Slashdot Mirror
Equifax CEO: All Companies Get Breached (fortune.com)
An anonymous reader quotes Fortune:There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
My cousin runs a company and they build houses. He keeps all his business on ledgers and note books. Not a efficient way to run a business but it is his way. He has never been hacked.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
There are many things to criticize about Equifax, and their handling of this breach. This is not one of them. People in the security industry (such as myself), talk about "breach mentality" vs "castle mentality". Castle mentality is the old style of thinking where companies think that if they just build a strong enough wall, they will never be breached and they can leave their internal network a mess. Breach mentality is to assume you are already breached or will be breached at sometime in the future. This is the sensible approach to security, and the most realistic/practical approach. The goal is to secure everything as best you can to help withstand and catch a hack. It remains to be seen if Equifax actually took reasonable steps to secure their network from breach, or not. I am betting they did not, given their crappy response times and apparent total compromise.
As he stated, all companies get breached. But we are not criticizing all other companies. We are criticizing his. He just appears to be deflecting blame, and pivoting things against his company, by stating "all companies get breached".
This was a big fuck up, no doubt about it. Mr Smith: what did your company do about it? You delayed reporting it for several weeks. You had executives who have been accused of insider trading as a result of this breach. And now you give me this pathetic excuse? Is that the best you've got?
Go get fucked.
It's holding data. If a company wants to risk my security by profiting from amassing data on me I should be able to have some finiacial recourse when they injur me with their breach. If they can't secure my data then they should not hold it. If one really feels that all companies will be breached then that person should actually know what they are doing is going to cause an injury and therefore should be liable for it.
liability is the key here. Until companies have a dear cost associated with lack of security there will be no security.
But that's not enough. we can't have companies who are good citizens, paying money to protect others, masking data so it is stored more anonymously, and so forth incurring higher costs that some jackass comapny willing to pay fast and lose. Those risk taking companies will have lower costs of operation and put the conscientious companies out of bussiness. When they fail sometimes we respond by crippling the whole industry rather than punishing the shareholders of the bad companies.
So we need not just damages but 10 fold punative damages that reach to the stock holders that invest. Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.
then we'd see some good data practices. We'd see companies clamoring to be regulated. we'd see a lot less naked storage of raw data behind single passwords.
it's not the breach. It's the gathering of data without direct consequences for it's loss.
Some drink at the fountain of knowledge. Others just gargle.
The level of incompetence in corporate IT at times is staggering!!! https://thedailywtf.com/articl...
Until there are -real consequences- to management (personally and individually) from getting hacked, CxOs of all stripes (CEO, CIO, CISO, etc) will continue to get away with this.
This is leftist propaganda, trying to give businesses a bad reputation for security. The real problem here is the use of a nine digit government issued ID that the government doesn't allow you to change and requirea you to share with financial institutions as proof of identification. The problem here is not the private sector but that the government has failed to use secure methods of authentication such as two factor authentication and public key encryption. Let the private sector create industry standard secure methods for identification and authentication, and get the government out of our lives. We don't need the left giving businesses a bad name when the government is the problem. However, the Democrats are too busy stopping business in the Senate like addressing the Obamacare implosion so they can move on to fixing the fact that we're stuck in the 1930s when it comes to proving the identity of citizens. Provide a secure methods of proving identity and all of the stolen social security numbers are pretty much worthless.
- snruter rotsac
If all companies get breached, then no company should be allowed to keep data on a scale like that that can be so damaging if it gets stolen.
"Remember, there never were pineapple-almond cookies here."
Those that we know we should fire out of a cannon and those that we don't know we should yet.
There's the third kind: The kind that doesn't store personal information unnecessarily.
Hint: You're not the third kind.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A single word makes all the difference.
He's correct when the company does not maintain their Internet facing platform. Which is exactly what Equifax did.
I guess they decided to save money in IT. And perhaps had poorly qualified personnel. Because management doesn't understand IT, so it must be "easy" and something that should be cheap.
Equifax says: "Breaches are a cost of business!" Sorry, non-customer that we lost all of your data and our incompetence will cost you for years to come!!!
Given the vast negative effects of this breach Equifax should be given the "Corporate Death Penalty" like Anderson Accounting. Their continued attempts at 'deflection" will hopefully fail.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
... the clue train is slow in coming to equifax ... companies who ignore basic security practices get breached, the rest don't
Immutable data should not have any value at all.
