I feel a bit accomplished this year: I’ve made it to two SQLSaturdays in the same calendar year. This SQLSaturday was put on by the Denver SQL Users group and was hosted at the University of Denver. There were a number of sessions I wanted to attend, and they all seemed to be in the same block. I hate when that happens. I’m hoping I can catch a YouTube recording of some of the ones I missed. Sadly, Idera wasn’t there this time, so I didn’t get a new duck like at the last one. What’s up with that, Idera?
In the meantime, here are the sessions I did make it to:
How to Build Your Brand and Become a Thought Leader – Patrick LeBlanc (b/t)
If you ever get the opportunity to see Patrick deliver a session in person, do it. Not only was the information good, but Patrick has a great speaking style that makes the session fun. Patrick gave a great presentation on personal branding and how becoming a thought leader ties into that. The greatest takeaway from this session was Patrick’s advice about not letting your brand get swallowed up by the company you work for. You have to keep working on your brand, your resume, your career, because to the company you’re just an expense that can be eliminated at will. Having personally been through that kind of downsizing, it really struck a nerve with me.
SQL vs NoSQL – Eric Peterson
At this SQLSaturday, the organizers tried out something different. Instead of doing a box lunch with a $10 donation upfront, they built in 90 minutes for folks to go offsite and get food. It was kind of a nice change. I ended up eating with current and former coworkers, so it wasn’t bad, as opposed to the previous SQLSaturday where I just quietly ate my box lunch alone.
Becoming a Master by Giving it All Away – Michael Wall (b/t)
This was a good presentation on why you should be sharing your knowledge. In fact, you should be sharing that knowledge in the form of teaching other people what you know. Why? Because by learning the material well enough to teach it, you’re reinforcing what you already know. More importantly, someone is going to ask you a question about the material from a perspective you hadn’t considered, forcing you to learn even more about the material. I thought this was a nice complementary session to the branding session earlier in the day.
Profiler is Dead! Long Live Extended Events – Keith Tate (b/t)
I struggle with Extended Events, and not because I prefer Profiler. I struggle with Extended Events because the UI is clunky and not very intuitive, which, come to find out, is why a lot of people struggle with it as well. At least I’m not alone. This was a good beginner session, but I had hoped to get a little more in depth with it than just setting up a basic trace. I still learned a couple of things I wasn’t aware of, so it gives me hope for the next time I try to use it.
End of the day
There were 3 or 4 sessions in this block I wanted to check out, but as always at these events, you have to pick one.
Tame your Data with Constraints – Rob Volk
This was a really good session with lots of information. While it was geared towards beginners, it reminded me of some points I hadn’t thought about since I was in school. And let’s face it, I don’t get the opportunity much at the moment to work with development stuff. So I found a lot of useful information in this session.
Like every SQLSaturday, there is a raffle at the end of the day. Vendors and sponsors put up prizes to win; the only catch is you have to be present to win. At the Colorado Springs SQLSaturday I won a free copy of SQL Toolbelt. I can’t tell you how much I love that tool. So I wasn’t upset I didn’t win the quad-copter… lol. No really, it’s a good time to show your appreciation for the sponsors and organizers. They are just like you, giving up a free Saturday to put on an event for you.
Afterwards I guess there is a social event, but I wasn’t able to attend. The wife wanted to see me a little bit.
I’m going to start off this post with an apology: I am sorry for the rant that is to come. I don’t like posting rants on this blog site; I usually do that on my personal blog. So why break protocol and post it here? Well, because this rant is directed at the data professional community and the management of every company that holds some sort of personal data, whether it is PCI, HIPAA, or some other sort of personal data like financial information.
Organizations that store personal data have an obligation to be good stewards of that data. Please do not misunderstand me, I’m not calling out the entire community of data professionals or their managers. I believe deep in my being that 99% of the folks working with data protect it like it is their child. Ya, Data Professionals are weird like that. But apparently there are some who are not as vigilant as they should be. How do I know this? I give you the Equifax debacle… (in case you weren’t aware, 143 million identities were hacked from Equifax).
