Yet Equifax continues to evade giving details on the attack. That itself is damning evidence they weren't doing everything they should have been to protect their servers and data.
or a digital signature, or a MAC. Something where we could verify against a publicly-known value safely, and without giving that secret part away to anyone else. The secret would be between the Federal Government and the citizen.
They would probably have to go through a similar procedure as they do to get a replacement social security card. That is, they would have to present at least a driver's license and US passport at one of the local Social Security Administration offices.
At that point, they can regenerate the key-pair and have the SSA official sign the public key and keep that on file.
Now, presumably, it is possible to forge both documents, but I would think that the government could check their records (federal and state) to verify the authenticity of the provided documentation.
Exactly. You can't have perfect trust in every citizen to keep track of these things. And if it's a government issued ID in the first place, I see no trouble with them having your private key as well. Just don't reuse that key.
This would take a lot of solid investment politically, and technically, to make it even slightly feasible to work for the average Joe.
I suppose the information is hidden to prevent gaming the system. As someone mentioned in another thread, they took out a loan for $1000, sat on it and just paid it off. Credit score goes up with zero risk for just the cost of interest. If the algorithm were exposed, it would be easier to game.
If the things they were tracking are reliable indicators of "credit-worthiness" then it would not matter if you "game the system" or not.
It's like that story about robbing the bank. First, we get jobs at the bank. Then we go in and work the jobs every day... (spoiler: we never actually rob the bank, because we get cushy jobs with benefits, and retirement plans. That's brilliant!)
Anyone with a good credit score can decide to burn their credit at any time. Loss prevention can also step in and cancel your cards at any time if they decide that you've gone off the deep end. They probably won't... but they could.
Any metric is gameable. And, if the current algorithm is the best way to predict "credit-worthiness," publicizing its details will drive consumers toward different behavior, which makes it less powerful.
Imagine Google made its own credit score, based on your searches, social contacts, etc. It turns out that someone clicking on ads for product X has a very high likelihood of repaying their debt. This information ends up publicly leaked.
What do people start doing? How does this affect the quality of Google's credit algorithm?
A reliable indicator of whether you will pay your bills in the future might be whether you paid your bills in the past. There is no way to game this metric, other than by paying your bills.
You just chose a metric that would be easily gamed and said that any metric is gameable.
> There is no way to game this metric, other than by paying your bills.
Except the exact situation outlined above, in which a person generated bills that they otherwise wouldn't have needed, for the sole sake of having more bills "paid on time".
So, how does one get over in gaming this metric? Take out a lot of credit accounts once your credit is good and then default on them? What's the end game where they come out ahead? See prior comment about the bank job... that's just called having and ruining your credit.
Taking out loans that you don't need, not spending the money, and paying them back on time (with interest) should be a very positive credit score indicator.
It shows that the person is planning ahead, is careful with not overspending even if they have cash available, is organized enough to make all the monthly payments on time. To me that seems like a better signal than someone who does need the loan.
How would a person who takes out the same loan, but actually spends the money be a better credit risk?
I agree, but in fairness, the way credit agencies use that information is nonetheless gameable. They ignore all of your payment diligence when it comes to bills (utilities, rent, cable, etc) but consider it a positive indicator when you get a credit card that you pay off every month.
This leads people to do something they don't want to do, and is no more informative than paying all those other bills would have been, merely to increase their score. That's a kind of gaming.
I think you do have to consider too, that these companies also want to give you credit (it is their business), and in many cases they will likely have insurance that pays when you default.
If the way they have allowed you to "game" this metric results in you signing up for some credit in order to improve your credit score, that's nothing but a net win for them. They got you some credit, that's definitely a score for them.
(I'm not saying that credit card companies would prefer all of their customers to default, they would never be able to buy insurance again... I just want to put it out there that maybe the system works exactly this way, 100% deliberately, because it benefits them too.)
But that is an indicator of credit worthiness. Having the financial discipline to spend your money repaying your obligations rather than treating yourself is a worthwhile indicator, regardless of how the situation comes about.
If you're just hashing with SHA2 and a salt, an attacker with a run-of-the-mill GPU could crack any given hash quite quickly. It might still take quite a bit of time to get all 143 million, but that's fine. Sell off the score in blocks of 10,000 and let the customer know they have to reverse the hashes themselves.
Bankruptcy is the strange other side of the US debt system. In this case, it would be an unfair get out of jail free card, a shirking of responsibility.
When the language permits a nonsense comparison like this, the spec needs to be complex, and within the logic of the spec, yes, it makes sense.
The original error was allowing a nonsense comparison. Which is greater, 10 or fish? If you permit asking this question, you'll occasionally get weird results.
I propose we call Javascript a "quantum mechanical programming language" because the value of a variable can never be determined if it is compared to another by observing it directly.
I can just hear it now: "It helps to think of variable conversions in comparisons as a 'cloud' of value probabilities instead of a discrete value"
Both the > and >= make sense. Having a >= b <=> !(b > a) ensures consistency (though it requires that your set be at least weakly ordered; a partial ordering is not enough, and NaNs break everything as usual...). This time IMO it's really the == that's broken. Given that it's really lenient with implicit conversions anyway, it should also apply ToNumeric to null, returning 0==0 which is, of course, true. If you want strict equality you'd use === as usual.
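An added example, not from the thread, modelling the two spec algorithms this comment contrasts: the relational operators are all defined through one `<` comparison that runs null through ToNumber, while abstract equality short-circuits null before any conversion, which is exactly why `null >= 0` is true and `null == 0` is false. Only primitives are modelled (no objects, Symbols or BigInts); `mismatches` cross-checks the model against the running engine.

```javascript
// Added example (not from the thread): a primitives-only model of the ECMAScript
// Abstract Relational Comparison and Abstract Equality algorithms, showing why
// `null >= 0` is true while `null > 0` and `null == 0` are both false.
function toNumber(v) {                         // ES ToNumber for the modelled types
  if (v === null) return 0;                    // null -> +0
  if (v === undefined) return NaN;             // undefined -> NaN
  if (typeof v === "boolean") return v ? 1 : 0;
  if (typeof v === "number") return v;
  if (typeof v === "string") return Number(v); // StringToNumber
  throw new TypeError("not modelled: " + typeof v); // objects, Symbol, BigInt
}
const isNullish = (v) => v === null || v === undefined;
// Abstract Relational Comparison x < y: true, false, or undefined if NaN is involved.
function lessThan(x, y) {
  if (typeof x === "string" && typeof y === "string") return x < y; // code-unit order
  const nx = toNumber(x), ny = toNumber(y);
  if (Number.isNaN(nx) || Number.isNaN(ny)) return undefined;
  return nx < ny;
}
// The relational operators as the spec defines them via `<` (undefined maps to
// false). `x >= y` is "(x < y) is false", so null >= 0 is !(0 < 0) === true.
function relational(op, x, y) {
  switch (op) {
    case "<":  return lessThan(x, y) === true;
    case ">":  return lessThan(y, x) === true;
    case "<=": return lessThan(y, x) === false;
    case ">=": return lessThan(x, y) === false;
    default: throw new Error("unknown operator " + op);
  }
}
// Abstract Equality x == y: null/undefined equal only each other and never reach
// ToNumber, which is the asymmetry with `>=` the comment above objects to.
function looseEquals(x, y) {
  if (typeof x === typeof y) return x === y;   // same type: strict comparison
  if (isNullish(x) || isNullish(y)) return isNullish(x) && isNullish(y);
  if (typeof x === "boolean") return looseEquals(toNumber(x), y);
  if (typeof y === "boolean") return looseEquals(x, toNumber(y));
  return toNumber(x) === toNumber(y);          // number vs string
}
// Cross-check the model against the real engine; returns expressions that differ.
function mismatches() {
  const cases = [[null, 0], [undefined, 0], ["10", "9"], [10, "9"], ["0", false], [NaN, NaN], [true, "1"]];
  const out = [];
  for (const [x, y] of cases) {
    const native = { "<": x < y, ">": x > y, "<=": x <= y, ">=": x >= y, "==": x == y };
    for (const op in native)
      if ((op === "==" ? looseEquals(x, y) : relational(op, x, y)) !== native[op]) out.push(`${String(x)} ${op} ${String(y)}`);
  }
  return out;
}
```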
It makes sense when you're dealing with real numbers, which I think is what he's getting at. It only falls apart when you try using the operator with other types.
Right, which is where I think the actual return value ought to be "undefined" or something. Or an error. But I'm clearly in the minority on my thoughts of the js type system.
But then again, you can avoid having to make intertype comparisons in the first place by following reasonable guidelines. As funny as this case is, I can't imagine how I'd run into it in practice.