Message boards :
Politics :
Computers & Technology 3
Message board moderation
Previous · 1 . . . 15 · 16 · 17 · 18 · 19 · 20 · 21 . . . 25 · Next
Author | Message |
---|---|
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30937 Credit: 53,134,872 RAC: 32 |
We will see how well that holds up in court.Lawyers peg blame on deep pockets, it pays for their lifestyle. |
Mr. Kevvy Send message Joined: 15 May 99 Posts: 3797 Credit: 1,114,826,392 RAC: 3,319 |
The short list. Equifax IT was a sleep at the wheel. Gosh, I wonder how they could have been with such a qualified CSO. 😀 Eventually I am going to find them in the dictionary under "incompetence". Have better. But, having been involved in past Class Action Lawsuits, which resulted in compensation. Awaiting, sometime in the future, more compensation. The DoNotPay chatbot, which has successfully issued defenses against thousands of tickets, has been set up to automate filing small claims lawsuits on anyone's (in the U.S.) behalf if they have been affected by this (ie costs related to loss of data.) It's free to use DoNotPay (there of course is probably a filing fee with the courts though) and small claims courts don't involve lawyers. Compensation could be up to $25K. |
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30937 Credit: 53,134,872 RAC: 32 |
|
Siran d'Vel'nahr Send message Joined: 23 May 99 Posts: 7379 Credit: 44,181,323 RAC: 238 |
Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack Gary, Equifax is tasked with securing the personal data they receive from consumers that use their service. It is their IT departments responsibility to make sure that that security measures up. They did NOT update Struts; the blame falls to Equifax, not the software. Siran CAPT Siran d'Vel'nahr - L L & P _\\// Winders 11 OS? "What a piece of junk!" - L. Skywalker "Logic is the cement of our civilization with which we ascend from chaos using reason as our guide." - T'Plana-hath |
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30937 Credit: 53,134,872 RAC: 32 |
You misread. I don't blame the software, I blame the design of the software. Humans. The concept of open source. Equifax's IT department should not have allowed open source that doesn't self update, if you insist on blaming Equifax. But that applies to every user of open source! As I said, humans forget. You design systems to look out for human error and prevent it. Same as input validation which every program should do. Basic programming standards are being forgotten in a rush to lazy.I hope you can. Blame seems to lie is systems like open source that can't automatically go out and get a security patch and self apply it. Humans forget or get distracted and humans know this so smart ones design systems to prevent this. |
Siran d'Vel'nahr Send message Joined: 23 May 99 Posts: 7379 Credit: 44,181,323 RAC: 238 |
You misread. I don't blame the software, I blame the design of the software. Humans. The concept of open source. Equifax's IT department should not have allowed open source that doesn't self update, if you insist on blaming Equifax. But that applies to every user of open source! As I said, humans forget. You design systems to look out for human error and prevent it. Same as input validation which every program should do. Basic programming standards are being forgotten in a rush to lazy.I hope you can. Blame seems to lie is systems like open source that can't automatically go out and get a security patch and self apply it. Humans forget or get distracted and humans know this so smart ones design systems to prevent this. Gary, I have been using open source software for many, many years and have yet to have a problem with them. The problem I'm starting to have is with self-updating software such as Windows 10. That may be slightly off-topic, but I believe it will help make my point: We have a PC with Windows 10; not my PC. After the Creators Edition (or whatever it is called) came out, that PC started doing BSODs and would not stay running for more than a few minutes. We rolled it back and the BSODs went away. Now, we have a new problem that cropped up after the PC was updated just this week. It has a voice chat program that will not stay running for more than 5 minutes before it crashes. The program worked fine before the update, after, not so much. There is another voice chat program that is also having a problem after the Windows 10 update this past week. We don't use it. We see it in googling to try to fix our own problem. So you see, even software that self-updates can screw up. I don't blame Apache Struts since the hole used by the hackers was fixed and Equifax's IT department did not patch the software. I blame Equifax's IT department for the hack job. Siran CAPT Siran d'Vel'nahr - L L & P _\\// Winders 11 OS? "What a piece of junk!" - L. Skywalker "Logic is the cement of our civilization with which we ascend from chaos using reason as our guide." - T'Plana-hath |
Mr. Kevvy Send message Joined: 15 May 99 Posts: 3797 Credit: 1,114,826,392 RAC: 3,319 |
