I was/am interested in the whole Equifax hack and how it happened. To this end I posted a brief link yesterday to the Struts team's response. A simple case of failing to patch! Case closed...

But then I’ve been thinking that’s not really very fair.

This was (apparently) caused by a defect that's been around for a long time. The developers had reacted very quickly when the problem was identified (within 24 hrs), but Equifax – by all accounts – had failed to patch for a further 6 months.

What did we expect? That they'd patch it the next day? No chance. Within a month? Maybe. But if the issue is embedded in some third-party product then they're dependent upon a fix being provided, and if it's in some in-house developed tool then they need to be able to rebuild the app and test it before they can deploy. Struts was/is extremely popular. It was the Spring of its day and is still deeply embedded in all sorts of corporate applications and off-the-shelf products. Fixing everything isn't going to happen overnight.

Companies like Equifax will also have hundreds, even thousands, of applications, and each application will have dozens of dependencies, any one of which could have suffered a similar issue. On top of this, most of these applications will be minor, non-critical tools which have been around for many years and which frankly few will care about. Running a programme to track all of these dependencies, patch applications and test them all before rolling them into production would take an army of developers, testers, sys-ops and administrators working around the clock just to tread water. New features? Forget it. Zero-day? Shuffles shoes… Mind you, it'd be amusing to see how change management would handle this…

So we focus on the priority applications and the low-hanging fruit of patching (OS etc.) and hope that's good enough? Hmm… anything else we can do?

Well, we're getting better with build, test and deployment automation, but we're a long way from perfection. So do some of that; it'll make dealing with change all the easier, but it's no silver bullet. And again, good luck with change management…

Ultimately though we have to assume we’re not going to have perfect code (there’s no such thing!)… that we’re not able to patch against every vulnerability… and that zero day exploits are a real risk.

Other measures are required regardless of your patching strategy. Reverse proxies, security filters, firewalls, intrusion detection, n-tier architectures, heterogeneous software stacks, encryption, pen-testing etc. Security is like layers of Swiss cheese – no single layer will ever be perfect, you just hope the holes don't line up when you stack them all together. Add to this some decent monitoring of traffic and an understanding of norms and patterns – at least something which you actually have people looking at continually rather than after the event – and you stand a chance of protecting yourself against such issues, or of identifying potential attacks before they become actual breaches.

Equifax may have failed to patch some Struts defect for six months, but that's not the worst of it. That they were vulnerable to such a defect in the first place smells like... well, like they didn't have enough Swiss cheese. That an employee tool was also accessible online and provided access to customer information with admin/admin credentials goes on to suggest a real lack of competency and recklessness at senior levels.

Adding insult to injury, to blame an open-source project (for the wrong defect!) which heroically responded and addressed the real issue within 24 hrs of it being identified six months earlier (!?) makes Equifax look like an irresponsible child. Always blaming someone else for their reckless actions.

They claim to be “an innovative global information solutions company”. So innovative they’re bleeding edge and giving their, no our!, data away. I’m just not sure who’s the bigger criminal… the hackers or Equifarce!

Sleep-walking to a Bloody Revolution

According to The Guardian, the EU is about to tighten legislation on user tracking to apply to other means than just cookies.

However, no-one reads those cookie popups or EULAs anyway, and you can't do much on the net if you don't blindly accept them. And I mean "blindly": even though you could read them (most of us don't), you can assume that most users don't have the combined law and computing degree needed to understand their implications regardless.

I like to think that I understand the computing aspects of these things, but I also know that new techniques are developed daily to leverage more revenue from the end-user and place more responsibility on them, faster than I can keep up with (or have the mental capacity to understand).

The likes of Google, Twitter and Facebook are continually trying to capture more data about us, and do so through the development of what appear to be "free" services. These services may seem nice but, as always, there's no such thing as a free lunch. They're making a lot more out of the combined mass of data they're collecting on us than we get out of it – after all, they're not charities, they're commercial organisations.

They’re not interested in developing this stuff for your benefit; I wouldn’t expect them to, and whilst we seem to talk about how relaxed sheep people have become about privacy online, at the same time these organisations have become that much tighter in how they share the data they have on us – individually and in aggregate form (anonymised preferably).

They give you free email or chat services, you let them spy on you so they can feed you with the right ad at the right time in the right place to milk the maximum revenue they can out of you. The algorithms are tuned to this model and they’re getting better. We’ll soon be letting them install a camera in the bedroom for the benefit of a free daily cappuccino…

So those seeking to extend existing legislation to cover alternative means of tracking which simply relies on “valid consent from the user” are part of the problem. They provide a façade of transparency where there isn’t any. They are the lawyers and computer experts who understand the scope of the possible and should be defining the law such as to make some of these techniques illegal without sufficient transparency in what data is captured, how it is used and who it will be shared with.