Forgive me, because I am still struggling to wrap my mind around this… gross misconduct. How does one of the three largest credit agencies get hacked for essentially three months without anyone noticing? The better question is, why was it so easy? They can’t say they didn’t expect this. They can’t say they didn’t have anything worth stealing. Hell, they certainly can’t say they weren’t aware of the implications if this data was breached. It is expected that these types of organizations should be LEADERS in data security. But I don’t see it in this case. In fact, all I see is one failure after another. From Equifax’s PR page:
…Criminals exploited a U.S. website application vulnerability to gain access to certain files. – Equifax
This single statement leads me to the following assumptions:
The hackers were foreign-based, possibly Russian or Chinese, but most likely an organized group like Anonymous (using them as an example of an organized group of hackers, not that they did it)
The files were not encrypted
The data was not masked
Equifax was poorly monitoring access to this data
Which makes me wonder, why was this data in a file in the first place? Why was none of it masked? And for the love of God, why was it NOT encrypted while the data was at rest? Now in fairness, I suppose the data could have been in a database and the PR folks are using the word “files” because it’s easier to convey. I don’t know that I believe that. It could have been in a flat file system like Hadoop. Where it was isn’t the point; the point is the lax security surrounding the data.
While the technical questions are numerous and it’s going to be interesting to learn how this happened, the bigger concerns lie with the response to the scenario and how Equifax “leadership” chose to handle it, or as far as I’m concerned… didn’t handle it.
That’s not the worst part
In fairness, Equifax, as one of the three major credit agencies, has a target painted on its back. Every IT professional under their employ should KNOW hackers are gunning for them. If they didn’t think that, know that, or believe that, then those IT folks are complacent. Actually, worse yet, they are incompetent. The so-called leaders should have known this, though. However, as IT people and Data Professionals, we understand there is a delicate balance between security and usability. We can completely secure the data; the problem is the business won’t be able to use it, or anyone else for that matter. But I digress, and that’s beside the point.
What’s worse than allowing a data breach to go on from mid-May to the end of July? Waiting until September to tell the people who will be directly affected. Ya, I get it, there was an ongoing investigation, and announcing there was a breach on July 30th or August 1st might have compromised that investigation. Investigation be damned, 143 MILLION identities have been compromised, and Equifax, along with the authorities investigating the breach, continued to allow the hackers to mobilize on the data for another month before telling anyone. Let that sink in for just a few moments. Equifax and the investigating agencies were COMPLACENT in notifying the public. One also has to wonder if someone in the government wasn’t aware of this fiasco.
143,000,000 people’s lives will forever change with this single lapse in security
From this point forward, until the day they pass from this world, they will have this hanging over their heads. They (the 143 million) will have to proactively monitor their identity to fend off attacks. The system is set up so victims have to jump over hurdles to prove they are innocent. The costs and time associated with having your identity restored can wreak havoc on the victim’s life. Emotional and financial stress could be overwhelming. Negative credit can affect housing, jobs, and god help you if the thieves use your identity in a crime. Don’t believe me? Google it.
Oh, and stop for a minute and realize that at the same time this is being dropped in our laps, how many people in Houston and Florida are even aware of this news because of the hurricanes? Fantastic timing, Equifax. If only you had known sooner…
Equifax comes out and says they’ll give everyone one free year of credit monitoring to help monitor their credit. Seriously? Why on Earth would I trust you to protect me from the very mess you created? Honestly, what makes Equifax think I would trust them? Why would anyone trust them now? I didn’t want them to have my information in the first place, but hey, the world revolves around credit, right? Someone has to have a dossier and monitor aspects of our lives to make sure we are worthy. Oh, and the agreement to this monitoring service reads like you have to give up your right to sue.
So first Equifax throws you under the bus, then they back it up over you a few times to make sure it really hurts.
