I sure hope I'm not affected. Don't think I ever used any credit reporting systems.
[QUOTE=TheNerdPest14;52747610]I sure hope I'm not affected. Don't think I ever used any credit reporting systems.[/QUOTE]
If you owe any debts (have a credit card or a loan?) or pay bills, it's likely there was something in that database about you. That's kinda the scary thing about it. You indirectly consent to that info being gathered. You are not the customer, you are the product. Everyone that wants to know your credit history is the customer.
[QUOTE=Snapster;52746490]Someone was dressed as the monopoly guy during the hearing. :v:
[img]http://fm.cnbc.com/applications/cnbc.com/resources/styles/skin/monopoly_guy_360.gif[/img][/QUOTE]
But the monopoly guy doesn't have a monocle
[editline]4th October 2017[/editline]
Damnit, replies to that tweet are already full of that. Guess I'm late.
[QUOTE=Snapster;52746490]Someone was dressed as the monopoly guy during the hearing. :v:
[img]http://fm.cnbc.com/applications/cnbc.com/resources/styles/skin/monopoly_guy_360.gif[/img][/QUOTE]
Wish I could find the gif of her wiping her forehead with an oversized dollar bill.
[QUOTE=TheNerdPest14;52747610]I sure hope I'm not affected. Don't think I ever used any credit reporting systems.[/QUOTE]
Have you ever applied for a job?
[QUOTE=Alice3173;52746496]Please do tell why there is no point in encrypting important personal data so that even if it gets stolen the thief will have trouble retrieving your data.[/QUOTE]
[QUOTE=Zang-Pog;52746695]Yeah dude why do you lock your doors when you just have to open them anyways? Haha, how [I]stupid[/I][/QUOTE]
But this is like locking your doors to stop someone who is already in your house and already has all your keys and can unlock the doors at will. I absolutely agree that personal data should be encrypted since there's no reason [i]not[/i] to, but I don't see how it would have helped here at all. Anyone who has access to a system designed to retrieve and decrypt encrypted data obviously has the ability to decrypt the data. It doesn't look like the fact that the data was unencrypted had any bearing on the attacker's ability to access it.
[QUOTE=catbarf;52749404]But this is like locking your doors to stop someone who is already in your house and already has all your keys and can unlock the doors at will. I absolutely agree that personal data should be encrypted since there's no reason [i]not[/i] to, but I don't see how it would have helped here at all. Anyone who has access to a system designed to retrieve and decrypt encrypted data obviously has the ability to decrypt the data. It doesn't look like the fact that the data was unencrypted had any bearing on the attacker's ability to access it.[/QUOTE]
Reread his post. He's not saying that it was pointless only in this case. He's saying it's pointless to encrypt it at all because you have to decrypt it later which is an incredibly stupid thing to say. In [I]this[/I] case, yes. Encryption wouldn't have helped since Equifax is laughably incompetent. In most cases, however, encryption would be a big help.
[QUOTE=Sombrero;52747062]The incompetence of these asshole giant tech companies is just unbelievable these days. How did we go from making things secure to "uh oh! accident! whoops!" and blowing serious shit off? I find it insulting that these assholes who will take their sweet ass time to add a handful of points to your credit but will gladly slash it in half for [I]one[/I] late payment can't even have basic fucking security.[/QUOTE]
Because special interests and politicians are in bed with each other and are always looking for ways to make red tape which ensures private citizens have no recourse for getting fucked over. The end result is no one has to be held accountable for anything until a riot starts, and even then sometimes they can just wait it out until the outrage is over.
[QUOTE=Alice3173;52749431]Reread his post. He's not saying that it was pointless only in this case. He's saying it's pointless to encrypt it at all because you have to decrypt it later which is an incredibly stupid thing to say. In [I]this[/I] case, yes. Encryption wouldn't have helped since Equifax is laughably incompetent. In most cases, however, encryption would be a big help.[/QUOTE]
Better safe than sorry.
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
[video=youtube;8ZtInClXe1Q]http://www.youtube.com/watch?v=8ZtInClXe1Q[/video]
[video=youtube;yoMOAIzBSpY]http://www.youtube.com/watch?v=yoMOAIzBSpY[/video]
this is just for passwords. You need to apply this for all secure data, universally
[QUOTE=J!NX;52749878]This has to be the most ignorant post I've seen yet
[video=youtube;8ZtInClXe1Q]http://www.youtube.com/watch?v=8ZtInClXe1Q[/video]
this is just for passwords. You need to apply this for all secure data, universally[/QUOTE]
That very video mentions that it's only slightly less naive to encrypt passwords than to store them in plaintext. Encrypting the data doesn't 'fix' the problem, it just delays the hacker. By the time you find out that the system is compromised, the hacker will have already made off with the data and the key, and nothing is prevented.
[QUOTE=Jcw87;52750299]That very video mentions that it's only slightly less naive to encrypt passwords than to store them in plaintext. Encrypting the data doesn't 'fix' the problem, it just delays the hacker. By the time you find out that the system is compromised, the hacker will have already made off with the data and the key, and nothing is prevented.[/QUOTE]
It might not do much but it still would have been far better than just straight up storing it in the raw
I mean shit, if they at [I]least[/I] encrypted it, it'd give people a little bit more time to secure their info, you know what I mean? It'd still be better.
[editline]5th October 2017[/editline]
I won't claim it's the ultimate solution but saying it's pointless is a bit moot since it's still... something I guess?
[QUOTE=J!NX;52750337]It might not do much but it still would have been far better than just straight up storing it in the raw
I mean shit, if they at [I]least[/I] encrypted it, it'd give people a little bit more time to secure their info, you know what I mean? It'd still be better.[/QUOTE]
True, but there are other things that they could have done that would have actually prevented an attack. Complaining about not encrypting the data in this scenario is like complaining about the type of lock used on the front door while there's a gaping hole in the wall. There's bigger problems that need addressing first. It is likely that one of those problems is convincing management that security audits have value.
[QUOTE=Jcw87;52750439]True, but there are other things that they could have done that would have actually prevented an attack. Complaining about not encrypting the data in this scenario is like complaining about the type of lock used on the front door while there's a gaping hole in the wall. There's bigger problems that need addressing first. It is likely that one of those problems is convincing management that security audits have value.[/QUOTE]
Honestly, I'm curious to see what other gaping holes-in-the-wall Equifax has
if this didn't happen now... would this have happened 1 year from now with a totally different flaw?
I mean shit they have a music teacher for a security lead don't they
After scanning through my latest posts I realise I got pummeled pretty hard for my post, but I think you all completely missed my point. At no point did I say not to hash passwords, hashing is not encryption.
Encrypting data is *mostly* pointless if an automated service needs access to it. Let's say I have customer data stored in a database, and I decide to encrypt it with AES or something. It's security theatre. Your systems need to be able to access that data on demand, meaning they need to have the key in memory. It's incredibly unlikely I'm going to be able to hack into your system, gain access to the raw data but somehow not be able to touch the software that's accessing that data and extract the key.
You can use some hardware encryption module, but that only protects the keys. If the software can access it to encrypt/decrypt data so can a hacker.
Also I'd love to change my username, I haven't worked with Lua for years now. But a username I chose 8 years ago doesn't reflect my technical knowledge today.
you'd think data theft due to negligence from large scale corporations would equate to the corporation being charged with theft of data for each individual compromised
probably over the top but something needs to be done to kick people up the ass when they fuck up this bad over simple data practices
Honestly my takeaway from this situation has nothing to do with equifax in particular. It's two things:
A. How we use credit ratings in the US. It's honestly goddamn insane, unreliable, and it focuses so much dangerous information into certain places that it's honestly to be expected that something like this would happen.
B. We really need to stop using social security as an ID card. They're horribly insecure, and not replaceable. If you want to get a new social security number you basically have to have your life threatened or constantly provably being damaged by identity theft. The social security administration used to warn companies not to do this until they gave up on trying to stop them. Were this fixed, it would be quite easy to just get your ID card replaced much like a debit/credit card. It'd be a bit annoying, but you'd be more than likely fine.
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
Why even put a lock on a military storage depot? You're gonna have to unlock it to get any guns on demand!!!
[QUOTE=Jcw87;52747480][...] The only way they will have access to the database, but not the rest of the machine (and thus, the encryption key), is if you have an SQL injection vulnerability, in which case, you should fire your programmers for using string concatenation to build their queries. SQL injections are a [i]solved problem[/i], so long as the programmers always use prepared statements.
Remote execution exploits seem to be how these major breaches are performed most of the time, so the encryption becomes a feel-good measure.[/QUOTE]
Considering how often it still happens, I'd say that many programmers are unfortunately not nearly reliable enough to properly avoid SQL-injection.
Then again, I wouldn't trust someone who doesn't secure that part of the program to properly enable encryption either.
[editline]11th October 2017[/editline]
[QUOTE=J!NX;52749878][videos about hashing]
this is just for passwords. You need to apply this for all secure data, universally[/QUOTE]
This is unfortunately not possible. Salted hashing is very secure, but can only be used in situations where you only need to compare input to the existing value.
It's impossible to properly use this scheme for retrievable data (which kinda is the point of it in the first place).
[editline]11th October 2017[/editline]
[QUOTE=KillerLUA;52763586][...]
Also I'd love to change my username, I haven't worked with Lua for years now. But a username I chose 8 years ago doesn't reflect my technical knowledge today.[/QUOTE]
Slightly off-topic, but I wonder if it'd be possible for name changes to be made available again now that the community fund exists. It's currently not an available reward, but all of the other old Boostar upgrades (that I know of) are available.
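Two points from the post above are easy to show side by side: a query built by string concatenation versus a prepared statement, and salted hashing as something that can verify an input but never hand the secret back. This is an added example, not code from the thread or from any company discussed in it; the table layout, the sample users and the iteration count are constructed for the demo, and it uses only the Python standard library (sqlite3 for the database, hashlib.pbkdf2_hmac for the hash).

```python
"""Added example (not from the thread). Demonstrates, on an in-memory SQLite database:
  1. a lookup built by string concatenation vs. a parameterised (prepared) lookup
  2. salted password hashing, which can verify an input but cannot return the password
Table layout, sample users and the iteration count are constructed for this demo."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # constructed value; tune to your own hardware

# The textbook tautology input: it is nobody's user name, so a correct lookup returns nothing.
TAUTOLOGY = "x' OR '1'='1"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Only comparison is possible: nothing in (salt, digest) can be turned back into the password."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def make_db() -> sqlite3.Connection:
    """Build the demo database with two constructed users; only salted digests are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[str]:
    """The pattern the thread warns about: user input spliced into the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn: sqlite3.Connection, name: str) -> List[str]:
    """Prepared statement: the driver binds `name` as a value, so it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised fetch of the user's salt and digest, then a verify-only comparison."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, TAUTOLOGY))  # every row comes back
    print("prepared:    ", lookup_prepared(db, TAUTOLOGY))      # nothing matches that literal name
    print("login alice: ", login(db, "alice", "correct horse"))
    print("login wrong: ", login(db, "alice", "hunter2"))
```

The concatenated version returns both users for the tautology input because the quote in the input closes the string literal and the rest becomes part of the WHERE clause; the prepared version returns nothing because the whole string is compared as a name. The `login` function shows the verify-only property from the later part of the post: the database holds a salt and a PBKDF2 digest, `verify_password` can confirm a guess, and there is no function that recovers "correct horse" from what is stored, which is exactly why the same scheme cannot be used for data you need to read back.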
[QUOTE=Chris Morris;52768930]Why even put a lock on a military storage depot? You're gonna have to unlock it to get any guns on demand!!![/QUOTE]
But the guard has the keys (server), so if you manage to break into the base (system) and get to the depot (database) it doesn't matter how secure that door is if you can overpower the guard (hacking).
[QUOTE=KillerLUA;52770781]But the guard has the keys (server), so if you manage to break into the base (system) and get to the depot (database) it doesn't matter how secure that door is if you can overpower the guard (hacking).[/QUOTE]
Are you fucking stupid?
[QUOTE=KillerLUA;52770781]But the guard has the keys (server), so if you manage to break into the base (system) and get to the depot (database) it doesn't matter how secure that door is if you can overpower the guard (hacking).[/QUOTE]
Like the guard is gonna give up easily.
And that's also the point with a good encryption scheme, worst case it buys time to detect the attack.
[QUOTE=KillerLUA;52770781]But the guard has the keys (server), so if you manage to break into the base (system) and get to the depot (database) it doesn't matter how secure that door is if you can overpower the guard (hacking).[/QUOTE]
So, kinda like going up to the guard and saying "admin,password" and the asshole opens the whole damn depot for you. lol.
Do you work in IS by any chance?
[QUOTE=Richard Simmons;52772753]So, kinda like going up to the guard and saying "admin,password" and the asshole opens the whole damn depot for you. lol.
Do you work in IS by any chance?[/QUOTE]
The point is if you have an automated web service, eg: an API, website, etc that has access to data. It doesn't matter how many layers of encryption you add to the data, you have to decrypt the data when you read it. So it's security theatre. It's incredibly unlikely you can break into somebody's system, accessing the raw encrypted data, but can't break into any of the systems in between.
I don't work in IS but after porting over a bunch of legacy systems that encrypted the stored data I started to realise how pointless it would be. It pleases investors and clients because we can say our data is encrypted, but in a realistic scenario it won't count for shit.
[QUOTE=Van-man;52772477]Like the guard is gonna give up easily.
And that's also the point with a good encryption scheme, worst case it buys time to detect the attack.[/QUOTE]
Encryption schemes shouldn't be used to "slow" an attacker, if it does any good job it's way too slow for practical use.
I don't see why I need to write out an explainer video to demonstrate this. My original point