Dailydave mailing list archives

Re: Equitablefax


From: Chuck McAuley <cmcauley () ixiacom com>
Date: Wed, 27 Sep 2017 18:00:50 +0000

In the US, the roads are owned by someone (Private Individual, Town, State, Country). They can set the rules for 
driving on them as they see fit.

Who owns the Internet? In the US, definitely not the government. I guess you could argue it would be ISPs. They could 
govern who peers. But why would they care?

More noise should be made about the fact that the current credit scoring model cannot be trusted after this PII has been leaked. 
I can't see a reliable means to protect 'your' score after this breach.

-chuck

From: Dailydave <dailydave-bounces () lists immunityinc com> on behalf of Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Wednesday, September 27, 2017 at 1:32 PM
To: Dave Aitel <dave () immunityinc com>
Cc: dailydave <dailydave () lists immunityinc com>
Subject: Re: [Dailydave] Equitablefax

If Equifax had a public bug bounty program, someone would have reported the Java RCE in March 2017 and picked up $10K 
or more for it. But no, Equifax did not have a public bug bounty program. Say what you will about the pros and cons of 
a bug bounty program, especially for financial institutions which "know better than the public how to protect 
themselves", but at least in this case a known issue would have been well documented much earlier. We should encourage 
other credit and financial companies to consider public or at the very least private bug bounty programs. It's a mess 
to operate them, but not patching a known critical web flaw ASAP that allows RCE is precisely the legal definition of 
negligence. Equifax should pay dearly for it.

Perhaps it's time to consider federal Cyber Security Insurance laws for such companies that force them to pay fees to 
operate on the Internet, just like everyone that drives a car on the road? If you crashed your car every time you got on 
the highway, or if you damaged 140 million cars while driving, you would lose your license for some time. Why hasn't 
Equifax lost their license to operate on the internet for some time? How about a 2 year hiatus on their annual revenue 
to punish them? Just a thought. Maybe Halvar can chime in on why Cyber Security Insurance regulation like that is OR is 
not the answer. He has been working on that lately...
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