My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.
My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.
"Identity theft" as perceived in the US must disappear.
Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it.
The value itself must change.
All Companies Get Breached
Well that means we can stop patching software we know has open security holes/backdoors. Nice, makes our jobs much easier. I guess that means it was not Equifax's fault /s
>> All Companies Get Breached
This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.
...so maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?
It's a whole paradigm shift that needs to happen. Similar to best-practices with passwords today: you should never be storing your clients' passwords. Hash them, salt them, (I don't have all best practices off the top of my head) - but the end result is if the password database is breached, it is not catastrophic. We need to make personal data the same.
One way I think is interesting is through homomorphic encryption- it is possible to do arbitrary operations on data without the server ever knowing the plaintext. This is the future.
No, he's so wrong.
What he's trying to do here is add "loss of privacy" to the once-exclusive fraternity of "death and taxes".
In medicine, if you come up with a dumb, risky implant don't do it in America. You will get sued. Leaky boob bags are not a good long-term business model.
But this guy thinks that the credit rating industry doesn't need to think long and hard about their business model, because "all implants fail".
Here's another point of view: if you know up front that you can't secure the information, perhaps your business model should not depend upon amassing all this information in the first place, get out of the way, and allow the vaunted creativity of American free enterprise find a different solution to the credit-worthiness problem.
Because your solution sucks in a way that can't ever be fixed, by your own admission.
>> the actual subject matter is almost completely irrelevant.
Sorry but thats utter bullshit. I've interviewed and hired enough software developers to know how important a good CS education and background really is.
Apart from the lack of knowledge that an undergrad degree gives you, the best developers etc, are just hardwired that way and wouldn't dream of doing anything else. If you weren't interested enough in CS to do a CS degree when you had the chance, that tells me you're just in it for the money not the subject itself, so are already not what I'm looking for.
I worked for European companies in the past. They same the same shit about "security has no ROI" as their American counterparts.
Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Wow, and did he brag about being an oligopoly who automatically receives everyone's data whether they want to allow that or not?
Getting to that position is a much neater trick than having a profit margin of 90%. The person who got them there deserves a big bonus indeed.
I'm not about to defend parent, because you're right, blaming another country for a terribly secured network is a terrible reason, but don't generalize and act like European companies are any more secure than American ones are. Two things you should consider before opening your mouth: (1) American companies are a bigger target, politically and economically. (2) It was primarily European and Asian countries that were the victim of the WannaCry ransomware. You can tout all you want about "Europe being more secure" (whatever that means), so don't act like your companies are more security-conscious. (3) Pointing to Americans being slow on adopting chip-and-pin credit cards shows how ignorant you are on the topic. Easily skimming credit cards has little to do (if at all) with what actual identity thieves do.
Let's get a little more granular... There are companies who get breached and don't know it There are companies who get breached and know it and tell those effected There are companies who get breaching, know it, and conceal it while execs cash out
"a stagnating credit reporting agency with a 'culture of tenure' and 'average talent'...earned a gross profit margin of 90%."
Wait, don't tell me, let me guess...you spend all your obscene profit on equally obscene executive bonuses and therefore you can't afford anything more than "average" talent?
Not that parachute-lined CxOs will start giving a shit anytime soon, but this is what happens when coddling top management becomes THE priority above all else.
It's been said a million times but companies always want the magic bullet solutions.
He's right that you should expect being compromised, but no safeguards were in place for what he said was inevitable.
Looking at the timeline of events it's clear that getting past the endpoints meant free reign in their network.
https://medium.com/@thegrugq/e...
Over the years the focus of the security industry has changed and it is no longer considered sufficient to have a crunchy shell with a soft interior. From behavioral analysis, to canary systems and binary whitelisting/flagging. There are so many things they could have done differently it's astounding.
By publicly asserting the unavoidability of a breach, and then having no plan of action prepared for that, he's admitting that their security plan is negligent.
In other words ''Cars crash, people die... seatbelts are useless''
Cwm, fjord-bank glyphs vext quiz
Sure, but only some of them dump stocks illegally, hire arts majors to run tech security, attempt to take away the rights of victims, send their customers to illegal phishing sites, wait months to report to the public, get into a tiff with their hired outside security consultants, and otherwise completely mishandle the aftermath.