Equifax's IT department should not have allowed open source that doesn't self update. I suspect that you don't work in IT (I do)... that is a recipe for disaster especially in a web service or other public-facing platform. It is absolutely the responsibility of the server support and data security teams to inventory all applications and components tracking version numbers and last update dates, and either get on the developer's mailing lists so that they are informed of patches, or check the developer's versioning regularly. For a public-facing intrusion-prone enterprise protecting a large volume of confidential information this should be daily. When a patch or other update is available it is then tested in a UAT environment, ie on a UAT server which is a clone of the production server(s) that will be patched, to ensure it doesn't break anything, otherwise the enterprise could grind to a halt. Once this is done it is deployed. If there are functionality changes there is notification beforehand. For a security patch with a risk to the data security of the enterprise this should be of course be prioritized to, say, one to two business days, and data security should be engaged to monitor and/or mitigate the vulnerability that will be patched in the interim. Equifax hadn't installed this highest criticality patch five months after it was released. They are a complete and utter laughingstock, especially their pathetic attempt to blame open source for their laziness and incompetence. For example 498 of the top 500 supercomputers on earth run Linux, and Apache is still the most popular web server suite... I think OSS just might be used by people who know what they are doing! |
j mercer Send message Joined: 3 Jun 99 Posts: 2422 Credit: 12,323,733 RAC: 1 |
Equifax's IT department should not have allowed open source that doesn't self update. Trying to explain the color red to a blind person is a challenge. Har... ... |
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30937 Credit: 53,134,872 RAC: 32 |
Equifax's IT department should not have allowed open source that doesn't self update. 99% of companies can't even audit how much or what open source code is in their organization. How the heck do you expect them to be on every update list? Yes, using dodgy code, like open source where you have no control over it and had to disclaim any ability to sue over fitness of purpose is stupid. But wall street is all about short term profits over long term. Now Equifax is finding out the buck is going to stop with them and not with Apache where it belongs. After all they wrote the bug in the first place. But let's put it this way, if struts was a car and it had a safety recall, say an airbag, isn't it the manufacrurer's duty (Apache) to inform, snail mail not an opt-in email, the owner to get it fixed and supply the fix. Ah, the bug in open source is revealed, no one is responsible. Lawyers soon are going to get on this and when they do orders are going to come from above to scrub open source out of projects because the company can't take liability for others mistakes. I'm actually surprised with the data protection laws in the EU that some case like this hasn't sunk a large enterprise. It will happen. Remember you are looking at it from IT, not from the perspective of a bunch of lay people sitting in a jury box. I can almost hear the lawyer now, Name the person or persons who are responsible for fixing bugs, not applying updates, in struts. So you are telling this court that there is no one who is responsible for fixing struts? Do you think it is wise to use software that has no person responsible for it? Actually I wonder if using open source because no one is responsible isn't a clear violation of EU data protection laws? There are ways to handle the auto-update. Just because you can only think inside the box that Doze is the only way doesn't mean it is. Critical syslog, A critical update has been issued to xyz, your license to use this un-patched version vv.vv expires in ten days, nine days, eight days, ... 23 hours ... 1 hour ... . |
j mercer Send message Joined: 3 Jun 99 Posts: 2422 Credit: 12,323,733 RAC: 1 |
There are ways to handle the auto-update. Just because you can only think inside the box that Doze is the only way doesn't mean it is. Critical syslog, A critical update has been issued to xyz, your license to use this un-patched version vv.vv expires in ten days, nine days, eight days, ... 23 hours ... 1 hour ... . Name a software license that expires if not updated in days. ... |
Siran d'Vel'nahr Send message Joined: 23 May 99 Posts: 7379 Credit: 44,181,323 RAC: 238 |
-[ snip ]--[ snip ]--[ snip ]- Gary, it is just too obvious that you do not think highly of Open Source software. tsk tsk It was stated in one or both of those articles that the security issue was patched LONG BEFORE the hack on Equifax. Apache has been around for as long as I can remember any computer history. It runs, what, 99.9% of every web server on the planet? Even Microsoft uses Apache, probably because they cannot come up with anything better. The Struts security issue was resolved. Equifax's IT department did NOT apply the patch, which is their job to do. Hackers took advantage of this lack of security on Equifax's IT part, and Equifax and you are saying it is the fault of the software because of the security issue. IT WAS FIXED before the hack, long before. The company, not the software, is at fault. Open Source has NOTHING to do with who is at fault. Siran CAPT Siran d'Vel'nahr - L L & P _\\// Winders 11 OS? "What a piece of junk!" - L. Skywalker "Logic is the cement of our civilization with which we ascend from chaos using reason as our guide." - T'Plana-hath |
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30937 Credit: 53,134,872 RAC: 32 |
