As part of an ongoing legal battle to get the New York City Police Department to track money police have grabbed in cash forfeitures, an attorney for the city told a Manhattan judge on October 17 that part of the reason the NYPD can't comply with such requests is that the department's evidence database has no backup. If the database servers that power NYPD's Property and Evidence Tracking System (PETS)—designed and installed by Capgemini under a $25.5 million contract between 2009 and 2012—were to fail, all data on stored evidence would simply cease to exist.
Courthouse News reported that Manhattan Supreme Court judge Arlene Bluth responded repeatedly to the city's attorney with the same phrase: “That’s insane.”
Last year, NYPD’s Assistant Deputy Commissioner Robert Messner told the City Council's public safety committee that “attempts to perform the types of searches envisioned in the bill will lead to system crashes and significant delays during the intake and release process.” The claim was key to the department’s refusal to provide the data accounting for the approximately $6 million seized in cash and property every year. As of 2013, according to the nonprofit group Bronx Defenders, the NYPD was carrying a balance sheet of more than $68 million in cash seized.
City attorney Neil Giovanatti continued that line of argument. He claimed that the NYPD doesn’t have the technical capability to pull an audit report from its forfeiture database—because the system wasn’t designed to do that.
But an expert witness for Bronx Defenders, which is suing for access to the data, undercut claims that the system could not produce a report on the cash. Robert Pesner, former chief enterprise architect for New York City’s Department of Housing Preservation and Development, told the court, “Based on the information I have reviewed about the technical specifications of PETS’s hardware and software, it is my opinion that it is technologically feasible to retrieve much of the data sought from PETS by running queries directly on the underlying [IBM] DB2 database.”
When it was activated in 2012, Capgemini vaunted PETS—which was built using SAP’s enterprise resource planning (ERP) software platform as well as IBM DB2 databases—as a flagship public sector project. The company went as far as submitting PETS as a nominee for the 2012 Computerworld Honors awards. But the system was apparently designed without any scheme for backing up the database or any sort of data warehouse to perform analytics on the data.
When told by Giovanatti that the police department’s IT department did not keep backups and only knew that the database “is in IBM,” Judge Bluth responded, “Do you want the Daily News to be reporting that you have no copy of the data?... That deserves an exposé in the New York Times.”
We generally don’t do news roundups when yet another major company gets hacked and leaks personally compromising data about the public. We know that “big company hacked” isn’t news, it’s a Tuesday. So the Equifax hack didn’t seem like something worth spending any time to write an article about.
But then new things kept coming out. It got worse. And worse. And worse. It’s like if a dumpster caught on fire, but then the fire itself also caught on fire.
If you have been living under a rock, Equifax, a company that spies on the financial behavior of Americans and sells that intelligence to banks, credit card companies, and anyone else who’s paying, was hacked, and the culprits have everything they need to steal the identities of 143 million people.
That’s bad, but everything else about it is worse. First, the executives kept the breach secret for months, and then sold stock just before the news went public. That is a move so utterly brazen that they might as well be a drunk guy with no shirt shouting, “Come at me bro! Come at me!” They’re daring the Securities and Exchange Commission to do something about it, and are confident that they won’t be punished.
Speaking of punishment, the CEO retired, and he’ll be crying about this over the $90M he’s collecting this year. The CIO and CSO went first, of course. They probably won’t be getting huge compensation packages, but I’m sure they’ll land cushy gigs somewhere.
Said CSO, by the way, had no real qualifications to be a Chief Security Officer. Her background is in music composition.
Now, I want to be really clear here: I don’t think her college degree is actually relevant. What you did in college isn’t nearly as important as your work experience, which is the real problem- she doesn’t really have that, either. She’s spent her entire career in “executive” roles, and while she was a CSO before going to Equifax, that was at First Data. Funny thing about First Data: up until 2013 (about when she left), it was in a death spiral that was fixed after some serious house-cleaning and restructuring- like clearing out dead-weight in their C-level.
That’s the Peter Principle and corporate douchebaggery in action, and it certainly starts getting me angry, but this site isn’t about class struggle- it’s about IT. And it’s on the IT side where the real WTFs come into play.
Equifax spies on you and sells the results. The US government put a mild restriction on this behavior: they can spy on you, but you have the right to demand that they stop selling the results. This is a “credit freeze”, and every credit reporting agency- every business like Equifax- has to do this. They get to charge you money for the privilege, but they have to do it.
To “secure” this transaction, when you freeze your credit, the credit reporting companies give you a “password” which you can use in the future to unfreeze it (because if you want a new credit card, you have to let Equifax share your data again). Some agencies give you a random string. Some let you choose your own password. Equifax used the timestamp on your request.
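To make the difference concrete, here is an added illustration (not code from the article or from any credit agency) contrasting a PIN derived from the request timestamp with one drawn from a CSPRNG. The MMDDYYHHMM layout and the sample request time are assumptions for the example; the point is that a timestamp PIN has at most one value per minute, so anyone who knows roughly when the freeze was requested is left with a tiny candidate set, while ten random digits stay at ten billion possibilities regardless.

```python
import math
import secrets
import string
from datetime import datetime, timedelta


def timestamp_pin(requested_at: datetime) -> str:
    """PIN derived from the request time (assumed MMDDYYHHMM layout)."""
    return requested_at.strftime("%m%d%y%H%M")


def random_pin(length: int = 10) -> str:
    """PIN drawn from the OS CSPRNG; nothing about the request predicts it."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def timestamp_candidates(window_start: datetime, window_minutes: int) -> int:
    """Distinct timestamp PINs possible when the request is known to fall in a
    window of this many minutes: exactly one per minute, never more."""
    pins = {timestamp_pin(window_start + timedelta(minutes=m))
            for m in range(window_minutes)}
    return len(pins)


def entropy_bits(keyspace: int) -> float:
    """Guessing difficulty expressed as bits of entropy."""
    return math.log2(keyspace)


def sample_request() -> datetime:
    # Constructed sample request time used for the demonstration below.
    return datetime(2017, 9, 8, 14, 5)


TIMESTAMP_KEYSPACE_PER_YEAR = 365 * 24 * 60   # one PIN per minute of the year
RANDOM_KEYSPACE = 10 ** 10                     # ten independent random digits

if __name__ == "__main__":
    req = sample_request()
    print("timestamp PIN:", timestamp_pin(req))
    print("random PIN:   ", random_pin())
    print("candidates if request time known to the hour:",
          timestamp_candidates(req, 60))
    print(f"timestamp PIN entropy ~ {entropy_bits(TIMESTAMP_KEYSPACE_PER_YEAR):.1f} bits")
    print(f"random PIN entropy    ~ {entropy_bits(RANDOM_KEYSPACE):.1f} bits")
```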
Even if they didn’t apply the fix, Apache provided workarounds- some of which were as simple as, “Turn off the REST plugin if you’re not using it,” or “if you ARE using it, turn off the XML part”. It’s certainly not the easiest fix, especially if you’re on a much older version of Struts, but you could even patch just the REST plugin, cutting down on the total work.
Now, if you’re paying attention, you might be saying to yourself, “Hey, Remy, didn’t you say that they were breached (initially) in March? The month the bug was discovered? Isn’t it kinda reasonable that they wouldn’t have rolled out the fix in time?” Yes, that would be reasonable: if a flaw exposed in March was exploited within a few days or even weeks of the flaw being discovered, I could understand that. But remember, the breach that actually got announced was in July- they were breached in March, and they still didn’t apply the patch. This honestly makes it worse.
Even then, I’d argue that we’re giving them too much of the benefit of the doubt. I’m going to posit that they simply don’t care. Not only did they not apply the patch, they likely had no intention of applying the patch, because they assumed they’d get away with it. Remember: you are the product, not the customer. If they accidentally cut the sheep while shearing, it doesn’t matter: they’ve still got the wool.
As an example of “they clearly don’t care”, let’s turn our attention to their Argentinian branch, where their employee database was protected by the password admin/admin. Yes, with that super-secure password, you could log in from anywhere in the world and see the users’ usernames, employee IDs, and personal details. Of course, their passwords were obscured as “******”… in the rendered DOM. A simple “View Source” would reveal the plaintext of their passwords, in true “hunter2” fashion.
Don’t worry, it gets dumber. Along with the breach announcement, Equifax took to social media to direct users to a site where, upon entering their SSN, it would tell them whether or not they were compromised. That was the promise, but the reality was that it was little better than flipping a coin. Worse, the site was a thinly veiled ad for their "identity protection" service, and the agreement contained an arbitration clause which kept you from suing them.
That is, at least if you went to the right site. Setting aside the wisdom of encouraging users to put confidential information into random websites, for weeks Equifax’s social media team was directing people to the wrong site! In fact, it was directing them to a site which warns about the dangers of putting confidential information into random websites.
And all of that, all of that, isn’t the biggest WTF. The biggest WTF is the Social Security Number, which was never meant to be used as a private identifier, but as it’s the closest thing to unique data about every American, it substitutes for a national identification system even when it’s clearly ill-suited to the task.
I’ll leave you with the CGP Grey video on the subject:
By popular demand, the Atlantic Avenue - Barclays Center print is finally ready! After four visits and God knows how many sketches. Check it out in our gallery and shop!
This is Project Subway NYC's second attempt to look into stations in Brooklyn; hope to do more soon. Let me know in the comments which stations you want to see, and don't forget to follow us on Facebook and Instagram (@projectsubwaynyc) for updates!
If you superimpose the Mediterranean Sea (and the Black Sea) over a map of the United States — creating geographic landmarks like the Confederate Sea, the Great Salt Islands, the Straits of Pismo, and a coastal Las Vegas — you get a real sense of how big each of them is. I confess, I didn’t think the Mediterranean Sea was this large. The other surprising thing is that the latitudes of the superposition are pretty accurate…only a degree or two off, if that.
Equifax division TALX has a product called The Work Number, where prospective employers can verify job applicants' work history and previous salaries (it's also used by mortgage lenders and others): you can create an account on this system in anyone's name, provided you have their date of birth and Social Security Number. The former is a matter of public record, the latter is often available thanks to the many breaches that have dumped millions of SSNs (the latest being Equifax's catastrophic breach of 145,000,000 Americans' data).