[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

John Bambenek jcb at bambenekconsulting.com
Tue Feb 13 17:27:02 UTC 2018


Correct, you CAN have DNS without WHOIS. What you can't have is
voluntary interconnection of networks. You can't have providers
working with each other to resolve problems. You can't have victim
notification. You can't have investigations that proactively block much
more serious privacy and security risks.

j

On 2/13/2018 11:13 AM, Theo Geurts wrote:
>
>
> Exactly, ICANN should never have mandated registrant data to register
> a domain name in the first place, a big mistake. Technically it is not
> required anyway.
>
>
> On 13-2-2018 18:07, John Bambenek via gnso-rds-pdp-wg wrote:
>>
>> No it doesn't because there are large incentives for institutions and
>> individuals to continue to publish information. Businesses, for
>> instance, WANT to be contacted. If you want mail delivered, certain
>> best practices are imposed.
>>
>> If consent is not the solution, YOU are deciding what the rest of the
>> world can and cannot do with their data. Who exactly made ICANN the
>> arbiter of what I can do with my data?
>>
>>
>> On 2/13/2018 11:04 AM, Volker Greimann wrote:
>>>
>>> I am not sure you want that, because that means completely dark whois.
>>>
>>> I'd prefer an approach where we do not need to rely on consent (but
>>> can still offer it as an option). The hard bit is finding the right
>>> principles of who gets access to what and how even when there is no
>>> consent.
>>>
>>> Consent is not the solution.
>>>
>>>
>>> Am 13.02.2018 um 18:00 schrieb John Bambenek via gnso-rds-pdp-wg:
>>>>
>>>> Ok, so you agree with me in principle and we're just haggling over
>>>> the details now. Flip a coin for all I care, opt-in/opt-out and
>>>> move forward.
>>>>
>>>> So let's do that. When can we implement?
>>>>
>>>>
>>>> On 2/13/2018 10:58 AM, Volker Greimann wrote:
>>>>>
>>>>> You are still looking at the wrong end of the horse. Privacy is
>>>>> not the choice, it is the default. Divulging data is the choice.
>>>>>
>>>>>
>>>>> Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
>>>>>>
>>>>>> Exactly right. As far as I'm concerned if we made privacy a free
>>>>>> choice, make the fields optional for all I care, and whatever
>>>>>> they do make is public... we have solved this problem.
>>>>>>
>>>>>> People who ACTUALLY protect society against privacy threats have
>>>>>> the data to do their jobs, consumers who want privacy have a free
>>>>>> option for it, and registrars can be in compliance with the law.
>>>>>>
>>>>>>
>>>>>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>>>>>> This is just an example but there is a lot of damage that can be
>>>>>>> caused with data being exposed. In our case we have phone
>>>>>>> numbers, addresses, and emails, which are required for verification.
>>>>>>>
>>>>>>> This takes us to issue of consent.
>>>>>>>
>>>>>>> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg
>>>>>>> <gnso-rds-pdp-wg at icann.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>     Let's be honest here, we're talking about phone numbers and
>>>>>>>     email addresses. The threat model is RADICALLY different
>>>>>>>     with the data we are talking about.
>>>>>>>
>>>>>>>
>>>>>>>     On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>>>>>>
>>>>>>>>     Undeterred by the fact that no one has responded to my last
>>>>>>>>     post, I offer the following update to the Equifax breach to
>>>>>>>>     further illustrate my point.  As many companies have found
>>>>>>>>     out, you don't find out what you've got till it's
>>>>>>>>     gone.....a further reason for data minimization and short
>>>>>>>>     retention periods.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>     http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>>>>>>
>>>>>>>>
>>>>>>>>     *Equifax hack worse than previously thought: Biz kissed
>>>>>>>>     goodbye to card expiry dates, tax IDs etc*
>>>>>>>>     Pwned credit-score biz quietly admits more info lost
>>>>>>>>     By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>>>>>>
>>>>>>>>     Last year, Equifax admitted
>>>>>>>>     https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>>>>>>>     hackers stole sensitive personal records on 145 million
