Slashdot Mirror


UT Austin Hit By Massive Security Breach

mrpuffypants writes "Reported in the Austin-American Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."

2 of 508 comments

  1. Re:What's the big panic about SSNs? by joebp · Score: 5, Insightful
    Should someone get a hold of your SSN they can get a credit card in your name, or whatever.
    I think I see where the problem lies.

    It's like security through the obscurity of these numbers.
  2. crypto is a solution by Anonymous Coward · Score: 5, Insightful

    There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)

    Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:

    My name is John Doe, and my social security number is 987-65-4321. I hereby authorize CreditCards-R-Us to issue me a credit card linked with my social security number.

    Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.

    Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third party ever gets a copy of it. This is important for two reasons:

    1. Third-party institutions don't have much incentive to guard your secret well. Many of them will do their due diligence in guarding it, but the bottom line is that it's just not their ass on the line, so they won't try really hard. Even if they mean well, they're a busy corporation or university or whatever, and they have other things to get done.
    2. If you are forced to give out your secret to get anything done (for example, register for classes), over time lots and lots of organizations will get (and store) a copy of it. This is bad, because the probability that information will get stolen is pretty close to proportional to the number of people who have a copy of it!
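
The scheme described in the comment above, as an added example that is not part of the original thread: a public directory maps each number to a public key, the holder signs the authorization message, and the issuer verifies it against the published key. Ed25519, the type and function names, and the check that the message names the verifying issuer are assumptions of this example; the comment does not specify an algorithm.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Directory is the public lookup service the comment proposes: SSN -> public key.
type Directory map[string]ed25519.PublicKey
// Authorization is the signed statement; its field names are assumptions of this example.
type Authorization struct {
	Name, SSN, Issuer string
	Sig               []byte
}

// message rebuilds the exact bytes that are signed and later verified.
func (a Authorization) message() []byte {
	return []byte(fmt.Sprintf("My name is %s, and my social security number is %s. I hereby authorize %s "+
		"to issue me a credit card linked with my social security number.", a.Name, a.SSN, a.Issuer))
}

// Sign is run by the holder; the private key is never handed to anyone.
func Sign(priv ed25519.PrivateKey, name, ssn, issuer string) Authorization {
	a := Authorization{Name: name, SSN: ssn, Issuer: issuer}
	a.Sig = ed25519.Sign(priv, a.message())
	return a
}

// Verify is run by the issuer, which passes its own name as expectedIssuer.
func Verify(dir Directory, a Authorization, expectedIssuer string) error {
	pub, ok := dir[a.SSN]
	if !ok {
		return errors.New("no public key published for this number")
	}
	if a.Issuer != expectedIssuer {
		return errors.New("authorization names a different issuer")
	}
	if !ed25519.Verify(pub, a.message(), a.Sig) {
		return errors.New("signature does not match the published key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	a := Sign(priv, "John Doe", "987-65-4321", "CreditCards-R-Us")
	fmt.Println("holder's request:", Verify(Directory{"987-65-4321": pub}, a, "CreditCards-R-Us"))
}
```

Verify returns an error for a request signed with any key other than the published one, so knowing the number alone is not enough to produce a valid authorization.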