Europeans are just better at hiding their problems, Europe is a contentment with people who just stick their heads in the sand, unless they really have too.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Comment removed based on user account deletion
All companies do get breached, but not because of sheer incompetence due to not patching a widely publicized vulnerability. The day after publication we told our product teams to update and the teams that had it did so in weeks, not months - and that was in on-prem products. Yet, Equifax couldn't patch their website in three months? That's incompetence.
Sorry, but security is almost purely a reactive thing.
And worse, HUMANS are tossed into the mix.
As such, security is a delaying action, at best.
If someone really and TRULY wants in, they're getting in. And pretty much nothing short of destroying your computing assets wholesale will prevent it.
Security has become so full of snake-oil salesman they they've forgotten that their primary purpose is hardening to the point where your average 6 year old with an iPhone can't get root on your production servers. And their secondary purpose is monitoring the network, both proactively and in the event of a breach.
So, even if someone gets in, you SEE it and you have a log trail.
This idea that security will keep your assets totally and completely hack-proof is utter nonsense. DANGEROUS utter nonsense.
Chas - The one, the only.
THANK GOD!!!
"You don't hear about European companies having data breaches."
Of course. With the way the data breach laws are constructed, it's simply cheaper and easier buy off whoever discovers/exploits the breach and then pretend it never happened while locking down.
Chas - The one, the only.
THANK GOD!!!
Like salt and vinegar?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Wow, that's quite a chip you've got on your shoulder there, mate.
For the record, an undergraduate CS degree has almost nothing to do with the kind of technical expertise you'd want working in IT security professionally and absolutely nothing to do with the kind of management expertise you'd want to hire and direct such professionals.
Also, I see little evidence of any correlation between interest in and aptitude for doing good technical work and having taken CS at undergraduate/college level. Some people took CS because they thought it would open the door to a high-paying career, yet couldn't program their way out of a wet paper bag. Some people were very interested in computers but took something like math or engineering, perhaps because they didn't want to spend the next year doing Java 101 when they'd been writing games since their early teens.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Also European companies are not allowed to store much data about persons. For example the credit rating agency in the netherlands is not allowed to store much identifiable in their database, pretty much only the name and birth date of the person and which they have credit information on.
They are not allowed to store the equivalent of the social security number, not even the address where the person lives.
I'd prefer an introverted comp sci that lives and breathes computers managing my security, when that is literally all my company does is manage crucial data.
What I don't want is a music major who says "herpy derpy there's money in computers and I know people" and that person become my CSO.
Defending this woman is a weird hill to die on conseriding she failed spectacularly and then ran away. Yeah, I'm sure there are outliers of people getting a lib arts degree, switching to a comp sci career, and succeeding...but they are outliers. This woman should have been grilled to death and at least have certs that prove she knows what she's talking about.
Saying that all companies will eventually get breached is, in my opinion, correct. The unfortunate thing is that nothing will ever be done to even try to improve the situation, because it's too easy for companies to just buy "cyber-insurance" as opposed to playing cat and mouse with "security researchers." In this situation, they don't even have to have the insurance company pay for credit monitoring, because they can give it away for free by just providing the same service they used to sell.
Unless you put nothing on the Internet and have a strict, enforceable we-will-fire-you-immediately policy for people who inadvertently leave the doors open, there's very little chance companies can stay ahead of attacks forever. The bigger the company, the worse it is. Outsourced IT makes security response many times slower as well because the problem has to filter down two reporting chains before it gets fixed (assuming anyone notices.) Even the NSA wasn't able to keep a lid on their information and exploit vault...that should tell you something. All the security in the world is nothing when you have humans in the loop.
What will be interesting to see is what happens when more companies start looking to put core systems into the public cloud. Obviously cloud providers have a huge incentive to keep things safe, but nothing's perfect. And the more complex things get, the more surface area an attacker has to work on. I'm sure there are more than a few "don't be like Equifax" FUD-laden sales calls being made in CIO offices all over the world lately.
The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened. So far, nothing bad has happened to any company that has lost customer data. People still shop at Target, Home Depot, etc. and still keep their money in banks that have experienced data loss incidents. People just assume that these things happen and nothing can be done about it, and I agree to some extent.
(Please notice that I wasn't defending anyone here, just challenging a variation on the old cliche that you need to have a formal CS degree to be any good at anything to do with technology.)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
That's condiment.
