Karl nails it on mirroring my thoughts about this CF.
http://www.theburningplatform.com/2017/09/09/where-are-the-damned-handcuffs/#more-158729
WHERE ARE THE DAMNED HANDCUFFS?
Guest Post by Karl Denninger
It’s time to start locking people up and destroying businesses with federal criminal indictments.
The Internet has made many things very easy — and fast. But it has also made many things quite insecure, especially when corners are cut.
I can design and implement extremely secure internet-connected data facilities and services. I not only have done so; they're in active use right now. Some are more important than others, but all are important to me. Among other things my home is connected via same, never mind the work product I've developed for the last, oh, 30ish years when working on various pieces of computer technology.
It has never been penetrated.
Do you know why? Because to get in you need cryptographic keys that you don’t have, and as technology has advanced so has my willingness to regenerate said keys to keep step with same, along with taking proper security precautions with the necessary components to issue said credentials.
In other words I do my ****ing job.
Equifax did not. Nor did all of the other places that have had ridiculous data breaches over the last few years. Nor did the people who called me a couple of years ago in a panic because one of their “senior” IT people stripped the protection from their master key and stuck it on a network volume that was backed up to the cloud for convenience purposes. For the record, that person was not fired and the firm in question did not immediately re-generate all the keys issued by same.
So far I haven’t read anything in the paper about them being compromised, but that doesn’t mean they haven’t been. It just means it didn’t hit the papers.
Yet.
Equifax, along with Trans-Union and Experian, hold data on virtually every US Citizen over the age of about 18 and a large number of those who are not adults. If you have any sort of credit relationship with anyone they have a file on you. That file is indexed by something that, until about 20 years ago, had "Not for Identification" stamped on the face of its card — your Social Security number.
Congress has permitted these firms to pervert that which it designated not for identification use, but only for the use of the Federal Government in administering retirement and disability benefits under the Social Security program, with the IRS having access to it so as to make sure your contributions to same were accurately recorded. Since deliberately turning its back on the outrageous abuse of same by private industry, Congress has then gone even further: it has not only allowed and mandated its use by other firms, such as banks, for identification purposes, it has effectively barred you from having any such account or access without same.
This, despite the fact that on the face of said cards, until fairly recently, it was explicitly stated: NOT FOR IDENTIFICATION, as that was written into the original law that resulted in the issuance of same.
But what's even worse than that perversion, for which every Congresscritter and Executive Branch member should be tried and imprisoned for the rest of their lives, is what Congress and the Executive have not done since — on purpose.
They have not enforced the law with regard to intentional and willful misconduct when it comes to cyber security in these large data stores, nor do they give a damn about the material and incalculable harm these large firms inflict on consumers when your data is either stolen or misused because of their intentionally lax security. Further, the Congress and Executive allow effective extortion of every consumer in the nation by allowing these companies to charge you to freeze your credit (thus denying scammers access), to charge you again to "unfreeze" it temporarily if you wish to obtain new credit, and to deem said data "theirs" instead of "yours," which means you can't insist that they either not collect and store it or delete it.
See, proper security costs money and can be inconvenient. Having access to such data only when properly secure machine certificates are used to encrypt same and all communication all the way back to a traceably secure device would mean that "instant credit" decisions at millions of cash registers (e.g. to sell you a credit card while in the checkout line) could not be made.
Forcing these companies to allow consumers to turn “on” and “off” access to their credit files whenever they want, without cost, would mean that these companies couldn’t sell your data to anyone and everyone who has a few bucks, and they’d have much smaller businesses than they have now. And prosecuting and jailing the executives of firms who put convenience for their customers, which are businesses — not consumers — ahead of security would mean they’d have no business at all. But at the same time it would make defending against someone opening a credit account in your name and stealing your identity very easy since you could disable access to your credit information any time you wish without having to pay to turn it on and off.
Because of how these firms operate and their business practices, choices they have voluntarily made, you get screwed — again. This breach is so large and so egregious that no amount of “monitoring” and “credit watching” will do a damn thing. You’re going to get ****ed as a consequence of this and your obsession with posting crap on Facesucker, Twatwaffle and Instrascrew instead of immediately demanding that strong, effective action be taken to put a stop to this crap.
The solution is to force Equifax to eat the cost of ANY fraud that ensues and all costs of its cleanup, including liquidated damages for your time and effort, on a permanent basis, since they, and not you, decided to use an identifier never intended for that purpose, and in addition they, and not you, were grossly negligent in failing to secure said data. In addition, forcing all of these firms to allow no-cost lock and unlock options for consumers, where locking your file at one bureau does so at all of them and can be done at zero cost at any time for any reason on a permanent basis, would actually mitigate said risk. Finally, deeming any credit opened while you have locked your file as conclusively fraudulent and uncollectable, with liquidated damages payable to you if someone does it anyway, would shift the burden for said incidents from you to them.
And finally, we can start by indicting right now the executives at Equifax who sold stock after the breach occurred and before it was reported, along with indicting the company itself under federal Racketeering statutes — they claim they didn't know, but I call bull**** on that and demand an immediate felony criminal investigation of both the executives and the company, including but not limited to the immediate seizure of every single electronic device owned by said executives and the company that might hold evidence documenting that they're lying.
But instead of doing the right thing what we get is more mealy-mouthed bull****, and you, America, sit for it.
The breach is Equifax’s fault.
The lack of immediate prosecutorial and policy response by the government is your fault, America, because you refuse to demand that it happen right damn now backed up by immediate and no-holds-barred protest, up to and including destroying all credit-issuing businesses through lawful economic action until the above occurs.