Breach at Equifax May Impact 143M Americans
Equifax Breach Response Turns Dumpster Fire
Lots to read, but it’s necessary to do so before you do anything. For instance, there seems to be no point and some risk just in checking the site Equifax put up to see if your information has been compromised.
UPDATE: The title of this post, “Equifax hacked,” might be a bit misleading. I don’t know exactly what happened in this case. Consider a hypothetical. If Japanese agents killed the guards, drilled into Colonel Blimp’s safe, and made their getaway in an ultra-light helicopter they assembled from parts they carried in, then the Post could report “Japanese Agents Steal War Plans.” If Colonel Blimp left the war plans at McDonald’s, and an opportunistic thief picked them up and sold them to the Japanese, the Post wouldn’t say “Japanese Agents Steal War Plans.”
What are they?
Airbnb canceled the accounts of Nazis attending the recent rally in Charlotte. Twitter and Facebook regularly shut down the accounts of the more odious haters. Will Google do less? They scan users’ email to identify people interested in, say, Ford trucks; surely they can scan to spot white supremacists.
Current law might not let them publish contact information and probable employers (though they might be able to share information with selected NGOs); but it does seem like Google would feel obliged at least to close the accounts of people whose email or blogging clearly shows they are white supremacists, racists, misogynists, homophobes, Islamophobes, or transphobes. Twitter can do that, and does. Fascists, white supremacists, and Nazis shouldn’t be allowed to legitimize their hate with a gmail address or Blogger account. Isn’t Google, famously not evil, obliged to use at a minimum all legal means to resist evil?
Until we know more clearly what Google sees as their moral obligations, it might be better to look elsewhere for web searches and email.
UPDATE 19 August 2017: ProPublica, Working with Google to ‘Document Hate,’ Threatens Conservative Bloggers. The perennial challenge of satire is to stay ahead of reality.
Virtual private network
It’s been in the news that President Trump is to sign a law rolling back a recent privacy regulation:
“As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.” — Post-FCC Privacy Rules, Should You VPN?, by Brian Krebs
So people are thinking about using a virtual private network to have more privacy. The linked article is the thing to read about VPNs.
A security researcher was able to guess the answer to the secret question on the hacker’s email account, and reset the hacker’s password. Brian Krebs observes,
Finally, as I hope this story shows, truthfully answering secret questions is a surefire way to get your online account hacked. Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions. But in some cases — as with United Airlines’s atrocious new password system — answering secret questions is unavoidable. In cases where I’m allowed to type in the answer, I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing.
Hackers can break in to systems and leak the documents they find. Hackers can also edit the documents they find, and present those files as authentic.
Maybe ten thousand of the documents are authentic, one is edited to add Joe Biden’s name to a list of attendees at a meeting, and one is a completely made-up document about Huma Abedin’s tax returns.
“Imagine trying to explain to the press, eager to publish the worst of the details in the documents, that everything is accurate except this particular email,” says Bruce Schneier.
Fortunately, he continues, “Major newspapers do their best to verify the authenticity of leaked documents they receive from sources. They only publish the ones they know are authentic. The newspapers consult experts, and pay attention to forensics.”
So at least there’s that.
How to stop car thieves? “If they think you’re crude, go technical; if they think you’re technical, go crude.”