they not get their apps security scanned? In my experience, checking that
all requests go over HTTPS is the first thing the security teams check. You'd
think since Equifax works with banks they'd force them to adhere to some kind
of security testing.

~~~
patcheudor
Exactly! This is so bad. Way worse IMHO than a failed patch or default
admin/admin password in terms of showing a lack of competence. Those are ops
issues. This showed core issues in their ability to architect and develop
secure code. This wasn't a missed patch or config file, it was flat out not
knowing how to write an even remotely secure (on the wire) application.

------
dv_dt
If the credit history data of many people have been copied from Equifax, then
the effectiveness and value of credit identity verification measures using the
exact same data from the other two agencies and any company relying on those
services severely drops. One wonders how that aspect of the industry will
change going forward...

------
Overtonwindow
Perhaps with enough heat they'll start clawing back some of that money.

------
desireco42
Only in jail as far as I am concerned, why would be the only one to suffer.

------
sillysaurus3
I think it's important to take a step back, take a breath, and look at this
rationally.

Look at what actually happened. Equifax was using the Struts framework. This
is a very safe, popular choice. They were using what everybody else uses.

There was a critical vuln in the framework, and they failed to update their
box for N months. But we're talking only a few months. N is very small --
maybe four? And yeah, you can argue that four months is an absurdly long time
to have a known critical vuln in production. But I guarantee you that most
people reading this work at companies that are similarly vulnerable. Attacks
are simply rare.

Whatever company you work for, if you do not have regular pentests, you are no
better off. And even if you do, it's overwhelmingly likely that you've
overlooked some lonely outdated server that's still running on your network
because Bob set it up a year ago and forgot about it and oh look now you have
a pivot into your whole network.

It seems very strange to choose this one company and crucify them just because
they lost your data. Everybody is insecure everywhere always, and we've
learned to tolerate this by pretending it's not true or that it doesn't exist
or that it's not a big deal. But you know what? It is true. That truth will
continue to manifest itself in the years to come. No matter how much you'd
like it not to be true, your stuff will still get stolen. Usually you just
don't hear about it.

Yes, it was stupid for them to have everybody's PII attached to that one
webserver. A single point of failure should never result in compromising the
whole system. But think about how that architecture would work in practice. A
customer service rep still needs to get at most of your data. It's a credit
bureau. Where would the data be stored in a way that a remote code exec
wouldn't be able to snag it?

Equifax's crime boils down to "they failed to run the equivalent of sudo
apt-get upgrade on their framework." When you're managing a fleet of hundreds or
thousands of machines, this is a situation that almost all of us have wound up
in. If we can't get it right, why do you want the execs' heads to roll? Are
you sure you won't be next on the chopping block?

Think about it this way: the time between "someone discovered a vuln in
Spring" and "the attackers stole 150M credit reports" was just a few months.
Are you sure Equifax wasn't a victim here? Someone threw a cinderblock through
their window and made off with their trove of data.

Except of course, it wasn't a cinderblock through a window. It was completely
silent. Even if your firewall is great, you can still smuggle data out of a
network using DNS alone.

Food for thought.

~~~
kibwen
_> But I guarantee you that most people reading this work at companies that
are similarly vulnerable._

We hold Equifax to a higher standard because of the nature of the data that it
collects.

_> Everybody is insecure everywhere always_

Some of us think that's neither necessary nor inevitable.

_> If we can't get it right, why do you want the execs' heads to roll? Are
you sure you won't be next on the chopping block?_

In some professions, including many engineering ones, gross negligence is
punished with the removal of one's ability to practice professionally. It's
imaginable that if there were consequences for one's actions, things wouldn't
be "insecure everywhere always".

Really, how am I still finding people taking time out to defend the incredible
ineptitude of a privacy-oblivious company in a hated industry?

~~~
sillysaurus3
The point is, you can hold them to whatever standard you want to. We
collectively have not figured out _any techniques_ to achieve the goal: to be
impervious, always. And that's what you demand (or "require," as patio is fond
of saying).

You can disagree with that, but you'd be hard-pressed to justify that
position. Six decades of computing history would contradict you. And as
someone who saw the landscape of real-world codebases and deployments at
nearly a hundred companies, there is almost always a way in. People are smug
thinking their code is great till you show them an SQL injection that works,
or pop up an alert(1) on their favorite front end framework.

The moment the world freaks out about this lack of security, we've all lost.
Imagine a dystopian future where the only way to write consequential software
is to have it approved by three committees. You might think that's how it
already is, but we can move way farther in that direction. Just look at how
hard it is to run a simple medical study.