Ultimately, we need to be paid for the value of the data we provide to these organisations to offset what is becoming a serious discrepancy between the data-rich and the data-poor. The use of vast amounts of data by so few is increasing the imbalance between rich and poor and ultimately will be a disaster for the real economy. That intelligence organisations across the world want to make use of this data themselves and that market leaning governments are ideologically crippled to the point of inaction means we’ll not do anything about this until it becomes a real problem – yet another bloody revolution is on the horizon. To address this the law needs to change and no popup is going to help.


I don’t necessarily think it’s a bad thing that your offline and online identity are intertwined – at the naive level that the Zuckerberg marketing machine operates it sounds fair enough – and, ultimately it’s true; for most of us we are the same person online as offline, physically if not behaviourally.

However, one of the reasons the internet is so liberating is precisely because you can maintain a number of alter egos; you too can be a warrior at the weekend! It also forces the innate prejudices we have to be put to one side, due to the historic interaction limitations that existed on the net – that a 15-year-old geek can stand as an authority on something online where they'd be laughed off stage offline is evidence of this.

Zuckerberg and those of his ilk are riding on the back of this wave. They were born into a time where anonymity online was the norm and created the likes of fb to capture this herd of anonymous sheep desperate for somewhere to mingle and conjoin with friends and other like-minded folk. But they've gradually lifted the shroud of privacy and pushed our online and offline selves together, not for any philosophical ideology other than to drive bigger and bigger profits by selling this data on for advertising.

What's worse, they're destroying the historical limits of the physical world (as it was), where a rant in a pub, a one-night stand or an off-the-cuff comment on the state of your boss's hygiene could be forgotten in short order and in any case was unlikely to reach the ears of more than a few dozen people. Now, any transgression, no matter how minor, is likely to be recorded for the next 100 years and available to anyone – at a price.

It's a sad day when the reason the net has been so successful for mankind (in part) is so easily being eroded away without any significant objection being raised. It's worse though when who we are as human beings is being abused for the sake of profit with no political will to stand against it. There will be a backlash at some point; the only question is how much we are prepared to lose in the meantime.

Rant triggered by Guardian podcast – Founder of 4Chan Chris Poole, the ‘anti-Zuckerberg’.


eDNA – The next step in the obliteration of privacy online?

How your electronic DNA could be the secure login of the future (but let’s hope not).

More big-brother stuff over at The Guardian with eDNA (Electronically Defined Natural Attributes). I suspect that the NoMoreCaptchas product isn't terribly strong, as it feels like it could easily be subverted by introducing more natural delays into bots, but it should help slow them down, which can often make it not worth the bother.

More worrying, though, is that it's all too easy for a website to capture this information without you knowing. Many sites already capture key presses, mouse movements, hover-overs etc., some for legitimate functional use but many just to help the marketing guys spy on you. What if the next time you google something they can tell if you're drunk, stoned, had sex or are just plain tired… Do you really think they wouldn't want to use that information to push more targeted ads at you?

Drunk => Show ads for porn sites.

Stoned => Show ads for local pizza companies.

Had sex => A combination of baby clothing, pharmacies and the most direct escape route… And of course Facebook would just auto-post "Jamie just shagged Sally" in some pseudo-scientific experiment on social behaviour.

As I said before, if you want your privacy back then lie! To subvert eDNA we’ll need something to inject noise between fingers and keyboard. Joy.

Is lying the solution to a lack of privacy online?

I do wish social networking sites like G+ and FB would stop advertising people's birthdays. Your birth date is one of those "known facts" used by many organisations (banks, government departments etc.) to verify your identity. Providing this data to social networking sites can result in information leakage and contribute to identity theft and security incidents. Combine this with all the other bits of information they capture and it would be quite easy for someone to bypass those security questions every call centre asks as a facade of security – they only need to glean a little info from many sources.

This morning G+ asked me if I wanted to say happy birthday to Peter. I know Peter slightly, but not well enough to be privy to such information, and I have no idea whether it really is his (or your) birthday today. If it is… Happy Birthday! If it's not, then congratulations on lying to Google and Facebook – it's good practice (so long as you can remember the lies you tell).

In a world where privacy is becoming impossible, lying may be our saviour. What a topsy-turvy world we’re living in…