
Protecting yourself after the Equifax personal information leaks

The Equifax leak of our personal information is particularly harmful: it makes identity theft of most credit-holding Americans trivially easy for the rest of their lives. Not for just one year, but until we pass away. The problem is that the information leaked is all the personal details that do not change. Steve Rubin of Phoenix, AZ wrote the best step-by-step guide to how we should react that I have seen so far; I have made a few edits based on my own experience.

Here it is, in ten steps (follow them in order). The first few won’t seem to be directly related, but they create the foundation for what you need to have in place in later steps.

1. Don’t get angry (that comes later). Find a comfortable place to work and maybe get yourself a snack.

2. Set up a password manager, if you don’t already use one. I’m not going to get into password theory too much, but you should be using passwords at least 16-20 characters long, and thus you won’t be able to remember them all. Steve uses 1Password and is happy with it. I use KeePassX and MiniKeePass from the KeePass family. KeePass (http://keepass.info/) or 1Password (https://1password.com/) are best of all; LastPass (https://lastpass.com) is also very good, but be aware its encryption is private and may or may not be secure (though many people and organizations I trust swear by LastPass). Any of the three is vastly better than not having secure passwords in a vault/manager.

3. Secure your primary email address(es). You have to be sure that you can receive communications safely. Set a strong password. Enable two-factor authentication (2FA). Save the credentials in your password manager. A secure email address where you can receive verification codes is needed later; you need to prevent anyone else from taking control of your email address long enough to intercept verification codes sent to it.

4. Secure your mobile phone. Set a strong password. Use Touch ID if you have it. This is where those 2FA codes are going to be sent, so you have to be sure that is completely safe too. Save the credentials in your password manager. Edit: I do not recommend any biometrics as a credential, as it is way too easy to spoof them; a strong passcode to get into the phone is much better. A secure phone number where you can receive verification text messages is needed later; you need to prevent anyone else from taking control of your mobile phone long enough to intercept verification codes sent to the phone number(s).

— the next few steps need the prior ones completed first, so review 1-4 and make sure you have all of that set up —

5. Make sure you have control of your Social Security account. Go to https://www.ssa.gov/ and create an account. Choose every security option it gives you. Save the credentials in your password manager. This agency is likely to use texts, emails, and US postal mail to verify you are who you say you are; plan on it taking several days, but you can press on while you wait…

6. Make sure you have control of your IRS account. Go to https://www.irs.gov/individuals/get-transcript and create an account. Choose every security option it gives you. You don’t actually need to get the transcript at the end (but you can); you just want the account controlled. Save the credentials in your password manager. This agency is likely to use texts, emails, and US postal mail to verify you are who you say you are; plan on it taking several days, but you can press on while you wait…

7. For every bank account, credit card, or other financial account you have, log in and make sure you have a strong password set. Save the credentials in your password manager. Then, go through all the alert options and use them! Get used to receiving lots of emails confirming that transactions are actually yours. That’s your new normal. Assume any bank-issued PINs are compromised and change them. Don’t forget 401(k), IRA, and stock trading accounts, and even airline/hotel frequent flier programs.

8. Are there any new credit cards that you NEED to apply for, insurance policies you are planning to open, or utilities you have to set up? Want a new phone? Anything else that might at all trigger a credit check? Do it now. Then come back to this list. I’m not suggesting doing anything you wouldn’t have done anyway, but if you were two days away from applying for a fancy new credit card, it will be easier to deal with before you lock things down.

9. Set up a schedule for getting your free annual credit reports. Look them over for errors and report any that you find. You get one free from each major agency per year. A possible schedule might be SEP 10 Experian, JAN 10 TransUnion, MAY 10 Equifax (and feel free to hope that Equifax doesn’t exist in eight months…). Set annual calendar alerts and act on them when they come up. The official site is https://www.annualcreditreport.com – be wary of spoof sites, and even of sites run by the credit reporting agencies themselves that do nothing but try to pressure you into buying their commercial offerings (most of which are a rip-off).

10. Set up fraud and security alerts. The upside is that this should mean that a credit agency has to contact you (preferably by phone) before taking an action on your credit history. So if someone tries to use your information, you’ll receive a phone call, and it should be obvious whether the inquiry is on your behalf or not.
The downside is that you have to renew it every 90 days. At the moment, there is no way around this hassle.
You need to contact one of the three major agencies and they will inform the other two. You want an Initial Fraud Alert. It should be obvious that Equifax is a lost cause, so use Experian or TransUnion:
https://www.experian.com/fraud/center.html
https://www.transunion.com/fraud-victim-resource/place-fraud-alert
You also should contact ChexSystems. They deal with new checking/savings accounts, and you don’t want someone else opening one in your name. You want to place a Security Alert: https://www.chexsystems.com

11. BONUS ITEM. Contact your state’s Attorney General and/or members of Congress. Equifax has to be brought to task for this failure (AG), and the rules about how credit works and identities are verified need to be completely rebuilt (Congress).

What about identity/credit monitoring? Equifax is going to be giving away a year of monitoring. That’s standard procedure for these breaches, and when it’s a standard breach that’s a mediocre response. Remember the difference in the type of information, though? This is not a standard breach, so it’s a nearly irrelevant response. You also may (it’s unclear) forfeit your right to join a class action lawsuit if you accept it.

Identity monitoring is really insurance. They promise lots of things, but they can’t prevent anything. They can only react. If you feel more comfortable having that insurance, so that you have a team available to help you in case your identity is compromised, then feel free to get one of these products. But you may want to look for one that isn’t run by one of the credit agencies or their subsidiaries. That seems like a conflict of interest to me.

What about credit freezes? Unless you live in a state that has laws making these free, I don’t recommend them. The biggest problem is that all of the information needed to call a credit agency and unfreeze has been leaked, so you’ll probably just be wasting your money! You can read more about what these are at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

Freedom of speech and public access

I had to stop and think about the possibility of my own hypocrisy today…

I have been casually following the story of Dreamhost (full disclosure, I’ve been a happy Dreamhost webhosting customer for many years) fighting attempts by the US government to collect detailed information on visitors to sites organizing protests against Trump.

While I am fine with specific search warrants pulling data about specific criminal acts, I have become more and more concerned about the abuse of broad search warrants being used to cast a wide net and determine later whom to prosecute; and even more so, given the government’s inability to protect its own data, about what happens to the collected data when it falls into the wrong hands. I have been cheering Dreamhost on for this specific issue because I think this search is too broad.

On the other hand, I have also cheered when Cloudflare (full disclosure, I am employed by a Cloudflare competitor) dumped their customer “Daily-Stormer”, a white supremacist website, because, like most Americans, I am disgusted by the hate speech and vile rhetoric of Nazis, CSA apologists and racists.

Matthew Prince, CEO of Cloudflare, has an interesting explanation of why they dropped their paying customer, Daily Stormer:

Other tech companies are having this same conundrum:

It’s a tough call to make; once you start moderating or censoring, where do you draw the line? Traditionally most large companies have absolved themselves of decision making and hidden behind US legal policy, then tried to push that policy one direction or another via lobbying. That process lends itself to corruption, but it also provides a thin layer of something like due diligence via the public discussion held before the lawmakers sign or reject a bill.

I am all for freedom of expression and speech; but hate speech clearly needs to have a cost or consequences… but at what point are we silencing opposition? Who decides what is opposition and what is the incitement of violence?

I’ve been applauding DreamHost for standing up to Trump’s attempts to collect detailed logs on people critical of Trump – but cheered when CloudFlare dumped DailyStormer… does that make me a hypocrite?

I think confusion over what is public and what is private is widespread.

I do not think I am a hypocrite for cheering both the resistance of DreamHost to US Government demands for the data of Trump critics and the decision of Cloudflare to cancel their customer. One is a private transaction, the other is abuse of public power, compounded by the potential for harm if one of the haters gets their hands on the list of Trump critics… We’ve already seen them send death threats to the parents of the victim murdered in Charlottesville; why should we assume good intent toward people critical of the president from that president’s supporters?

Who really was guilty in the death of Thomas Becket?

Career Change

Friday, March 31st, was my last day at a job I have absolutely loved for three amazing years. Cvent is a great place to work, and they will have an opening for a Linux/Windows systems engineer. I highly recommend this position with a great team and many excellent learning opportunities in a truly integrated DevOps environment. It is with some sadness that I leave to tackle a career change and exciting opportunity.

Today, April 3rd is my first day as a Senior Advanced Services Architect with Limelight Networks – and for the first time since December 1989 I am not directly responsible for any UNIX/Linux servers/services and not on an on-call roster.

Position at the old company needs to be filled:
Senior Linux Systems Engineer

Both Cvent and Limelight are hiring… so if you are looking for work yourself…

No wonder American voters are so poorly informed

I am usually very lucky to be mostly sheltered in a wonderful cocoon that is essentially free of commercial television. When I travel I get disgusted at the number of places that have the propaganda, sensationalist, fake news channel Fox News on and blaring loud all the time. I don’t get that crap at home, nor at any of the places I usually do business; I did not make a conscious effort to arrange this, but my mechanics, my doctors, and my usual places of business either have no TV at all or have real news media (CBS/NBC/ABC/BBC) on if they do. One, my dentist, has daytime TV. When I travel I run into what I expect is more typical for most of America: everywhere the lounge or lobby or waiting room TV is always on, always way too loud, and always tuned to Fox News spreading deliberate lies and misinformation, using titillating or sensationalist news to attract viewers to watch the behavior modification programming called commercial advertisements (eat more SUGAR, SUGAR, SUGAR, CORN, CORN, CORN) and to watch their horrifically bad “journalism” and non-stop fear-mongering. It is no wonder American voters are fat and so poorly informed. I am disgusted. I want to hack the TV-B-Gone to turn the channel to CBS news or BBC news and drop the volume to half in nearly every lobby I visit.

A personal message about the importance of backing up your data

Woo hoo! Time Machine to the rescue.

My personal laptop, work laptop, and Dreamhost shell account all auto-sync a few personal data files of very useful data between them… This morning I corrupted one instance and that corruption was synchronized, wiping out all the work in all three locations…

Thankfully I have two redundant backup plans for my personal laptop:

  • I regularly (about every 2 weeks) do a Carbon Copy Cloner full drive clone to a bootable external USB3 drive… (that gives me a drive I can plug into an emergency rental laptop)
  • I have Time Machine backup my laptop every 2 hours to a Time Capsule (though any Network Storage or external drive should work) – but only copy the changes….

I was able to use Time Machine to go back to 5am this morning (before I was up), grab a clean copy of the file from then, and restore it; then I had to manually re-apply the few changes I made around 7:40am from memory, but that was much better than having to recreate all the data.

Remember to back your data up often and in a couple of different ways.

Microsoft Surface Studio, impressive!

Microsoft announced a new desktop computer yesterday, and I confess I am usually in the habit of ignoring Microsoft announcements because they typically offer nothing I am interested in; but yesterday’s announcement is stunning and groundbreaking. The new Surface Studio is the first Microsoft product I have actually wanted since Photosynth launched in 2008…

Microsoft Surface Studio

It’s quite expensive, but it is so ground-breaking and such a polished design that I can see it changing the industry and the way we do desktop computing over time as competitors implement some of the features. This is the sort of innovation usually developed by Apple.

Very impressive.

Firefox 49.0.2 update – beware…

So apparently the new Firefox update (49.0.2) overwrites your cert8.db file. For many people that does not matter, but if you have a lot of self-signed certs and internal-to-your-company certificates to trust, this is a catastrophe unless you backed up your cert8.db or can get another copy from your corporate IT folks.

On a Mac it is located at ~/Library/Application Support/Firefox/Profiles/__your_profile__/cert8.db
Back up that file before you update to 49.0.2.
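Here is an added example (mine, not Mozilla’s tooling) that backs up every cert8.db under the profiles directory named above, checks each copy by SHA-256, and can put one back after the update has replaced it; the backup directory name is my own choice.

```python
"""Back up every cert8.db under a Firefox profiles directory before upgrading,
verifying each copy by SHA-256, and restore one afterwards. Added illustration for
this post, not Mozilla's tooling; the default profile root is the macOS path named
above, and the backup directory name is my own choice."""
import hashlib
import shutil
import time
from pathlib import Path

DEFAULT_PROFILES = Path.home() / "Library/Application Support/Firefox/Profiles"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_cert_dbs(profiles_root=DEFAULT_PROFILES, backup_dir=None):
    """Copy <profile>/cert8.db to backup_dir/<profile>-<stamp>-cert8.db.
    Returns (source, copy, sha256) triples; raises if a copy does not match."""
    backup_dir = Path(backup_dir or Path.home() / "cert8-backups")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    results = []
    for src in sorted(Path(profiles_root).glob("*/cert8.db")):
        dst = backup_dir / f"{src.parent.name}-{stamp}-cert8.db"
        shutil.copy2(src, dst)            # copy2 keeps the mtime, so the backup shows its age
        digest = sha256_of(src)
        if sha256_of(dst) != digest:      # never trust a backup that did not copy cleanly
            raise RuntimeError(f"hash mismatch copying {src}")
        results.append((src, dst, digest))
    return results


def restore_cert_db(backup, profile_dir):
    """Put a saved copy back after the update has replaced it; returns its hash."""
    target = Path(profile_dir) / "cert8.db"
    shutil.copy2(backup, target)
    return sha256_of(target)


if __name__ == "__main__":
    for src, dst, digest in backup_cert_dbs():
        print(f"{src} -> {dst} ({digest[:12]})")
```

Close Firefox before restoring, since it writes cert8.db on exit and would overwrite the restored copy.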

The importance of good examples in coding and configuration files

My employer has chosen to use DataDog for some of its monitoring, and I have been having a really hard time getting simple process monitoring to work reliably. Turns out that the process.yaml file syntax used by DataDog agents is very dependent on the Python psutil library calls, and there is quite a difference between single quotes (used in Datadog’s examples) and double quotes (needed for searching for running processes where the unique string is in the middle of a very long command line).

Datadog’s Process check is documented pretty well at Process check, and the simple checks are easy and work right away. Checking for a running httpd process or nginx process is trivial using the example, and the PID check works, though I am not sure how useful it is as pretty much no one uses static PID assignment. What the examples need to include is an effective fuzzy search to pull the existence of a specific instance of a Node.js or Java servlet out of many possible running processes. The simple name search for ‘java’ is not very helpful, as I have as many as a dozen separate Java servers running on a host. Likewise a simple name search for ‘node’ is useless as I have as many as thirty Node.js servers running at a time… I spent far too many hours trying to get the exact name match to work until I discovered that the switch to double quotes and the use of the exact_match: False option make this fairly reliable… given that running node and java are so common, why doesn’t DataDog include examples of that?

Here are mine, /etc/dd-agent/conf.d/process.yaml contents:

init_config:

instances:
  - name: cassandra
    search_string: ["java -ea -javaagent:/usr/share/dse/cassandra/lib/jamm-0.2.5.jar"]
    exact_match: False
    ignore_denied_access: True

  - name: nodejs.mu.fuzzyblink
    search_string: ["node /full/path/to/nodejs/bin/mu/fuzzyblink.js"]
    exact_match: False
    ignore_denied_access: True

Run service datadog-agent restart ; sleep 8 ; service datadog-agent info to restart your Datadog agent and verify the syntax of your process.yaml file.

Now you can set up a process monitor alert through your DataDog cloud account and look for process:cassandra and process:nodejs.mu.fuzzyblink metrics coming in from the agent. The double quotes are the key.
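To see why exact_match is the setting that matters, here is an added example (mine, not the Datadog agent’s code) that models the check’s documented matching rules against a constructed process table: the pids and command lines are invented, and find_pids is a simplification of the agent’s lookup.

```python
"""Model of how a Datadog-style process check resolves search_string against
a process table, showing why exact_match: False is what makes matching a long
command line work. Added illustration written for this post, not the Datadog
agent's own code; the process table is constructed, and the matching rules are
the documented ones (exact_match True compares the process *name*, False
searches the joined command line)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str     # what psutil.Process.name() returns
    cmdline: str  # " ".join(psutil.Process.cmdline())


# Constructed sample: several java and node processes, one of each we want to watch.
SAMPLE_PROCS = [
    Proc(101, "java", "java -ea -javaagent:/usr/share/dse/cassandra/lib/jamm-0.2.5.jar "
                      "-Xms4G org.apache.cassandra.service.CassandraDaemon"),
    Proc(102, "java", "java -jar /opt/app/orders-service.jar --port 8081"),
    Proc(103, "java", "java -jar /opt/app/billing-service.jar --port 8082"),
    Proc(201, "node", "node /full/path/to/nodejs/bin/mu/fuzzyblink.js --cluster"),
    Proc(202, "node", "node /full/path/to/nodejs/bin/mu/heartbeat.js"),
    Proc(203, "node", "node /full/path/to/nodejs/bin/api/server.js"),
]


def find_pids(instance, procs=SAMPLE_PROCS):
    """Pids an instance would count; exact_match defaults to True as in the agent."""
    exact = instance.get("exact_match", True)
    hits = set()
    for needle in instance["search_string"]:
        for p in procs:
            if exact and p.name == needle:              # whole process name must equal the string
                hits.add(p.pid)
            elif not exact and needle in p.cmdline:     # substring anywhere in the command line
                hits.add(p.pid)
    return hits


# The two instances from the post, plus the variants that do not work.
CASSANDRA_STR = "java -ea -javaagent:/usr/share/dse/cassandra/lib/jamm-0.2.5.jar"
NODE_STR = "node /full/path/to/nodejs/bin/mu/fuzzyblink.js"


def demo():
    return {
        "naive_java": find_pids({"search_string": ["java"]}),            # every java pid: useless
        "long_exact": find_pids({"search_string": [CASSANDRA_STR]}),    # empty: cmdline != name
        "cassandra": find_pids({"search_string": [CASSANDRA_STR], "exact_match": False}),
        "fuzzyblink": find_pids({"search_string": [NODE_STR], "exact_match": False}),
    }
```

The long_exact case is the hours-lost failure: with the default exact_match the long string is compared against the bare process name and never matches.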


3rd generation Ford Focus owner/driver tips

Ford Focus, DCT transmission anomalies explained, and some useful information for 3rd generation Ford Focus owners/drivers.

We’ve been reading loads of useful information and tips at: focusfanatics.com

In particular, this posting makes a LOT of sense:

Ford Powershift DCT Transmission info use guide new owners look here

Trump, the GOP, and The Fall

This is absolutely brilliantly written and worded; and expresses exactly my feelings on the current election and self-destruction of the Republican party… I confess I never know if I should cheer on that self-destruction, or lament the loss of a reasonable and rational counterpoint to the Democratic party, which does need a healthy check against it often.

http://daringfireball.net/linked/2016/10/12/scalzi-trump

Update: I should also point out the full, original text by Scalzi himself is at http://whatever.scalzi.com/2016/10/11/trump-the-gop-and-the-fall/, I just think John Gruber did such an amazing job excerpting the key portions and commenting that it was worth linking to his review of Scalzi’s text.