~~~
kibwen
_> We collectively have not figured out any techniques to achieve the goal: to
be impervious, always._

What? It takes vigilance, training, competence, and a culture of security. Oh,
and lots and lots of money backing it up. If your company isn't willing to
make that commitment, then your company shouldn't legally be allowed to handle
any sensitive data at all. The legal consequences of a leak will be moderated
if it is proven, by fellow professionals, that a company took every standard
precaution necessary based upon the sensitivity of the data in question.
Nobody (except for perhaps yourself) seems to be claiming that Equifax's
technical chops were anything but inept.

_> Six decades of computing history would contradict you._

Feel free to actually cite anything at all supporting your position, rather
than glibly appealing to inevitability.

_> The moment the world freaks out about this lack of security, we've all
lost._

As if we haven't already lost? The Equifax leak is a privacy disaster of the
highest order.

_> Imagine a dystopian future where the only way to write consequential
software is to have it approved by three committees._

I welcome this dystopia with open arms, if it means it can save us from
defeatists who have given up on the idea that software doesn't have to be
completely terrible.

~~~
sillysaurus3
_What? It takes vigilance, training, competence, and a culture of security.
Oh, and lots and lots of money backing it up. If your company isn't willing
to make that commitment, then your company shouldn't legally be allowed to
handle any sensitive data at all._

I have personally breached companies that fit this description. That was my
job, and it's why I was hopefully the last person to breach that particular
facet of their landscape.

But pentests can't catch everything. That's the dirty secret that is also
somehow not a secret. The very next commit could make that pentest obsolete.
Ditto for spinning up a server.

_As if we haven't already lost? The Equifax leak is a privacy disaster of
the highest order._

Well, what do you think will happen from this? That may be true, yet the world
will go on. We've been trained to accept the current system as inevitable, but
SSNs aren't a security mechanism. The underlying absurdity is that we view
leaking them as a disaster rather than recognizing and replacing the fact that
we all rely on their secrecy.

If someone wants to impersonate your identity, they can usually find a way.
This breach will certainly make that easier, but I'm not sure it will affect
the actual fraud rate. Time will tell.

(I'm aware far more than SSNs were leaked. The point is that it was a bad idea
to have this central point of failure in the first place. If it wasn't
Equifax, it would've been someone else.)

~~~
kibwen
_> The very next commit could make that pentest obsolete. Ditto for spinning
up a server._

This is addressed by "vigilance". And no, we still aren't asking for perfect
security. Even on human-scale timeframes, the odds of a single exploitable
vulnerability being introduced in any aspect of the software, for even a
moment, are 100%. But if it takes only a single vulnerability to completely
exfiltrate the whole of a company's sensitive data, then you're going to be
hard-pressed to find anyone calling that a securely-designed system. I'm
sincerely sorry that a career spent in the trenches has left you so jaded and
cynical, but we _can_ do better, and hopefully we as an industry do so before
the government looks at our inability to self-regulate and imposes
double-secret-hyper-SOX on all of us.

------
justinzollars
This isn't enough.

------
tamersalama
Retire is the new fire

------
wkimmel
"Retire?" Do they mean like retire to a federal prison?

~~~
leeoniya
no, that's where the poor and disadvantaged retire to. and the occasional
disgraced public servant.

------
ransom1538
"Why did you leave your last job?"

~~~
kitotik
“I felt I had contributed all I could and felt undervalued so I’m seeking a
new opportunity”

------
ohazi
paywall:

[http://www.facebook.com/l.php?u=https://www.wsj.com/articles...](http://www.facebook.com/l.php?u=https://www.wsj.com/articles/two-top-equifax-executives-to-retire-1505510863)

------
miguelrochefort
TIL their Chief Security Officer is a music major...

~~~
rb2k_
Some of the best engineers that I worked with have been Linguists,
Music/Composition majors or Physicists.

~~~
rasz
name three

------
frandroid
NOT SO FAST!!1

------
quuquuquu
If you retire, how do the dynamics of a criminal prosecution change?

What is the chance that these executives flee to a non-extradition country
such as Russia or China for a bit, "just in case"?

Some people flee to the EU because they can make a plea against extradition
based on the appalling human rights abuses in the US prisons.

I hope Lauri Love wins on that front.

~~~
twinkletwinkle
The EU is way more serious than the US is about consumer privacy though. Might
not help them in this case.

