Agree. But not necessarily due to ineptitude.
> "...throwing a single sysadmin under the bus for lack of patches indicates they are probably operating in the security stone ages..."
Disagree about the conclusiveness of the indication. Disagree Strongly. Equifax, Experian, & TransUnion are all high-value targets for state-level-actors who are prly pretty good at breaking into things.
If we ever find out that 8-year-old Jimmy from New Jersey broke into Equifax instead of...say...Russia, I'll owe you a dollar.
If a corporation holds data records about people, and those records are leaked in any way, a fine of $100-1000 (depending on severity) per record must immediately be paid to a supervising government agency. The impacted people can then receive their share of the fine upon request.
You can Socrates this whole thing to death (what is a record? what is a leak?) but our legal system is, if nothing else, extremely well-practiced at creating robust definitions for abstract things. The solution presented seems extreme within our current paradigm, but it (or something like it) must come to pass if we are to have any hope of avoiding information dystopia.
Equifax — 1-800-349-9960
Experian — 1-888-397-3742
TransUnion — 1-888-909-8872
Innovis — 1-800-540-2505
A lawyer friend of mine who specializes in identity theft told me this was too extreme a way to go and that I should sign up for Credit Karma. But isn't that just opening up yet another access point to thieves? Plus, I feel that freezing my credit denies these reporting agencies the value of data.
Fortunately 'identity theft' is an imaginary concept, you cannot have your identity stolen - you are still you and no one can ever change that. It's the financial institutions' problem to fix at the end of the day, but there is this expectation that you are obliged to help them understand how they fell for a scam, and you are expected to do this for free or they make your life more difficult.
We do need a better system for expats.
Someone on another HN thread suggested the term "bank slander".
I asked about it in the expats Stack Exchange site and others had the same problem: https://expatriates.stackexchange.com/questions/12104/how-ca...
Same goes for Social Security accounts, they require a US address before they permit you to log in online and monitor your account for fraud.
That's odd. IANAL but everyone I know (including lawyers) says that freezing it is the way to go.
Maybe if everyone froze their credit your friend might be looking for new work? ;)
I don't know if it denies the agencies the value of your data, but maybe so, because they clearly don't want you to do it.
It does. There's a cost per credit file to store/manage, and with a freeze in place, no revenue generation can occur on that file.
Highly recommend US residents freezing their Work Number file, in addition to their credit file at each of the 3 credit reporting agencies.
Why? Is it really that hard getting it unfrozen?
Furthermore, the very existence of these credit agencies should be sincerely alarming to most normal people, and probably already is. These databases should not exist.
Equifax, TransUnion and the others are clearly bombs waiting to explode.
Arrest the bastards and shut them down before they go off!
Especially since consumers have no say in the matter at all.
Immediate dismantlement of the credit-bureaus outside of a police-state would lead to...for example, pissed off sys-admins who want to sell the last valuable thing they have access to: MOAR consumer information that they already have about you.
Additionally, personal-lending would either cease for a period (and break the economy,) or they'd come up with a new way to judge our ability to re-pay & it would undoubtedly be bad/reactionary, & we'd have a version of 2008.
There's a natural tendency to want to "BURN IT DOWN!!!" b/c it's bad; I get that, but we haven't done the work to come up with something better & a transition plan. This is how the Arab-Spring turned into MF Admiral Sisi (or whatever) in Egypt, despite good initial intentions.
We are completely entrenched in this consumer-lending system whether you like it or not.
You need a "what comes after?" plan. I feel like this is common sense????
Meanwhile we have this thread (also on the front page of HN as I write) about how the EU is cracking down on US tech firms' data collection activities and the GDPR which is seeking to restrict it. There is much less of a consensus on there that it is a Good Thing. There are accusations that this is a restriction on US trade, or some kind of EU tech envy.
I find it hard to reconcile these two positions? The EU seem to be doing exactly what people on this thread are asking for? The GDPR would enable regulators to impose crippling fines (4% global turnover) if Equifax were to lose EU citizens' data after May this year. Do people want similar law in the US or not?
I would assume (but can't be bothered to verify) that those positions are being held by different people.
It's disgusting that the majority of congress are letting this slide.
From what I've seen even previously pro-mass surveillance people and politicians do a 180 degree on their surveillance stand when they discover that data has been used against them and it's impacting their life to a large degree at that point. This again points to the fact that they previously didn't truly understand the implications of mass surveillance and how easily it could be abused.
The ethics of data collection on a mass scale is something which all industries need to take a long, hard look at.
If you really think the "finance industry" as a whole is what's pushing for the Equifax investigation to be shelved, then I expect the same would have happened under Democratic leadership.
It'd be one thing if you got a letter in the mail re: your personal exposure, but there's a very serious assumption that everyone is glossing over:
Do you want EVERYONE to know more about what Equifax lost about EVERYONE &, more importantly, you want it RIGHT NOW?
Well I guess so do I; the easier for me to ruin you and all your friends' credit & then get me a new-new sweeeet new yacht 4 to cruise around in some tropical country without an extradition treaty.
Mass disclosure before adequate protection or remediation measures (assuming any are possible) is IRRESPONSIBLE BC INFORMATION IS REALLY POWERFUL...this includes more metadata about what Equifax lost. You don't know what disclosure right-now will expose you to. This seems pretty clearly like an "err on the side of caution" situation.
That's the real idiocy of the American system (not letting Equifax off the hook here).
If your business is built on causing problems for essentially every American adult, you’ll get away with a lot more if you can exclude lawmakers from that set.
I wonder how much MORE this problem has become / is becoming as we replace sys admins / systems people with developers who play with infrastructure APIs like as with AWS, producing complex infrastructure under deadlines and with self-assurance. I say this because for years sys admins were the bad guys, even slowing down progress because security concerns, stability and best practices were to be considered before speed of delivery and features.
And I say all this because I'm a hybrid sysadmin/developer ("DevOps") consultant with a stronger leaning on the systems side historically; I can tell you that almost no one techs me out on the systems side of things anymore. By systems I mean core Linux and the typical ecosystem around it (including redundancy, performance and infra monitoring), infrastructure architecture and yes, security. There is wisdom and experience that's required here, and no 'bootcamps' can exist to replace that.
With a push to the cloud, is it possible that security has gone out the window? I'm 75% sure I know the answer, but I admit this would make a great research article.
Edit: although in this Equifax case perhaps that is a bad example. Unpatched systems?
The investors are probably correct in assuming that nothing bad will happen to Equifax over this.
Now those banks give me a worse interest rate because Equifax leaked my info and I have fraudulent activity on my record. Seems like everyone is winning in this debacle except for the people whose info was leaked.
Don’t believe? Just look at Uber.