Admin
Lsat
Admin
E_TOO_MANY_WTF = 📠
Admin
The biggest WTF about SSN isn't that it is an identifier, the WTF is trying to use an identifier as an authenticator. The SSN identifies a person, there should be no need to keep an identifier secret. Knowing the SSN of a person should not entitle anybody to impersonate that person, just identify that person.
Knowing my address doesn't entitle you to settle in my house, does it?
Admin
They say you learn something new each day.
Truth of that aside, it seems every month or so you certainly DO learn another reason to never move to the USA.
Admin
This is beyond a WTF. Equifax is either criminals, or criminally stupid, and I'm leaning toward the latter for the IT folks and the first for the executives.
Admin
So... as a non-Merkin... explain to me, why has no-one in your famously litigious country sued the ever-burning pants off every single one of these C*Os, yet? And that both corporately and privately?
Admin
I assume because your chances of winning such a claim are proportional to the difference between your wallet and the wallet of those you are trying to litigate rather than the amount of evidence you have.
Admin
It's worse than that, actually.
"And all of that, all of that, isn’t the biggest WTF. The biggest WTF is the Social Security Number, which was never meant to be used as a private identifier, but as it’s the only unique data about every American, it substitutes for a national identification system even when it’s clearly ill-suited to the task."
I don't know if it's still true, but when I lived in the US (1981 to 1990), it was ILLEGAL to use the SSN as a private identifier.
And "it's the only unique data about every American" is the biggest line of bullshit I've seen in a long time.
For starters, the number space contains a healthy quantity of foreigners, not all of whom even live in the US. I have one, and it's 27 years since I last lived in the US. (I have no plans to resume my status as resident alien. I'm currently trying to remove my status as the French equivalent of resident alien, if the bureaucrats ever get off their duffs and do something useful with the inch-thick stack of paper I sent them.)
For nexters, there are people with more than one SSN.
For next nexters, there are SSNs with more than one person. Yes, the SSN fails the uniqueness test in both directions!
For next next nexters, there are people resident in the US - US citizens, ffs! - who don't have one. Newborn babies don't have one, and it isn't unheard of for kids to get theirs when they are early teens.
Admin
It's sad when the WTF isn't a funny story or terrible code but the knowledge that this WTF CAN DESTROY YOUR CREDIT AND IDENTITY. I want my WTFs to happen to someone else. Or better yet not happen ever again, if you want a fantasy. This one screws us all, unless you are not in the US in which case you may find it amusing, as usual.
Admin
Times have changed. I was given the SS forms to fill out for all of my children at the hospital right after they were born. I'm not sure if it's law, but it sure is policy.
Admin
TRWTF is this article. Equifax has been covered to death, and in much more detail and better quality, all over the IT press; I've read all this and more on TheRegister, Troy Hunt, Krebs, et al. Nothing added here, apart from a few over-simplifications, generalisations and errors.
Oh and Steve's point, I turfed out an old IDAnalytics article from 2010 (unfortunately gone from their website);
Even I knew that and I've never been to the states or dealt with a USain dataset.
Admin
Because it takes 10 years to go through the court system
Admin
That web site you use to check if you were on the list that was hacked? You have to put in the last 6 digits of your SSN. Might as well put the other three digits in, save the next hackers a very little time guessing what it is. This is starting to smell like a false flag for a really, really big breach.
Admin
The government doesn't require an SSN at birth, but it's required if the parents are going to claim the tax deduction for the child. They made the change to the tax law around 1990.
Admin
In this whole affair, the MOAWTF is that if someone claims to be you, and secures a loan in your name, the creditor does not bear the full burden of proving that it really was you who applied for the loan. Change that and ID theft will go away. (So will most consumer credit, but that's a feature, not a bug.)
Admin
Not everyone gives birth in a hospital. I read a news article about a poor teenage (18/19 year old) girl from Texas with no paper trail at all. Her parents had given birth at home with a midwife who never filed the paperwork, and she was home-schooled by bat-shit crazy parents and was trying desperately to get out from under their thumb and start a new life.
Admin
Hmm. OK. That's reassuring. I spent a couple of years after arriving in the US in 1981 (I was 15 that year) without one. Doesn't change that at the instant they emerge into the world, newborns don't have one. (No point in issuing one then finding that the child was still-born, for example.)
I also think it's interesting that the number space, even if it is undifferentiated, is now around just three times the population of the country. How long before they have to reuse dead people's SSNs or find a new format? (Searches)
Hmm. Well. The Unreliable Source says that over 450 million have been issued (implying that around 125 million holders are now deceased) and the rest are issued at a rate of around 5.5 million a year. BUT, the remaining space is only around 450 million more numbers since the first three digits have never-used ranges that amount to about 100 out of 1000 (000, 666, and 900-999), leaving 900 million valid numbers. But they still have around 80 years at current rates of use.
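An added example (not from the thread or any commenter) that carries the number-space arithmetic above through in Python and applies the same never-issued area ranges as a plausibility check on SSN-shaped input. The issuance figures are the commenter's approximate numbers, not authoritative SSA data.

```python
# Added example, not from the forum thread: reproduces the SSN number-space
# arithmetic from the comment above and reuses the never-issued area ranges
# (000, 666, 900-999) as a structural plausibility check on SSN-shaped input.
import re

# Area numbers (first three digits) the comment notes have never been used.
NEVER_ISSUED_AREAS = {0, 666} | set(range(900, 1000))

ISSUED_TO_DATE = 450_000_000    # commenter's approximate figure
ISSUED_PER_YEAR = 5_500_000     # commenter's approximate figure


def valid_area_count() -> int:
    """Usable three-digit area prefixes out of the 1000 possible (000-999)."""
    return 1000 - len(NEVER_ISSUED_AREAS)


def total_capacity() -> int:
    """Each area prefix carries 1,000,000 group/serial combinations
    (groups 00-99 x serials 0000-9999). The comment rounds the unassignable
    00 group and 0000 serial away, so this keeps that simpler model."""
    return valid_area_count() * 1_000_000


def remaining_numbers(issued: int = ISSUED_TO_DATE) -> int:
    """Numbers still unissued under the comment's model."""
    return total_capacity() - issued


def years_remaining(issued: int = ISSUED_TO_DATE,
                    per_year: int = ISSUED_PER_YEAR) -> float:
    """Years until exhaustion at a constant issuance rate."""
    return remaining_numbers(issued) / per_year


_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def is_plausible_ssn(text: str) -> bool:
    """Structural plausibility only: nine digits (optionally dashed) and not
    in a never-issued range. Passing this says nothing about whether the
    number is real or belongs to the person presenting it; an SSN identifies,
    it does not authenticate."""
    m = _SSN_RE.match(text.strip())
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    if area in NEVER_ISSUED_AREAS:
        return False
    # Group 00 and serial 0000 are never assigned (SSA rule, not from the comment).
    return group != 0 and serial != 0


if __name__ == "__main__":
    print(f"valid areas: {valid_area_count()}, capacity: {total_capacity():,}")
    print(f"remaining: {remaining_numbers():,}, years: {years_remaining():.1f}")
```

With the commenter's figures this yields 898 usable area prefixes, about 448 million unissued numbers, and roughly 81 years of headroom, matching the "around 450 million" and "around 80 years" worked out above.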
Admin
I have a simple solution that protects me from Identity theft: My credit is sooo terrible that no one would want to steal my identity. LOL
True story though... My sister's close friend "should" have had terrible credit right out of college. When he got ready to buy a house, he found out his credit was, strangely, stellar. After a little investigation, it turns out that somebody stole his identity, took out several loans in his name, but had never missed a payment. Because of the identity thief, his credit was so good the bank said he could have bought whatever house he wanted and gotten a loan. Ultimately, he decided to not do anything about the "theft". Eventually the thief paid off all the loans they had taken out and never did anything else with his identity. He never found out who it was.
Admin
Way to go Remy. This is the kind of article I come to the DailyWTF to read -- an in depth, thoughtful look at both the human side and the technological side of a truly spectacular WTF. There is so much wrong here, on so many levels, by a company (and people working in the company) that should have known better; or that just didn't care.
By calling it out, showing the issues that were involved, and calling out the people who screwed up and should be held accountable, you made this a great piece. Thanks for making my day.
Admin
https://slashdot.org/recent
This article is probably the best article I have read on this site and it really highlights how badly Equifax F'ed up. Everyone should read it!
Admin
I bet the database was not encrypted either.
Admin
Wonder why no packages of stolen Equifax 'identity information' have appeared for sale on the underground forums? It's likely that it was a 'state actor' who just wants to collect personal information on everyone for other uses.
Admin
Social Security Numbers are usernames, not passwords. Credit card numbers are usernames, not passwords. Fingerprints are usernames, not passwords. Faces are usernames, not passwords. Etc...
It's amazing how many people screw this up.
Admin
500 - Internal Server Error
Admin
Equifax doesn't exactly spy on people. The banks report their accounts each month. Equifax deserves everything coming to them as a result of this shitshow, but being cunty and calling them spies isn't productive.
Admin
Having worked at Equifax around the time Rick Smith took over, I can assure you that, from the top down, Equifax is run by people willfully ignorant of technology essentially looking to pillage as much money as possible. The public stories on poor security barely scratch the surface. Rick Smith and his cronies came in around 2005 and immediately started offshoring as much IT work as possible, not in the good "We need to look overseas because we can't hire enough talent" way, but in the "We want to go scrape the absolute bottom of the barrel, cost-wise, so we can save as much cash as possible and give ourselves huge bonuses" way.
Were it not for the fact that it negatively impacts so many people, in such a profoundly bad way, I'd be cheering. It couldn't have happened to a more deserving company.
Admin
Quite possible that this wasn't "identity theft", but some mixup. Like one genuine John Smith getting five loans and paying back nicely, and everything gets credited to another John Smith.
Admin
I work for Equifax now (and have since 1999), and I call bullshit on your story. While they did do some offshoring, they certainly didn't offshore a large percentage of IT jobs, and many (if not most) have come back as the cost/benefit ratio turned out to be not as good as they were led to believe. The IT staff are dedicated and hard working people just like all of the people that come to The Daily WTF. The execs are actually good folks, and committed to doing right by customers and consumers.
As far as "Rick Smith and his cronies" are concerned, they took a severely struggling ship (under the previous CEO who I can't recall), and not only righted it but sailed it to huge gains in the industry, and as far as I know had no layoffs during the financial crisis. He consistently invested in IT and system improvements, expanded product offerings, and took the stock price from a low of about $20 during the crisis all the way up to $140 before the breach was reported.
The reality is that no security is perfect...hackers need to be right just once to screw everything up.
Admin
"Or"? Embrace the power of "AND"!
Admin
Yes SSNs are weird. In my case I know the person "one less" and the person "one more" from my SSN. They happen to be my younger brother, and younger sister. There is 9 years of difference here. It seems that back in the 60's my wonderful parents wanted to give us "uniform gifts to minors act" stuff. These required tax returns for us youngun's and the forms were sent in in a bundle. They assigned numbers as the forms were stacked, and I got the one in the middle. It comes in handy when (another) sister wants to know numbers, and for some reason asks me. Go figure.
Admin
Cut the sheep while shearing it, the scarring means the wool won't be as good next time around.
Admin
🤷🤷🤷🤷
Admin
Sure, that's why when I was being asked to integrate my system with some corporate portal, and I questioned a lead architect telling me it was okay to send passwords IN THE CLEAR over an UNENCRYPTED connection between systems, my response was a staggering "It's okay, this is a 'secure internal network'."
You were probably in a position not to see all the "You're going to train your offshore replacement, then we're going to let you go" bullshit that was going on. Or having to work with offshore teams that didn't even know the language in which they were being asked to program. Or being prevented from even properly screening offshore developers that were being assigned to your project. The onshore work largely became a matter of fighting with the offshore coordinator about whether the offshore devs were doing their job correctly, arguing semantics of the contract rather than "This code is poorly written and riddled with problems."
Rick Smith and Rob Webb came in and laid waste to the IT organization, solely in order to bolster the bottom line, and the results frankly speak for themselves. This is the long-term pain finally coming home to roost after all the short-sightedness they had. All the other execs up the chain I dealt with were basically toeing the line, because it was that or get replaced. I watched a number of very competent, motivated people forced out of the company for trying to do the right thing.
Admin
No, I saw and personally dealt with the results of the attempts at outsourcing (or "global sourcing" as they started calling it)...it wasn't just an "Equifax" thing at that time, either. It was a general industry brainfart that led the bean counters to thinking that it was something that could work. It didn't, for exactly the reasons you describe, and they reversed course. Was there some fallout? Yes, but it got cleaned up long ago. Is there still outsourcing? Yes, but much less than anyone expected at the time.
Remember, this vulnerability is in the Struts stack, before you even get down into the app layers. Per the CVE analysis I've read, all that has to happen is that one dependency get missed and pull in the wrong jar in a front-facing web app somewhere for this vulnerability to be exploitable in any Struts based application.
Rick Smith and Rob Webb (and Dave Webb after him) came in and did the job they were hired to do, and it did not in fact, lay waste to the IT organization. It's currently stronger than it's ever been. In spite of this enormous blow that's been dealt to our reputation, it's staffed by smart, competent developers. In spite of the wild allegations, the execs aren't negligent or incompetent. It's like any big company, where you sometimes have a few bad people here and there. You just hope that they don't last very long.
Admin
Wow, I just finally got access to read the original post here, and I'm staggered at the poor quality of the post. It's full of misinformation, to a level that can only be classified as "willful". I urge everyone who read the article to actually go out into the media and research the claims that are being made, because this article is so full of distortions that it's impossible to list and rebut them all in the limited space for comments. I know...I tried and ran out of space about halfway down.
Admin
Sounds like a certain S. Mauldin has been on the vanity googles again. I guess we all need our retirement hobbies!
Admin
A few things come to mind here...
Everyone was not using offshoring. Large companies making short-sighted strategy decisions to cut costs were using offshoring. I've consulted in a number of industries. It's not normal across the board. It's normal in companies where executives are compensated based on stock valuation rather than being good stewards and taking their responsibility seriously.
To your point about "the hackers only have to be right once", that's why we have security standards and best practices, like applying security patches in a timely manner. Hire competent people, give them the support they need, and breaches like this don't happen. Maintain a barely adequate level of funding for infrastructure and chase talent out the door, and well, we see how that turned out.
Equifax was still widely using offshore labor in 2012. Even if that was the year they stopped the practice entirely, they did not "clean it up" a "long time ago". It hasn't been "a long time" and companies the size of Equifax move at glacial speeds. The damage done by their offshoring strategy will continue to linger for years.
In no way am I implying Equifax is worse than Experian or TransUnion. The only difference is they haven't been breached yet. Yes, they all followed the same short-sighted playbook.
Equifax doesn't get to claim "everyone else does it" because they have to be better. "Everyone else" doesn't hold the mass of sensitive financial data about nearly all households in the country, data that can be used to literally ruin people's lives. As someone who has suffered from identity theft, I know the damage and the pain of this first hand. So don't go defending Equifax because they were holding to the same barely adequate standard of IT system maintenance "everyone else" was maintaining. They're not stewards to cat memes, recipes, how long you spent playing clicker games. They're literally holding the keys to the kingdom. They dropped the ball and it was totally foreseeable.
Admin
Isn't that the joke?
Addendum 2017-09-30 06:45: Edit: Oh, refreshing and I got a page. I guess it's not that funny to simulate a server error!
Admin
You've had a very different experience than I had. At the time Rick Smith came on board, outsourcing was all the rage in the industry. IT news was full of stories, and many of my friends at other large companies saw the same thing. It was absolutely normal and expected, and it was a surprise to the execs (but not any of the tech people) that it turned out so poorly.
They (like pretty much everyone) still do use some offshore resources. However, the practice of trying to outsource entire major projects was stopped before that because of the dismal results. Now offshore is used to augment capabilities. Offshore resources do not design or lead any projects that I'm aware of.
I don't. I'm defending them being held to, and regularly audited that they hold to, the much higher standards mandated by government regulations for financial institutions. The Bloomberg article, while quite damning in some ways, also points out that Equifax had top quality tools, so they weren't skimping on security spending. I actually think that there was some degree of complacency at the executive level about security, because they were paying top dollar, and probably bought into the sales hype from the vendors of the security tools. This led to pressure on Security to stop being a "bottleneck", and the chain of failures leading to the breach.
So Equifax isn't a company full of corrupt and greedy executives who ran a slipshod and moronic IT and security team, and that no one cared about security. Instead, they thought they were safe...and are now paying the price for that error.
Admin
They have not helped themselves by handling the failure in such a slipshod and moronic manner. You could be right that everything was hunky dory except for one unfortunate mistake, but the chain of subsequent incompetence would suggest otherwise.
Yes, this article is pants, but go read the write up where people have done proper research and do know their stuff with respect to cybersec. KrebsOnSecurity is probably a good starting point, but he does bang on a bit. They may have been paying top dollar, but they either weren't paying it to the right people, or weren't following their advice. I mean they seem to have had a CISO with no relevant experience and then rapidly tried to erase that from view when the spotlight turned to them!
Admin
"Said CSO, by the way, had no real qualifications to be a Chief Security Officer. Her background is in music composition."
Ah, forced diversity in action. Aka, hiring people without the right qualification just because they are of the "right" gender or have the "right" ethnicity that the company "needs" in order to meet some completely arbitrary diversity benchmark.
Don't get me wrong, I am all for diversity: having proper facilities to accommodate women and men in the workplace, having prayer rooms for many religions, making everyone feel welcome and equal, etc. This is meritocracy and it's great. What I have a problem with is forced diversity, aka hiring music majors as Chief Security Officers to meet some arbitrary diversity benchmark.
I hope the Equifax gets hit with a major class-action, so they will learn the value of meritocracy. And so investors learn to invest in companies that value meritocracy over identity politics.
Addendum 2017-10-02 06:17: the Equifax gets hit = Equifax gets hit
Admin
As an additional note, is it too late to demand a pause on the whole "cash-less" thing the governments all over the world are pushing 'till all those companies that handle our most private data are forced to follow some procedures and get punished when not following them?
Admin
She had more than 15 years in IT and security roles over her career. She didn't graduate with a music degree and immediately become CISO...she worked her way up the ranks just like everyone else does. Go look up the "#unqualifiedfortech" hashtag on Twitter, and see the kind of people out there who didn't major in CS but are still successful and respected in the field.
Admin
"She had more than 15 years in IT and security roles over her career. "
And I guess that during these 15 years, she simply transferred her ignorance from one post to another. Otherwise, there wouldn't be so many "hack-me" screw-ups in Equifax's security practices. And I also guess she got all those jobs during these 15 years thanks to forced diversity.
Admin
Again, nothing wrong with diversity that happens naturally, because it is meritocratic. The place I work for currently is meritocratic, and we have women that can run circles around my experience level and most likely knowledge. What I have a problem with is music majors hired as Security Specialists just to meet some arbitrary diversity quota, which is what happened here during the last 15 years, kid yourself not. Because it reinforces the bad stereotype of "women can't do tech" and also puts the private data of millions of people at risk.
Admin
No problem with people having other majors, I do also. Personally I think people having a go at her on account of a music background is a bit tight, it's her track record since that counts. I think our industry would be a much lesser thing if we didn't have that mix, in my experience CS majors are a minority around me and seem no more or less capable.
I read an article where a cybersec journo was going through her history and basically making the point she hadn't actually worked up the ranks (ie, didn't have experience at the coal-face) and seemed to come to Equifax from the back of another well known major name cocking things up. Of course, I cannot now find that article, so it may be complete bollocks and got pulled! But then someone put some effort in to quickly scrub her background details once this breach hit the news, that we do know.
Admin
How do we know it was diversity that got her hired? Surely it could just as easily have been nepotism, or maybe she's damned persuasive. Assuming she isn't actually good at the job, of course (based on what happened, and what I have read, I think not, but could be wrong).
Admin
And yet, the recent Bloomberg article about the breach paints her in a favorable light, indicating that she was trying to do the right thing against upper level executive opposition.
Until you produce a shred of evidence for that claim, then it's just pure guesswork on your part.