Me on the Equifax Breach

Testimony and Statement for the Record of Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School
Fellow, Berkman Center for Internet and Society at Harvard Law School

Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce"

Before the

Subcommittee on Digital Commerce and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives

1 November 2017
2125 Rayburn House Office Building
Washington, DC 20515

Mister Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data. My name is Bruce Schneier, and I am a security technologist. For over 30 years I have studied the technologies of security and privacy. I have authored 13 books on these subjects, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015). My popular newsletter Crypto-Gram and my blog Schneier on Security are read by over 250,000 people.

Additionally, I am a Fellow and Lecturer at the Harvard Kennedy School of Government -- where I teach Internet security policy -- and a Fellow at the Berkman-Klein Center for Internet and Society at Harvard Law School. I am a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of the Electronic Privacy Information Center and VerifiedVoting.org. I am also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient.

I am here representing none of those organizations, and speak only for myself based on my own expertise and experience.

I have eleven main points:

1. The Equifax breach was a serious security breach that puts millions of Americans at risk.

Equifax reported that 145.5 million US customers, about 44% of the population, were impacted by the breach. (That's the original 143 million plus the additional 2.5 million disclosed a month later.) The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver's license numbers.

This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies, and other businesses vulnerable to fraud. As a result, all 143 million US victims are at greater risk of identity theft, and will remain at risk for years to come. And those who suffer identity theft will have problems for months, if not years, as they work to clean up their name and credit rating.

2. Equifax was solely at fault.

This was not a sophisticated attack. The security breach was a result of a vulnerability in the software for their websites: a program called Apache Struts. The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017. This was not a minor vulnerability; the computer press at the time called it "critical." Within days, it was being used by attackers to break into web servers. Equifax was notified by Apache, US CERT, and the Department of Homeland Security about the vulnerability, and was provided instructions to make the fix.

Two months later, Equifax had still failed to patch its systems. It eventually got around to it on July 29. The attackers used the vulnerability to access the company's databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability.

The company's incident response after the breach was similarly damaging. It waited nearly six weeks before informing victims that their personal information had been stolen and they were at increased risk of identity theft. Equifax opened a website to aid customers, but the poor security around that -- the site was at a domain separate from the Equifax domain -- invited fraudulent imitators and even more damage to victims. At one point, the official Equifax communications even directed people to one of those fraudulent sites.

This is not the first time Equifax failed to take computer security seriously. It confessed to another data leak in January 2017. In May 2016, one of its websites was hacked, resulting in 430,000 people having their personal information stolen. Also in 2016, a security researcher found and reported a basic security vulnerability in its main website. And in 2014, the company reported yet another security breach of consumer information. There are more.

3. There are thousands of data brokers with similarly intimate information, similarly at risk.

Equifax is more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us -- almost all of them companies you've never heard of and have no business relationship with.

The breadth and depth of information that data brokers have is astonishing. Data brokers collect and store billions of data elements covering nearly every US consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements, and another adds more than 3 billion new data points to its database each month.

These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things we've purchased, when we've purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet.

4. These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data.

If there were a dozen people who stood behind us and took notes of everything we purchased, read, searched for, or said, we would be alarmed at the privacy invasion. But because these companies operate in secret, inside our browsers and financial transactions, we don't see them and we don't know they're there.

Regarding Equifax, few consumers have any idea what the company knows about them, to whom it sells personal data, or why. If anyone knows about the company at all, it's about its business as a credit bureau, not its business as a data broker. Its website lists 57 different offerings for business: products for industries like automotive, education, health care, insurance, and restaurants.

In general, options to "opt-out" don't work with data brokers. It's a confusing process, and doesn't result in your data being deleted. Data brokers will still collect data about consumers who opt out. It will still be in those companies' databases, and will still be vulnerable. It just won't be included individually when they sell data to their customers.

5. The existing regulatory structure is inadequate.

Right now, there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is. They only learn about data breaches when the companies announce them -- which can be months after the breaches occur -- and at that point the onus is on them to obtain credit monitoring services or credit freezes. And even those only protect consumers from some of the harms, and only those suffered after Equifax admitted to the breach.

Right now, the press is reporting "dozens" of lawsuits against Equifax from shareholders, consumers, and banks. Massachusetts has sued Equifax for violating state consumer protection and privacy laws. Other states may follow suit.

If any of these plaintiffs win in court, it will be a rare victory for victims of privacy breaches against the companies that have our personal information. Current law is too narrowly focused on people who have suffered financial losses directly traceable to a specific breach. Proving this is difficult. If you are the victim of identity theft in the next month, is it because of Equifax, or does the blame belong to another of the thousands of companies who have your personal data? As long as one can't prove it one way or the other, data brokers remain blameless and liability free.

Additionally, much of this market in our personal data falls outside the protections of the Fair Credit Reporting Act. And in order for the Federal Trade Commission to levy a fine against Equifax, it needs to have a consent order and then a subsequent violation. Any fines will be limited to credit information, which is a small portion of the enormous amount of information these companies know about us. In reality, this is not an effective enforcement regime.

Although the FTC is investigating Equifax, it is unclear if it has a viable case.

6. The market cannot fix this because we are not the customers of data brokers.

The customers of these companies are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you'd be a profitable customer -- everyone who wants to sell you something, even governments.

Markets work because buyers choose from a range of sellers, and sellers compete for buyers. None of us are Equifax's customers. None of us are the customers of any of these data brokers. We can't refuse to do business with these companies. We can't remove our data from their databases. With few limited exceptions, we can't even see what data these companies have about us or correct any mistakes.

We are the product that these companies sell to their customers: those who want to use our personal information to understand us, categorize us, make decisions about us, and persuade us.

Worse, the financial markets reward bad security. Given the choice between increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money. Wall Street rewards those whose balance sheets look good, not those who are secure. And if senior management gets unlucky and a public breach happens, they end up okay. Equifax's CEO didn't get his $5.2 million severance pay, but he did keep his $18.4 million pension. Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease.

Even the negative PR that Equifax is currently suffering will fade. Unless we expect data brokers to put public interest ahead of profits, the security of this industry will never improve without government regulation.

7. We need effective regulation of data brokers.

In 2014, the Federal Trade Commission recommended that Congress require data brokers be more transparent and give consumers more control over their personal information. That report contains good suggestions on how to regulate this industry.

First, Congress should help plaintiffs in data breach cases by authorizing and funding empirical research on the harm individuals suffer from these breaches.

Specifically, Congress should move forward with legislative proposals that establish a nationwide "credit freeze" -- which is better described as changing the default for disclosure from opt-out to opt-in -- and free lifetime credit monitoring services. By this I do not mean giving customers free credit-freeze options, a proposal by Senators Warren and Schatz, but that the default should be a credit freeze.

The credit card industry routinely notifies consumers when there are suspicious charges. It is obvious that credit reporting agencies should have a similar obligation to notify consumers when there is suspicious activity concerning their credit report.

On the technology side, more could be done to limit the amount of personal data companies are allowed to collect. Increasingly, privacy safeguards impose "data minimization" requirements to ensure that only the data that is actually needed is collected. On the other hand, Congress should not create a new national identifier to replace Social Security Numbers. That would make the system of identification even more brittle. Better is to reduce dependence on systems of identification and to create contextual identification where necessary.

Finally, Congress needs to give the Federal Trade Commission the authority to set minimum security standards for data brokers and to give consumers more control over their personal information. This is essential as long as consumers are these companies' products and not their customers.

8. Resist complaints from the industry that this is "too hard."

The credit bureaus and data brokers, and their lobbyists and trade-association representatives, will claim that many of these measures are too hard. They're not telling you the truth.

Take one example: credit freezes. This is an effective security measure that protects consumers, but the process of getting one and of temporarily unfreezing credit is made deliberately onerous by the credit bureaus. Why isn't there a smartphone app that alerts me when someone wants to access my credit rating, and lets me freeze and unfreeze my credit at the touch of the screen? Too hard? Today, you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are.

Moreover, any credit bureau or data broker operating in Europe is already obligated to follow the more rigorous EU privacy laws. The EU General Data Protection Regulation will come into force, requiring even more security and privacy controls for companies collecting and storing the personal data of EU citizens. Those companies have already demonstrated that they can comply with those more stringent regulations.

Credit bureaus, and data brokers in general, are deliberately not implementing these 21st-century security solutions, because they want their services to be as easy and useful as possible for their actual customers: those who are buying your information. Similarly, companies that use this personal information to open accounts are not implementing more stringent security because they want their services to be as easy-to-use and convenient as possible.

9. This has foreign trade implications.

The Canadian Broadcasting Corporation reported that 100,000 Canadians had their data stolen in the Equifax breach. The British Broadcasting Corporation originally reported that 400,000 UK consumers were affected; Equifax has since revised that to 15.2 million.

Many American Internet companies have significant numbers of European users and customers, and rely on negotiated safe harbor agreements to legally collect and store personal data of EU citizens.

The European Union is in the middle of a massive regulatory shift in its privacy laws, and those agreements are coming under renewed scrutiny. Breaches such as Equifax give these European regulators a powerful argument that US privacy regulations are inadequate to protect their citizens' data, and that they should require that data to remain in Europe. This could significantly harm American Internet companies.

10. This has national security implications.

Although it is still unknown who compromised the Equifax database, it could easily have been a foreign adversary that routinely attacks the servers of US companies and US federal agencies with the goal of exploiting security vulnerabilities and obtaining personal data.

When the Fair Credit Reporting Act was passed in 1970, the concern was that the credit bureaus might misuse our data. That is still a concern, but the world has changed since then. Credit bureaus and data brokers have far more intimate data about all of us. And it is valuable not only to companies wanting to advertise to us, but to foreign governments as well. In 2015, the Chinese breached the database of the Office of Personnel Management and stole the detailed security clearance information of 21 million Americans. North Korea routinely engages in cybercrime as a way to fund its other activities. In a world where foreign governments use cyber capabilities to attack US assets, requiring data brokers to limit collection of personal data, securely store the data they collect, and delete data about consumers when it is no longer needed is a matter of national security.

11. We need to do something about it.

Yes, this breach is a huge black eye and a temporary stock dip for Equifax -- this month. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

Unless Congress acts to protect consumer information in the digital age, these breaches will continue.

Thank you for the opportunity to testify today. I will be pleased to answer your questions.

Posted on November 8, 2017 at 6:33 AM • 81 Comments

Comments

Alejandro • November 8, 2017 6:47 AM

Complete, thorough, supported and well said.

And, might I say the recommendations are sound and obvious to most everyone.

Except Congress.

It's very disappointing to anticipate once again Congress will fail the American people in regards to electronic security and privacy.

AlexT • November 8, 2017 6:54 AM

I'd recommend watching the video as it contains much more material than the written testimony.

Also, was the Dell laptop product placement? :)

Andrew • November 8, 2017 7:25 AM

Bruce, I think your communication here was poor. You need to be far less abstract when talking with non-technical people -- no jargon about 'security authenticators' -- and don't be afraid to repeat, repeat, repeat.

For example, you were asked about how non-financial information could lead to financial harm. You acted like everyone had absorbed your previous point and went onto something else. Instead, you should have repeated your previous point more clearly: "Someone could get these details, and phone up your bank and pretend to be you. They say they've forgotten the password, then the bank says 'Okay, what's the name of your first school?', 'what's the name of your pet?', and they know these answers! So then they go in, and they can empty your account."

Another example: you were asked "Are you telling me that, unbeknownst to a bunch of American citizens, that companies like Equifax are having signs on their personal information and using it and making money off of it, unbeknownst to the average American?".

Your response should have been "Yes, exactly!"

Instead, you came out with some Trump-esque sentence "And that's the business model, the data broker business model is they collect information, either... they'll buy it, they'll buy it from the government, you know, states will sell them drivers' license information..."

Leonardo Herrera • November 8, 2017 9:04 AM

My favorite moment:

1:35:00 Ms. Matsui: (very long question that takes a full minute to formulate)
1:36:00 Mr. Schneier: Yes (BIG GRIN)

Mike • November 8, 2017 11:03 AM

"the recommendations are sound and obvious to most everyone.

Except Congress.

It's very disappointing to anticipate once again Congress will fail the American people in regards to electronic security and privacy."

To paraphrase Schneier's testimony,

The American people are not congress's customer.

They'll do what their customers tell them.

Peter Pearson • November 8, 2017 11:06 AM

Oh, the solution is more regulation. Did anybody not see that coming?

It seems that as a commentator's influence on Washington grows, he or she grows more enthusiastic about expanding Washington's power. Presumably there's positive feedback at two points in the cycle: first, Washington is more likely to provide an audience to such commentators, and second, a commentator who wields influence in Washington is more likely to judge that Washington is guided by Good People, thereby tending to underestimate the threat of abuse of power.

Tatütata • November 8, 2017 11:11 AM

Everyone seems to be testifying on Capitol Hill these days.

Good stuff, but I'm afraid Carter Page had much better entertainment value. ;-) Proposing "more" regulation and essentially demanding that lawmakers use their brains (or whatever they have) probably won't go anywhere, judging by the every-day-is-Groundhog-day like headlines oozing from your country.

Regarding the "credit freeze", there are already similar measures in place for some contexts. A bank I dealt with in the past required prior notification for using their cards abroad. There are already some fraud control measures implemented for credit cards, where something like a gasoline purchase beyond your usual perimeter (especially if you don't own a car) would trigger a phone call from customer service.

On US TV I saw a pretty strange ad. Two cheery twentysomething idiots are discussing a service where they can at every moment check their "credit rating" on their "smart" phone. WTF?

hmm • November 8, 2017 11:13 AM

"Oh, the solution is more regulation. Did anybody not see that coming?"

What's your solution?

Magic bootstraps? Shaming them into security? Whinging about government until banks improve?

Honestly you're going after "commentators" now as if regulating BANKS and title companies to maintain adequate security isn't in the general best interest of the market?

Get a grip.

hmm • November 8, 2017 11:14 AM

"thereby tending to underestimate the threat of abuse of power."

Exactly WHAT abuse of power are you seeing here?

Mandating safeguards to prevent fraudulent transactions is "tyranny"?

Honestly I think you're commenting on the wrong article somehow.

Sergey Babkin • November 8, 2017 12:59 PM

I've recently attended a talk about fraud detection at the local IEEE section, and I learned there that Equifax and other reporting agencies openly sell the personal information in bulk without the credit score; they call it the "header files". They don't sell it to just anyone, but banks and companies in the fraud prevention field can buy it.

This I think explains why they didn't care much about the breach: it's the data that they already sell, so the only downside from their standpoint is that someone has got it for free. And in this respect they're probably right, if an organized crime organization wants this data, the easiest way to obtain it is probably to just buy it.

From everyone else's standpoint, the more interesting thing should probably be, should they be selling this data in the first place?

hmm • November 8, 2017 1:18 PM

"The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people"

Nobody is legally selling SS#'s and Driver's licences, credit card #'s and including their entire financial/address history and all their personal details in a tidy package.

Your point that too much is for sale is valid of course but it's not quite this data, although it may exist for a lot of people on the dark web broker networks.

albert • November 8, 2017 1:33 PM

I think Bruce did an outstanding job.

Here's the thing, when Bruce did his 5 minutes, he was the only speaker (that I saw) who actually -believed- what he said, and said it with -passion- and -conviction-. He's an expressive, and very articulate speaker, even in his answers. This is important, especially for a non-tech audience. He's an acknowledged expert, and even if they don't understand the details, they might be convinced by what he says.

BTW, most of the panel did a pretty good job.

. .. . .. --- ....

Ed • November 8, 2017 2:05 PM

Bravo, Bruce - bravo! Unfortunately, I can't say the same for the young lady who followed you with her testimony. The contrast would have been even starker had Bruce been allotted the time to read his full statement. Had I been given the opportunity to question Ms. Fortney (and goodness knows that will never happen, as these days if you want to be a politician, you probably should not be a politician), here is some of what I might have asked:

- Ms. Fortney, can you explain to the committee why Equifax hired a music major to be their head of security?

- Ms. Fortney, if Equifax were doing 'all it could' to keep data safe, why for years did they use sequential time-stamps as passwords for security freezes?

- Ms. Fortney, since I don't recall you mentioning it in your testimony, how do you personally go about monitoring whether or not someone has a) filed a tax return in your name; b) used your personal information to get healthcare; c) given your identification to the police when they get arrested; or d) filed for bankruptcy in your name?

Thank you for your time Ms. Fortney...

Rick Lobrecht • November 8, 2017 3:16 PM

I only read the transcript, but I thought it was well thought out and articulate. Thank you.

Ergo Sum • November 8, 2017 4:20 PM

@Ed...

- Ms. Fortney, can you explain to the committee why Equifax hired a music major to be their head of security?

Just because the head of security has a music major does not mean that she was not qualified to have that position. There are people who change their careers after college, or around mid-life crises... I've come across security people, some of them in my department, from all walks of life, and they have been excellent.

Without knowing what was going on internally, it would be hard to blame her just because of her major...

Ergo Sum • November 8, 2017 4:42 PM

The testimony is well structured and covers all aspects of the facts. On the other hand, it's a bit on the technical side and mixes in other issues, such as data brokers in general.

I am not certain what the expectations are after the hearings? The way things work in the US, there will be a new regulation that will legalize Equifax and others, including data brokers, collecting all of our life-related data.

Keep in mind that LEOs love to have private companies sharing their collected data with them and access it in a pinch, or just replicate the database in real-time. The LEOs will not give up this access and they will convince the congress that a new regulation is necessary.

Financially, Equifax is doing just fine. This data breach is just a temporary set back, until another big data breach comes along for a different company. Just like Anthem Blue Cross that more than recovered from their data breach...

handle_x • November 8, 2017 5:35 PM

"I am not certain what the expectations are after the hearings?"

Expect nothing to be done.

The current administration is in sellout-and-deregulate mode in every area, and the current crop of spinelessness that calls itself our representation is happy to go along provided they get their pound of each American citizen's flesh.

They put mining and oil interests in charge of environmental protection administration.
They put anti-education trolls in charge of national education standards.
They put their PR people in charge of Housing and Urban development.
Their FCC appointee is a lobbyist for the fat telecoms directly.

If you expect these literal traitors to their office to enforce tighter measures that don't directly enrich them, their pet investments, or a foreign national paymaster?

You can just forget it, because they certainly will.

OneFrame • November 8, 2017 6:03 PM

I watched the hearing and the questions that were put to you Mr. Schneier. I am absolutely amazed at the level of ignorance of the panel. This is unbelievable. Every website collects data the system within its code base allows. There is nothing stopping anyone from collecting data, scraping data etc. It's as if there are no rules of engagement at all, an open book. Other countries are slowly waking up but this could have been thought about decades ago.

Anders • November 8, 2017 6:26 PM

Anyone who reads Mr. Bruce Schneier's book Data and Goliath will understand that those "data brokers" are the new kind of evil.

I think regulation here won't work - our data is so valuable that they don't care - they will risk the fines because they earn from our data much, MUCH more.

What we need here is more hacking into those "data brokers" systems like the Equifax hack was, but without disclosure of the data. Instead, I hope there will be "data privacy" hackers who will break into those "data brokers" companies and delete all those data warehouses, for good, including all backups. Or infect their systems with ransomware that encrypts their data for good and throws out the key so that it's impossible to decrypt it.

As an information security expert I hate what I suggest here, but I think in the long run it's the only option we will have left. The only way to prevent data disclosure is to stop collecting it - any collected data will leak sooner or later.

Sorry.

hmm • November 8, 2017 7:42 PM

"our data is so valuable that they don't care - they will risk with fines"

You're absolutely right that the current piddling fines are accomplishing nothing.

Mandate a bounty for successful *hat penetrations : 1 million bucks per pwn.
They either spend the money up front to secure their stuff or drown in payouts.

If they're big enough to have thousands of users' data then they're big enough to afford security that represents the value of that data. If not mandated and built into the marketplace then everyone will ignore it. The invisible hand needs some grip strength.

Iggy • November 8, 2017 8:41 PM

Baa ram eww.

That's what Equifax and Congress hear when We The Livestock protest being mined, harvested and herded.

Long ago, it was ruled that your name and address is public information. You are not allowed to give or withhold that information on just a face to face, per transaction, per government sniffer/business stalker basis. You are not allowed to restrict the sharing of that information by each seeker once your transaction with them is concluded. You are not allowed to be told who else has your name and address, and more, and whom you didn't know existed.

Changing the balance of power can be fast tracked by changing the law: your name and address is no longer public information and it cannot be obtained from anyone except you personally. Once obtained, it is stored only long enough to complete the transaction, and under all circumstances no longer than five calendar days.

Sadly, far too many of us are all too willing to hand it over, without negotiation, without question, to anyone who asks, often without even asking to see THEIR ID. Those people are who reset the position of power in negotiating for the rest of us because now the data seeker behaves as if they are entitled to that data and you are who is out of order for daring to refuse to capitulate.

Have any of you filled a prescription at Walgreen's or CVS? Have you moved from one state to another? Watch what happens when you fill a prescription at Walgreen's in your new state. The minimum wage clerk will instantly see what Equifax knows about you: all your past addresses used while sick. No matter how long ago you lived there.

When that happened to me, I decided that under no circumstances will I do business with Walgreen's or CVS, or any other chain pharmacy, ever again. I will not have a new prescription filled with them, no matter what. Unless I am suffering so hard an OTC will not do, I will not trade my security for a prescription. That is not a choice I should be forced to make.

Apparently pharmacies have special protections from our Congresscritters which allows them not only to collect and keep your name, address and much more intimate details, it allows them to permit their minimum wage non-pharmacy clerks to know said details and talk about it to whoever with impunity. For their convenience. That's it. For their convenience.

When I hear the marketing mumbo jumbo speak by Francis Creighton, CEO of CDIA, Consumer Data Industry Assn (lobbyist), that he and the finance industry want to bring new consumers "out of the financial shadows and into the regulated financial system" I nearly puke. Bull. Consumer snitch-- er, reporting is about one thing: putting as many of us into debt as easily and smoothly as possible, such that what info they collect that would rightly alarm us just slides past our noses like snot on WD-40.

All in the name of increasingly instant creation of debt, for the sake of our instant gratification-- er, convenience, and theirs.

Credit bureaus make the KGB look like toddlers. No, the government isn't supposed to build dossiers on us, but so what. All it needs is a warrant.

Now add Facebook, Alphabet, etc, etc, where we are charmed into self-snitching. When they start by appealing to our kids, who have no natural sense for protecting their privacy because they don't think about criminals or predators, they instantly gain a pass into our homes via the weakest link. Now that they got to the kids first, in the millions, we feel obligated to join too just to keep up. We are constantly reassured by design that sharing more and more about ourselves is just fine, no worries, they'll keep it "safe."

Problem is, their version of "safe" is not the real version. Only the immature will automatically trust that very loosely used word. For far too long, we've let our kids lead the way on "cool tech" that has no strict respect of our privacy and the laws protecting it, no accountability, cosmetic transparency or wealth amassed from our very existence and essence without giving us a cut.

Long comment a little less long, Ms Fortney was paid to appear and lie her head off. No, it is not easy for the individual consumer to interact with the Credit Snitches. It's been so long since I've seen a copy of my own credit dossier, when I'm asked questions to verify that I am who that dossier belongs to, I end up guessing, unable to remember. As a result, I am denied a copy. Seriously.

Bruce's testimony was on point and far too brief. Congresscritters really do need a master class from just him.

Iggy • November 8, 2017 8:47 PM

@Anders, exactly. Time for 4chan and their peers to really slay the beast and what you suggest is an excellent start. After that, We the Livestock must break the tag off our ears and never again simply hand over such info merely upon being asked. We must learn how to tell what info a lender demands really must be given to them and what does not. And we must pass the laws that will prevent, as in actually prevent, the storage of said info after transaction completion. No more shadow sharing of any kind.

Iggy • November 8, 2017 9:13 PM

@Ed • November 8, 2017 2:05 PM, said:

- Ms. Fortney, if Equifax were doing 'all it could' to keep data safe, why for years did they use sequential time-stamps as passwords for security freezes?

- Ms. Fortney, since I don't recall you mentioning it in your testimony, how do you personally go about monitoring whether or not someone has
a) filed a tax return in your name;
b) uses your personal information to get healthcare;
c) give your identification to the police when they get arrested; or
d) filing bankruptcy in your name?

Mr Creighton also claimed CDIA/EquiSnitchCo is doing all it can when clearly, they can't, didn't and don't. I, too, would have been thrilled to hear her asked those questions. Lawyers are trained to lie out of both sides of their faces while wearing a veneer of sincere. That's why so many end up politicians.

ExperianForgotten • November 8, 2017 9:30 PM

It seems that Experian has already got away with their breach; it didn't even tarnish their great image of honesty.

15 million people's personal information, floating around the internet in compressed files ready for torrenting by anyone.

The volumes of data leaked just get bigger.

Too much collection of personal information everywhere, for as long as anyone likes.
But it seems the general public is just apathetic. Perhaps through a feeling of powerlessness to make shops, companies and government agencies change, or to demand it stops.

Iggy • November 8, 2017 9:50 PM

@Bruce, just now getting to the questioning by Mr Cardenas from CA where you just gave him an excellent example of how non-financial info can be used to access financial info, and he proceeds to ask you to give him an example of how non-financial can harm financial.
*godzillafacepalm*
#TermLimits

Iggy • November 8, 2017 9:58 PM

Another thought: one way bad actors can learn all about you, such as the name of your pet, is to ask your neighbors, your friends, your relatives under seemingly benign circumstances.

If you live in a multi-family dwelling, such as condos or apartments, your neighbors know a boat load about you, just through casual, proximity acquaintanceship and are frighteningly eager to divulge such knowledge to anyone who asks nicely. Your neighbor won't even ask to see a badge. Thoughtlessly. Unwittingly. Far, far too easily.

They'll apologize, if you catch them at it. But even then, they're likely to act peeved that you're giving them a hard time about it. And: they'll act like you're who they should be suspicious of for protesting.

*lights a spleef*

AL • November 8, 2017 11:08 PM

"Oh, the solution is more regulation"
There is another solution, triple damages plus attorney's fees owed to the damaged party. Congress could adjust the damages as necessary to deter the unwanted conduct.

Status quo is not an option.

hmm • November 9, 2017 12:53 AM

Schakowski seems to understand the frustration of being charged $10 when she didn't want it.
She then asks Bruce to explain who the customer is and my hand covers my face completely.

keiner • November 9, 2017 1:53 AM

Best data is NO data. Teach this to these idiotic companies.

And to the USA: Stop killing the sparse-data approach in Europe.

Will • November 9, 2017 2:49 AM

Mrs Dingell Michigan was on planet earth; the other members didn't seem to be :( No surprises.

The 'freeze app' from each bureau is a horrid idea! It's the credit bureaus trying to make credit 'opt out' rather than 'opt in' and make it diffuse. There are N bureaus and you're supposed to have an app from each? When you have to enable it to allow a lookup to buy the car, does that suddenly mean that everyone else can scrape and buy that data in the short window you've enabled it? Etc.

Bruce's reply that he was pleased with it and it was in the right direction was at odds with him then saying about him imagining an 'opt in' system.

In Sweden, each time someone looks up my credit, I get a letter in the post afterwards. It happens very rarely.

AlreadyLost • November 9, 2017 2:49 AM

I like how Mr. Schneier was trying to "hold" the point there.
- business should care about securing the data. We should just say what outcome we expect.
- if they are not protected enough, they should pay fines ... and not something like $10 per person.
- stored should be only what is really necessary, and only for some period of time.
- allow people to request our PI deletion. I do not care if it would be hard for the business to do this. You want to collect and store users' data? OK. But you must allow them to be deleted. If not, just stop collecting PI (or anything else).

Chase • November 9, 2017 6:49 AM

Bruce's superb testimony shows the glaring excess of unbridled American capitalism. The lobbyist and revolving-door corruption turns daily living into a vicious Survival of the Fittest mode.

For example Ex-DEA executives turned pharmaceutical lobbyists, along with a clueless Congress are largely responsible for the Chinese sourced opioid addiction crisis. In 2016 more Americans died (62K) than in ALL of the Vietnam war. They authorized this attack. In shame many are retiring.

To reduce the chances of being monetized, data mined and addicted:
Become a real person again and emphasize the rewards of interacting with real people both at work and at home. As a family exercise, count the number of distracted people and how it degrades their mental capacity.

Stay off social media, don't log in to Internet sites (and especially make comments) then surf elsewhere, pay cash, use paper billing, use a dumb phone and use human bank tellers. Manage your own PC computing devices with a VPN and uBlock Origin using a sanitized browser. Don't buy a car with infotainment (tracking) centers. Use OTA TV/DVR and rent discs. Use your public library to check out materials. Never input medical data into a tablet at the doctor's office.
Expect new challenges on a daily basis.

Clive Robinson • November 9, 2017 7:23 AM

@ Ergo Sum, ALL,

Just because the head of security has a music major does not mean that she had not been qualified to have that position.

Actually, given the seniority of the position, it is extremely unlikely anybody could have majored in any "security related" subject...

Because such subjects were not commonly available to take until very very recently (in which case they would lack the seniority the role required).

When we look at the security folks prior to the recent rash of cobbled together security courses, they nearly all had a strong maths or engineering educational background. But such people also have a very disproportionately large number of amateur musicians that play at or above professional levels.

If you go and read David Kahn's book and more recent books that document the lives of cryptographers at Bletchley and the like, you will find not just Chess Grand Masters, top flight mathematicians and the cream of the top universities; you will find many top flight musicians.

So I would suspect those who are drawn to music are also likely to be drawn to security... So the music major could actually be seen as a positive point, not a negative, as someone was trying to portray it to score political points.

Levitia • November 9, 2017 7:55 AM

@Bruce Schneier:

Bang on! All eleven points hit the nail on the head. We need more presentations like this to policy makers and media outlets in order to drive in the message strongly and clearly.

Leonardo Herrera • November 9, 2017 8:17 AM

I reckon a $1,000 fine and jail time for every person whose personal records are leaked should be a good enough incentive to keep such records safe.

"Do it right or face bankruptcy and jail time" seems to be the only way to fix this.

Ed • November 9, 2017 10:22 AM

@Clive Robinson: "So the music major could actually be seen as a positive point, not a negative, as someone was trying to portray it to score political points."

I stand corrected; both you & @Ergo Sum are right. So it's puzzling then that instead of Equifax & Ms. Mauldin making the argument(s) that you've made, they chose (and while I don't know exactly who did the scrubbing, who else could it have been?) to do the exact opposite - censoring her LinkedIn profile page, and removing most all traces of interviews she'd done in the past from the internet.

So, why?

woof998 • November 9, 2017 11:26 AM

Thanks for this, concise and on point. Thanks especially for calling out the economics of the situation.

albert • November 9, 2017 12:59 PM

@Anders, Iggy,
It's not wise to suggest or hope for illegal activities online, especially here. The Bad Actors are already doing that, and those cases may be the tip of the Data-Theft Iceberg. The type of activities you suggest are ideologically driven, as opposed to financially driven, although both may apply to some nation-states. The question is: How bad will it get, before it gets worse:)
..
@Will,
The problem is the same for all businesses with an online presence. Each acts like they're the only one you need to deal with. It's funny that the Congress Folks have to deal with the same problem Ordinary Folks deal with. A little of that was exposed in the questions. It takes a lot of time to juggle a dozen or more websites, each with its own 'authentication' system, navigation layout, and feedback procedure. It's hard for users, and it's expensive for companies. I find it almost impossible to imagine this system getting better, safer, and easier to deal with.

. .. . .. --- ....

justina colmena • November 9, 2017 1:19 PM

The "breach," or rather leak, was deliberate.

The more of our personal and financial information that floats around the criminal underworld, the more money is made by the Experian / Equifax / Transunion trinity of the Holy Student Loan, the Holy Car Loan, and the Holiest of all, the Home Mortgage. It's a cult, and like any cult, far more dangerous, influential, and subversive than most people realize. They worship debt and roll their eyes backward in their heads to call it "credit." It's like the landlord with keys to the gun safe in your bedroom.

John • November 9, 2017 1:59 PM

Bruce's face at 1:27:30 or so when Mr. Norton proposes changing passwords weekly or monthly...

Moe • November 9, 2017 2:24 PM

@John

I just saw that. I nearly peed my pants. Funny reaction by Bruce. Once a week? Get real.

Also, why the heck is he asking about a user's personal computer security when Equifax was hacked?

Ryan • November 9, 2017 2:48 PM

We'll give Mr. Norton a pass on the "change your password once a week" garbage for the simple fact that he was probably starstruck sitting next to the security man himself.

gordo • November 9, 2017 4:51 PM

Decal sticker on @ Bruce Schneier's laptop lid [02:07:49]:

⚠ THIS MACHINE KILLS FASCISTS

Louis • November 9, 2017 5:28 PM

Great oration, the words used, the structure of ideas too.

Thanks for going out there and expressing what most of us believe: that security (and privacy) can be done well and within an appropriately sized budget.

Most especially, thank you for mentioning GDPR.

While some may disagree with its content, it is the latest in privacy laws, and hopefully other nation states will march to the same beat.

Every day, I am confronted with the GDPR requirements, and I spent most of September relating the Equifax incident to which GDPR requirements had been failed; there were so many.

Clive Robinson • November 10, 2017 12:00 AM

@ Ed,

So, why?

Is a reasonable question to ask about any action a sentient entity takes.

However you have two problems to consider, "Perspective" and "hidden variables". Because of the latter the former can appear bizarre at times.

So when we look as you have done at the actions of,

they chose (...) to do the exact opposite - censoring her Linkedin profile page, and removing most all traces of interviews she'd done in the past from the internet.

As a "first guesstimate" I see the "hidden hand" of "Corporate lawyers" at work as incompetent management go into "damage control" mode. The usual Corporate Lawyer mode of operation is to think how they would attack a competitor and then advise defensive activities as they think appropriate[1].

The first rule of defensive war is "Don't give aid to the enemy". It's the logical response to the advice of "Know your enemy" given in a four thousand year old book usually called "The Art of War". Because those thinking up the strategies are actually not that bright they often try to do the impossible of "Deny All"; in effect they try to remove history that has been already written and distributed beyond their control... As Oliver North found out with the Iran-Contra issue under the Ronald Reagan Administration, that approach not only fails, you also end up looking "Guilty as charged".

As the old saying of "When life gives you lemons, make lemonade" points out, you sometimes have to make the best of what may at first appear a bad hand. Contrary to what incompetent management and their Corporate Lawyers often think, the best tactic when dealing with a potential P.R. disaster is not to make sudden changes to policy and try to hide things. The best policy is usually to not be defensive and await attack but to be proactively offensive and take control of the agenda by setting it before others do. That way you tend to "wrong foot" potential opponents, before they even think about the first step.

However to play that game well you need to have experience and knowledge, which is what the "Know your enemy" advice is really about. It is akin to the "Walk a mile in the other man's shoes" advice, which "scary monster" thinking is not really all about, as that almost always comes up with the "walk barefoot over hot coals / through fire" ideas. Which give rise to the idea of "steal the coal before they light it" as the major defence... The problem with that is it's "Magic thinking".

[1] So in effect the Corporate Lawyers are paid by incompetent management to dream up responses to the "scary monster" attacks the lawyers think up as the Armageddon attacks... Which is also the primary reason why Generals who won the last war tend to dream up defences to the last enemy's methods of attack and the politicians just give them the resources to do so, usually without realistic oversight. So the Generals "fight the last war again" but end up losing the next war. To see just how badly that can go wrong have a look at the French fortification building prior to WWII and how the Germans defeated them.

GJ • November 10, 2017 3:48 AM

If you want to reduce the amount of speeding, it is more effective to increase the chances of getting caught than it is to increase penalties.

My point is that the incentives are currently pushing the data brokers in the wrong direction. As a data broker, it is too easy to just hope and pray you won't get hacked. And if you do, to just handle it then. Since these hacks are low occurrence, high impact events, market pressure drives those companies to not adequately address them.

Regulation is needed to correct the market.

A set of best practices should be determined and regulation should make them mandatory. Verification by authorities should happen during normal operation (and fined when necessary) instead of fining the broker after a breach.

After a breach, if it is determined that these best practices were not followed, the people responsible should not be allowed to run a data collection company anymore.

Richard H Caldwell • November 10, 2017 5:34 AM

I would very much like to have you expand on and explain this section of your testimony -

"On the other hand, Congress should not create a new national identifier to replace the Social Security Numbers. That would make the system of identification even more brittle. Better is to reduce dependence on systems of identification and to create contextual identification where necessary."

What might that look like?

AlreadyLost • November 10, 2017 7:13 AM

@Richard G Caldwell

But in fact the possibility to dismiss your leaked SSN and have a new one would be great. Something like Cert. revocation.

mostly harmful • November 10, 2017 8:51 AM

@Clive Robinson writes:

As the old saying of "When life gives you lemons, make lemonade" points out, you sometimes have to make the best of what may at first appear a bad hand. Contrary to what incompetent management and their Corporate Lawyers often think, the best tactic when dealing with a potential P.R. disaster is not to make sudden changes to policy and try to hide things. The best policy is usually to not be defensive and await attack but to be proactively offensive and take control of the agenda by setting it before others do. That way you tend to "wrong foot" potential opponents, before they even think about the first step.

However to play that game well you need to have experience and knowledge, which is what the "Know your enemy" advice is really about. It is akin to the "Walk a mile in the other man's shoes" advice, which "scary monster" thinking is not really all about, as that almost always comes up with the "walk barefoot over hot coals / through fire" ideas. Which give rise to the idea of "steal the coal before they light it" as the major defence... The problem with that is it's "Magic thinking".

In the comment above Clive addresses @Ed's follow up question about Equifax's clumsy choice of tactic in trying to blank out Mauldin's public record.

Having read the following Motherboard article, I wonder whether Equifax's PR team is not using precisely the method Clive recommends, to deflect the aggrieved public's attention away from the utterly inexcusable "primary cause" of the reported data loss by directing attention towards an arguably less damning, but potentially redundant, oversight:

Equifax Was Warned - Motherboard | Lorenzo Franceschi-Bicchierai | Oct 26 2017
https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning

Does the following excerpt maybe indicate the primary cause of the reported data loss, instead of the loudly lamented unpatched Apache Struts vulnerability?

Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.

"All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app."

The site looked like a portal made only for employees, but was completely exposed to anyone on the internet. It displayed several search fields, and anyone—with no authentication whatsoever—could force the site to display the personal data of Equifax's customers, according to the researcher. Motherboard saw multiple sets of the data they were able to access.

"I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug[1]. The researcher requested anonymity out of professional concerns.

My point is simple, really: Suppose that a store's manager forgets to lock up the store at night before heading home to bed, leaving the lights on and the front doors unlocked. Later that night Person A enters through the open front door and takes whatever they please. Some time after that, on the same night, Person B comes along, picks the lock to the back door and removes the drop safe from the backroom.

In the morning the store manager, rending his breast, explains to the insurance company: "We've been burgled! Some lousy hacker picked the lock on the back door! If only we had installed a better lock, and bolted the drop safe to the floor!"

The media picks up the story, and discusses "The Burglary". Clever bods count themselves among those in-the-know for being able to recite the model number of the inadequate lock that was picked. Everyone clucks about how important it is to bolt safes to the floor with heavy tamper-proof bolts.

Meanwhile, Person A chuckles to herself, and the store manager heaves a sigh of relief.

In the case of Equifax, according to the anonymous researcher sourced in the Motherboard article, Equifax were apparently serving up data on misconfigured portals prior to any known exploitation of the Apache Struts vulnerability.

And they continued to serve it up until June of this year:

After discovering all these issues in December [2016], the researcher said they immediately reported them to the company.

"It should've been fixed the moment it was found. It would have taken them five minutes, they could've just taken the site down," they told me. "In this case it was just 'please take this site down, make it not public.' That's all they needed to do."

According to the researcher, Equifax didn't take the site down until June.

Note the potential causal disconnect between "Real sorry guys, all your data of sort Foo Bar and Baz slipped through our butter fingers" and "OMG BUT WE WERE HAXXORED!"

Cooperative interlocutors tend to assume that the admission of lost data of particular kinds is somehow relevant to the disclosure of an intrusion. But recall that PR spokescritters are not cooperative interlocutors (second only to cops in that regard). That is, as far as I can tell the sort of data publicly acknowledged as lost may well have been given away, literally served up.

Regardless, insofar as the talk of the town sticks to the unpatched Apache Struts narrative, Equifax heaves a sigh of relief, its spokespeople look abashed in public, and all the while its board of directors sips their lemonade.

1. https://www.owasp.org/index.php/Forced_browsing
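The "forced browsing" flaw quoted above, as an added illustration that is not code from the Motherboard article, from Equifax, or from this blog: a constructed toy "employee search portal" whose only protection is that nobody is supposed to know its URL, next to a hardened version that authenticates and authorises every request server-side and minimises what it returns. The records, paths, roles and the `Request` shape are all invented for the example.

```python
"""Forced browsing (OWASP): an "internal" page that is reachable without any
authentication check.  Constructed example; all records and names are
placeholders, not real data and not the code of any real portal."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample records (placeholder values only).
RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "city": "Springfield"},
    {"name": "Bob Example",   "ssn": "000-00-0002", "city": "Shelbyville"},
    {"name": "Carol Example", "ssn": "000-00-0003", "city": "Ogdenville"},
]

SEARCH_PATH = "/internal/search"   # hypothetical unlinked "staff only" URL


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by the application."""
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None        # set only by a real login
    roles: FrozenSet[str] = frozenset()       # granted server-side, never by the client


def _search(term: str) -> List[dict]:
    # Substring match on name; an empty term matches every record.
    return [r for r in RECORDS if term.lower() in r["name"].lower()]


def vulnerable_portal(req: Request) -> Tuple[int, List[dict]]:
    """Vulnerable: the page's obscurity is its only 'protection'.

    Anyone who finds or guesses the path gets the full table, including a
    whole-table dump when the search field is left empty."""
    if req.path == SEARCH_PATH:
        return 200, _search(req.query.get("q", ""))
    return 404, []


def _mask_ssn(ssn: str) -> str:
    # Data minimisation: show only the last four digits by default.
    return "***-**-" + ssn[-4:]


def hardened_portal(req: Request) -> Tuple[int, List[dict]]:
    """Hardened: deny by default, authenticate, authorise, then minimise.

    Order matters: the authentication check runs before any record is
    touched, so an unauthenticated caller learns nothing about the data."""
    if req.path != SEARCH_PATH:
        return 404, []
    if req.session_user is None:            # not logged in
        return 401, []
    if "records_search" not in req.roles:   # logged in, but not entitled
        return 403, []
    term = req.query.get("q", "")
    if len(term) < 3:                       # refuse whole-table dumps
        return 400, []
    results = []
    for r in _search(term):
        row = dict(r)
        if "ssn_full" not in req.roles:     # only a narrow role sees full SSNs
            row["ssn"] = _mask_ssn(row["ssn"])
        results.append(row)
    return 200, results


if __name__ == "__main__":
    anon = Request(SEARCH_PATH)                     # no login, empty search
    print("vulnerable, anonymous:", vulnerable_portal(anon))
    print("hardened,   anonymous:", hardened_portal(anon))
    staff = Request(SEARCH_PATH, {"q": "ali"},
                    session_user="staff1", roles=frozenset({"records_search"}))
    print("hardened,   staff:    ", hardened_portal(staff))
```

The point of the pairing is the one the excerpt makes: the vulnerable handler needs no exploit at all, an empty search returns every record to an anonymous caller, while the hardened handler fails closed before it reads a single record and returns masked identifiers even to entitled staff unless a separate role grants the full value.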

handle_x • November 10, 2017 12:01 PM

"But in fact the possibility to dismiss your leaked SSN and have a new one would be great. Something like Cert. revocation."

Well if you're going there, why only 9 digits? It's not nearly enough.

Milo M. • November 10, 2017 1:18 PM

@AlreadyLost and @handle_x :

There are some provisions for getting a new SSN.

https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can-I-change-my-Social-Security-number

https://faq.ssa.gov/link/portal/34011/34019/Article/3792/What-should-I-do-if-I-think-someone-is-using-my-Social-Security-number

https://www.ssa.gov/pubs/EN-05-10064.pdf

"Keep in mind that a new number probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same."

https://www.ssa.gov/employer/randomization.html

The dearth of cybercrime in 1936 made 9 digits seem to be sufficient.

https://www.ssa.gov/history/ssn/firstcard.html

Clive Robinson • November 11, 2017 8:43 AM

@ Richard H Caldwell,

What might that look like?

It's a good question.

In the past Bruce and many others have made the point that the SSN is a single point of failure, or if you prefer a "One Ring to own them all" universal identifier.

The SSN was never designed to be a universal identifier and for 80 years politico after politico has ignored the issue that universal identifiers are very bad news for individuals, but for business that externalizes risk it makes their costs very very much smaller. So much so agencies can pay organisations to collect them. So you as an individual get coerced or forced into handing it over, or be discriminated against.

Obviously this single number universal identifier (that is not randomly issued) is a godsend for criminals as well. Which is made worse by the US legal system where proof of identity theft falls on the victim. And the Police usually will do nothing to hunt down the criminal.

Worse, in some cases where there is video evidence of who the criminal is it is withheld from the victim for various reasons, which boil down to "the victim is feeling the pain, not us, why should we take any of the pain away as there is less than nothing in it for us". That is, they see risk so the victim can not even gather evidence in their defence.

What is needed is for each organisation to be responsible for their own risk, and as it was just over eight years ago there be no universal identifier. Thus this decentralises the risk for individuals as the cost and risk for those who try to externalise risk such as the credit rating or loans industry or who are criminals goes up significantly.

One reason that politicos fear this --other than the loss of campaign funds etc,-- is economists say it will kill the credit market which will kill the money supply which will slow down or kill the economy so you get yet another "Great Depression" or worse. For other reasons --faux market generation etc-- the risk in the economy is already very high as the "Financial Crises" FC1 and FC2 etc showed. Thus actually such changes are more likely to increase stability for industry and other real wealth producers rather than adding instability that faux markets such as hedge funds etc that the financial industry uses as vehicles to extract rent.

The simple fact that "easy credit" is turning people into slaves, bankrupts or criminals, which is actually way worse for the economy in general, does not appear to occur to people, thus the question does not get asked let alone honestly answered.

The simple fact is the banks etc want an inflationary economy where the real assets are only owned by a very very few who use them to rent seek against the rest of the population. Thereby reducing or eliminating the ability of the general population to get real assets which help them offset the ills of inflation...

The problem with "The Great American Dream" is it is predicated on the easy availability of raw resources at minimal or no cost (ie what most would consider theft or worse after thinking about it). The minute resources develop a scarcity the whole dream collapses as the rent seekers move in just like the "carpet baggers"[1] of old, to steal at the point of a gun (often held by a lawman or other guard labour).

[1] Whilst many who moved south after the civil war had honest intentions to educate the emancipated etc, some most definitely did not. These quite rightly hated northerners used the likes of Sherman's field orders, the Southern Homestead Act and much other Reconstruction-era legislation by Radical Republicans aimed to strip the land, assets, and voting rights of Southerners that were suspected or just falsely accused of having supported the Confederates during the war (whilst quite a few had aided the confederates, history shows that all too frequently this was due to compulsion at the point of a gun). The setup of banks and "share cropping" was carried out by northerners who were mostly ex Unionist Soldiers. The basic plan was to strip out all asset holding and rights and turn the bulk of the southern population into the equivalent of tithed serfs, with the profits going to middlemen such as the banks and crop agents. Some of the "old families" that managed to hang onto their land quite cheerfully turned to this new form of indentured labour as it was frequently cheaper than keeping slaves. It was not until the 1960's that the model got partially broken.

Clive Robinson • November 11, 2017 8:50 AM

@ mostly harmful,

I wonder whether Equifax's PR team is not using precisely the method Clive recommends, to deflect the aggrieved public's attention away from the utterly inexcusable "primary cause" of the reported data loss by directing attention towards an arguably less damning, but potentially redundant, oversight

It's certainly a possibility; the question is of course how to devise a test method to show it as such.

Hopefully people will discuss it here and in other places such that an unmasking can be achieved whilst there is still interest in nailing a few hides to a tree.

handle_x • November 11, 2017 4:23 PM

"The dearth of cybercrime in 1936 made 9 digits seem to be sufficient."

Yeah exactly, and we're on that standard still ~100 years later?

It's nuts. What does it take to get anything necessary done around here?

A major show-stopping catastrophe. Facepalm.

Anomynous • November 12, 2017 1:25 PM

Thorough and in-depth. A very good summary about the difficulties for getting privacy and why it is so important. Do you think it will change the law and regulations for the better in the USA and other parts of the world?

mostly harmful • November 12, 2017 4:06 PM

@Clive Robinson

https://www.schneier.com/blog/archives/2017/11/me_on_the_equif.html#c6763925

It's certainly a possibility, the question is of course how to devise a test method to show it as such.

You do get right to the point! In the meantime, a postulate (CYA):

Let mistakes M1 M2 M3Mn be committed, resulting in problem P. Then a party r being called to account for P for will claim that Mi is "the" cause of P, where the commission of Mi makes r appear less negligent than any other Mj.

Hopefully people will discuss it here and in other places such that an unmasking can be achieved whilst there is still interest in nailing a few hides to a tree.

While I'm sure hunting has its charms, for this particular species of dinosaur perhaps we require climatic developments that will oblige us with an extinction event. Anthropogenic political climate change.

@Anyone else momentarily perplexed by the following passage from Clive's comment in response to @Richard H Caldwell above [bold mine]:

https://www.schneier.com/blog/archives/2017/11/me_on_the_equif.html#c6763924

    What is needed is for each organisation to be responsible for their own risk, and as it was just over eight years ago there be no universal identifier. Thus this decentralises the risk for individuals as the cost and risk for those who try to externalise risk such as the credit rating or loans industry or who are criminals goes up significantly.

Unless I am mistaken, the phrase "eight years ago" is Robinsonesque for "eighty years ago":

https://en.wikipedia.org/wiki/Social_security_number#History

    Social Security numbers were first issued by the Social Security Administration in November 1935 as part of the New Deal Social Security program.

more time dilation • November 12, 2017 7:15 PM

It's the logical response to the advice of "Know your enemy" given in a four thousand year old book usually called "The Art of War".

What does 4000 translate to for other observers?

Wael • November 12, 2017 8:30 PM

@more time dilation,

What does 4000 translate to for other observers?

For observers that forget history it translates to: "Red-shifted into oblivion". Translation varies for other observers. Your mileage may vary!

Clive Robinson • November 12, 2017 11:40 PM

@ Mostly Harmless,

Unless I am mistaken, the phrase "eight years ago" is Robinsonesque for "eighty years ago"
    Oh Y oh Y have thou forsaken me
;-)

Yes, you are correct, it's a typo on my behalf; there is a Y missing, it should be "eighty" not "eight".

Mind you, be careful with calling it "Robinsonesque": it might stick and people will get their tongue caught around it for many years to come. Likewise a "Cliveism" would only be fractionally better...

Clive Robinson • November 13, 2017 1:05 AM

@ more time dilation,

What does 4000 translate to for other observers?

Potentially off by a millennium and a half...

In a reference I have in a quite old book (long prior to ISBNs), it says "Sun Wu, 2400 BC, Kingdom of Wu"... Having just looked up online in a couple of places, other references give quite a variety of times.

Some point back to fifth or sixth century BC others 500BC or 400BC and others a three century period starting around 775BC... Oh and a whole bunch of potential authors, with some indicating the book was a much later invention / fabrication...

So take your pick...

Wael • November 13, 2017 7:49 PM

@more time dilation,

Verily hast thou shewn thy wisdom

I still have my wisdom teeth, really.

justina colmena • November 13, 2017 9:35 PM

@Wael

@more time dilation,
Verily hast thou shewn thy wisdom
I still have my wisdom teeth, really.

In the United States, wisdom teeth are required to be removed, along with tonsils, adenoids, appendices, breasts, uteri, foreskins, eyes, hair, nails, the frontal lobe of the brain, and any other organs doctors deem "unnecessary."

Wael • November 13, 2017 10:27 PM

@justina colmena,

In the United States...

What unfortunate country has been afflicted and disgraced with your citizenship? The asylums there don't have room for another person?

John Campbell • November 14, 2017 6:58 PM

Comment:

"Today, you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are."

I, at one time, worked for the company that implemented this little connection. Mind you, I was caught in the undertow of one of their regularly scheduled RIFtides earlier this year.

John Givens • November 17, 2017 9:44 PM

>> 7. We need effective regulation of data brokers.
Isn't it time for consumers to be notified upon any financial transaction being made in their name? Permanently, promptly, and at no cost? Three key measures are needed:
1. Consumers may designate a preferred email address and a subject line identifier with any credit bureau, without cost. It must be retained by every credit bureau and displayed in its credit report.

2. Consumers may verify or change their choice, at any time, without cost. However, if it gets changed, the credit bureau must report this deed to the previous address—to warn the consumer in case an imposter with stolen credentials has changed it.

3. Consumers can now be notified: Lenders must send an alert upon opening of any credit line. Banks and similar institutions must send an alert upon any financial transaction. Credit bureaus must report all entries made to a credit file and all requests for a credit report.

Please read The Credit Manifesto:
http://cabjones.com/CreditManifesto.pdf

Rump it Up • November 18, 2017 4:18 AM

Congress is not good, doing a lot of things some of which are good things and some of which are bad things

Donaald Duck Go • November 18, 2017 4:26 AM

Look, having computer security — my uncle was a great professor and scientist and engineer, Dr. John Trump at MIT; good genes, very good genes, OK, very smart, the Wharton School of Finance, very good, very smart — you know, if you’re a conservative Republican, if I were a liberal, if, like, OK, if I ran as a liberal Democrat, they would say I’m one of the smartest people anywhere in the world — it’s true! — but when you’re a conservative Republican they try — oh, do they do a number — that’s why I always start off: Went to Wharton, was a good student, went there, went there, did this, built a fortune — you know I have to give my like credentials all the time, because we’re a little disadvantaged — but you look at the computer security deal, the thing that really bothers me — it would have been so easy, and it’s not as important as these lives are — computer security is powerful; my uncle explained that to me many, many years ago, the power and that was 35 years ago; he would explain the power of what’s going to happen and he was right, who would have thought? — but when you look at what’s going on with the four hackers — now it used to be three, now it’s four — but when it was three and even now, I would have said it’s all in the messenger; fellas, and it is fellas because, you know, they don’t, they haven’t figured that the women are smarter right now than the men, so, you know, it’s gonna take them about another 150 years — but the Russians are great hackers, the Russians are great hackers, so, and they, they just killed, they just killed us.
