cmcauley at ixiacom.com
Wed Sep 27 18:00:50 UTC 2017
In the US, the roads are owned by someone (Private Individual, Town, State, Country). They can set the rules for driving on them as they see fit.
Who owns the Internet? In the US, definitely not the government. I guess you could argue it would be ISPs. They could govern who peers. But why would they care?
More noise should be made that the current credit scoring model cannot be trusted after this PII data has been leaked. I can't see a reliable means to protect 'your' score after this breach.
From: Dailydave <dailydave-bounces at lists.immunityinc.com> on behalf of Kristian Erik Hermansen <kristian.hermansen at gmail.com>
Date: Wednesday, September 27, 2017 at 1:32 PM
To: Dave Aitel <dave at immunityinc.com>
Cc: dailydave <dailydave at lists.immunityinc.com>
Subject: Re: [Dailydave] Equitablefax
If Equifax had a public bug bounty program, someone would have reported the Java RCE in March 2017 and picked up $10K or more for it. But no, Equifax did not have a public bug bounty program. Say what you will about the pros and cons of a bug bounty program, especially for financial institutions which "know better than the public how to protect themselves", but at least in this case a known issue would have been well documented much earlier. We should encourage other credit and financial companies to consider public or at the very least private bug bounty programs. It's a mess to operate them, but not patching a known critical web flaw ASAP that allows RCE is precisely the legal definition of negligence. Equifax should pay dearly for it.
Perhaps it's time to consider federal Cyber Security Insurance laws for such companies which force them to pay fees to operate on the Internet just like everyone that drives a car on the road? If you crash your car every time you get on the highway, or you damaged 140 million cars while driving, you would lose your license for some time. Why hasn't Equifax lost their license to operate on the internet for some time? How about a 2 year hiatus on their annual revenue to punish them? Just a thought. Maybe Halvar can chime in on why Cyber Security Insurance regulation like that is OR is not the answer. He has been working on that lately...