>>>>>>>>     Americans and hundreds of thousands in the UK
>>>>>>>>     https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>>>>>>>     and Canada.
>>>>>>>>
>>>>>>>>     The outfit already said cyber-crooks "primarily" took
>>>>>>>>     names, social security numbers, birth dates, home
>>>>>>>>     addresses, credit-score dispute forms, and, in some
>>>>>>>>     instances, credit card numbers and driver license numbers.
>>>>>>>>     Now the credit-checking giant reckons the intruders
>>>>>>>>     snatched even more information from its databases.
>>>>>>>>
>>>>>>>>     According to documents provided by Equifax to the US Senate
>>>>>>>>     Banking Committee,
>>>>>>>>     and revealed this month by Senator Elizabeth Warren (D-MA),
>>>>>>>>     https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>>>>>>>     the attackers also grabbed taxpayer identification numbers,
>>>>>>>>     phone numbers, email addresses, and credit card expiry
>>>>>>>>     dates belonging to some Equifax customers.
>>>>>>>>
>>>>>>>>     Like social security numbers, taxpayer ID numbers are
>>>>>>>>     useful for fraudsters seeking to steal people's identities
>>>>>>>>     or their tax rebates, and the expiry dates are similarly
>>>>>>>>     useful for online crooks when linked with credit card
>>>>>>>>     numbers and other personal information.
>>>>>>>>
>>>>>>>>
>>>>>>>>     *Contradictory*
>>>>>>>>
>>>>>>>>     "As your company continues to issue incomplete, confusing
>>>>>>>>     and contradictory statements and hide information from
>>>>>>>>     Congress and the public, it is clear that five months after
>>>>>>>>     the breach was publicly announced, Equifax has yet to
>>>>>>>>     answer this simple question in full: what was the precise
>>>>>>>>     extent of the breach?" Warren fumed in a missive late last
>>>>>>>>     week.
>>>>>>>>     https://www.warren.senate.gov/?p=press_release&id=2317
>>>>>>>>
>>>>>>>>     Equifax spokeswoman Meredith Griffanti stressed to The
>>>>>>>>     Register today that the extra information snatched by
>>>>>>>>     hackers, as revealed by Senator Warren, belonged to "some"
>>>>>>>>     Equifax customers. In other words, not everyone had their
>>>>>>>>     phone numbers, email addresses, and so on, slurped by
>>>>>>>>     crooks, just some. How much is some? Equifax isn't saying,
>>>>>>>>     hence Warren's (and everyone else's) growing frustration.
>>>>>>>>
>>>>>>>>     The senator is a cosponsor of the proposed Data Breach
>>>>>>>>     Prevention and Compensation Act,
>>>>>>>>     https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>>>>>>>     which, if passed, would impose computer security
>>>>>>>>     regulations on credit reporting agencies, with mandatory
>>>>>>>>     fines that would have led to Equifax coughing up $1.5bn for
>>>>>>>>     its IT blunder.
>>>>>>>>
>>>>>>>>     Some regulation or punishment is obviously needed.
>>>>>>>>
>>>>>>>>     No senior Equifax executives were fired over the attack;
>>>>>>>>     instead the CEO, CSO and CIO were all allowed to retire
>>>>>>>>     with multi-million dollar golden parachutes. The US
>>>>>>>>     government's Consumer Financial Protection Bureau promised
>>>>>>>>     a full investigation into the Equifax affair, and then gave
>>>>>>>>     up. On February 7, an open letter [PDF]
>>>>>>>>     https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>>>>>>>     from 32 senators to the bureau asked why the probe was
>>>>>>>>     dropped, and the gang has yet to receive a response. ®
>>>>>>>>
>>>>>>>>
>>>>>>>>     _______________________________________________
>>>>>>>>     gnso-rds-pdp-wg mailing list
>>>>>>>>     gnso-rds-pdp-wg at icann.org
>>>>>>>>     https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>>
>>>>>>>     -- 
>>>>>>>     --
>>>>>>>
>>>>>>>     John Bambenek
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>>  
>>>>>>> Regards
>>>>>>> Nanghaka Daniel K.
>>>>>>> Executive Director - ILICIT Africa / Chair - FOSSFA / Community
>>>>>>> Lead - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team -
>>>>>>> FOSS4G2018
>>>>>>> Mobile +256 772 898298 (Uganda)
>>>>>>> Skype: daniel.nanghaka
>>>>>>>
>>>>>>> ----------------------------------------- "Working for Africa"
>>>>>>> -----------------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>

-- 
--

John Bambenek
