Equifax’s Maddening Unaccountability (nytimes.com)
477 points by aaronbrethorst on Sept 11, 2017 | 229 comments

There's something very disturbing about the fact that they can collect my personal information (without my approval); profit on that info (without compensating me); and then get hacked and I have no reasonable recourse for what they've done??

How can they not be liable? How is this not negligence?

I still hold that this shouldn't matter to consumers.

My priority of problems is

1. When fraud happens, banks can pass the pain and burden of proof onto consumers.

2. Banks use insecure SSNs for authorization; some data is used for validating eligibility, authenticating the application, and authorizing the loan.

3. There are minimal regulations on storing different classes of personal information (we need Sarbanes-Oxley for auditing/accountability of aggregated personal information).

If 1. was addressed, banks would have an incentive to fix 2., and force credit reporting agencies to improve 3.

At some level I think the banks are stuck in a conflict of interest with regard to risk. The reason we need banks and credit agencies is precisely because there is risk. If transacting parties could trust each other without an intermediary we could all just trade directly and all would be fine. So banks are actually disincentivised to create a world where risk is very low. They also don't want it to be very high. They need just enough risk that it is both (a) too big a problem for us to ignore and (b) small enough of a problem that they can solve it (for a fee, of course), but finally (c) still big enough of a problem that they are relatively insulated from competition.

I think it's no coincidence that the current state of affairs sits right at the sweet spot of these intersecting interests. And the problem is that the model requires an element of risk which is quite hard to control. Every now and then it flares up and becomes much bigger than they want. So we have incidents like this where the insecurities inherent in the system get exploited on a massive scale and the risk threatens to cross from profitable to massively unprofitable.

I suppose at a very high level your thesis might be true, but at a practical level, I don't think it is. The banks have simply seen it's cheaper to eat the cost of fraud (and ensure the victim has the burden of proof wherever possible) than implement stricter security measures.

This goes from the transaction terminal to the bank's server room.

Europe has had chip cards for over 20 years. In the US, it was very recently implemented; only in the past year.

It wasn't that the US banks were occupying some "sweet spot" of retail transaction risk/reward; they simply didn't want to shell out the extra bucks to send people cards with chips in them. Neither merchant nor bank wanted to pay for chip-reading terminals. So, nobody budged until just the past year.

I don't know whether it was legislation, or perhaps the growing cost of credit card fraud (i.e. card skimmers, etc), but for whatever reason, it certainly wasn't a "sweet spot". We've had chip technology for 20+ years, they just didn't want to pay for it.

Well, here in Europe it didn't happen all at once. It was a gradual rollout of chip-based cards, ATMs and terminals. There was a non-insignificant amount of time where some ATMs / POS terminals would reject your card because you/it didn't have the right technology.

But ultimately I think it's the people themselves that demand more security from their banks. E.g. Bank one introduces chip-based cards and more people choose that bank because they want more security. Then gradually some ATMs start to be "chip only", and banks start to see the chipless ones get all the skimmers and accelerate their replacement to lower costs, which forces businesses to start getting more POS terminals with chips to meet the demand of people with cards that have the mag stripe disabled.

Having more security seems to be what everybody wants and benefits from; it's just that Europe has smaller players, which accelerates market forces in that direction, and maybe because European consumers just want more security in general.

How do banks in Europe verify identity? i.e. I call the bank and claim to be "Margaret Thatcher," what's the next step?

Here in the U.S. the next step is usually asking for the social security number. I called VISA/Citi to re-activate my card after traveling and they asked for the associated phone number with my account. Neither of these are especially secure, in my opinion.

Can't talk about the whole of Europe, but in my country there aren't many banking services provided via phone, and banks keep decreasing their count, insisting that their clients use the mobile app, online banking or ATMs. I believe you can't even get your available balance at my current bank via phone.

Local UK bank after separation from Lloyds (now called TSB) asks for 3 random letters of your security answer which is also used as part of online banking authentication. Additionally, your address and previous transactions if you're calling re. fraud.

I think people would demand more security if they really understood how vulnerable the technology was. But no one beats that drum. So consumers remain ignorant and just keep shopping.

And even after pushing out chip reader terminals and cards with chips, banks in the US refuse to institute mandatory PIN code entry on all payments with the chip, as it is everywhere in Europe. So nothing really changed.

It still amazes me that people don't know the chip readers work faster with PINs, too. An argument against PINs I keep hearing is that the chip readers are so slow that PINs would slow things down further. The funny thing is that the chip readers right now are waiting real wall clock time in a "wish-it-were-PIN" system to generate signatures at two different timestamps instead of generating a single signature with a user PIN. It's technically hilarious.

Re: Cost of fraud.

Agreed. It still amazes me how prevalent credit card fraud is. Certainly that's preventable - if they want it to be. The problem is, the banks don't bear that cost, the consumer does. Even if the bank factors the loss into the cost of doing business, that still gets passed on to the consumer.

Consumers are limited by law to a $50 loss for credit card fraud and every bank I know waives even that.

It is merchants (stores, internet sites) that bear the cost of fraud.

But what of the time, stress, etc.?

Merchants don't bear the cost, the consumer does. The merchant might not hand me a bill but that cost is embedded somewhere in the price.

The bottom line is the consumer pays. No matter how you cut it, the consumer always pays.

I see it differently.

It's my meta data. More valuable than phone meta data, and perhaps (to me) more valuable than my medical records. I have a relationship (as well as ethical and legal protections) with my doc. On the other hand, I've never met Equifax. They have no relationship with me other than to exploit my personal info. I never opted into that.

Yes. It lowers risk. But who benefits more? Who carries the risk? Me? Or them? It's the latter, yes. Yet we have no choice in the matter? That's not kosher.

I heard in US if somebody knows your SSN, he can take a loan accounted to you by phone.

It is so strange.

What gives banks right to do that?

There is a huge difference between taking a loan "on someone's behalf" (as their representative, eg by someone with power-of-attorney) versus via impersonating them. The former is rare but legitimate; the latter is fraud.

It may be fraud, but if it's possible, that's still a problem.

SSN can not be used as authorization, because it isn't secret information. And really, the same is true for credit card numbers; they're shared with too many parties to consider them secret.

I mean the latter. Changed "a loan on your behalf" to "a loan accounted to you".

Yes, and outside of the US nobody would be able to take out a loan with a power of attorney without showing evidence of it.

Part of it is that even the name of the crime Identity Theft insidiously paints it as something purely between the thief and the end consumer, whose identity was "stolen". Alice stole Bill's identity! But where is the company she stole it from? Where is the bank where she fraudulently used this information? These corporations' lack of accountability is built directly into the name we use for the crime! It's as if they are bystanders, peripheral to the crime.

We need to bury this nebulous "Identity Theft" and call out more clearly the two specific crimes that happened: 1. negligence (the entity that gave up the info) and 2. bank fraud. When you use these terms, the companies don't get a free pass. Just change the words and they're part of the mess.

Something an uncle said:

It used to be called bank fraud and it was the bank's problem. Now it's called identity theft and it's your problem.

The bank the identity thief borrows from does suffer and is the one on the hook for the money at the end of the day. So they are kind of accountable. It's the leakers like Equifax that are not.

Common misconception. They actually do need your approval, it's just that that approval is buried in the mountains of legalese you sign whenever you sign up for a bank account, credit card or loan.

So, if I don't want to give them my approval, I must: not sign up for a bank account, never open a credit card, avoid getting a mortgage, buy only in cash, stop renting [0], only apply to some jobs [1], not take out student loans...

[0] Some landlords require credit approval

[1] Some jobs check credit

You also can only buy cars from individuals (dealerships run credit checks, even if you pay with cash/check/direct draft) and you probably can't get power, water, gas or Internet in your name (you'd need a roommate and have to pay them).

Why would a dealership need to do a credit check if I showed up with a briefcase full of money to buy a car?

Because of the Patriot Act. https://www.edmunds.com/car-buying/car-dealership-credit-rep...

I was also very surprised to buy a car with cash, only to have a credit check required. It's a real thing. And according to this article, not required, but dealerships are confused by the language of the law and insist on running a credit check, anyway.

I think they know better, but they use it as an excuse to run your credit thus giving them more information about you as a buyer and an opportunity to sell you on their credit products (which is what they make their money on anyway).

The link you posted shows the exact opposite of what you say. The Patriot Act doesn't mandate a credit check when purchasing a car.

You also cannot buy a house with cash. We had to launder my father's life savings in a bank for six months before we could use it to buy his house, because the seller still had a mortgage on the property when he listed the property. (Why my father's life savings was under his bed is a completely different story.)

They don't. I just bought a car from a dealership on August 1 without a credit check.

The dealership wanted to run a credit check if I were to pay with a personal check, but not if I paid with certified funds. I called my bank to have my debit card limit raised to $40,000 for 24 hours and paid for the car on my debit card with no credit check.

Did you have to do the IRS form stuff?

It's hard to recall all the forms that I signed that day. I don't remember any IRS forms.

Can confirm. I bought a car last week in California with cash. Dealer did a credit check.

The system is rotten and (short of moving country) impossible to avoid.

FYI dealers do this because they want to be able to offer you financing if your check bounces. It's also a way to ensure that you go through with the transaction because now your credit is worse and going somewhere else would lead to worse financing. Put a freeze on your accounts with the credit bureaus before you get serious about buying a car with cash. Tell them that they may not do a "hard pull" against your credit. If they try, complain to the appropriate government officials (not sure who this would be, some consumer protection agency) and take your cash elsewhere. It's a scam to lock you in to buying from them. I brought my own financing to a dealership and they wanted me to sign a thing which among other things authorized a credit check. I crossed that part out and signed it. This caused some back and forth with someone who was not in the room (basically my salesman had to go "get it approved") but they really wanted the sale because I drove a rental car down from 6 hours away just to buy this specific car (I had set the sale up ahead of time over email). I was very close to walking out and they probably knew it, and figured that they'd rather make the sale vs trying to sell me on their financing vs mine (I happened to get an extremely low rate from a credit union).

> It's also a way to ensure that you go through with the transaction because now your credit is worse and going somewhere else would lead to worse financing.

There is no need to spread misinformation. While it is true that a hard inquiry will have a minor effect on your credit score (less than a 5 point hit), multiple hard credit inquiries from car dealerships or mortgage lenders within a period of 45 days only count as a single inquiry.

You're not at all disadvantaged by taking your business elsewhere, you're just making things up to furnish your dubious story.

I have low patience with salesmen who prefer to BS me with credit when I have the cash available.

What would've happened if your reports were frozen? Would you have been denied the car?

I bought a car by check in CA and I'm 99% sure I didn't get a credit check. I did have to prove to the seller that the account from which the check was written had sufficient funds, but that was it.

I'm pretty sure the credit check is done automatically by the dealership software, as part of entering a person into the system to get their paperwork filled out. It's probably done to save time because 99.9% of the time it's necessary. The credit check won't stop the sale if you're paying with a briefcase full of cash or writing a check.

That said, going in with a briefcase full of cash is going to cause a lot of other problems.

Yes, but you really have zero choice. Unless you decide that you can live without a cell phone, rental car, credit card, mortgage or bank account the rest of your life.

You can do only burner prepaid sims that don't require a name/personal info (which is a bit difficult to find) but your general point is still very valid. You cannot escape the data collection systems in our society without going all Henry David Thoreau.

> You cannot escape the data collection systems in our society without going all Henry David Thoreau.

Or living suspiciously like a drug dealer (without money laundering).

You can get a rental car, prepaid credit cards, and prepaid cell plans without providing your SSN. Although I'm sure a mortgage and bank account wouldn't be possible.

Is it really a choice if it's necessary to participate in our economy? No bank or loan will offer terms that don't involve the use of one of these credit reporting agencies.

It is effectively not a choice, and they take advantage of that.

Although, in the case of identity fraud, they don't have your approval. Someone else signed the paperwork.

A choice you can't say no to is no choice.

These fake contracts are the bigger problem.

Recourse? Of course there is! You can subscribe to paying them a protection fee that's very vague on what it actually does and that you can't unsubscribe from without faxing and snail mailing them forms.

Totally reasonable.

We have all agreed. We gave permission to any company that extends credit. They give our information to these credit reporting agencies on an ongoing basis: personal information, including what our payment behavior and history is.

All of this comes down to trust. We trust our banks and credit card companies. They trust Equifax. Equifax's customer is your bank or credit lending company, not us. It's actually very similar to Google, et al. We aren't the consumer. They collect our personal information, vastly more than credit agencies. And the real customers are the advertisers who pay Google. The difference is, we probably trust Google more than Equifax (even before all of this).

A month ago, my mom said she wanted to start using Uber on her phone. I explained how to install it, and when she did (as well as the Lyft app for that matter) it wanted access to her camera, photos, contacts, a list of information on her phone. And she said fuck no. And refused to give permission. So she still uses cabs and pays cash.

If an app wanted all that just to call a cab, I’d say “fuck no”, too. (Not an Uber/Lyft user, can’t confirm.) GPS, that’s all you need, and that’s all you’ll get. If you need more, ask me directly instead of digging through my shit.

Android, at least until very recently, had no way of asking at the point of use, despite being a feature in Symbian S60 since before the iPhone :|

If she still wants to use Uber, you can add a link to https://m.uber.com to her homescreen, no app needed. It also avoids the tracking after leaving the car (assuming she closes the site).

Since when does Uber ask for use of your camera or access to photos? And for what?

You can take a picture of your payment card instead of typing the digits in.

It should ask for permission if you try to do that, not when you install the app.

It might be an Android thing. In iOS you can ask when you need it, and still use the app if you say no. I've gotten the impression that Android asks for everything up front at installation time and doesn't install if you say no, but I'm not an Android user/dev so I don't know for sure.

That used to be true but the permissions model changed to just-in-time a couple versions ago.

We don't trust them. We are forced to say we do, because the other option (to go without all the services gated on that answer) is so uncomfortable as to be non-viable for most.

I suspect it will become a priority soon. Somebody is likely to pastebin the data for some cabinet members, Congresspersons, etc. Then the matter will make it to the front of the queue.

Which sadly makes it a very short list of people they actually have to compensate for their troubles.

It would be nice if people actually owned all their own data (credit, medical, etc.) instead of for-profit corporations. A valid service would be to authenticate/notarize the data, perhaps, and then you'd have actual competition.

> How can they not be liable? How is this not negligence?

The elements of negligence are:

1. Duty

2. Breach of Duty

3. Cause in Fact

4. Proximate Cause

5. Damages

You probably haven't suffered legally cognizable damages (yet). If and when you do, they might well be liable.

I'm not a lawyer, but I think it's pretty crappy that you have to show damages in order to nail someone for negligence. Shouldn't it be enough that they engaged in risky behavior? If I go out on the road and drive in a risky manner, I can end up guilty of all sorts of things without hurting anyone or damaging any property. But give up personally identifiable information (which we know leads to bank fraud) and somehow it's "show damages or GTFO".

Treating my identity (aka personal privacy) as my personal property would help remedy this imbalance. Make a buck off my data (property), give me my cut. Allow someone to steal some portion of my identity, pay me damages.

Don't want to be liable? Then don't store my data.

The credit system sucks. But has anybody created a better alternative yet?

Yes! Germany and I presume other European countries have a much better system.

The main difference is that there is no magic number that anyone can use to borrow money in your name. Lenders have to verify a person's identity using ID.

Furthermore, to get a loan you don't have to build up a score first. You could get a mortgage if you have never borrowed money in your life but have a stable income.

For remote identification we have, for example, Postident:

Article is in English: https://www.deutschepost.de/en/p/postident/identifizierungsv...

> You could get a mortgage if you have never borrowed money in your life but have a stable income.

Same in the US, although it's a bit of a pain in the ass. It's my understanding, though, (correct me if I'm wrong!) that Germany is a bit less thrilled about credit than most other countries—even in Europe.

Credit management is big in Germany through SCHUFA and other companies and queried much more liberally. E.g. every time you purchase something online the store will likely check your credit and determine available payment instruments (this is pre-purchase) based on the response.

I don't think so? Germans have fewer credit cards, but they still borrow money in the form of overdraft loans on their bank accounts.

No, they don't, just as most Americans will always pay their credit cards in full. Overdraft loans have terrible APR, as does credit from credit cards.

Most countries don't have credit scores at all.

There's typically a single public entity that holds insolvency records within the legal framework. In some countries nobody can query it but yourself; you're therefore asked to submit a copy of your record in some occasions.

As for solvency, when you sign a lease or contract a mortgage, you're asked to submit proof of income.

(Someone mentioned Germany earlier, it's a terrible example in my opinion, Schufa isn't much different than the US credit agencies, albeit more accountable hopefully).

Yes, many times. It is not that hard to not base your entire banking system on a single number anyone can use.

What gives banks the right to consider an SSN an authenticator?

Is there a law allowing that?

Common sense suggests it should only be possible if the user explicitly accepted "I agree that knowing my SSN is enough to prove it's me and I agree to be liable for any debts created with just my SSN presented".

But isn't your SSN given by the government? Does the US government require anyone to sign such an agreement before they get an SSN? Without it, a bank claiming I owe them money because "we got your SSN" is fraudulent, plain and simple. Report the bank to the FBI.

But that's probably far too sensible European thinking.

I regularly keep hearing reports of how the US handling of money is basically medieval with some badly thought out insecure bits pasted on top. And some of that gets exported! It sucks that I need to own a credit card to be able to make international purchases on the internet. Why is there not an international version of iDEAL?

You misunderstand US law. Yes, someone can use my SSN (along with other private information) to create a debt. That doesn't make me liable. If it shows up on my credit report, I can disclaim responsibility using existing legal protections. As long as I truly didn't create the debt, it is the debt holder's problem.

But the problem has been created, and you've got to fix it, paying at least with the time you spend solving it.

What you're saying is probably true in any country; but in reality imo it's way easier not to allow that to happen in the first place.

Note that this is a great question to ask about all the f*ed up things in the USA. Hardly ever asked though for some reason. Having been the country that landed people on the moon seems to have removed the option to ask if other countries have better ways of doing things.

As far as I know, the USA is the only country that uses such a terrible credit system. In most other countries credit rating is controlled by the government itself or is at least heavily regulated. I haven't encountered any problems with my credit system -- nobody can check my credit rating without my prior written (or digitally signed) permission and I can log in online anytime to see who has checked it. Furthermore, once a year I can get a complete, free report to explicitly see how my credit rating is calculated.

If you're looking for a model for better regulation, take a look at the EU's General Data Protection Regulations. It just makes sense to have a single piece of legislation that regulates the use of personal data and a single statutory regulatory agency with powers of enforcement.


The author likens this to automotive safety, but I think a better analogy would be airline safety. When an airplane goes down, an immediate investigation is done by third parties to find the cause. Then remedial steps are drawn up and the entire industry is expected to follow them, not just the company involved in the accident. Data breaches need to be held to this standard.

This is a great idea I'm afraid will never happen.

I don't know. One airline disaster is arguably less economically destructive than this breach. It could end a $70B company, or lead to a bailout, or ruin credit application processes for years causing the US economy to stumble.

Nothing makes things change faster than disrupting the money flow.

You! You didn't pay a small bill 4 years ago because you changed address and a debt collector marked you as naughty. No loan for you! Hahaha! ... Oh, we just leaked all of your information. Ah well, today is a new day, ... dum diddly dum...


The problem is incompetence in our industry. Anyone who has worked long enough knows that technical competency is not rewarded (outside a few rare firms) in software engineering.

You're oversimplifying. This has more to do with politics than SE technical competence. Banking software and systems are regulated end to end, because banking systems are literally the backbone of the global economy.

Equifax? Not so much. This exposure hurts consumers, but it doesn't even put a dent in the economy as a whole. That is why these firms are allowed to operate with such shitty security. If they get hacked, whatever, just a few hundred million customers data exposed to identity fraud. It takes a chunk out of Equifax stock but they'll probably survive. What is the incentive for congress to enact laws regulating corporate handling of consumer data?

Put it this way. Who do you think is louder in Washington: consumer advocacy groups or corporate lobbyists?

> What is the incentive for congress to enact laws regulating corporate handling of consumer data?

They already did, it's called the Gramm–Leach–Bliley Act:

> In terms of compliance, the key rules under the Act include The Financial Privacy Rule which governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies, appraisers, and mortgage brokers – that receive customer information from other financial institutions.

Note the inclusion of CRAs.

GLBA was enacted in the 90s and is a vague set of guidelines for financial and related industries to follow. I'm talking about real system regulation, down to the level of protocols.

I'm not sure they actually care in Washington. I was impacted by the OPM breach. I got a form letter and some credit monitoring. All that outrage and, as near as I can tell, not a damned thing has changed.

I might be biased and jaded.

That's exactly what I'm saying. There is near zero incentive for congress to enact consumer protection legislation.

There's incentive (as it's their job, or is said to be). What there isn't is a downside if they don't.

If we're talking about economic incentive, having no downside for not doing thing A is equivalent to having no incentive to do thing A. Re: opportunity cost.

Yes. In economics that's the context. But in terms of civics, I think the term is: voter apathy.

I was adding to, not arguing with.

Especially when they're trying to dismantle what little we have (CFPB).

The problem is lack of commercial incentives. Apple, Google, Facebook, etc all have serious dollars at stake if they don't get security right. Equifax on the other hand...

If only society had some other tools in the box to address problems that market incentives can't cover.

Exactly. And congress can fix it.

Since when is 3 billion dollars in revenue not serious money?

Because they don't lose any of it for the breach. Market value will bounce right back. The company will merrily chug along like nothing happened and collectively the industry will go on working with Equifax because who else will they use?

Because you and I do NOT pay for or directly use the product that contributes to the $3B. I can buy a phone and still avoid Apple. I can use the web and still avoid Google. I can avoid Facebook altogether (some argument as to whether I can actually avoid this). But if I want to use a credit card, buy a house, etc. I cannot escape Equifax.

Thanks. I understand your point now. It's money that will motivate congress but in reality the Equifax breach is more impactful to you or me.

Have you heard the term moral hazard?

It is sometimes a maddening fight to get software quality shipped and not ship a maintenance nightmare in certain orgs. This especially depends on if the company is engineering led or more bizdev/mba led or how much the latter values engineering.

Equifax is a business that is not engineering led today and probably will never be as it is a credit agency and not consumer focused. For a company that has been around since 1899 and through many technological changes, they should have really focused more on cyber security in this age. Then again, Equifax is not a consumer company, they are a credit agency and only answer to their customers that probably don't value spending on securing personal data as the ones that are accessing Equifax want that data.

The question is, if a company (and its stakeholders) doesn't care about securing data, even though that data is how it makes its money, should it be in control of all that data?

To be fair, it's not 'technical competency' but rather a broad range of operational, process, product and engineering competencies.

Also, a lot of companies just don't have a thoughtful process for this.

Think of how much data Google and FB have, and they've never been breached. As much as I loathe them, I actually feel more 'secure' with the data that is supposed to be secure with FB than with my local bank.

FB depends on talent, banks depend on thick process, regulation and massive risk aversion.

Equifax depends on mediocre eng, product, ops etc..

If they have any sense they should outsource the whole thing.

So true, keep your head down and wait for your bonus. Everyone in middle management is too busy with self preservation to bother doing what's best for the company.

Now would be a great time to go long EFX in my opinion.

The stock has been slammed while Equifax is being flogged in the court of public opinion, but I doubt this leak will have any lasting financial impact.

Look at the result of the Target and Home Depot breaches: whether you like it or not, the companies are still technically the victims here and no court is going to bankrupt them for data breaches that are more and more becoming the norm.

> but I doubt this leak will have any lasting financial impact.

I am going to have to stop you there. As someone who works in the financial sector, I have quite a different view of this situation. Best case scenario (for the organization) is that it is fined directly into bankruptcy and someone like FIS acquires them for pennies on the dollar. I am still waiting for CFPB to drop a nuclear bomb over this issue. There will be new PII regulations around the corner for sure.

I also question the extent of the leak... I keep hearing it was just basic PII, but if someone got a dump of the entire credit history database, a huge range of financial products (e.g. Knowledge-Based Authentication) become entirely compromised.

Equifax has an $18B market cap. Can you name one instance of a government imposed fine for improperly stored PII exceeding even $100M?

Furthermore, do you have evidence that the PII was improperly stored, or that Equifax's security practices were lacking in any way? The vulnerability provided full RCE, and I know of no info-sec magic that inoculates you against that.

Having root on a web server shouldn't give you access to 147 million customer records.

I'm eagerly awaiting the technical details of the attack. If it turns out that their web server has 100% unfettered access to the database then I'll gladly pick up a pitchfork as well.

I'm wondering if Equifax is using Struts-provided REST for its entire architecture. If that's the case, gaining access to the web server was only the first step. From there the attacker could perform RCE on sensitive services.

If it turns out that their web server has 100% unfettered access to the database then I'll gladly pick up a pitchfork as well.

You may want to think twice. Try to design an architecture that doesn't have that. If you think it through, you'll realize the best you can do is not to deny access, but to monitor access so that any statistical deviation in requests-per-hour will trigger an alarm. Yet nobody does that, so why should Equifax have been a pioneer in this method?

This is the uncomfortable truth that everyone is obscuring here. There wasn't a solution. Equifax got owned, and they happened to have a trove of data. Everyone now wants to see their heads roll, but you too would find yourself in the same situation if you have an RCE on your servers.

> You may want to think twice. Try to design an architecture that doesn't have that.

We have an architecture like that where I work. It's not that hard. Our web applications have very little direct access to databases; most of it is mediated by services downstream of the web app. That's certainly not a silver bullet, but it makes it impossible to exploit a RCE vuln in the web server in such a way that it lets you have arbitrary access to the database.

And let me guess. Those services give the webservers...the data that they ask for?

Once you've compromised a server, learning how to ask for the data you want is not hard. You have access to all the webserver's code, can make full dumps of communications occurring normally in the app, etc.

It's different, though. If my web server has direct database access, and it gets compromised, an attacker can go in and directly do "SELECT * FROM users" and get all my data in one go. If the database is behind a restrictive service, and they compromise just the web server, then they have to sit on the web server and pull each user record one at a time. And they might not even be able to, depending on search options -- like they might just be able to do "GET /users/{userId}", and if you don't know the user IDs, you get nothing (our user IDs happen to be randomly-generated 128-bit numbers, so searching through that space would take a while). Even if they can get past that hurdle, the extra traffic it would require to pull down the full database with one request per user would certainly set off alarms, and doing it slowly enough to not set off alarms would just take too long.

Of course, another option would be to use the web server compromise to then jump to the database service and compromise that box as well, but, again, more hurdles to jump means less of a chance of success.

Nothing is perfectly secure, but you can design systems with defense in both breadth and depth, and you can slow down or defeat many attackers that way. It's not about making Fort Knox, it's just about making breaking in more expensive than they can handle.

I believe the usual way is to have a separate authentication service, to which you send the user's credentials and you get a token that you can use to request only that user's data.

That means, barring other exploits, you can only access the info from the users who logged in while you had control of the machine.

Have you had a netpen? Give me access to your web server (aka an RCE) and I can probably find a way to pivot to your downstream databases.

That's the point, you have to pivot. If you don't have to jump through another host or two to get unfettered database access from web tier, you're doing it wrong.

It wouldn't have changed Equifax's situation at all. Everyone would still be just as outraged.

It occurs to me that maybe it might seem like pivoting is a big process that takes months. In reality you can map out an internal network within a few hours. Most people keep the servers at the edge of their network meticulously up to date. Once you're inside, you find way more old software. Not to mention creds just laying around the system in many cases since the devs don't expect anybody to be able to access them.

I feel like the worst offense Equifax could be accused of is not getting regular pentests. A netpen would have caught the outdated Struts issue, and they had money to get monthly tests. But very few of us get regular pentests.

That's one thing the org I work for does right.

We do have monthly tests, scans, and network BGP issues. And our governmental side has a different set of scans, which also include system security scans.

Whoever is on call ends up doing them during the week. It's usually pretty quick, but can turn into a slog.

Oh, and all our machines are updated appropriately, not just the border machines. There are some services we're not able to adequately update, like FreeRadius - but for each of those we review the criticality and determine if we need the resources to make it work (aka: remote priv exploit)

I have done netpens. Almost always it is as you describe. Sometimes someone has their shit together and it is not.

I broadly agree with you, but disagree with your claim that Equifax has no duty to innovate in security. They have one of the biggest databases of PII in private industry. I believe that bestows on them the duty to keep it safe.

The problem is that this information can be used for identity fraud. You should really find a solution for that problem.

There are lots of companies offering software to do exactly what you describe, that is, statistical analysis of telemetry as a way to detect anomalous behaviour, e.g. LogRhythm.


How about use a WAF, and a good security-centered one, not something off the shelf just to say you have a WAF.

For one.

> The vulnerability provided full RCE, and I know of no info-sec magic that inoculates you against that.

If the vulnerability used turns out to be the Struts one that was announced at the beginning of the year, then the "magic" here would have been quite muggle-like: update the damn dependency. Not doing so is negligence, plain and simple.

(I agree with you, though, that EFX will almost certainly come out of this relatively unscathed.)

The statement released by Apache said that, if the attack did use the REST plugin vulnerability in Struts, then it would have been a zero-day at the time of use.

You will note that Equifax is not a contributor to Struts - cash or code. They are trying to shift the blame onto something they got for free and work other people did for free.

It's my understanding that Equifax is a multibillion dollar org. (Something in the order of 17 billion USD). Since Struts is a major part of their business infrastructure one would expect a contribution to the Struts project and other software they rely on. They could spin it as "Social Responsibility" too.

In retrospect it seems more cost effective to do so too, even if Equifax manages somehow to pay only a few hundred million dollars.

Yet Equifax continues to evade giving details on the attack. That itself is damning evidence they weren't doing everything they should have been to protect their servers and data.

I wonder if the legal concept res ipsa loquitur (the thing speaks for itself) could apply here? It's one foundation of tort law.

The argument would be that the very fact that PII security was breached demonstrates defendant's negligent data storage/security practices. If those practices had been adequate, the breach would not have occurred.

If that's the case then I'd suggest every software developer on this forum immediately switch careers, this one is doomed.

Well, there is that. Maybe reality is that no set of security practices can ever secure PII. If so, that's an even bigger problem than lackadaisical firms like Equifax.

But I think higher expectations, helped along with civil legal machinery that's likely to mete out meaningful punishment, would move us faster to finding out whether the problems are mostly just sloppy practice (which responds to economic penalties) or whether they're more fundamental and need a different fix.

You need to think beyond the fine. There will be costs of new regulations (if passed), increased costs for lobbying against any said efforts, loss of revenue (would you want to have your company name as a partner for Equifax), and finally lawsuits.

Going long may make sense but we've not hit bottom yet.

"The vulnerability provided full RCE, and I know of no info-sec magic that inoculates you against that."

Not really accurate because the exploit name, especially as generic as RCE, does not tell you how it was done. RCE can be a number of things that can be fixed in numerous ways. For example, file upload functionality with path manipulation and no file type validation may lead to RCE. This can certainly be removed with properly crafted file upload handling.

Some RCE, particularly on lower layers of the application stack, may be more difficult to defend against, especially in the case of unknown exploits.

Fair enough. I more meant that after an attacker has achieved RCE, no amount of encryption or other practices can protect sensitive info in your database.

Why does the webserver need access to All of the Datas? Store the data separately, and create use-tokens for webservers to access data once users have authenticated.

The webservers should be treated as if they're potentially compromised, not given arbitrary access to a database...

Encryption can't save you, but other practices can.

Specifically: if you're working with a lot of very sensitive information, you structure your application such that there are multiple layers separating that data from the outside world. In the case of Equifax, that might mean implementing the "credit score check" as an internal service exposed through the public web servers (or whatever).

Exactly. While nothing can completely stop attackers, there are multiple techniques you can layer to slow them down. E.g:

* Credential vaults that allow only-once retrieval on application startup and only keep credentials in memory

* anomaly detectors for request patterns (suspicious payload formats, processing time, CPU/memory usage, etc),

* Honeypot records in sensitive data stores (records you know should never be accessed, if they are you've been breached)

If you're storing information this sensitive you need to be paranoid, because an attacker has a $4B incentive ($30/identity on the black market * 143 million records) to crack your systems.
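The per-user token design in the exchange above (a mediating service that answers only for the user whose token it holds, opaque random 128-bit IDs, and a rate alarm) and the layered techniques listed in the comment just above (honeypot records, anomaly detection) fit in one small service. This is an added example, not code from any commenter; the class name MediatedStore, the token format, the hypothetical thresholds and the constructed users in the comments are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple


class MediatedStore:
    """Data service the web tier talks to instead of the database (added example).

    Design points taken from the thread:
      * records live under random 128-bit IDs, so there is no ID space to walk;
      * there is deliberately no "list" or "search" call, only get_record();
      * a token is bound to one user and one expiry, so a compromised web
        server can read only the users who logged in while it was owned;
      * every request is counted in a sliding window and a burst raises an alarm;
      * honeypot records never appear in a legitimate flow, so any request
        naming one is treated as a breach signal.
    """

    def __init__(self, signing_key: bytes, max_requests: int,
                 window_seconds: float, clock: Callable[[], float] = time.time):
        self._key = signing_key
        self._records: Dict[str, dict] = {}
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}
        self._honeypots = set()
        self._max = max_requests                  # hypothetical threshold
        self._window = window_seconds
        self._clock = clock                       # injectable for testing
        self._recent: deque = deque()             # timestamps of recent requests
        self.alerts: List[Tuple[str, object]] = []  # what monitoring would see

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, password: str, record: dict, honeypot: bool = False) -> str:
        """Create a record under a fresh random 128-bit ID and return that ID."""
        user_id = secrets.token_hex(16)
        salt = secrets.token_bytes(16)
        self._credentials[user_id] = (salt, self._hash(password, salt))
        self._records[user_id] = record
        if honeypot:
            self._honeypots.add(user_id)
        return user_id

    def authenticate(self, user_id: str, password: str, ttl: int = 300) -> Optional[str]:
        """Authentication service: credentials in, short-lived token for that one user out."""
        cred = self._credentials.get(user_id)
        if cred is None:
            return None
        salt, stored = cred
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        payload = f"{user_id}:{int(self._clock()) + ttl}"
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def _subject(self, token: str) -> Optional[str]:
        """Return the user ID a token is valid for, or None if forged or expired."""
        parts = token.split(":")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        user_id, exp, sig = parts
        expected = hmac.new(self._key, f"{user_id}:{exp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or int(exp) < self._clock():
            return None
        return user_id

    def _count_request(self) -> None:
        """Sliding-window counter; denied requests count too, a burst of them is anomalous."""
        now = self._clock()
        self._recent.append(now)
        while self._recent and self._recent[0] < now - self._window:
            self._recent.popleft()
        if len(self._recent) > self._max:
            self.alerts.append(("rate", len(self._recent)))

    def get_record(self, token: str, user_id: str) -> dict:
        """The only read path: one record, and only for the token's own subject."""
        if user_id in self._honeypots:
            # Nothing legitimate ever asks for a canary, whatever token it carries.
            self.alerts.append(("honeypot", user_id))
        self._count_request()
        if self._subject(token) != user_id:
            raise PermissionError("token does not authorise this record")
        return self._records[user_id]
```

With a fixed clock, three reads in a row pass quietly, the fourth trips the rate alarm, and a probe of the canary ID is flagged even though the token it carries is rejected.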

No, you have to use other architectures for defending against that. Equifax sells queries to this data; they also use queries to that data as a trigger to change your credit rating. It seems like you'd want a very tightly audited mechanism for issuing these queries to make sure they are properly billed. Referring to it as a Struts issue makes it sound like someone popped a web server, fired up a db client and started dumping unencrypted tables.

It seems amazing that nothing tripped up some monitoring or something.

> Best case scenario (for the organization) is that it is fined directly into bankruptcy and someone like FIS acquires them for pennies on the dollar. I am still waiting for CFPB to drop a nuclear bomb over this issue.

There is zero chance of that happening. There's been no hint of this from any reputable source (i.e. not clickbait headlines). Will there be financial repercussions? Fines? Loss of stock value? Absolutely. Will Equifax go out of business or get sold? Absolutely not.

New PII regulations sure. Fined directly into bankruptcy? Yeah, ok. Just look to BP, Volvo, or any of the now-dozens of companies responsible for massive data breaches in the last few years.

Seriously? I rarely see these deeply enmeshed financial firms get fined into bankruptcy, since they've effectively reached "too big to fail". Kind of optimistic to call that the "best case" scenario.

If that's true, then it would encourage a prospective suitor to hack them. Wait for the fallout and then buy in. Certainly it's much cheaper to hire a hacker (or several) than to pay full price, correct?

Knowledge based authentication is crap and therefore worthless. I look forward to it being marked to market.

I thought about that too but it could also be possible that they may get bankrupted by lawsuits. I don't see Equifax as victim. I hope they will go down and be warning for the rest of the financial industry.

Target lost tens of millions of credit card numbers and paid just over $18 million to settle every lawsuit against them.

People seem to conflate the way they think things should be with the way things actually are.

Exactly. The costs to EFX will likely be <$100M all out, after all the torch-waving and yelling. Equifax net profit in 2016 was $488M.

Longer term, this is actually quite possibly revenue-positive for Equifax - they will trick a non-inconsiderable number of people into signing up for their credit monitoring service, and everyone who wants a credit freeze gets to pay $10 (in Illinois at least). That's $1.45B in potential revenue right there! Once Transunion and Experian see the success of this ploy, they may have strangely poorly secured border networks of their own set up invitingly for the retail hacker...

While I agree with your second statement, losing SSN and financial information is vastly different from losing credit card numbers. If my credit card number is stolen, I have to get a new one, and call the bank if any transactions show up before the new card comes.

If my SSN and financial history is stolen, someone can impersonate me. They can sign up for bank accounts, loans, credit cards, etc.

This data is far more valuable and damaging than a credit card. Credit cards are easily canceled and the public has zero liability.

How many warnings do they need?

Well, the other two credit agencies would be a good start...

> The stock has been slammed

Equifax's stock hasn't been this low since... oh, last November. Hm. Not really sure I'd call that slammed.

> whether you like it or not, the companies are still technically the victims here

Wait, what?!

What does whether I "like it or not" have to do with Equifax's profound negligence?

Now would be a great time to go long EFX in my opinion

I agree with the sentiment, and I’m keeping my eye out for an opportunity. But I don’t think they’ve been hammered enough. I mean, it’s not like they’ve hit a 52 week low or anything. Maybe if I can find some in-the-money calls for a reasonable price...

Doesn't seem low enough to me, at least not low enough to warrant the risk. It has hit a lower price in a 1yr term... Just saying I've been burned with that kind of thinking; sometimes it's best to wait for the anger to settle out and buy into the curve up rather than try to guess the bottom.

Did you use that strategy with United Airlines after they injured that guy when bouncing him from the flight?

There's an important difference: consumers choose to fly with UA just like they choose to walk into Chipotle and buy a burrito.

The vast majority of EFX's profits come from services that consumers (effectively) don't choose to participate in.

I get your point but, in this case, the consumers are banks and the likes. You aren't, probably, their customer.

I'm not suggesting that's right, but it is how it is.

What impetus do the banks have to change credit rating providers, especially when it would come at massive cost to themselves and probably take months if not years?

The only one I can think of would be consumers refusing to open bank accounts or credit cards with them because they run Equifax checks, which seems improbable.

Right? I don't think they will change. I am biased and jaded, however.

I did. I made bank on that one (I bought calls, but same difference.)

The only viable path forward now is to dissolve these three agencies and reform how we manage identity and credit in the United States. It might take a few years, but shareholders and employees of these three companies should start making other plans if they haven't wisely started to already.

We have the technology to manage credit in ways that are vastly more private and secure than a giant, poorly run, insecure personal data repository.

Using strong cryptography, we can build pseudonymous trust graphs where nodes in the graph (cryptographic identities) publish cryptographically auditable trust relationships. Using various graph exploration techniques (e.g. unrolling the trust graph into a trust DAG with known creditors as terminal nodes and calculating path properties to those nodes, using proof-of-burn and non-distributive path combination to disincentivize Sybil attacks on the trust graph, etc.) we can estimate trustworthiness (or, more specifically, creditworthiness) of cryptographic identities rather than legal identities. In the end, you're probably still going to want to link at least one cryptographic with your bank account, but you would have vastly more control over the relationship between privacy and public verifiability of trustworthiness.

Of course, just because this is possible doesn't mean it's going to happen. The primary obstacles to an open, secure trust system are that A) it's harder to make people manage their own trust network than it is to spy on them, B) trust networks rely on the network effect and C) there's no obvious way to make money off it. Any extant system that resembles what I've described is mostly limited to tech nerds. I'm not sure what it would take to trick/convince the general population to use such a system.

PII is the nuclear waste of the internet. Incredibly expensive to store safely, and constantly vulnerable to a catastrophe.

And once it leaks, it's damn near impossible to clean up.

I feel like it's worth pointing out that the internet was a better place before people started using it for PII.

Credit agencies were about PII before the internet, but internet companies that collect all this PII toxify the internet.

So how can I stop using Equifax? Or at the very least how can I find banks or other agencies that don't use Equifax? Is there any way to stop them from hoarding all my data without my explicit consent?

To my knowledge you can't stop, per se. If you're savvy you can avoid seeking credit from any institution that pulls Equifax, by asking from what CRA(s) your report will be pulled and simply walking out if they tell you they pull Equifax. This doesn't guarantee that they won't report to Equifax, however, and it certainly doesn't guarantee that Equifax won't come up with the information by other means.

Unfortunately, also, it's safe to assume that Experian and TransUnion operate just as badly as Equifax, so attempting to live an Equifax-free existence probably isn't particularly useful. If Equifax does suffer for this leak, actually, it's a relatively safe bet that they will take security more seriously so as to better protect their interests.

You might be able to find a credit bureau that does not report to Equifax. Might be better off calling your representatives in Washington and telling them we need better consumer data protection regulations. Good luck.

You can't, you're the product not the user unfortunately.

Will the SSA (social security administration) office be issuing new numbers?

"Most software failures and data breaches aren’t inevitable; they are a result of neglect and underinvestment in product reliability and security."

How do we know that Equifax fell into this category? That this was due to negligence? I see a lot of disdain towards Equifax but yet the breach details have not been out yet.

The 6.66 billion dollar question.

Of all vulnerabilities that created massive amount of personal data leaks this may be the biggest but it is hardly the one caused by the most negligence.

LinkedIn using unsalted SHA hashes is a lot more maddening. Here you have a vulnerability being disclosed and not enough time to patch your code.

Equifax played a slightly different version of this commercial during Monday Night Football a few times. It takes no accountability, but also doubles down, claims your info might* be on the dark web (*because they just negligently released it), and offers a "dark-web scan" service to help find it...


Experian != Equifax

Thanks, that was my mistake. I confused the two and didn't even notice before posting. Too late to delete my inaccurate comment (mods?). It certainly makes sense for Experian to advertise this service given their competitor's recent leak.

For sufficiently weak notions of equality.


So convenient to offer the problem AND the solution.

>> I’m still dealing with the damage to my credit rating that resulted when I forgot to return a library book and a collection agency was called in (for a paltry sum).


>>Zeynep Tufekci (@zeynep), an associate professor at the School of Information and Library Science at the University of North Carolina

You'd think she of all people would know better.

Maybe this will finally be the "Three Mile Island Incident of Data" that Maciej Cegłowski talks about? If not, I don't know what will.


The 3-mile island of data leaks will happen when the ISP DNS lookups and browser history logs get matched up with the credit data and all the other datasets that are floating around.

Naive question from Europe. What's the influence such NYT article may have on the legislators?

One more reason to move away from current financial system to bitcoin.

That was so satisfying to read, it's rare that I come across a voice angrier than my own in the New York Times of all places. Makes me think there is hope this world won't fall apart after all.

Tufekci is a national treasure.

Whatever happened at Equifax was disastrous. But I really liked the way that they are containing it. Their CEO released a statement. They launched a specific site for security scans for their user for free. They are communicating it to their customers transparently.

With that I also saw that cyber security is and will be the biggest threat of the next decade. There are many cyber security companies these days, but I didn't see a single company moving forward to support the Equifax team to figure out what happened and how it can be prevented. Cyber security companies should have volunteered for the cause.

> But I really liked the way that they are containing it.

Please let this be sarcasm...

> They are communicating it to their customers transparently.

They knew well in advance that there was an issue and did not communicate it well. They have 3 senior managers who look to have sold their stock based on that knowledge. There are some reports that they knew up to 3 months ahead of their announcement.

> They launched a specific site for security scans for their user for free.

Things that are wrong with this site:

- The site screams "phishing" when you look at the URL.

- Asks for SIX digits of your SSN. If you know the state of the person filling out the form and they were issued their SSN before 2011, you only need to try a few numbers to figure out their whole SSN.

- Gives random results when you fill out the form

- You possibly forfeit being able to sue them by filling out the form.

- When you fill out the form they basically advertise their own product to you.

At this point, as a consumer, it feels like they are doing everything in their power to get away with not being held accountable for not storing this data properly.

8 in 10 US credit card holders have their SSN and possibly other information out there. This means that I'm at high risk to have my identity stolen in the future, not just the next twelve months that Equifax is offering me free Identity Theft Protection.

Last but not least, when you freeze your credit score, they give you a PIN to unfreeze it. But if you were to lose it, you'll only need some identification to get a new PIN and unfreeze it. But they've already released that identification and it's being sold around. So no luck there.

I accept my mistake in judging the situation. Thanks a lot for elaborating on it. I agree with all your points.

Since they are being so thoughtful, maybe they could offer to pay the charges to freeze affected accounts.

I just read about how the hack was done. Shockingly stupidly easy!

1. They realized that Equifax uses Struts.

2. They modified Struts!

3. Equifax used the updated code on their servers.


It is more:

- Critical remote execution bug was discovered in Struts2.

- The vulnerability goes public too quickly.

- Hackers start scanning the Internet.

- Equifax is found vulnerable.

- Vulnerability is exploited.

A $14 billion company cannot convert what the servlet API gives into a method call on a certain object + a bit of reflection to update methods & print them into form elements. Super complicated!

If the $14 billion company can't do that then they certainly cannot protect data.

Do you have a source for 2? I'd like to read more about it.

A $14 billion company gives away the only secret data that they exist to protect. Why? Because they used Struts. How difficult is it to write a slimmed down, secure version of Struts?

Americans woke up to news of yet another mass breach of their personal data.

Americans woke up to news of yet another mass breach of data about them.


Could you elaborate on what you mean by making this distinction, please?

People are being pedantic about the actual meaning of words as opposed to the commonly-understood-and-accepted meaning of words.

It's annoying, because it distracts from the immediate issue and causes confusion.

I think the idea is that "personal" implies ownership and the second one doesn't.

It's a bit funny how it mentions these two things together in the same article:

> Today, almost every piece of software comes with a disclaimer on its user license that basically says that the product may not work as intended […] and that’s the user’s problem. It’s a wonder companies don’t insert “nyah nyah nyah nyah” into the tiny-print legalese.

> No software system can be free from bugs […]

I read a consistent argument. Expecting perfection is wrong. Expecting consumers to shoulder the vast majority of the costs of that imperfection is also wrong.

Expecting perfection is wrong.

There are 120 million lines of code in an A380, and planes don't crash due to software bugs. Why is it wrong to expect perfection in critical infrastructure?

Something went wrong somewhere in software engineering. My HP42s calculator has about 6 insignificant bugs that you need to go out of your way to trigger. Your new cellphone, on the other hand, downloads a gigabyte of updates when you turn it on! That's an outrage.

You're comparing a relatively cheap credit report to a $400 million airplane with a 15-25 billion euro program cost. Not to mention aerospace has 100 years of innovation and has actual lives at stake. The internet, what, 30ish years? Not to mention network security is a relatively new concern.

With a market cap of $18 billion for Equifax, it seems like they had the resources to get this right. I see the difference as who shoulders the cost. If you pay $400 million for a defective plane, you have one company whose toes you will hold to the fire. If you lose data worth $400 million for 138 million people, you have about $2.89 average per compromised person, so no single person will really go that far out of their way to crucify you, and if one does, they have perhaps tens of thousands of dollars to use in the legal system holding you accountable, not the millions one large wronged party may spend on it. In aggregate economic terms, in actual loss and negligence, I don't see that much difference. If you want to steal a lot, steal a small amount from a large number of people. It looks to me more like a matter of the feasibility of getting away with it.

At the end of the day it's a liability issue. If a plane crashes due to a software issue there are going to be civil suits to recover damages; it's very possible they'll also sue for criminal negligence.

Why is software immune? You ask yourself about cost of the Office of Personnel Management hack from two years ago, and before that it was the biometrics database from the USCIS.

The Internet was a DARPA project originally. Why shouldn't it be up to Military or Aerospace standards?

One way or another, I think that consumers are bound to shoulder those costs.

No economical product manufacturing process can be free from defects. And yet we enforce strict liability for defects leading to injury.

"I’m not unsympathetic to the needs of software developers."

Yes she is. I read this as completely unrealistic expectations from the author. Struts is maintained by one person.


"Most software failures and data breaches aren’t inevitable; they are a result of neglect and underinvestment in product reliability and security."

The attack happened in late July. The bug was fixed/reported in early September. It was a zero day. That's not neglect.

> Struts is maintained by one person.

I see nowhere in the op-ed piece where Tufekci mentions Struts or implies that she holds Struts responsible for this. She is clearly laying this at Equifax's feet, and their responsibility in their choice of software and the industry as a whole for actively pushing against better software practices and responsibility.

The section you quoted is followed by:

> Some number of unexpected errors — bugs — are unavoidable in computer programs. It would be unreasonable to allow a consumer to sue a software company every time a program suffered a glitch.

She's laying out a much more nuanced argument than you're giving her credit for. You're right in that this seems to be a zero-day, which is more difficult to defend against, but there are practices (among them defense in depth and pen tests) which can limit the attack surface. Also actively looking for known exploit types (rather than specific exploit instances). For example, buffer overflows are a known attack vector in C, so people harden their code against buffer overflows. Deserialization attacks are known in Java, so people harden their code against deserialization attacks. SQL injection attacks are a known exploit type, so people learn to parameterize their SQL queries.

It's clear that this is something you care about and are passionate about. For topics that affect me like this, I consciously take a breath and re-read what I've reacted to, to see if my second (or third) read matches up with my first.

She's blaming the software industry and software failure. That's Apache, and Struts.

If she wanted to lay it on Equifax, she might go into the fact that the Chief Information Security Officer at Equifax holds a masters in music,


The people that actually "do" are Chief Peon of Cube Farms, doing whatever the boss with a music degree tells them is priority.

>You're right in that this seems to be zero-day which are more difficult to defend against

There's no nuance. It is under-reporting the facts to make her hit piece look stronger. It's never the leadership's fault when there's a failure in the US, but they happily take credit when there is success.

>but there are practices

Which don't help at all against a zero-day in a dependency.

> She's blaming the software industry and software failure. That's Apache, and Struts.

I interpret her differently:

> There are technical factors that explain why cybersecurity is so weak, but the underlying reason is political, and it’s pretty simple: Big corporations have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less.

> This is a general feature of our lopsided world, but software businesses (and the technology sides of other companies) have acquired perhaps the greatest degree of impunity. Information technology arrived on the scene only recently, so it has faced fewer of the kinds of regulations that consumers and citizens, in more progressive eras, managed to impose on other industries.

To me, that reads as taking corporate interests and business motives to task, not software practices. Software development (like any other work) is a cost, and businesses need to balance those costs against business revenues. I'd argue who's chosen for C-level positions is a business decision, not a software practice one. If the costs of failure in production due to bugs were higher, businesses would make different decisions in hiring and how much time was dedicated to security and bug fixing. Do you disagree? Testing and quality control is expensive. If we can roll out a feature (or just continue business) spending as little as possible on testing and QA, it can certainly be an understandable decision (whether or not you agree) to do as little QA and testing as possible: you're not providing any new features (which may increase revenues): you're just increasing cost.

> It's never the leadership's fault when there's a failure in the US, but they happily take credit when there is success.

It's not clear to me which leadership you're referring to here. The government? The corporate leadership? Someone else? If the corporate leadership, I think that's entirely the point Tufekci is making.

>software businesses (and the technology sides of other companies) have acquired perhaps the greatest degree of impunity.

TIL: No warranty == impunity.

Nobody MADE Equifax use Struts. The source is open to inspection. The bug existed there for 8 years. Let's see how many audits Equifax did on the source code with no warranty.

>If the costs of failure in production due to bugs were higher, businesses would make different decisions in hiring and how much time was dedicated to security and bug fixing. Do you disagree?

If the costs were higher, the one poor guy working on Struts would do a better job? No, I think that guy would probably not write the software. He'd find a different line of work. If he did write it, he would never release it for the world to use for free. Who would do that? "Here's this thing I worked on for over a decade. You can use it for free. Please sue me if you have any issues. Thanks."

I'm sorry. I really think we're talking past each other. At this point I'm having a really hard time figuring out what you're trying to say.

I see you equating Struts and software practices with the businesses that use software. I see those as two separate things.

> Nobody MADE Equifax use Struts.


> The source is open to inspection.


> Let's see how many audits Equifax did on the source code with no warranty.

I'm not sure why you're including this. I think they should have done source code audits in accordance with how they weighed the costs/revenues. Do you disagree? I personally tend to lean towards more tests and code analysis, but I understand others weigh this differently.

> If the costs were higher, the one poor guy working on Struts would do a better job? No, I think that guy would probably not write the software.

I place the responsibility with the company using Struts in their product, not the Struts dev. I'm not sure how you're getting the impression I (or Tufekci, for that matter) place this on the Struts dev. I'm responsible for the results of the applications I put into production, including the libraries I choose to use in that application. I don't generally hold the devs who wrote those libraries responsible.

Like I said, I think we're talking past each other. I still think you're reading too much into (and too little close reading of) Tufekci, but I'm not sure how better to express what I'm trying to say. I've now read the piece through 3 times fully and I really don't see her making any of the points you're arguing against.

If you've got specific questions about what I've written, please ask. Otherwise, I'll sign off. Have a good evening!

>I place the responsibility

Nobody cares where you, or I, place it. You don't write for the NYTimes. You don't have that sort of sphere of influence.

>with the company using Struts in their product, not the Struts dev.

They don't.


It's very easy to explain to the public. "Those software hacker people did this to you. Look, here he is. He made the faulty software. Burn him at the stake."

Tufekci is with them, blaming the developer.

Developer licensure, here we come. Illegal to write open source software. Another one of those crazy Richard Stallman predictions that comes true while you guys sleepwalk into the dystopia.


Your line of comments is maddening, because you're clearly in total agreement with the article, yet seem to somehow be reading in almost the precise opposite of what its point was.

The author was not blaming the Struts guy. She was blaming Equifax, 100%. She would blame the decision to use Struts and assume the unavoidable risk associated with such a decision, not the development of Struts itself.

Literally every single point made in the article is about Equifax dodging accountability for their choices, and Struts is never mentioned. What on Earth makes you assert with such total certainty that she's blaming the Struts developer?

"No software system can be free from bugs (or intruders), and users must be mindful of the risks. But the inherent lack of perfect automotive safety doesn’t mean we don’t try to make cars safer. Obviously, people should drive more carefully, but seatbelts, airbags and better car design reduce injury enormously, and that has been great for the industry as well as consumers. The software industry should be no different."

Let me translate that:

Software users, like people who use compilers, should need licenses. Obviously, people need to compile more carefully. Software needs the equivalent of seatbelts, airbags, and other government mandated safety standards. Software cannot JUST ship to github with no warranty or guarantees of safety. These licenses which absolve the developer of responsibility cannot continue to be allowed. Those open source developers should not just produce software for free, but they need to accept responsibility for it. They need to pass government mandated, Apple App store style, approval for all software shipped. Including regulations for safety and compliance with other laws like copyright infringement and decency standards.

She's attacking the foundation of the software freedom movement.

If I build an airbag in my garage, and Honda shows up tomorrow and puts it in their car, and it fails because I don't know how to make good airbags, I would not be legally liable for those failures. Honda, however, would be. Your analogy does not hold up. You're reading some _very_ specific things into what is a very general statement.

I get why you'd be upset if she was attacking the things you say she is, but she is emphatically not doing that. Every single paragraph in the article is about how Equifax should be liable for their software, which includes liability for the decision to use types of open-source software.

>If I build an airbag in my garage, and Honda shows up tomorrow and puts it in their car, and it fails because I don't know how to make good airbags, I would not be legally liable for those failures.


If they have liability, it is assumed as part of their supplier contract with Honda. Open source software does not have this, and nowhere does the author suggest that should be the case -- they _certainly_ do not suggest such an assumption be implied without a license, or forced to be in all OSS licenses, which would be the only way your complaint makes sense.

>Open source software does not have this, and nowhere does the author suggest that should be the case

"the underlying reason is political, and it’s pretty simple: Big corporations have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less."

The author is suggesting a political solution. Regulation. Laws that say "Your open source license can't exempt you from a, b, c, d."

You could then exempt yourself from lawsuit in your open source license, but that will be automatically void, like a non-compete clause in a California employment contract. Struts would be sued for the breach in her imagined world.

"she might go into the fact that the Chief Information Security Officer at Equifax holds a masters in music,"

To be fair, I would say a third of the Infosec professionals I know have backgrounds in the ARTS (myself included). While the CISO is definitely suspect, having an arts degree doesn't make one less of an effective INFOSEC practitioner. In fact, the creative nature of those drawn to the arts has proven valuable in finding creative solutions to problems within our organization.
