Equifax Breach via Apache Struts Framework

Equifax Hack via Apache Struts

As reported last Friday, Equifax, the personal credit reporting agency, had a 2017 data breach exposing 143 Million people’s identities. It started in May 2017 and is just now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore, 30 days of free credit monitoring from the company that released your data, after which you have to pay monthly, still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSA’s hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list the good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty, at a high level, is primarily in identifying and blocking bad actors.

I hate to say it folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.
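To make the white-list point above concrete, here is an added example (not code from the original post) that validates a single input field two ways: a deny-list of known-bad fragments, and an allow-list that only accepts a permitted shape. The identifier pattern, the deny-list entries and the sample inputs are all assumptions constructed for the demo; the point is that the deny-list lets through anything it did not anticipate, while the allow-list rejects everything it was not told to accept.

```python
import re

# Allow-list: the only thing accepted is what is explicitly permitted.
# (Pattern for an account identifier field; an assumption for this demo.)
ALLOWED_ID = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Deny-list: a fixed set of "known bad" fragments. Anything not on the
# list gets through, which is exactly the weakness the post describes.
DENIED_FRAGMENTS = ("<script", "../", "';")


def allowlist_ok(value: str) -> bool:
    """Accept only identifiers matching the permitted shape."""
    return ALLOWED_ID.fullmatch(value) is not None


def denylist_ok(value: str) -> bool:
    """Reject only inputs containing a known-bad fragment (case-sensitive)."""
    return not any(bad in value for bad in DENIED_FRAGMENTS)


# Constructed sample inputs: two legitimate identifiers, then two trivial
# variants (case change, URL-encoded slash) that the deny-list never saw.
SAMPLES = ["alice_01", "bob", "<SCRIPT", "..%2F"]


def compare(samples=SAMPLES) -> dict:
    """Return {input: (denylist_passes, allowlist_passes)} for each sample."""
    return {s: (denylist_ok(s), allowlist_ok(s)) for s in samples}


if __name__ == "__main__":
    for value, (deny, allow) in compare().items():
        print(f"{value!r:12} deny-list passes: {deny!s:5}  allow-list passes: {allow}")
```

Running it shows both legitimate identifiers passing both checks, while the two variants sail through the deny-list and are stopped only by the allow-list. The deny-list can be patched each time a new variant shows up (the whack-a-mole the post describes); the allow-list does not need to know about the variant at all.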

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites.

This is like Hurricane Harvey – it’s not even close to over.

I Just Need a Website, That’s All I Need

caller: I was calling about a web site

developer: cool, that’s what we do. how can I help?

caller: I have a simple site and I need some updates. not much really, just a few changes. is that something you do?

developer: yes, what is the url?

caller: well I’ll need you to sign an NDA before I give you the url. can I fax it over?

developer: no (thinks: “do I still have a fax to email gateway working? hmmm”)

caller: what?

developer: we just met and you want to fist bump attorneys?

caller: no, i just don’t know how else to protect my intellectual property!

developer: you have a site now, right?

caller: yes

developer: live on the internet?

caller: yes

developer: …… long pause…..

caller: ok, I see your point.

…. 45 minutes of spec requests and contract pre-negotiation convo takes place here….

caller: so basically that’s it. my brother-in-law said he could build it for $225 dollars but I wanted to call around and get a few options to see if I could reduce the cost. He’s not very good actually.

Thoughts going through your head as the dev:

  1. developer (option 1): so you have a job board and you want to enhance a few features of monster.com to allow for a commission and affiliate structure?
  2. developer (option 2): so you have a great e-commerce idea, have been reviewing amazon.com and found a few ways to improve on their theories to sell widgets?
  3. developer (option 3): so you want to have a self-sustaining site that makes you money with no effort invested while you work at your current job, realizing the money-for-nothing potential advertised on TV?

Resolution: have you heard of Crowdspring?

#respect #withAllDueRespect

the concept of destiny

After spending a lot of time falling asleep at the library while facing the philosophy books, I determined that the concept of destiny is a construct that allows man a gentle release from facing the terror of his existence, and that…

T3PR: Strategic Views on Technology & PR

Honored to be presenting at PRSA’s T3PR Conference “Strategic Views on Technology and the Changing PR Landscape” this Friday in NYC. You really can’t visit NYC often enough. And I definitely appreciate true STRATEGIC PR. Our keynote speaker is none other than Sarah Evans speaking on “What’s Next for PR, Strategy and Technology.”

It will also be great to see our conference co-chair Deirdre Breakenridge, the moderator of the #techprsa Tweet Chat and the author of PR 2.0! We were lucky enough to have Deirdre chair SchipulCon09 last year and I assure you she is a great speaker and “gets it.”

From the official T3PR Conference Web Site:

Achieve your organizational goals with T3PR’s panels, networking events and tactical sessions developed by the industry’s premier thought leaders, including:

“Driving Your Online Footprint: PR Experts as Influencers” — Christine Perkett, CEO and founder, PerkettPR

“Storytelling in the Changing Digital Space” — Nick Bilton, technology reporter and lead writer, Bits Blog, The New York Times; author of the upcoming “I Live in the Future & Here’s How It Works”

“The New Era of Blogging” — Joe Ciarallo, editor, PRNewser; manager, PR Initiatives at MediaBistro (moderator); Adam Ostrow, editor-in-chief, Mashable; Sara Polsky, editor, Curbed; Frederick Mwangaguhunga, founder, MediaTakeOut.com

“Facebook Marketing and the Word of Mouth Campaign” — Justin Levy, general manager, New Marketing Labs; author of “Facebook Marketing: Designing Your Next Marketing Campaign.”

“B-to-B Tech Firms and Murphy’s Law: Anticipating Communications Crises” — Harjiv Singh, co-founder and co-CEO, International, Gutenberg Communications

If your schedule permits and you can join us in NYC – THIS Friday, June 11, 2010. Ping me for a discount code!

Google “God in Houston” and you won’t find a church

In the process of explaining SEO (search engine optimization) over the years I frequently demonstrate that if you Google “God in Houston” the top results are not churches. Now I’m not talking about the local results that show the churches, but the actual search results below those, which list KSBJ as the top result for “God in Houston” when searched on Google. And the only paid search result is for “Houston Gold” – like the shiny stuff you make jewelry out of. Here is a screen shot:

From a technical perspective, this makes perfect sense. Because the largest churches in Houston do not mention the word “God” on their web sites. Yes really. Using a search engine keyword analyzer, a test of second.org shows the following.

Note the title is “Second Baptist Church, Houston, TX.” Thus they will likely rank for “Churches in Houston” but not for “God in Houston.” A simple fix would be to update the title to “Second Baptist Church, Serving God in Houston TX”.

I mention this because exactness of speech matters. It means that some of our largest churches have zero (0) possibility of being returned if a downtrodden person googles for them in the middle of the night. It means missed connections when a bible study group at a particular church might be the perfect connection for a fellow Houstonian. But we will never know because of a failure of exactness of speech.

On the flip side, a tip of the hat to Braeswood Assembly of God church which comes up for both the physical location and second natural ranking after KSBJ in the search results. And all because they mention the word “God” in their title.

So be specific. Be exact. And I’ll leave it to you to search for the ministers’ names – they rank a bit higher than God.

Social Media for Public Relations Pros at PRSA Charlotte

Thanks to the Charlotte, North Carolina Chapter of the Public Relations Society of America for the opportunity to address 160 pros yesterday. Attendee Jason Keath of Charlotte already has a wrap-up post from my talk here. Thanks Jason!

And of course the slides are available on slideshare.net/eschipul as well as embedded below. Thanks!

The Tricksters of Social Media; Fakesters vs Avasters

“So much seems possible at the beginning of a trip, so many things seem brimmed with meaning.” pg 5

(Photo: “hat trick” by cayusa on Flickr, CC license)

“…trickster is a boundary-crosser. Every group has its edge, its sense of in and out, and trickster is always there, at the gates of the city and the gates of life, making sure there is commerce.” Trickster, pg 7

Reading about fakesters led me to this post on fake twitter accounts varying from Fake Steve Jobs to Fake Seth Godin to my favorite, Chuck Norris. Chuck throws down the tracks like

When google has a question, they “norris” it.

And some fakester parodies are richly deserved like rahodeb of Whole Foods (In)Fame(ity).

Motivations for fakester accounts based on famous people might include a desire for attention, satire, performance art, hatred of what a person represents, desire to be in on a “secret”, or admission into a Goffmanesque “back room” to blatant monetary goals. But there is a motivation of some kind that piggy-backs on top of someone else’s fame. Every invention of a new namespace opens up opportunities for these reputation barnacles.

But there is a different type of “fake account” in the form of a completely made up person or object. A persona. And this type of fakester account is lumped in with the impersonators, and this is a mistake. I submit they are entirely different.

In disparaging terms, these are called “sock puppets.” Wikipedia clarifies

“The key difference between a sock puppet and a regular pseudonym (sometimes termed an “alt” which is short for alternate, as in alternate identity) is the pretense that the puppet is a third party who is not affiliated with the puppeteer.”

My problem with the “sock puppet” term is that the pejorative nature overrides the trickster legitimacy and social commentary conveyed. Hence I suggest a new term for those that have passed a social acceptance threshold within the community. For lack of a better word I’ll call these characters Avasters.

Avasters – a character created by a person or persons that is not based on a specific person living or dead. An invented character that acts and behaves with a unique personality. And earns the right to be considered a “person” within the community.


Speaking Engagements for this Week

Three different speaking engagements this week. All in Houston for a change!

  1. TSPRA (Monday) Web 2.0 Trends for Public Relations Professionals on Mon 18-Feb-08 11:00 AM
  2. BMA (Thursday luncheon) What Social Media Means for B2B Marketers on Thu 21-Feb-08 11:30 AM
  3. Sullivan Group (OTC Marketing seminar) OTC Marketing Seminar on Thu 21-Feb-08 2:00 PM

Also note that tomorrow night, Tuesday, is Refresh Houston with Stephen P. Andersen: The Force Behind Star Wars: Turning Design Ideas into Reality on Tue 19-Feb-08 6:30 PM

Link Post

(Photo: Washington Monument, originally uploaded by eschipul)

Link Post:

  1. Ben on why Associations should NOT be on wikipedia (although overall he is for it). I agree, the culture on wikipedia is rough. (We put a ton of energy into getting this amazing man into wikipedia and the community could have been more helpful IMHO.)
  2. Google slammed for privacy and Battelle’s defense of google
  3. Rubel’s attention crash – and he has cut way back on blog posts since going to Edelman. Can’t blame him.
  4. Spin and ChrisPirillo making WAY too many references to the interminably long Charlie the Unicorn goes to Candy Mountain YouTube video. (9 Million + views! = earbug warning.)

The photo of the Washington Monument? No bearing on the link post, just a photo from my walkabout in DC yesterday. Here as a speaker for the Bulldog Reporter Media Summit.

Thinking About Reverse Salients (Still)

"A salient is a protrusion in a geometric figure, a line of battle, or an expanding weather front. As technological systems expand, reverse salients develop. Reverse salients are components in the system that have fallen behind or are out of phase with the others"

A reverse salient simply means that, through no particular action on anyone’s part, there is a huge demand for a particular invention: a portion of the system is out of phase. Identify and solve it. Fun stuff.

Thanks Marc!

Presidential Candidate Web Sites Reviewed on Slashdot

Slashdot, the largest geek-oriented site in the world, has a post comparing the presidential candidates’ web sites.

Reviewing the Presidential Campaign Websites

Yes, slashdot (also shortened to /.) is alpha-geek focused. But it is a definite lead-in to the NYT and the Post. So it is worth the time if you are interested in politics. One last note – if you are not used to the slashdot site, flaming is …er… somewhat normal behavior.

BarackObama – This Campaign is About You!

BarackObama.com – with the social networking component at my.barackobama.com – is the best political web site I have seen yet. No, it does not focus on the corporate donor. But it sure as heck does focus on individuals who want to get involved in his campaign.

I know very little about this candidate. I do know from a geek perspective that he just made a very bold move.

Joost, Wikiseek and Zoominfo

Interesting items from bloglines:

  1. Joost – the guys who do skype do TV. So this should be fun! Currently in beta. Via bb.
  2. Wikiseek – I like this as I regularly search google with "term term wikipedia" so that the top result is from wikipedia. Same with Amazon searches through google. Maybe wikiseek can help.
  3. Zoominfo – this one is showing up more and more. They aggregate information about PEOPLE. Not always accurate but still interesting.

Only Services in an Online World – the copybot cometh

Running a primarily web-based biz I spend a lot of time reading and studying economics. Not the formula-laden macroeconomics studies, but the real-world version. How do we help our clients make a profit while we also make a profit to pay our people more? That version. So I find the copybot threat to product sales in Second Life very interesting. (SL is a virtual world where people interact.)

CopyBot Roils SecondLife Economy

… Somebody in SecondLife, a popular multiplayer virtual world, created a gadget called the CopyBot, which can make a perfect copy of any object in the SecondLife world. (Here’s a Reuters story.) This raises some interesting technical issues, but I want to focus today on how it affects SecondLife’s economy.

and O’Reilly restates the summary in his post on copybot (where I saw this first) as:

Raph’s conclusion is that infinite copying should be accepted as part of the online world and products can’t be businesses, only services.

and from the Reuters story, Revolution (who offered copies of copybot for sale) suggests this economic revision to your business plan:

“Even if I pull this program, plenty of other people out there have it or have the knowledge to create something bigger and better,” Revolution added. “My advice is to offer the whole package when you sell something. Don’t just offer a couch, but a couch that has several custom poses … work one-on-one with people to create unique things, and offer customization services instead of throwing up some prims for sale and forgetting about it.”

Not sure where this is all going, but it will be interesting to watch. And now I will go back to selling services. (Note – I emphasized the word “services” in both quotes.)