Posts by matthew.wilson@pobox.com

3 publicly visible posts • joined 18 Sep 2017

Sole Equifax security worker at fault for failed patch, says former CEO

matthew.wilson@pobox.com

That's spectacular.

That CVE was in the weekly US-CERT alert email. It was discussed in the tech media. It was on The Register front page. The initial fix was in April's Quarterly Patch Set, and somebody in the company should have got an email about that. Here's the advisory that I got in my email. It's pretty clear about the risk.

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html?elq_mid=75866&sh=1426070719220423041815081213153331041230&cmid=SPPT160711P00036#AppendixFMW

Equifax has (or had) 9500 employees, and only ONE person was responsible for keeping an eye on the alerts?

Nah, sorry, it's not that employee's fault. What they have there is a failure to take this stuff seriously.

White House staffers jabbed with probe over private email use

matthew.wilson@pobox.com

Hypocrisy is the world's #1 philosophical framework. The trick is to shout "hypocrisy" first.

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

matthew.wilson@pobox.com

They should have been reading The Register! I read about this bug on this site, I sent up the balloon and we had it patched overnight. I found a ready-to-use curl command that I could use to show the devs just how serious the problem was, and there were no arguments.

I'm actually a bit surprised by how few international-headlines breaches were caused by that bug.