Here's How Congress Should Respond to the Equifax Breach



  • There is very little doubt that Equifax’s negligent security practices were a major contributing factor in the massive breach of 145.5 million Americans’ most sensitive information. In the wake of the breach, EFF has spent a lot of time thinking through how to ensure that such a catastrophic breach doesn’t happen again and, just as importantly, what Congress can do to ensure that victims of massive data breaches are compensated fairly when a company is negligent with their sensitive data. In this post, we offer up some suggestions that will go a long way toward accomplishing those goals.

    A Federal Victims Advocate to Research and Report on Data Breaches

    When almost half of the country has been affected by a data breach, it’s time for Congress to create a support structure for victims at the federal level.

    Once a consumer’s information is compromised, there is a complex process to wade through to figure out who to call, what kind of protections to place on one’s credit information, and what legal remedies are available to hold those responsible accountable. To make it easier for consumers, a position should be created within the executive branch and given dedicated resources to support data breach victims.

    This executive branch official, or even department, would be charged with producing rigorous research reports on the harm caused by data breaches. This is important because the federal courts have made it very hard to sue companies like Equifax. The judiciary has effectively blocked litigation by setting too high a standard for plaintiffs to prove they were harmed by a data breach. Federal research and data analyzing the financial harm Americans have faced will help bridge that gap. If attorneys can point to authoritative empirical data demonstrating that their clients have been harmed, they can make companies like Equifax accountable for their failures to secure data.

    Federal Trade Commission Needs to Have Rule-making Authority

    Speaking of the executive branch, the Federal Trade Commission (FTC) has a crucial role to play in dealing with data breaches. As it stands now, federal regulators have little power to ensure that entities like Equifax aren’t negligent in their security practices. Though Americans rely on credit agencies to get essential services—apartments, mortgages, credit cards, just to name a few—there isn’t enough oversight and accountability to protect our sensitive information, and that’s concerning.

    Equifax could have easily prevented this catastrophic breach, but it didn’t take steps to do so. The company failed to patch its servers against a vulnerability that was being actively exploited, and on top of that, Equifax bungled its response to the data breach by launching a new site that could be easily imitated.

    To ensure strong security, Congress needs to empower an expert agency like the FTC, which has a history and expertise in data security. This can be accomplished by restoring the FTC’s rule-making authority to set security standards and enforce them. The FTC is currently limited to intervening only in matters of unfair and deceptive business practices, and this authority is inadequate for addressing the increasingly sophisticated technological landscape and the collection of personal data by third parties.

    Congress Should Not Preempt State Data Breach Laws

    While empowering executive agencies to address data breaches, Congress should take care to ensure that states don’t lose their own laws dealing with data breaches. Any federal law passed in response to the data breach should be the foundation—not the ceiling—upon which states can build according to their needs.

    States are generally more capable of quickly responding to changing data collection practices. For example, California has one of the strongest laws when it comes to notifying people that their information was compromised in a data breach. Among other things, it prescribes a timeline for notifying victims and the manner in which it should be done. By the time a company has to comply with California’s laws, the company has the infrastructure in place to notify the rest of the country. Given this, Congress should not pass a law that would gut states’ ability to have strong, consumer-friendly data breach laws.

    Create a Fiduciary Duty for Credit Bureaus to Protect Information

    Congress must also acknowledge the special nature of credit bureaus. Very few of us chose for our most sensitive information to be hoarded by an entity like Equifax that we have no control over. Yet the country’s financial infrastructure relies on them to execute even the most basic transactions. Since credit bureaus occupy a privileged position in our society’s economic system, Congress needs to establish that credit bureaus have a special obligation and a fiduciary duty to protect our data.

    Ultimately, companies like Equifax, Experian, and Transunion serve a purpose, but they lack a duty of care towards the individuals whose data they have harvested and sell because they are not the bureaus’ customers. Without obligations to adequately protect consumer data, we will likely see lax security that will lead to more breaches on the scale of Equifax.

    Give People their Day in Court

    The first big problem for those seeking a remedy for data breaches is just getting into court at all, especially in sufficient numbers to make a company take notice. Too many people impacted by data breaches learn, to their great dismay, that somewhere in the fine print they agreed to a mandatory arbitration clause. This means that they cannot go to court at all or must engage in individual arbitration, rather than a class-action lawsuit.

    After the Equifax breach, a lot of the focus has been on binding arbitration clauses because of the company’s egregious attempt to use one to deny people their day in court. Given the scale of the breach and harm, companies like Equifax shouldn’t be able to prevent people from going to court in exchange for weak assistance like credit-monitoring services.

    As Congress debates how to protect Americans’ legal rights after a breach, the focus should go beyond just prohibiting mandatory arbitration clauses. Congress should preserve, protect, and create an unwaiveable private right of action for Americans to sue companies that are negligent with sensitive data.

    We Don’t Need Additional Criminal Laws

    A knee-jerk reaction to a significant breach like Equifax is to suggest that we need additional criminal laws aimed at those who are responsible. The reality is, we don’t know who was behind the Equifax breach to hold them accountable. More significantly, knowing their identity does nothing to ensure that Equifax actually applies crucial security patches when they are available. We don’t need increased criminal penalties—we need to incentivize protecting the data in the first place.

    Another good reason for this is that additional criminal anti-hacking laws more often end up hurting security researchers and hackers who want to do good. For instance, in Equifax’s case, a security researcher had warned the company about its security vulnerabilities months before the actual breach happened; yet the company seemed to have done nothing to fix them. The security researcher couldn’t go public with the findings without risking significant jail time and other penalties.

    Without a meaningful way for security testers to raise problems in a public setting, companies have little reason to keep up with the latest security practices, since they need not fear the resulting negative publicity. If Congress uses the Equifax breach to enhance or expand criminal penalties for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA), we’d all be worse for it. Laws shouldn’t impede security testing or make it harder to discover and report vulnerabilities.

    Free Credit Freezes, Not Credit Monitoring Services

    Lastly, Congress needs to provide guidance on the immediate aftermath of a data breach. It’s become almost standard practice to offer credit-monitoring services to data breach victims. In reality, these services offer little protection to victims of data breaches. Many of them are inadequate in the alerts they send consumers, and more fundamentally, there’s little utility in being informed of improper usage of one’s credit information after it has already been exploited. Consumers will still potentially have to spend hours getting their information cleared up with the various credit bureaus and entities where the information was used fraudulently.

    Instead, Congress should legislate that victims of data breaches get access to free credit freezes at all major credit bureaus, which are much more effective in preventing financial harm to victims of data breaches. There are proposals in Congress along these lines, and we are glad to see that.

    There’s no question that the Equifax breach has been a disaster. We at EFF are working with congressional offices to pass sensible reforms to ensure that it doesn’t happen again.

    https://www.eff.org/deeplinks/2017/11/heres-how-congress-should-respond-equifax-breach


Tmux Commands

screen and tmux

A comparison of the features (or, more so, just a table of notes for accessing some of those features) of GNU screen and the BSD-licensed tmux.

The formatting here is simple enough to understand (I would hope). ^ means ctrl+, so ^x is ctrl+x. M- means meta (generally left-alt or escape)+, so M-x is left-alt+x.

It should be noted that this is nowhere near a full feature-set of either program. This, being a cheat sheet, is just to point out the most basic features to get you on the road.

Trust the developers and manpage writers more than me. This document is originally from 2009 when tmux was still new - since then both of these programs have had many updates and features added (not all of which have been dutifully noted here).

| Action | tmux | screen |
|---|---|---|
| start a new session | `tmux` OR `tmux new` OR `tmux new-session` | `screen` |
| re-attach a detached session | `tmux attach` OR `tmux attach-session` | `screen -r` |
| re-attach an attached session (detaching it from elsewhere) | `tmux attach -d` OR `tmux attach-session -d` | `screen -dr` |
| re-attach an attached session (keeping it attached elsewhere) | `tmux attach` OR `tmux attach-session` | `screen -x` |
| detach from currently attached session | `^b d` OR `^b :detach` | `^a ^d` OR `^a :detach` |
| rename-window to newname | `^b , <newname>` OR `^b :rename-window <newn>` | `^a A <newname>` |
| list windows | `^b w` | `^a w` |
| list windows in chooseable menu | | `^a "` |
| go to window # | `^b #` | `^a #` |
| go to last-active window | `^b l` | `^a ^a` |
| go to next window | `^b n` | `^a n` |
| go to previous window | `^b p` | `^a p` |
| see keybindings | `^b ?` | `^a ?` |
| list sessions | `^b s` OR `tmux ls` OR `tmux list-sessions` | `screen -ls` |
| toggle visual bell | | `^a ^g` |
| create another window | `^b c` | `^a c` |
| exit current shell/window | `^d` | `^d` |
| split window/pane horizontally | `^b "` | `^a S` |
| split window/pane vertically | `^b %` | `^a \|` |
| switch to other pane | `^b o` | `^a <tab>` |
| kill the current pane | `^b x` OR (logout/`^D`) | |
| collapse the current pane/split (but leave processes running) | | `^a X` |
| cycle location of panes | `^b ^o` | |
| swap current pane with previous | `^b {` | |
| swap current pane with next | `^b }` | |
| show time | `^b t` | |
| show numeric values of panes | `^b q` | |
| toggle zoom-state of current pane (maximize/return current pane) | `^b z` | |
| break the current pane out of its window (to form new window) | `^b !` | |
| re-arrange current panes within same window (different layouts) | `^b [space]` | |
| kill the current window (and all panes within) | `^b killw [target-window]` | |
  • Make ISO from DVD

    In this case I had an OS install disk which was required to be on a virtual node with no optical drive, so I needed to transfer an image to the server to create a VM.

    Find out which device the DVD is:

    lsblk

    Output:

    NAME            MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    sda               8:0    0 465.8G  0 disk
    ├─sda1            8:1    0     1G  0 part /boot
    └─sda2            8:2    0 464.8G  0 part
      ├─centos-root 253:0    0    50G  0 lvm  /
      ├─centos-swap 253:1    0  11.8G  0 lvm  [SWAP]
      └─centos-home 253:2    0   403G  0 lvm  /home
    sdb               8:16   1  14.5G  0 disk /mnt
    sr0              11:0    1   4.1G  0 rom  /run/media/rick/CCSA_X64FRE_EN-US_DV5

    Therefore /dev/sr0 is the location, or disk, to be made into an ISO.

    I prefer simplicity, and sometimes deal with the fallout after the fact; however, I've repeated this countless times with success.

    dd if=/dev/sr0 of=win10.iso

    Here if= is the input file and of= is the output file.

    I chill out and do something else while the image is being copied/created, and the final output:

    8555456+0 records in
    8555456+0 records out
    4380393472 bytes (4.4 GB) copied, 331.937 s, 13.2 MB/s

    Fin!
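    As an added example (not part of the original post), the dd step above wrapped so that the resulting image is verified against the source before it is trusted: a truncated or corrupted copy then fails loudly rather than surfacing later as a broken VM install. The device path and output name are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): image an optical disc with dd
# and verify the result against the source. Paths are placeholders.
# Usage: sh make_iso.sh /dev/sr0 win10.iso
set -eu

# SHA-256 of a file or block device, hash only (sha256sum prints "<hash>  <name>").
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_iso SRC DST: succeed only if DST is byte-for-byte identical to SRC.
verify_iso() {
    src_sum=$(digest "$1")
    dst_sum=$(digest "$2")
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "checksum mismatch: source $src_sum, image $dst_sum" >&2
        return 1
    fi
    echo "$2: $(wc -c < "$2") bytes, sha256 $dst_sum"
}

# make_iso SRC DST: copy SRC to DST and verify the copy.
make_iso() {
    # The post relies on dd's default 512-byte blocks (the "records" in its
    # output are 512 bytes each: 8555456 * 512 = 4380393472). bs=2M yields
    # identical bytes with far fewer read/write calls. conv=sync is
    # deliberately not used: it zero-pads short reads and would make the
    # checksums differ.
    dd if="$1" of="$2" bs=2M status=none
    verify_iso "$1" "$2"
}

# When run directly with two arguments, image and verify in one go.
if [ "$#" -eq 2 ]; then
    make_iso "$1" "$2"
fi
```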

  • Recreate PostgreSQL database template encode to ASCII

    -- template1 cannot be dropped while it is flagged as a template, so clear the flag first:
    UPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';

    Now we can drop it:

    DROP DATABASE template1;

    Create database from template0, with a new default encoding:

    CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE';
    -- Restore the template flag so new databases are again cloned from template1:
    UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1';
    -- psql: connect to the new template1 and freeze it so its rows never need anti-wraparound vacuuming:
    \c template1
    VACUUM FREEZE;
