Slashdot Mirror


California Hax0red

rochlin writes "200,000 California state workers burned! According to the Sacramento Bee, personal and financial info for 200,000 workers was accessed by a team of hackers "working secretly over the past several months." Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."

10 of 229 comments

  1. Re:Well done... by Sir+Nimrod · · Score: 3, Insightful

    You missed something: The article said the data included records for politicians and judges, too.

    Hmm.... I can see some interesting wrinkles here:

    • If said crackers mess up the lives of a bunch of CA politicians, will we get better laws, or worse?
    • If the affected employees file a class-action lawsuit against someone (like, let's say, a company that shipped a product with a gaping security hole), won't any California judge have a conflict of interest?
    --
    The United States of America: We mean well.
  2. Proof for an old principle by browser_war_pow · · Score: 5, Insightful

    That has been true since the creation of the civil service, if not longer. If you pay ~$15,000 to a worker to handle a $1.5B piece of equipment you need to reevaluate your spending priorities. Putting low paid workers in charge of such information considering the amount of civil and criminal liability the state now faces due to its incompetence is like putting guys with pocket knives as their only sidearm in charge of security at a nuclear power plant or the Pentagon.

    1. Re:Proof for an old principle by hey! · · Score: 4, Insightful

      Let's hold off on the rush to judgement until we've got more details. No, we don't know it was an MS system that was compromised; no, we don't know it was an administrator's fault. Basically, at this point we know absolutely nothing, including how the security problem was discovered. We'll have to wait a few days. Until now it's all speculation.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Would like to view source by datastew · · Score: 5, Insightful
    The electronic assault on payroll and other records was discovered by the Sacramento Valley Hi Tech Task Force, which determined that none of the information has been used illegally so far.

    I would sure like to see the direct quote which backs up this statement because it seems very presumptuous. Either the writer has misunderstood or the Sacramento Valley Hi Tech Task Force is dangerously overconfident.

  4. Security is impossible by Groucho · · Score: 3, Insightful

    ...when you are dealing with management and end users. It's less about flaws in code than about realizing the importance of patching, strong passwords, encryption etc.

    I do e-business consulting and let me tell you, security is a joke: critical servers set up OUTSIDE firewalls, trivial to nonexistent passwords, persons responsible for security with almost no computer experience... oy.

    When I try to encourage people to use good passwords, make things more difficult for crackers, I am shot down. God forbid that anyone should have to remember or type in a password!

    Let me give you an example of the levels of cluelessness: I have the root password for a Unix (actually, Linux) server on which all of a particular business's sales and production data resides. Yet, the person who is most technically adept at said company won't let me have the passwords to the Windows 9x workstations! She insists on typing them in for me! Never mind that I can just hit ESC and have total access to the company's network resources.... AAAAARGHHHH!

    This kind of thing is going to happen continually until people get educated.

    At one time in history, literacy was considered unimportant for the masses and the ruling elite. There were scribes for that. Then it became essential for everyone working to have at least basic literacy skills. Now it has become crucial for all workers to have at least basic computer literacy--by which I mean more than just ability to use a GUI. I'm talking if not programming ability, then at least an understanding of what programming is, what ASCII files are, how computers authenticate users, etc.

    When are managers and end users going to catch up to the infrastructure we've created? It seems that the only large organizations that are even nibbling at the edges of the problem are the MPAA and RIAA!!!!

    G

    1. Re:Security is impossible by karlm · · Score: 3, Insightful
      Ehh... critical servers should stand on their own. There are always inside jobs or ways around firewalls. Firewalls should be the backup plan. Too many people think "oh, no, it's not behind a firewall" and "oh, don't worry about it, it's behind a firewall". If you're not extremely confident that your critical server could survive outside the firewall, you need to start ripping software components out of the system. MIT Network Security's policy is to never deploy firewalls. They continually port scan all of the machines and run vulnerability checks against the latest bugs.

      Perfect security is impossible, but firewalls are band-aids for bullet holes. Don't fool yourselves. A good IDS box is much more useful than a good firewall, or at least should be if you're doing things right.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
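The "survive outside the firewall" stance in karlm's comment comes down to knowing exactly which services a host exposes and removing the ones it does not need. As an added example (not code from the thread or from MIT Network Security), the script below parses `ss -tulnp`-style output and flags every socket bound to a non-loopback address that is not on an explicit allowlist. The sample output and the allowlist are constructed for the demonstration; on a real host you would feed it the live command output and your own list.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=930,fd=5))
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=601,fd=4))
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=655,fd=5))
tcp   LISTEN 0      80     [::]:3306           [::]:*            users:(("mysqld",pid=1203,fd=21))
"""

# Hypothetical allowlist: port -> the process expected to own it on a public interface.
ALLOWED_PUBLIC = {22: "sshd", 443: "nginx"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Parse the header-prefixed `ss -tulnp` table into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        # Local address and port are joined by the last ':' (IPv6 addresses contain ':' too).
        addr, port = fields[4].rsplit(":", 1)
        owner = re.search(r'\("([^"]+)"', line)  # first process name in users:((...))
        listeners.append(Listener(fields[0], addr, int(port), owner.group(1) if owner else "?"))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(listeners, allowed):
    """Return (listener, reason) pairs for sockets reachable from the network but not allowlisted."""
    findings = []
    for l in listeners:
        if is_loopback(l.addr):
            continue  # local-only services are not exposed to the network
        expected = allowed.get(l.port)
        if expected is None:
            findings.append((l, "not in allowlist"))
        elif expected != l.process:
            findings.append((l, f"unexpected owner, expected {expected}"))
    return findings


if __name__ == "__main__":
    for listener, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED_PUBLIC):
        print(f"{listener.proto} {listener.addr}:{listener.port} ({listener.process}): {reason}")
```

Run periodically (cron, or from the same job that does the port scan), the output is the list of components to either rip out or justify. Anything that only needs to be reached locally belongs on a loopback bind, which the audit deliberately ignores.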
  5. Re:How seriously do /. reader's take this. by korgull · · Score: 2, Insightful

    20 years ?
    In my country even a murderer wouldn't get that much :-(
    Be realistic, stealing whatever isn't worse than killing someone.
    In some underdeveloped countries they still allow people to own guns. Those countries do have much more serious problems than someone cracking whatever database unless they believe life is worth less than data. Personally I would give someone my ID/credit card nr and bank account etc instead of being killed. My personal data is not worth my life.
    Even though I agree with the fact that these crimes should be punished, I also believe that it should be punished according to the crime. Theft like this doesn't really hurt unless the data is used. In that case it would be fraud and should be punished like that (Whatever that may be).

  6. Funny? Not really... by ackthpt · · Score: 3, Insightful
    The combined taxable income for the county I work in, of public school employees is nearly a billion $. (nothing scandalous about mentioning this, as it's all a matter of public record, but I won't mention the county anyway) You still think that's nothing? A thousand here, a couple hundred there, it could easily add up, particularly if used to obtain credit cards. Some joke, once you have a few hundred people trying to put their lives back together after someone trashes their credit rating, etc.

    A friend had something like this happen and spent months sorting it out, over a few hundred dollars charged to a credit card mailed to a different address.

    --

    A feeling of having made the same mistake before: Deja Foobar
  7. Nobody here is upset at the system crackers? by Jayson · · Score: 5, Insightful

    I see all these comments and jokes about the administrators of the systems, the software used, the wages of those whose data was compromised. However, I do not see any comments condemning the actions of the thieves.

    These crooks are the people that give you a bad name. They are the criminals here. They are not to be ignored. If somebody breaks into your house, you go after the robber; you don't sit there and think that you should have encased your house in steel and had better locks.

    Please, place the blame where it belongs.

    1. Re:Nobody here is upset at the system crackers? by Anonymous Coward · · Score: 2, Insightful

      Oh, but 2600 and every 1337-d00d, h4x0r, security consultant, etc. believes that it's not the cracker's fault, it's the admin's fault for not building up ridiculous amounts of security!

      People, it's completely illogical to believe that just because the admin failed to force users to use 16-character passwords and 1024-bit crypto that those admins are "stupid." It is the cracker's fault, and anybody (but ESPECIALLY anybody in security) who blames stupid admins instead should not be in IT.

      Yes, *some* simple precautions should be taken - 8-character passwords and not downloading files from unknown people should be standard fare, but when security guys blame admins for not having installed Tripwire, shut down all unnecessary services, and firewalled off unneeded ports (although these are trivially simple to do), I get really inflamed.

      Such people are arrogant, self-centered, idealistic idiots. The crackers are the criminals, and let us never lose sight of that. Crackers don't explore, they break stuff on systems and some become thieves in stealing stuff like credit card #'s and SS#'s...

      Hackers don't break things, and they don't steal anything either... And *true* hackers not only do those things, but typically are too busy writing great software and figuring things out to bother with exploring other people's systems...