But wait, there’s more
I swear, this is like a horrible Greek tragedy. It is so absurd you want to cry, but all you can do is laugh…
Equifax did such a lackluster job of communicating after the breach that shortly after the news hit mainstream news outlets, their website crashed. Customer service was overwhelmed, and some reports state customer service wasn’t aware of the breach at all. And because this isn’t crazy enough, they aren’t telling people if they’ve been compromised until a later date. If you do get through, you have to enter 6 digits of your SSN and trust them with more personal data. Are you kidding me right now? They think they should be trusted with more personal data? Also, the website was set up off their main page, so it unintentionally looks like a phishing scam. Oy vey…
Pausing for a deep breath… and to let my blood pressure come down a few notches…
Equifax was not only compromised, Equifax took over a month to say anything, and now people are being told they have to wait to sign up for the free monitoring service? On top of that, their own customer service staff wasn’t briefed on the situation on the day of the announcement. Excuse me, but what did you think was going to happen when you made this announcement? Did they not think people would freak out? See what I mean by Greek tragedy? Not to suggest Equifax is anything like Zeus, but I think 143 million Prometheus(es) will be crying out for a long, long time.
And for the Grand Finale…
As if all of this wasn’t bad enough, the press reports that days after the hack was discovered, the CEO Rick Smith, the CFO John Gamble, and Rodolfo Ploder sold shares of their Equifax holdings. But… and wait for it… because this reads like the dog ate my homework…
The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”
I apologize again, because I can’t hold it in any longer…
Are you EFFIN kidding me?
The largest data breach in the history of the organization, over 143 million identities compromised, and the reputation of one of the 3 largest credit agencies destroyed, and you’re trying to tell me the CEO, the CFO, and another executive didn’t know. One word.
No way does this not make it up to the CEO’s desk hours after the breach is discovered. No manager is keeping this from their boss. Doesn’t work that way, folks. Hell, I promise you the CIO knew within the first hour of the discovery. Maybe they didn’t know the full extent in those first few hours, but they knew they had been compromised. And as political as organizations are in the management ranks, the CIO is trying to CYA and report this discovery up the chain. So, no way do I believe for a second these three execs didn’t know what was going on. By the next day, they had a really good idea how bad the situation was. Now maybe they (the executives) already had the sale in the works, but they had plenty of time to stop it to save face.
To sum up
Equifax was breached; 143 million identities are now in the wild and fully compromised. Equifax took their sweet time disclosing the hack, they offered an ineffective response to the situation, and they have offered to monitor their mistake with a crappy service. Then it comes out that 3 execs sold off stock days after finding out about the hack, but released a public statement that they didn’t know about it.
You better believe this will cause a reckoning. The New York State Attorney is already looking into this. Congress will have to get involved. And for the 143 million affected, this is going to be a lifetime of headaches. I personally do not see the credit industry not being completely overhauled, and I also do not see Equifax surviving as a company. In the coming weeks, this is only going to get worse. The lawsuits will destroy Equifax. I personally can’t wait to hear where the security flaws were. This is also going to serve as a wake-up call to people regarding just how important this data is (as if they didn’t know already). This will be a teaching moment on the scale of Enron.
And finally, to completely sum up the entire situation, I leave you with this clip from Clark Griswold, because we may as well have a good laugh… the audio is probably not safe for work, though.
Obviously in the video, Equifax is Shirley.
Just in case someone needs a guide on Identity Theft protection, I’ve included one here.
Maybe I’m just old school, or maybe I just suck at business in general, but I don’t think it’s asking much to respect your customers. I certainly understand there are decisions that need to be made to keep a company afloat and in business. I mean, you have to worry about the bottom line and the employees (hopefully the employees come first, but that is a different rant). Recently Code42, the company behind the Crashplan backup service, announced they were no longer going to offer Crashplan to regular consumers, i.e. you and me.
Here’s a screenshot of their announcement:
So what, why does this piss you off?
It’s not my business, right? I shouldn’t care how they pursue revenue. Ya, you’re right, I shouldn’t. The problem is, as a 20-year career IT guy… I have recommended their service time and again, both personally and professionally. So it sticks in my craw, so to speak, that they would just throw out an entire business model. Again, not my business or my revenue stream, but it was my recommendation and my reputation that suggested you could trust these people. They abused that implied trust. Maybe I’m the only one who sees it that way and I should just get over it. On the other hand, maybe that’s what’s wrong with the world today… no one cares about anything but their bottom line, and they’ll get the most money by any means necessary.
Because after all, when you tell me your focus is solely your enterprise customers, you’re telling me you are focusing on greater revenue streams. And as an IT professional: you screwed me over at home, so do you think I’m going to let you have that opportunity at my place of employment?