-[ snip ]--[ snip ]--[ snip ]- Apache wrote the bug into the software. They have done that hundreds of times. Would you buy a product from such a vendor? Apparently you would. Apparently a lot of people would. How would you explain that to a jury? Martin's sig is something akin to IT is what we allow it to be. I'll add a stupid decision made by millions of people is still a stupid decision. Apparently you have no clue about validation. Your refusal to understand validation is like writing software for a bank that lets a teller make a deposit for negative amounts. Humans screwup all the time. Make the software validate and that includes itself! It isn't perfect, but it would have caught this screwup. When I started in IT there were times you had to prove software. By prove I mean a rigorous mathematical proof. Not often but enough you knew about it. It can be done on any program because at its core every program is math. I don't know where along the way sloppy became the new standard, but it did. As Martin says, IT is what we allow it to be. Sooner or later, and I expect sooner the lawyers are going to have a field day with IT practices. |
j mercer Send message Joined: 3 Jun 99 Posts: 2422 Credit: 12,323,733 RAC: 1 |
-[ snip ]--[ snip ]--[ snip ]- Name a software license that expires if not updated in days. ... |
OzzFan Send message Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
Name a software license that expires if not updated in days. You misread Gary's point and are trying to make him answer your question based upon that misreading. "Gary Charpentier" wrote: Critical syslog, A critical update has been issued to xyz, your license to use this un-patched version vv.vv expires in ten days, nine days, eight days, ... 23 hours ... 1 hour ... . What he is saying here is there should be a log built into the application, maybe call it "Critical Syslog", and add entries saying that a critical update has been issued to your software, and that the old, unpatched software will become an invalid license if you don't patch in X number of days. He never said it currently works this way. He suggested it as an alternative to automatic updates. Just wait until all software has turned into SAS in the cloud solutions. Everyone will always be on the latest version and automatically patched. Hacks will still happen but they can be fixed in seconds. |
betreger Send message Joined: 29 Jun 99 Posts: 11410 Credit: 29,581,041 RAC: 66 |
Just wait until all software has turned into SAS in the cloud solutions. Everyone will always be on the latest version and automatically patched. Hacks will still happen but they can be fixed in seconds. Oh joy |
j mercer Send message Joined: 3 Jun 99 Posts: 2422 Credit: 12,323,733 RAC: 1 |
Thanks OzzFan. Is there software like this? A new concept for me. I would like to read up a little. ... |
OzzFan Send message Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
None of them currently invalidate your license that I'm aware of, but that could be used purely for enforcement of patching. |
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30937 Credit: 53,134,872 RAC: 32 |
None of them currently invalidate your license that I'm aware of, but that could be used purely for enforcement of patching. The invalidation of the license might be for clearly legal reasons, to rid the developer of any liability for whatever is exposed which could be in the trillions of dollars. They don't have to turn the software off, but they could and then use it to extract a brand new license fee if you didn't patch before expiration. |
j mercer Send message Joined: 3 Jun 99 Posts: 2422 Credit: 12,323,733 RAC: 1 |
None of them currently invalidate your license that I'm aware of, but that could be used purely for enforcement of patching. I like the idea of better defined liabilities. Hopefully this event will push for better management of personnel data. ... |
Siran d'Vel'nahr Send message Joined: 23 May 99 Posts: 7379 Credit: 44,181,323 RAC: 238 |
You make it sound like it was a deliberate act by Apache. "Apache wrote the bug..." Give me a break! As reputable as Apache is they are NOT going to deliberately write a bug into their software.Apache wrote the bug into the software. They have done that hundreds of times. Would you buy a product from such a vendor? Apparently you would. Apparently a lot of people would. How would you explain that to a jury?-[ snip ]--[ snip ]--[ snip ]- Martin's sig is something akin to IT is what we allow it to be. I'll add a stupid decision made by millions of people is still a stupid decision. Irrelevant! Apparently you have no clue about validation. Your refusal to understand validation is like writing software for a bank that lets a teller make a deposit for negative amounts. Humans screwup all the time. Make the software validate and that includes itself! It isn't perfect, but it would have caught this screwup. When will you get it through your head that Apache is NOT AT FAULT? A security issue was discovered and it was FIXED by Apache. Equifax's IT department did NOT patch Struts to fix the issue. Hackers discovered it and compromised their server(s). The IT department is at FAULT. By the way: I have an Open Source software suite that just this morning informed me that there was an updated version. WOW!!! Who'd have thunk?!?! What did I do? I downloaded and installed the new version. Simple as that Gary. I highly doubt that Apache would be so negligent that they would not inform the WORLD that a security issue was found and fixed and that the WORLD should install the patch right away. Give me a break Gary. You are just showing your distaste for Open Source software. Nothing more, nothing less. EQUIFAX is at fault, NOT, Apache. Siran CAPT Siran d'Vel'nahr - L L & P _\\// Winders 11 OS? "What a piece of junk!" - L. Skywalker "Logic is the cement of our civilization with which we ascend from chaos using reason as our guide." - T'Plana-hath |
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.