The Daily Parker

Politics, Weather, Photography, and the Dog

The second-most disgusting thing you'll read today

While not quite as viscerally grotesque as a 140-tonne fatberg, new details about the failures at Equifax that led to its massive data breach are still pretty disgusting:

Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.

As the security community processes the news and scrutinizes Equifax's cybersecurity posture, numerous doubts have surfaced about the organization's competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities. And as security journalist Brian Krebs first reported, a web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Equifax took the platform down on Tuesday. But observers say the ongoing discoveries increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.

(Emphasis mine.)

Whenever conservatives say that private industry is better at solving problems than government, I just think about some of the companies I've worked for, stir in crap like this, and laugh out loud.

Predictable and sad

Credit reporting agency Equifax reported last week that thieves had made off with 143 million customer records:

According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud. The hack, which the company says took place in late July, put as many as 143 million consumers -- or half the U.S. population -- at risk.

The person, who requested anonymity to discuss the ongoing investigation, said the web application the attackers used to breach Equifax’s corporate network granted access to both the credit card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver’s license numbers and other sensitive information, Equifax said Thursday in a statement.

Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.

“You would expect these guys to have compartmentalized this data far enough away from a web server -- that there would not be any way to directly access it,” said Tim Crosby, senior consultant with security-assessment firm Spohn.

Knowing how large companies work, and knowing about the diffusion of responsibility principle, and having a healthy belief in the power of governments to correct for bad incentives, I can't say I'm surprised. Neither is the Atlantic's Ian Bogost:

There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.

Of course Equifax, as would be expected of a normally-functioning American corporation, bungled the response:

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.
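As an added illustration (not code from Equifax or from the article quoted above), here is a minimal Python model of how a breach-status lookup should behave: the answer depends on whether the submitted last name and SSN fragment match an enrolled record, so arbitrary input gets "no-record-found" rather than the same answer everyone else gets, and the lookup table stores keyed hashes of the normalized pair rather than the raw SSN fragments. The sample records, the `LOOKUP_KEY` value and the function names are all constructed for this example.

```python
import hashlib
import hmac
import re
from typing import Iterable, Set, Tuple

# Constructed: a server-side secret that keys the lookup hashes. In a real
# deployment it would come from a secrets manager, never from source code.
LOOKUP_KEY = b"constructed-demo-key-not-for-production"


def normalize(last_name: str, ssn_last6: str) -> Tuple[str, str]:
    """Canonicalize input so 'Doe ' / 'doe' and '12-34-56' / '123456' match."""
    name = re.sub(r"[^a-z]", "", last_name.strip().lower())
    digits = re.sub(r"\D", "", ssn_last6)
    if not name or len(digits) != 6:
        raise ValueError("need a last name and exactly six SSN digits")
    return name, digits


def lookup_token(last_name: str, ssn_last6: str) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized pair.

    This token, not the raw name/SSN fragment, is what the breach-status table
    holds, so the table itself is not a list of SSN fragments if it leaks.
    """
    name, digits = normalize(last_name, ssn_last6)
    return hmac.new(LOOKUP_KEY, f"{name}|{digits}".encode(), hashlib.sha256).hexdigest()


def build_affected_set(records: Iterable[Tuple[str, str]]) -> Set[str]:
    """Turn a list of (last_name, ssn_last6) records into a set of lookup tokens."""
    return {lookup_token(name, digits) for name, digits in records}


# Constructed, fictional sample of affected records for the demo.
AFFECTED = build_affected_set([("Doe", "123456"), ("Nguyen", "987654")])


def breach_status(last_name: str, ssn_last6: str, affected: Set[str] = AFFECTED) -> str:
    """Return one of 'may-be-affected', 'no-record-found' or 'invalid-input'.

    The result is a function of the input: a random name and number that is not
    in the enrolled set must come back as 'no-record-found'.
    """
    try:
        token = lookup_token(last_name, ssn_last6)
    except ValueError:
        return "invalid-input"
    return "may-be-affected" if token in affected else "no-record-found"


if __name__ == "__main__":
    for name, digits in [("Doe", "123456"), ("Trump", "000000"), ("Doe", "12345")]:
        print(name, digits, "->", breach_status(name, digits))
```

The point of the keyed hash is that the site never has to hold a plain table of "last name + last six digits"; the point of the membership test is that the response actually distinguishes enrolled records from made-up ones, which is the property the quoted test with "Trump" and arbitrary numbers showed the real site lacked.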

The solution many people recommend is to freeze your credit reports—for a fee, multiplied by 4 to make sure you get all of the credit-reporting agencies. (Everyone has heard of Equifax, TransUnion, Experian...and Innovis. You've heard of Innovis, right? The one that doesn't offer a free annual report?)

Almost immediately, a team of lawyers including a former Georgia governor filed a class-action lawsuit. So have a group of plaintiffs in Oregon. We can also expect an action from the SEC relating to at least three Equifax managers selling their stock right before the announcement.

This situation is why we have government. The incentives for credit-reporting agencies run directly counter to the incentives of the hundreds of millions of people whose data they store. (You're not Equifax's customer; commercial enterprises are.) Without government regulation and higher liabilities for data breaches, this will just keep happening. But that's not "business-friendly," so the right-leaning American and British governments will dither for another few years until someone publishes the leaders' own data. Because their incentives are bad, too.

Software frustrations

I'm on the Board of Directors for the Apollo Chorus of Chicago, and information technology is my portfolio. Under that aegis, I'm in the process of taking all of our donor and membership spreadsheets and stuffing them into a new Neon CRM setup.

So far, it's going well, and it's going to make the organization a lot more effective at managing membership, events, and donations.

That said, in the last 24 hours I've logged five bug reports, including one of the most frustrating user experience (UX) bugs possible: a broken back button. This UX failure is so well-known and so irritating that we were talking about it when I started developing Web apps in the late 1990s. Jakob Nielsen called it the #1 web design mistake...of 1999:

The Back button is the lifeline of the web user and the second-most-used navigation feature (after following hypertext links). Users happily know that they can try anything on the web and always be saved by a click or two on Back to return them to familiar territory.

Except, of course, for those sites that break Back by committing one of these design sins:

  • opening a new browser window (see mistake #2)
  • using an immediate redirect: every time the user clicks Back, the browser returns to a page that bounces the user forward to the undesired location
  • prevents caching such that the Back navigation requires a fresh trip to the server; all hypertext navigation should be sub-second and this goes double for backtracking

Neon, however, has made some alternative design choices, and even has a FAQ explaining how they've broken the rules.

Seriously, guys. It's a good product, but wow, is that irritating.

Thoughts on a day that seemed cooler earlier

Walking to work is an easy way to hit my step goal before lunch. It's 6.75 km and 8,500 steps. At just over an hour, it takes only about 20 minutes longer than the bus or 30 minutes longer than the train.

The problem is the dewpoint. When I left my house, the temperature was a delightful 19°C...and the dewpoint was a sticky 17°C. By the time I'd gone ten blocks I was already uncomfortable.

Note to self: bring a fresh shirt when you walk to work, no matter what the weather looks like.

Possibly the worst self-inflicted data disclosure in history

It's hard to overstate how bad this is. Via Bruce Schneier, it turns out that the Swedish Transport Ministry outsourced its database hosting to IBM, which subcontracted the work to a Serbian company with ties to the Russian military. And what databases did Sweden wind up hosting in its "Cloud" facility in Serbia? All of them:

Part of what IBM contracted to was run, and which was run from Serbia, was the Swedish government’s secure intranet – the SGSI, the Secure Government Swedish Intranet. This network is in turn connected to the European Union’s STESTA, which is a European Union secure network. This is what the Swedish Transport Agency gave staff in Serbia administrative network access to, and it is no conspiracy theory that Serbia is a close military ally with Russia. While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.

The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high ranking Swedish government officials. Even if there are additional levels of encryption on STESTA, which there may or may not be, this has “should never happen” written all over it.

Sweden's own data, leaked through this outsourced administration, include:

  • The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);
  • Names, photos, and home addresses of fighter pilots in the Air Force;
  • Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;
  • Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;
  • Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;
  • Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units....

There isn't a desk in the world sturdy enough for the massive head impacts that the rest of the world's security forces are perpetrating on them right now.

Stunning.

Reactions to the weekend

Apparently, life went on in the US while I was abroad last week. First, to James Damore:

Of course, that wasn't the big story of the weekend. About the terrorist attack and armed ultra-right rally in Virginia, there have been many, many reactions:

Can we have a discussion about right-wing domestic terrorism now? Before we have another Oklahoma City?

Et tu, Anchor?

The cashing-out consolidation of craft breweries continues with today's surprise announcement that Japan's Sapporo Holdings will acquire San Francisco's Anchor Brewing:

According to Keith Greggor, Anchor’s president and CEO, the move was a year in the making and the result of speaking with “many, many” larger breweries all over the world to find the right fit.

Anchor Brewing Co. is considered the leading pioneer of the craft beer movement, and is credited with reviving and modernizing some of today's most popular American beer styles. The price of the deal was not disclosed. Anchor Distilling, which produces spirits such as Junipero Gin and Old Potrero whiskey, is not involved in the deal and will become a separate company.

Anchor Brewing management said it did not specifically plan for a complete acquisition. However, to support the brewery’s long-term future and further international expansion (it currently distributes to 20 countries), it needed to relinquish full ownership to Sapporo.

When asked whether this deal jeopardizes Anchor’s “craft” designation, a commonly accepted definition dictated by the Brewers Association, the brewery’s executives did not seem concerned about that imminent debate, due to the brewery’s long history.

Well, yes, it jeopardizes the "craft" designation for the simple reason that Anchor won't be a craft brewer anymore, by definition. So, another one bites the dust. That leaves only about 5,300 other craft brewers in the U.S. Time to get drinking.

How to destroy democracy through bad software

Via Bruce Schneier, last week the hacker convention DefCon hosted an event at which every single electronic voting machine tested got pwned within minutes:

Also, organizers revealed that many of these machines arrived with their voter records intact, sold on by county voting authorities who hadn't wiped them first.

While many people at the Voter Hacking Village zeroed in on the weak mechanical lock covering access to the machine's USB port, Synack worked on two open USB ports right on the back. No lock picking was necessary.

The team plugged in a mouse and a keyboard -- which didn't require authentication -- and got out of the voting software to standard Windows XP just by pressing "control-alt-delete." The same thing you do to force close a program can be used to hack an election.

Remember, Russian interference in the 2016 election wasn't designed to throw the election to Trump (though that was a "nice to have" for them), it was designed to reduce the public's faith in the entire Democratic system. I'm glad American voting machine manufacturers are helping them.