
I was saying this[0] in the other thread, but I'm not sure this ends with laughs and `aw shucks`es for Nick. Equifax has been remarkably ham-fisted in every regard, from their initial exposure, to their inability to patch, to their getting breached, to their mishandling of disclosure, to their lax and callous response, etc etc etc. Nick's site looked and acted like a real phishing site. Equifax, as well as the court of public opinion and an actual court, might not be able to detect the nuance here and a reasonable case could be made that this was an attempt to phish off of Equifax's debacle.

The NYT writing it up certainly helps his case, but there were probably more tactful ways of going about this.

[0]: https://news.ycombinator.com/item?id=15297877



No way. There is no better or more tactful way to show how roundly incompetent the company is, and continues to be, than to put up a domain name that is confusingly similar to the already confusing, pointless, dangerous domain that they put up as a response to their breach... and then proceed to watch them as they tweet it out to a half dozen or more of their customers, as if on cue.

There just isn't! It's perfect. Many people who are professional security types said on Day 1 that this would happen, and sagely advised that it might be unwise for anyone to put part of their SSN into a two-day old website on a previously unknown domain that looked like Baby's first PHP, just as news of the breach was still breaking.

And that it was similarly unwise to ask them to do so! So can we just unplug Equifax already? Please? It should be clear who the guilty party is here, and it starts with an Equifax.


Thoroughly disagree. While I do think Equifax should be raked forcefully over the coals for their gross and pervasive misconduct, setting up something that is virtually equivalent to a phishing site does not punish them or create relief for exposed parties. It just sows more confusion, and creates a distraction that Equifax could conceivably use to divert attention away from their own fiasco.


That's understandable. I just don't see how anything good comes from this breach unless we can get eyeballs on poor security practices. Because nobody else between you, me, and the wall seems to be paying any attention to this at all.

There's no relief forthcoming that is possible. The only way things get better now is if we dismantle the entire credit system as we know it; the cat is out of the bag. I'm not interested in punishment. I want to see more serious attention given to prevention.

First, I want to see the license and the keys taken away from the repeat offending drunk driver. Who gave them keys anyway? I sure as hell didn't sign up for this, I want to get off Mr. Bones' Wild Ride.


If he hadn't collected any info posted to that site, it'd be at least reason to dig deeper into motivation. Saving people's names and SSNs really would look bad but if the site was just static HTML with no backend and no plausible way for him to see the data entered then it's some evidence that he was honestly trying to prove a point, not phish.


I honestly believe that he was trying to prove a point and not phish. I'm cautioning that I think it's a dangerous game to play.

A website doesn't need to have a "backend" or make a POST request or use a submit button to transmit data that you enter on it to another party. You should assume that ANY ACTION you take on any website is being transmitted to the server or to any third party. Key strokes, mouse moves, time on page, info about your browser and location, all of it.

A bad actor could mimic this sort of "prove a point" site and actually harvest information from unwitting people, all while feigning concern and saying they're proving a point, but carefully disguised JS could be encrypting page events and sending them in cookies to other parties. If we normalize this kind of security grandstanding, we open the door a little bit wider to phishers.

Browser maintainers were right to mark the site as a phishing site. Because it is. It doesn't matter if it transmitted data or not. I guess you could call that "catch and release".


I was very careful to remove any scripts loaded on the page, and I both disabled the FORM submitting and pointed it to localhost.

That being said, your concern is warranted; I think Cloudflare and browsers did the right thing by blocking my site. It served its purpose, and as of 4pm CT today I took it down and destroyed the droplet it was running on. I collected no analytics while it was running off Cloudflare, and kept no logs.

Hopefully Equifax doesn't sue me in the next few months.


Thank you for being forthcoming about all this. I don't mean to be a pain in your ass and I know your intentions are good. I hope this all ends up being a force for good and that things like the NYT coverage help avoid legal issues with Equifax. Good luck to you in that regard.

For the record, the favicon requests that went out after "submitting" your site's data did not appear to transmit any form data to that server. I just noticed that it'd be trivially easy to do that if someone else emulated this as a bad actor.

I think we can all agree that Equifax chose extremely poorly with a separate domain name, one that is just crassly phishy-sounding already, and opening itself up to actual bad actors.
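The two points made above (a page needs no backend or submit button to carry what a visitor types somewhere else, and the claim that the lookalike site had no scripts, a form pointed at localhost, and a favicon request that carried no form data) can be turned into a quick defender-side screen of a page's static HTML. The script below is an added example, not Nick's site and not code from anyone in this thread. It lists the channels that an HTML page exposes for moving visitor input off the page: any script, any inline event-handler attribute, any form whose target is not the visitor's own machine, and any resource load that goes to a third-party host or carries a query string. The two HTML documents it audits are constructed for the example, and the finding labels (`script`, `event-handler`, `form-target`, `external-resource`, `tagged-resource`) are this script's own naming.

```python
"""Static audit of an HTML page for channels that could carry visitor input
off the page. Added example; the sample pages below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that resolve to the visitor's own machine: a form aimed here goes nowhere.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _host(url):
    # None for relative URLs, i.e. the server that served the page itself.
    return urlsplit(url).hostname


class ExfilAudit(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases attribute names

        # Inline handlers (onkeyup, onsubmit, ...) run code on every interaction.
        for name in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))

        if tag == "script":
            self.findings.append(("script", attrs.get("src") or "inline"))
            return

        if tag == "form":
            # A relative or empty action submits to the page's own server,
            # which is exactly where typed data must not go.
            action = attrs.get("action") or ""
            if _host(action) not in LOCAL_HOSTS:
                self.findings.append(("form-target", action or "(same page)"))
            return

        if tag == "a":
            return  # plain links only load on a click

        # Automatic loads (img, link, iframe, object ...) happen without a submit.
        for key in ("src", "href", "data"):
            url = attrs.get(key)
            if not url:
                continue
            host, query = _host(url), urlsplit(url).query
            if host in LOCAL_HOSTS:
                continue
            if host is None and not query:
                continue  # a plain same-server asset such as a stylesheet
            kind = "tagged-resource" if query else "external-resource"
            self.findings.append((kind, f"{tag} {url}"))


def audit(html):
    """Return the list of (kind, detail) findings for an HTML string."""
    parser = ExfilAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_sealed(html):
    """True when the page exposes none of the channels this audit looks for."""
    return not audit(html)


# Constructed: what a "no scripts, form pointed at localhost" page looks like.
SEALED_PAGE = """<html><head><title>Am I affected?</title></head>
<body><form action="http://localhost/" method="post">
<input name="last_name"><input name="ssn_last6"><button disabled>Check</button>
</form></body></html>"""

# Constructed: the same page with several ways to carry input off it.
LEAKY_PAGE = """<html><head>
<link rel="icon" href="https://tracker.example/favicon.ico?v=3">
<script src="https://cdn.example/analytics.js"></script></head>
<body><form action="/check" method="post">
<input name="ssn_last6" onkeyup="beacon(this.value)">
</form><img src="https://img.example/p.gif?uid=1"></body></html>"""


if __name__ == "__main__":
    for label, page in (("sealed", SEALED_PAGE), ("leaky", LEAKY_PAGE)):
        print(f"{label}: sealed={is_sealed(page)}")
        for kind, detail in audit(page):
            print(f"  {kind}: {detail}")
```

This is a screen, not proof: it only sees the HTML you feed it, and a server or CDN can serve different content to different visitors, so the page a browser-maker or a sceptical user actually receives is the one worth auditing. A result of no findings says the static markup has no obvious channel; it says nothing about logs kept server-side, which is the other half of what the poster above had to state on trust.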


Sorry to say that I do think you should talk to a lawyer before you do anything else. An initial free consultation would be worthwhile.

I’m not sure it’s Equifax suing you that you should be most concerned about. Equifax’s giant fuckup has already stirred up the prosecutorial wasps; they’re all looking for something to sting.