Even average attackers can get in. Also, when you make really stupid mistakes, in a working legal system that is called "gross negligence" and you become liable for the damage you did. Of course, Equifax being really large, they do not need to fear the law.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Always wear a condiment.
Banks learned long ago that security measures had to be escalated along with the pile of money being kept. If a small branch only had a few $100K in cash, it didn't need the same security as a big bank with several $Million in the vault. When you have so much gold that it requires dump trucks to carry it in and out, you need the security of Fort Knox. Any bank that had $Billions stored in a file cabinet with only a single 80 year old security guard watching it, should be held responsible when it gets robbed. It sounds like that was the case at Equifax.
This was absolutely hilarious.I'm certainly no security expert... I'm just a humble programmer who understands how security holes are made (heavens know I make them often enough).
:
:
Let's be 100% true to ourselves... the security crowd is generally full of shit. When I read the headline of an article (a month ago on Slashdot sometime) making some dumb-ass remark like "There have been more hacks already in 2017 than in any previous year". They whole article rambles on non-stop for frigging ages about how bad the attacks are... and it doesn't make the point of the absolute obvious... we are detecting more attacks this year than we had in the past. That means that we are probably responding to more attacks than we had in the past.
There's the issue of
“This wasn't a credit card play," said one person familiar with the investigation. "This was a 'get as much data as you can on every American’ play.” But it probably won’t be known if state hackers—from China or another country—were involved until U.S. intelligence agencies and law enforcement complete their work.
If you read the full article, it goes on and on and on about two major things
1) It absolutely has to be a government... almost absolutely certainly China!
2) It was a long game with lots of people and tiers involved.
I'll add something that concerned me a great deal...
3) "The company's suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network's internal communications and data traffic. Using Moloch, investigators reconstructed every step."
Ok... let's address #1... if it's a government, then it's for warfare, military, etc... this was a huge investment for China to make to hack like this. In addition, this is 2017 and China has almost total free reign throughout America... and everywhere else. I was working in a highly secure environment the other day and befriended a lovely young Chinese girl who speaks English beautifully. She is a Chinese citizen... not dual anything, 100% Chinese and she loves China and wants to go back. While I'm 100% sure she's the real deal and there's nothing to worry about her... she is currently working in an environment where in less than 1 day of work, she could collapse the entire national economy of one of the world's richest countries. I'll leave the details at that... but this is absolutely not an exaggeration.
Economists will probably happily say that the value of an job this scale to attack and devastate Equifax would be extremely poorly thought out if they were to invest so heavily from operating from the outside. The inside would be far smarter and more effective. And given the resources of a government, Equifax would be a relatively easy target to place someone on the inside. I'm just speculating, but I'd imagine that they have more than their fair share of international workers like every other company over 5 employees.
Then we have #2... the long game. There is lot of noise about how this couldn't be about identity theft or credit card theft... but they also talk about how whoever is doing this seems to be well financed and well organized. Jesus you idiots... pick one or the other. You're suggesting that just because the data hasn't shown up en-mass on the black market (where... Craigslist?).... then it can't be credit card related.
Let's consider... why blow your entire was leaving enormous paper trails back to yourself by selling this stuff immediately? That would be just plain stupid. Instead 99% of the information Equifax has on people can be used to establish new lines of credit. For example, the quick loan websites for people with good or semi-good credit. It would be possible to slowly but surely use the information from Equifax to apply for loans from $1,000 to $50,000 using automated software. It would be possible to draw a few dollars here and there out and move it via PayPal, Western Unio
So - brief summary of timeline:-
Feb 24, 2016 - Annual 10K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.
Jly 27, 2017 - Quarterly 10-Q filing with the SEC, indicating "There have been no material changes with respect to the risk factors disclosed in our 2016 Form 10-K."
Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares
Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares
Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...
Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:-
http://www.independent.co.uk/n...
Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that 3 executive sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the Executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:-
https://www.bloomberg.com/news...
The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,
"The Atlanta-based company said that that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month. "
Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.
Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.
So whilst the speech that Smith gave a the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when", is going to make the difference between negligence and a criminal act.
Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.
If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted of
You are dangerously naive and have a pathetically simplistic view of information security.
I mean, even in this one situation the Equifax network wasn't hacked and Microsoft software was not involved, thus invalidating even your shit advice.
I am sure that European countries are as secure as American ones. The difference is the data that they are willing to keep and what they do with that data.
