HN Gopher Feed (2017-11-29) - page 1 of 10
What I'm Telling US Congress about Data Breaches
181 points by robin_reala
https://www.troyhunt.com/heres-what-im-telling-us-congress-about...
ChuckMcM - 1 hours ago
It is unfortunate that he uses "date of birth" and "home address" as exemplars of information that is "of no use to the service." That is because these two pieces of information are most frequently used to establish that the user is of the age of majority (an adult) and under which set of licensing regimes the product is operating. Both of which may be critical to the function of the service.

Much better examples would be "Gender" and "telephone number".

I completely agree with the notion that data maximization (or aggregation of metadata associated with a unique ID) is the root of many evils and risks.
dingoonline - 1 hours ago
The data doesn't need to be kept though. It can be requested,
checked, verified and erased.
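The "request, check, verify, erase" pattern from the two comments above, written out as an added example (it is not code from the thread, from HIBP, or from any real sign-up flow). It assumes a hypothetical service that needs date of birth and home address only to establish age of majority and the applicable jurisdiction; the raw values are checked once in the request handler and only the derived attributes are persisted, so a later breach of the profile store cannot expose them.

```python
"""Verify, derive, erase: keep only what the service needs from sensitive fields.

Added example, not from the thread or from HIBP. It assumes a hypothetical
sign-up flow in which date of birth and home address are needed only to
establish age of majority and the applicable jurisdiction. The raw values
are checked once and then discarded; only the derived attributes are stored.
"""
from dataclasses import dataclass
from datetime import date

ADULT_AGE = 18  # assumption: age of majority for this hypothetical service


@dataclass(frozen=True)
class StoredProfile:
    """What the service actually retains. Deliberately has no DOB or address field."""
    user_id: str
    is_adult: bool
    jurisdiction: str  # two-letter country code derived from the address, nothing more
    verified_on: str   # ISO date of the check, so the derived flag can be re-evaluated later


def age_on(dob: str, today: str) -> int:
    """Whole years between two ISO dates, correct when the birthday has not yet passed."""
    d, t = date.fromisoformat(dob), date.fromisoformat(today)
    years = t.year - d.year
    if (t.month, t.day) < (d.month, d.day):
        years -= 1
    return years


def jurisdiction_from_address(address: dict) -> str:
    """Reduce a full postal address to the only part the service uses: the country."""
    country = address.get("country", "").strip().upper()
    if len(country) != 2 or not country.isalpha():
        raise ValueError("address must carry a two-letter country code")
    return country


def register(user_id: str, dob: str, address: dict, today: str) -> StoredProfile:
    """Request, check, verify, erase: returns the only record that gets persisted.

    `dob` and `address` live in this frame only; they are never written to the
    profile, to a log, or anywhere else, so nothing about them survives the request.
    """
    return StoredProfile(
        user_id=user_id,
        is_adult=age_on(dob, today) >= ADULT_AGE,
        jurisdiction=jurisdiction_from_address(address),
        verified_on=today,
    )


def retained_fields() -> set:
    """Names of the fields that end up at rest; handy as a retention check in CI."""
    return set(StoredProfile.__dataclass_fields__)


if __name__ == "__main__":
    # Constructed sample input for one sign-up request (hypothetical user).
    sample_address = {"street": "1 Example Street", "city": "Anytown", "country": "us"}
    rec = register("user-0001", "1999-11-30", sample_address, today="2017-11-29")
    print(rec)
    print("fields at rest:", sorted(retained_fields()))
```

The `retained_fields()` helper is the part worth copying: a unit test that asserts the raw fields are absent from the persisted type turns the "we do not keep it" promise into something a reviewer can check rather than take on trust.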
feelin_googley - 2 hours ago
"4. An attitude of "data maximisation" is causing services to request extensive personal information well beyond the scope of what is needed to provide that service. That data is usually then retained for perpetuity thus adding to an individual's overall risk."

And HIBP is an example of this attitude because it collects data dumps and then (at least) collects and retains user-submitted email addresses and a record of presence/absence of such "live" email addresses in the data dumps. This is beyond the scope of what is needed to provide the service, namely, copies of the data dumps available for download. The user need not share their search terms with any third party, such as HIBP. A means to search these dumps locally (offline) without sharing the searches with third parties such as HIBP exists. "Online tools" are vectors for gathering the sort of data that is later the subject of "data breaches". Offline tools do not suffer from this problem.

"6. Data breaches are redistributed extensively. There's an active trading scene exchanging data both for monetary gain and simply as a hobby; people collect (and thus replicate) breaches."

HIBP is collecting and thus replicating data breaches for "monetary gain" or "simply as a hobby"? Or is it something else?

As above, HIBP does not provide users with the data dumps they need to check them locally (offline) without contributing more data to third parties in the process (e.g., working email addresses, associated search terms, associated originating IPs, etc.).

Further, users are not provided with transparency into what HIBP is doing, i.e., what it is storing and how and where it is stored. Users cannot evaluate the security practices of HIBP as yet another online repository of sensitive user data that by virtue of its existence could be a target.

In summary, what he is not telling US Congress is that 1. "online services" or so-called "online tools", HIBP being one, are a major part of the problem and 2. there are alternative solutions, i.e., offline service and offline tools, and what HIBP provides is an excellent example of where an online service is unnecessary and is collecting large amounts of user data, unnecessarily.

Addendum: "What I'm telling you" is that I believe the problem is data collection. Any "solution" which collects data, and in this case data it is not supposed to have (e.g., a data breach), then collects more data (e.g., metadata) from users and finally asks users to trust the "new collector" is not a solution, IMO. Especially where the new collector shares no technical details about his operation (e.g. storage of user data). This practice ignores simple, obvious solutions to the problem of data collection, such as performance of tasks offline which, if performed online, would likely lead to the collection of user data. It reinforces the mindset that perpetuates the problem: that data collection and trusting third parties is always necessary.
rrix2 - 1 hours ago
> This is beyond the scope of what is needed to provide the service, namely, copies of the data dumps available for download.

You're telling us that you'd rather that HIBP act as a clearing house for credentials and user information as a result of a data breach rather than exposing a single bit of information per user ("have i been pwned?")

I, at least, completely disagree with you, regardless of Troy's motives or any "monetary gain" he receives through HIBP. Troy has been incredibly transparent, and in fact talks about this very issue on his blog: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...
GrinningFool - 3 hours ago
Something I would have liked to see - but perhaps this letter wasn't the right place.

Let's talk about how the ubiquitous use of SSN and credit reports puts a massively unfair burden on every US citizen.

Right now, it's all on me. I need to safeguard everything related to my government-issued nine digit ID that I never asked for - yet is somehow accepted as my financial identity, well beyond its intended scope.

If I fail to do so, or if I fail to aggressively identify fraudulent use of it by monitoring reports from 3-4 different agencies, it's on me. It's my credit that's screwed.

It's hard to emphasize enough how unreasonable that is. This isn't a house or other piece of real property that's in my control - it's 4 bytes of data that is assigned to me, but that I fundamentally have no control over.

In spite of that, I am accountable for any and all uses of that data. It's hours of my life each time a breach occurs - more if it's actually misused. The assumption of 'bad credit risk unless and until you convince the reporting agencies that fraud has happened' is a fundamentally flawed one.

I can't opt out. I can only keep spending my time and money to play the game - because it's the only one in town.
greenhouse_gas - 2 hours ago
Just curious, how do other countries do it? For example, can I
get a loan in Canada online or over the phone (not in person)?
adekok - 2 hours ago
> Let's talk about how the ubiquitous use of SSN and credit reports puts a massively unfair burden on every US citizen.

In France, private credit bureaus don't exist. It's up to banks to track these things.

The country seems to work fine.
csa - 2 hours ago
> In France

> The country seems to work fine.

I hope you realize the joy you have brought to many people's day by writing this.

I would pay a large sum of money to see all of the replies that will go unwritten.
maxxxxx - 1 hours ago
In Germany life is also not dominated by the credit agencies
like in the US but there is a thing called "Schufa" that does
some credit reporting. Not sure how it works though.
chokma - 1 hours ago
The Schufa (https://en.wikipedia.org/wiki/Schufa) provides data for their partners/customers on your credit rating and credit score.

Banks will usually not give you an account and shops won't give you credit if your rating is bad. For example, you are so late to pay your bills that the creditor has involved collection agencies or the courts to get their money.

Landlords will more often than not demand a document from the Schufa (supplied at your own expense) to consider you eligible for renting a flat or a house.

Edit: grammar
tpolzer - 13 minutes ago
The important distinction is that Schufa is heavily
regulated and cannot e.g. give banks disputed information
as long as the dispute is not resolved.
softawre - 1 hours ago
You can freeze your credit to "opt out"
jaredandrews - 3 hours ago
Indeed! I have recently been trying to come up with a new term to use instead of "identity theft" (open to suggestions). As the term itself seems almost Orwellian to me.

My identity wasn't stolen! You gave a loan/credit card/whatever to someone and didn't verify who they were. How is your organization not doing the proper work a "theft" of my identity? I'm not involved and I don't want to be!
LambdaComplex - 1 hours ago
"Identity theft" isn't real. It's a term the banks et al. use so that they can have less responsibility.

Example: Someone opens a bank account using your information. That's fraud. Someone lied to the bank, and the bank believed them. That's the bank's problem. But by pointing at you and saying "Your identity was stolen" (using the term "stolen" to make it seem like this is similar to the theft of a physical object), it suddenly seems like it's your problem.
LeifCarrotson - 1 hours ago
> It's a term the banks et al. use so that they can have less responsibility.

I agree that it's misleading, but have to concede that whoever first came up with that term must have been an expert in framing and spin. There are few words that so effectively distort the discussion as "identity theft".
greenleafjacob - 3 hours ago
I've heard "bank fraud" used here.
losteric - 1 hours ago
Fraud is the one and only word needed.

Via https://en.wiktionary.org/wiki/fraud: The crime of stealing or otherwise illegally obtaining money by use of deception tactics.

Legally speaking:

> Fraud must be proved by showing that the defendant's actions involved five separate elements:
> (1) a false statement of a material fact ["I am John Doe"],
> (2) knowledge on the part of the defendant that the statement is untrue [they are not John Doe],
> (3) intent on the part of the defendant to deceive the alleged victim [they want money],
> (4) justifiable reliance by the alleged victim on the statement [bank credit approves access based on identity], and
> (5) injury to the alleged victim as a result [bank loses customer money].

(https://legal-dictionary.thefreedictionary.com/fraud)
anubisresources - 1 hours ago
Credit fraud. The banks were defrauded, not you.
jacquesm - 3 hours ago
> identity theft

Impersonation.
mrhwick - 2 hours ago
https://www.youtube.com/watch?v=CS9ptA3Ya9E
CoolGuySteve - 2 hours ago
If the credit agency is harming your reputation with an incorrect credit report then the proper term for what they're doing is libel and you can sue them for it.

I'd like to see a startup or non-profit that automates libel civil lawsuits against the reporting agencies. At least then maybe we'd get some responsibility from them.
seanp2k2 - 1 hours ago
IANAL but banks have a lot of cash to throw at legal teams. AFAIK you'd have to show evidence of material damages. Seems very hard to automate... might be better for class-action.
CoolGuySteve - 1 hours ago
Ya I agree. It seems these firms are relying on the fact that each individual suing them would have to put up considerable time and money, and so most don't.

But if some economy of scale could be provided in filing these lawsuits, like those boilerplate will-in-a-box products, then the business of credit reporting in its current form may be made non-viable.
njarboe - 1 hours ago
I like the term "bank slander" [1]. The company that gave a loan to a fraudster (a bank) lies to the credit bureau (slander) and now you have to spend a bunch of time trying (and usually failing) to get those lies off your credit report.

[1] previous HN comment - https://news.ycombinator.com/item?id=15657887
hammock - 2 hours ago
Negligence
FiveSquared - 3 hours ago
I have an amazing idea. Why not let the companies be liable for their own data breaches. Wow, what an amazing idea! /s
jacquesm - 3 hours ago
The EU is well underway to establishing this.

What would be even better is to move the lack of reporting of a breach to the criminal branch of the law.
syshum - 2 hours ago
Liable how? And to what extent? The idea "let the companies be liable for their own data breaches" sounds good until you think about it for more than 10 seconds.

Identity fraud is not normally carried out using just 1 breach, so it is several breaches combined that give a criminal what they need to commit full identity fraud.

Credit card fraud can almost never be traced back to a single breach.

Are you holding the company that collected the data, or the company that the data was stolen from, liable? Often times these are not the same entities.

I can probably come up with about 1000 other things to bring up in relation to "let the companies be liable for their own data breaches."
cabaalis - 3 hours ago
I hope some good comes from this testimony. I help run a product that works with a tremendous amount of data. I welcome additional accountability as well as the security that would come from knowing that any regulatory requirements are properly met.

On a second note, will this be the historic first time anyone says the word "Pwned" before congress?
kinkrtyavimoodh - 5 hours ago
I don't mean to sound cynical (as in, this is a genuine question)
but do these hearings amount to anything more than political
grandstanding so that the relevant Congresspersons can claim to
have been 'tough' on whatever topic was discussed?
advisedwang - 4 hours ago
Hearings like this are part of the process towards actual action, and if the process continues, then it's not grandstanding. However if they do hearings and no more, it's worthless. We can't tell from the hearings themselves whether they will lead to action... which is why it's such an effective way to grandstand!
komali2 - 3 hours ago
Hard to say in 2017 :/

I'm of the opinion that the US is irretrievably lost in the hole of plutocracy / oligarchy. Recall during the election Donald Trump bragging he can buy politicians [1].

I'm finding "hero politicians" to be less and less common, and dare they raise their head, the establishment usually does everything in their power to mow the lawn. See - Bernie Sanders, alongside a couple other rare US Federal politicians, an actual good egg that appears to not be bought and paid for by corporate lobbyists.

There's lots of people trying to paint in black and white how obvious it is you can pay a politician to pass laws to protect you - we can go on for hours about Big Telecom minging about in local jurisdictions to prevent new providers, Big Oil essentially preventing a nuclear revolution in the USA, etc, but this site [2] paints a pretty clear picture in my opinion: Given that a corporation is expected to generate profit on dollars spent, why would BlueCross BlueShield and UnitedHealthcare be dumping money onto politicians? What reason could there possibly be other than to protect their profits?

I dunno man, other people are better at espousing the problem of money in politics than me, I just am cynical as hell after seeing time and time again obviously anti-WeThePeople votes bought for mere thousands.

So, to answer your question, in my un-professional opinion, the reason these hearings are good is they can inform the media and general public. They can get something on the record. We still reference hearings from decades ago - and can use that to apply pressure. "Senator, weren't you in x hearing, why then did you not do anything about y?" It can also inform the select few Hero politicians who can actually do good work for us with this new information - they're busy as fuck and this is one hell of a way to get data to them.

Ancillaries include giving new ammunition to Word Wars - various politicians can use buzzlines from the hearing to further their own goal, which might help us, might not, god only knows.

So my opinion, I'm glad these happen, but I think afterwards it'd be cool if people like Troy Hunt used their position to drum up donations to buy a couple of the politicians in the hearing, or at the very least throw more money at Twitter so that the Comcast and BroadBandForAmerica lobbyist propaganda promoted tweets can be buried under pro-WeThePeople material.

[1] https://www.washingtonpost.com/politics/trump-bragged-that-h...

[2] https://www.opensecrets.org/lobby/issuesum.php?id=HCR&year=2...
iiiete22 - 3 hours ago
You are right to point out the extent of how corrupt our political system is. It's understandable that you've become cynical after all this. But I hope your cynicism doesn't discourage you from trying to make things better. The corruption is allowed to exist because so many people, who should be outraged, simply throw up their hands and say that nothing can be changed.

Troy is doing what he can to make a difference. We shouldn't have unrealistic expectations of what this can accomplish. But we should applaud the effort.

We can force companies and governments to change their approach to security. But we need to start talking about these issues outside of HN. We need to get organized. We need to force change in our own companies.
komali2 - 3 hours ago
I feel you. I do my part, writing my congressfolks, kicking up shitstorms in their voicemails occasionally.

My end-game though is to become Really Goddamned Rich and start swinging my big cash dick around. I'm kind of curious why folks like Musk don't do that more often. Gates did it once and nearly irradiated an entire species of virus (polio).

EDIT: Btw, this is a great tool for pestering all your reps at once: https://democracy.io/#!/
cmurf - 4 hours ago
It depends very much on the particular Congresscritter in
question.
ndesaulniers - 3 hours ago
Very cool to see Troy use my suggestion, from https://www.troyhunt.com/im-testifying-in-front-of-congress-...:

"Troy, to your point "Data breaches can take years to discover," I think it's helpful to put in layman's terms that breaches are closer to making photocopies where there are now two people in possession rather than a theft where the owner is deprived of access. How do you detect that a document has been photocopied?"

In the final (this link):

"However, unlike a physical commodity, the trading of data breaches replicates the asset as each party retains their original version, just like making a perfectly reproduced photocopy."

:)

To expand on my point and

> We Often Don't Know Until Years Later

You notice someone's stolen physical property from you, because you are deprived of it.

You don't notice someone's stolen digital property from you, because now there are more copies of it.

(maybe "stolen" and "property" aren't the correct terms to use for digital assets?)
severine - 1 hours ago
> maybe "stolen" and "property" aren't the correct terms to use for digital assets?

Indeed. See, for example, https://www.stallman.org/articles/ft-response.html
dragonwriter - 1 hours ago
> (maybe "stolen" and "property" aren't the correct terms to use for digital assets?)

Stolen is rarely the right word (that is, it's possible to steal digital assets, notably if also stealing the physical medium on which they are stored, but usually the term is used in only a loosely figurative sense), but "property" is often correct; there are all kinds of nonphysical property that share important features with physical property, and there are equally important distinctions within classes of tangible property as between tangible and intangible property.
thisisit - 6 hours ago
In case someone is wondering, the previous post - "I'm Testifying to Congress about Data Breaches - What Should I Say?" - was discussed here: https://news.ycombinator.com/item?id=15751344

Some of the replies really touch upon what can go wrong with government regulation.

That said, I do really want something done about this:

> An attitude of "data maximisation" is causing services to request extensive personal information well beyond the scope of what is needed to provide that service

Stop collecting information which is not required. Most of this information ends up in some form of advertisers/advertisement in guise of creating "more engagement with users".
loeg - 1 hours ago
The information has already been collected and breached, or will
be breached eventually. Data minimalism isn't going to put the
horse back in the barn, so to speak. (It may help anyone too
young to have a credit card, and younger generations.) So we
need to do something about identification not relying on
knowledge factors for everyone currently over 16.
ashark - 5 hours ago
IMO there should be expensive data breach bond/insurance requirements for any company storing data about people, scaled by how much and possibly which kinds of data are stored. Discourage holding a bunch of stuff "just in case".

And FFS, at least outlaw the required arbitration BS for data breaches. Let the bond or insurer pay out when it happens, then jack up their prices on the breached company until they cry.
pc86 - 4 hours ago
By "until they cry" I assume you mean "until they can no longer
continue passing the costs directly to the consumer, at which
point they simply go into bankruptcy and reincorporate 6 months
later at the lower insurance rate?"
curun1r - 2 hours ago
One would hope that insurers would start proactively setting the rates for their policies based on several factors and not just in response to breaches and payouts. For instance, an insurer's exposure would be greatly affected by the types of information collected, so they could offer lower costs to a business that was only collecting email addresses than to one that collected many more types of PII. You'd also hope that insurers would start to give preferential rates to companies that complete (and resolve) periodic security audits from trusted auditors.

The benefit of insurers getting involved is that they can de facto mandate these kinds of security audits and practices by making insurance policies unaffordable without them. And, unlike government regulation, the requirements from insurers can evolve rapidly over time in a way that's difficult for laws to evolve. Insurers will hire security experts to advise on best practices and each have their own ideas of what security means. If a business finds a single security practice onerous, they can shop for an insurer that doesn't require it.
ashark - 3 hours ago
1) if they have competitors, they can't do much "passing along to consumers" to begin with, and 2) I thought insurance companies were supposed to be really good at assessing risk, and markets are magically efficient and all that, so shouldn't the better insurers unravel such schemes? Plus it's not like losing, you know, brand recognition and such is nothing. Point is it should hurt a lot to leak personal data, and it's this or directly regulate (this sort of thing used to be the right-wing way of doing things, but now doing anything at all about these problems, no matter the mechanism, is "left", at least in the US; see also health care)
abakker - 3 hours ago
If the data you hold as a business is so valuable that the insurable risk of loss is too expensive for your business, then ask, "do we really need to hold that data?" If your business needs to pass that on to consumers because you can't afford the hit to your margins, then consumers need to ask, "is [service/product] really worth that much to me?"

The downside is that the most critical components of information which tie to identity itself, are the ones that businesses most commonly need to hold to verify identity. More challenging is that without a way to modify identity data (i.e. change your SSN), the insurable risk is huge because it needs to include a discounted cost of identity monitoring forever, and the cost of the individual losses that someone might encounter for the loss of that data. Then of course, if a person's identity is compromised more than once, how do you discount the responsibility across multiple careless parties?

IMO it all comes down to never using immutable information (Name, DOB, etc) to firmly define identity online. That information should be for display purposes only. At the backend, we need an identity that is tolerant of change, and can easily be updated if it is ever lost. In reality this will probably mean that instead of an ID, we have ID probability, which would include photos, addresses, ID numbers, Credit card account access, and companies that needed to verify it would be able to evaluate how certain they were the identity was real, and to insure against mishandling of the individual components of information.
ashark - 2 hours ago
> The downside is that the most critical components of information which tie to identity itself, are the ones that businesses most commonly need to hold to verify identity. More challenging is that without a way to modify identity data (i.e. change your SSN), the insurable risk is huge because it needs to include a discounted cost of identity monitoring forever, and the cost of the individual losses that someone might encounter for the loss of that data. Then of course, if a person's identity is compromised more than once, how do you discount the responsibility across multiple careless parties?

If it gets expensive enough, maybe banks and CC companies and such will finally get off their asses and fix the whole "identity theft" issue. That's a feature, not a bug.

I think the US is too allergic to anything with even a whiff of "secure national ID" for us to let the government fix it, so this is the next best (or, better, depending on your perspective) option. I frankly don't care how we do it, but it's really stupid this is still a thing people have to worry about, and making it cheaper for the banks to fix it than not to fix it seems like the most politically viable solution.
abakker - 22 minutes ago
Agree completely. Personally, I was hoping that Visa, MC, and Amex together could just create a new standard "financial ID number" or "Credit ID Number" that they could collectively agree on and we could all just kind of ignore the government. CC numbers themselves are almost good enough in the first place, they just need to get a little more self-referential.

Hell, maybe they could even use a distributed ledger to do it and bring in the credit reporting agencies too.
sbov - 2 hours ago
What data about people would apply? What about public records?
Note that if you own property, your name and address are
already public.
syshum - 2 hours ago
"Public Records" is part of the maximization problem.

The Government is more guilty than any business on collecting, hoarding, and making public all kinds of personal information about you.

If the government wants to curb data breaches it needs to start cleaning its own house. 90% of "public data" should not be public at all.
glitcher - 5 hours ago
While he presents a great overview of all the problems with static
knowledge based authentication, I get the feeling that the very
fact that this hearing was called for implies there is already a
strong consensus that the current status quo is a big problem. To
me it falls a bit short because he primarily elaborates on the
details of the problem without offering any suggestions on how to
move forward towards a solution. I mean, the details may help
understanding which could inform improved policy, but these
politicians also need guidance on what actions to consider.
bklaasen - 4 hours ago
From the article: "I've had some great suggestions around
tackling the root cause of data breaches and I'd love to have
another opportunity in the future to talk about that, but it goes
beyond the specific focus of this hearing. That said, who knows
what I'll be asked by congressmen and congresswomen on the day
and they may well question what can be done to combat the
alarming rise in these incidents. I've now got a lot of great
references on hand to go to should that happen so once again,
thank you!"
mtgx - 5 hours ago
Indeed, and if impartial security experts won't offer them, the
politicians will have to rely on corporate lobbyists to write
their own rules and penalties affecting those companies.
kbenson - 4 hours ago
I believe the scope of what he was asked to address might not have included suggested solutions, beyond the obvious "don't suggest all the stuff I'm saying is causing a problem."

He does specifically go out of his way to say, in bold and isolated text, Do keep in mind that the context here is the impact on identity verification in "a post-breach world".
rrggrr - 5 hours ago
Nice overview, but more importantly, what will Troy say when members ask him for solutions. Notably absent are details on whom to hold accountable, how to hold them accountable, and what penalties should be in place.
maxxxxx - 4 hours ago
I hope they won't use the hearing for blaming foreign adversaries
that need to be fought with offensive capabilities. It should be
made clear that the problems are homegrown.
dstroot - 2 hours ago
Troy: HUGE kudos for how you managed such an open and transparent process. Don't recall any other examples of such inclusiveness and openness for a senate testimony. Bruce Schneier did a good job sharing his testimony after the fact but you went all in.
sova - 2 hours ago
I'm glad you hit the main points, but you did not offer any
solutions, and I think partial encryption is one that is really
important to lay out. Our social security numbers and valued
information (that cannot be changed, like where you were born) need
to be encrypted all the time, not just when convenient.
loeg - 1 hours ago
Encryption doesn't really help when 1/3 of Americans' SSNs have
been publicized already. It's shutting the barn doors after the
horses are long gone. SSN needs to be at most a username, rather
than a credential.
Nomentatus - 1 hours ago
Encryption is good. Even better, for credit cards, use reference numbers from the CC company instead that identify an individual account (to the CC company) but aren't a number that can be used for obtaining credit, just for discussing the account. Encryption fine, but better not to store volatiles at all if you don't have to.
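The reference-number idea in the comment above is what card tokenisation does, and the point about not storing volatiles at all is the same minimisation argument that runs through this thread. The following is an added example, not code from the thread or from any card network: a hypothetical token vault held on the issuer side hands the merchant an opaque random reference that identifies the account for recurring charges and support conversations but has no relation to the card number, so a merchant-side breach yields nothing that can be used to obtain credit. All card numbers and identifiers below are constructed test values.

```python
"""Store a reference token, not the card number.

Added example, not from the thread or from any real card network. It sketches
a hypothetical tokenisation service: the vault (issuer side) keeps the primary
account number (PAN); the merchant keeps only an opaque token bound to that
merchant, plus the last four digits for display. Card numbers are constructed
test values.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MerchantRecord:
    """Everything the merchant persists about a card. Note: no PAN field."""
    customer_id: str
    token: str
    last4: str  # display only; on its own it cannot be used to obtain credit


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum, used here only to reject mistyped input before tokenising."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault living on the card-network side, never at the merchant."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, Tuple[str, str]] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # A fresh random token: no mathematical relation to the PAN, so a leaked
        # token reveals nothing about the card. It is also bound to one merchant,
        # so a token stolen from merchant A is useless when presented by merchant B.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = (pan, merchant_id)
        return token

    def resolve(self, token: str, merchant_id: str) -> Optional[str]:
        entry = self._pan_by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        return entry[0]


def onboard_card(vault: TokenVault, merchant_id: str, customer_id: str, pan: str) -> MerchantRecord:
    """The only moment the merchant sees the PAN; it is exchanged for a token and dropped."""
    if not luhn_ok(pan):
        raise ValueError("card number fails checksum")
    token = vault.tokenize(pan, merchant_id)
    return MerchantRecord(customer_id=customer_id, token=token, last4=pan[-4:])


def record_leaks_pan(record: MerchantRecord, pan: str) -> bool:
    """Simulate a merchant-side breach: does anything in the stored record expose the PAN?"""
    stored = " ".join([record.customer_id, record.token, record.last4])
    return pan in stored


def charge(vault: TokenVault, merchant_id: str, record: MerchantRecord, amount_cents: int) -> dict:
    """A recurring charge presents the token; only the vault can turn it back into a PAN."""
    pan = vault.resolve(record.token, merchant_id)
    if pan is None:
        return {"ok": False, "reason": "unknown token or token not bound to this merchant"}
    return {"ok": True, "amount_cents": amount_cents, "masked": "**** " + pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    rec = onboard_card(vault, "merchant-A", "cust-1", "4111111111111111")  # constructed test PAN
    print("merchant stores:", rec)
    print("breach of merchant DB exposes PAN:", record_leaks_pan(rec, "4111111111111111"))
    print("charge by merchant-A:", charge(vault, "merchant-A", rec, 1999))
    print("charge by merchant-B:", charge(vault, "merchant-B", rec, 1999))
```

The merchant-binding check in `resolve` is what turns a token from "a shorter card number" into a real reference: even if the token store is copied wholesale, it only works from the account it was issued to, which is the property the comment is asking for.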