First and foremost: It is illegal to sell customer data.That means that the data I have has no added value, besides what I have.
Not being allowed to trade data makes it more secure.
Secondly: If there is a dispute between a company and a person, the company will start with a disadvantage and will have to prove their innocence, so they will see to it that this is less the case. That makes it more secure of and by itself.
e.g. Even if you get my National Number that identifies me, you won't get a credit and IF you do, it will be the company who gave it that will be responsible, not me. So the company wil be more careful in giving it, because it is them who pay the piper.
You are also only allowed to keep data that you actually need, although that can be a pretty grey area.
Yes, I have worked with peoples data and if you do not need to share data with others, it is much easier to make it secure. It is like having no hole in a boat vs people wanting a hole with glass on the bottom, so they can see through it. The first is easier, even if the second can be made just as secure.
And all this makes them less of a target as you can do less with the information.
You could do identity theft. You would need my ID and my national number. The second is easy if you have the first as it is on my ID and readers are cheap and it is open source. You need to be fast, because I can just call a number and that would block my ID for being used and if a company that needs your ID (e.g. a bank by opening an account) does not do a check at https://www.checkdoc.be/ they will be held responsible.
That site is travaille for everybody for free.
So yes, as a whole, Europe is more secure than the US concerning identity theft. Is it perfect? Absolutely not. As everywhere, the biggest issue is the people.
Don't fight for your country, if your country does not fight for you.
He's not defending the woman. He's challenging the stupid thinking that a degree 30 years ago is even remotely fucking relevant to the job you do now.
I don't care how good she was, go get a degree and prove it to the public.
Don't be such a fuckwit. I'm a fucking good dancer, I don't have a degree in it. I'm a bloody good photographer, I don't have a degree in it. I've helped advance global software engineering, I don't have a degree in it. I know how to cut half a billion in cost out of an organisation, I happen to have a degree in it.
Your degree shows that you could get through university. That's pretty much it.
I've interviewed and hired enough software developers to know how important a good CS education and background really is.
I've interviewed, hired and worked with enough great software engineers to know that computer science degrees are a fucking terrible predictor of success.
the best developers etc, are just hardwired that way and wouldn't dream of doing anything else. If you weren't interested enough in CS to do a CS degree when you had the chance, that tells me you're just in it for the money not the subject itself
The best programmers skip a CS degree because it'll teach them fuck all about programming that they didn't already know.
Where do you work, I'd like to make some money shorting their stock.
Have you even got a degree?
She'll have learned how to work to deadlines, how to do research, how to assess, evaluate and understand complex information, how to be given work and negotiate on it, how to balance work against a social life and how to have fun in an adult environment.
She may even at some point have learned something about music.
a significant portion of Equifax Management are utterly incompetent and basically allowed one of the worst data breaches in history to happen on their watch... in which case we can only hope that shareholder lawsuits will follow.
Did you miss this one? The blood is most definitely in the water already.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
The reason you signed this post is you need to provide proof to your employer that you're shilling or you don't get paid.
It's very obvious.
Maybe you don't like the USA or maybe you're just poor and need money. But the less stable the US becomes.... and your work does destabilize the USA, the more likely it is that we will find some poor countries to drop bombs on. Probably your country will have it's turn well before there are any revolutions or major shifts in global hegemony.
I want you to spend a few minutes looking at pictures of crying blown up kids in iraq and syria. Are you ready to sign your children up for this life? Because when the republicans take over, and americans get scared. We make jobs by building bombs.. and we sell bombs to drop them on poor people.
Maybe you'd like to get some cheap open heart surgery from a friend of mine who has a social media degree but says they are also interested in biology.
>> For the record, an undergraduate CS degree has almost nothing to do with the kind of technical expertise you'd want working in IT security
Baloney, At least when I did my degree, they were teaching a lot of great knowledge around assembler and C, processor and compiler internals, what the OSI model is all about, ethernet-level comms, TCP/IP, data compression techniques, different CRC algorithms, device drivers, system security models etc, etc.
Knowing the way things go, they're probably only teaching kids how use IDEs to make web pages and phone apps these days, but I can only talk about the degree I did.
>> computer science degrees are a fucking terrible predictor of success.
That maybe true, however the lack of one is quite a good predictor of failure for most SW jobs, especially if they chose to do an arts/humanities degree instead.
the lack of one is quite a good predictor of failure for most SW jobs
That's so wrong it's silly.
CS grads are, on balance, not the best programmers. Not just my view, also that of others. Some people at the very top of the profession do have CS degrees (e.g. Martin Fowler, Linus Torvalds), but others do not (e.g. Grace Hopper, Anders Hejlsberg); it's just not something you should be using in your hiring decisions.
Nothing you mentioned from your degree syllabus has much to do with developing modern, production-grade security infrastructure of the kind that would safeguard personal data properly in this sort of situation, other than possibly the vague "system security models" at the end. The rest might be useful as background information, but it won't tell you much if anything about potential attack vectors and standard techniques to defend against them, the state of the art in encryption methods and how to disable any that are now known to be vulnerable in your server software, which AAA and staff education policies actually work, how to write and maintain a systematic list of firewall rules, how to structure large systems for defence in depth and compartmentalisation, or numerous other real world issues you need to address when building secure infrastructure.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
>> CS grads are, on balance, not the best programmers.
I have no idea what planet you're living on, but in the real world, you're full of it.
>> The rest might be useful as background information
That's ridiculous. You do realise that most exploits are actually discovered and capitalised on by people using exactly the in-depth low level knowledge Im talking about right?
You can convince yourself that not knowing that stuff doesn't matter, but it really does. Your cookie-cutter "rely on conventional security policies and proper configuration of 3rd-party tools" approach is hardly creative thinking so eminently predictable to hackers and exactly what makes multiple companies all thinking/doing/following the same identical security trends all vulnerable to the same individual zero-day or other exploit.
You do realise that most exploits are actually discovered and capitalised on by people using exactly the in-depth low level knowledge Im talking about right?
I've worked in and around this field for a long time. I'm sorry to make this a little personal, but what you're writing sounds like you read a textbook once, probably in university, and you're very proud of some of the long words and acronyms you can still half-remember. Nevertheless, what you're described has little to no connection with security management in the real world, as staff as an organisation like Equifax would (should) be doing it.
An organisation like that would have a team of system administrators, network administrators, pen-testers, and other such professionals. They're not going to write their own web server and networking stack in case the industry standard ones have a flaw in their implementation of some elliptic curve math. But even if they were, the knowledge from an undergraduate-level CS degree would barely get them past writing the main function.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Fair point. Let's judge her on her record, then.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
>> the knowledge from an undergraduate-level CS degree would barely get them past writing the main function.
Maybe your degree was that shitty, but mine wasn't. Actually writing my own web server (admittedly just a small one) was pretty easy actually. Certainly one of the easiest things I've developed. But I got my degree in the UK back when/where they take or at least took a different view about learning than the US.
Sure, writing a program that serves text files using a simplified form of HTTP is easy. It's also about a million miles away from writing a modern, full-featured web server. Again, the knowledge included in even the best undergraduate CS course wouldn't get you close to what you need to understand to do that. And this still isn't what industrial IT security is really about anyway.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
>> writing a program that serves text files using a simplified form of HTTP is easy.
Wow, nice ASSumptions without knowing anything about what I acutally wrote.
>> Again, the knowledge included in even the best undergraduate CS course wouldn't get you close to what you need to understand to do that.
Yes it does, or at least mine did. It gave me the basis to go out and find, and more to the point, fully understand, deep technical information about specific software tasks that I don't already know how to implement.. Without the degree I wouldn;t have understood some fundamental concepts that I would need to to properly understand what I was reading (even though like most have-a-go programmers I probably would have thought I did, but would have been wrong).
So what exactly did you mean by "(admittedly just a small one)", then?
How much security-related material that is relevant to the original topic did you learn in your degree and then use in the software you wrote? Feel free to be specific about what was involved, and then the rest of us won't have to make any assumptions.
So far, you've claimed that someone needs to have a CS degree to know what they're doing in this field, yet now you seem to be saying that what your degree actually did was teach you how to study further topics and more detail by yourself, which is kinda exactly the AC's original point that you called bullshit in the first place.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
>> you've claimed that someone needs to have a CS degree to know what they're doing in this field, yet now you seem to be saying that what your degree actually did was teach you how to study further topics and more detail by yourself,
Yes, both are true. They are not mutually exclusive.
And yet you have not answered any of my questions, nor given any other substantial arguments to support your position that I can see, so unfortunately I don't think we're going to get anywhere useful here.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.