UT Austin Hit By Massive Security Breach
mrpuffypants writes "Reported in the Austin American-Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."
"Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed."
Phew, I feel so much better now!
I wish I had known about it, I would have asked them to change my transcripts to give me a better GPA. :P
What legal action may the students and faculty take? In Washington it is illegal to use a student's SSN to identify students. There was groaning at every campus in Washington for weeks. I bet they're as glad as me that Washington was so on top of this.
OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.
But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.
Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?
I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)
Karma: pi (Mostly due to circular reasoning in posts).
A smart cracker would already have lined up the buyer(s) for the information (probably spam companies) before doing the crack. At least one copy of the data would have been made at the time of the crack to ensure that it doesn't get captured and lost.
But nothing says that these cracker(s) are smart. Possibly just lucky.
robi
My school still uses SSNs as student IDs. I've found that as a student employee I run into thousands of IDs a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of an autogenerated key?
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
...of UT, I think it's reasonable to assume that I'm among the names taken by the bastards.
Unfortunately, I don't have a clue what to do about potential identity theft. I mean, everything uses your SSN. What steps can one take to protect one's identity?
Is it a sign that I play too many games when I read the title as a security breach in Unreal Tournament ???
Eu4ria
In schools, it's very easy to retrieve information. I went round no less than 10 junior schools in my area to get information on the new students that are about to enter the new year in the secondary school where I work as the information manager... NOT ONE of the schools asked me for ID; they showed me to a machine, logged me in and let me walk out of the door with the information on floppy...
It's very scary... but what can you do...
moo
Not to adopt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.
This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Correct me if I'm wrong, but doesn't UT have one of the best CS departments? And this couldn't be prevented?
The UT link appears to be /.ed, but when I read it before it sounded like a simple brute force SSN lookup. The attacker simply generated random SSNs and sent them against a page that returned information based on SSN. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.
On another note, UT is phasing out SSNs in many aspects of students' lives. My wife's UT ID does not contain her SSN; it has a student # now. Though I assume that there are still many points of interface with the UT system that expect to see an SSN.
"The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused."
I shall now write a script that emails UT random SSNs and asks "was I affected and what information do you have on me?"
muhahhahaha...
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Reading the article (as I am sure everyone already has) would tell you that the information was not tied in to any student grades. Two different systems / databases.
This does mean a spammer has a few thousand live accounts of young (read: target audience) college students (read: active email users).
That is bad in more ways than one.
robi
It's amazing how much information you can get kicked back by simply trolling SSNs. This reminds me of the scandal last year with Yale's admissions information, which a Princeton administrator obtained by simply entering SSNs and birthdates on their web site. A brute-force attack like this one, simply adding birthdate to the mix, could have successful results in other places, I'm sure.
Slashdot response: (taken from front page)
"I imagine they will eventually raid some domestic homes and make a scapegoat of some unfortunate teenagers."
Not a difference in my opinion. You might feel different if you were personally affected too. Hackers get what they deserve regardless of age.
My former school, UVSC uses social security numbers, firstname and lastname combinations for user IDs. They then use birthdays for passwords. Talk about insecure. I even saw a teacher who typed his password as "password" (He was in CS) Yea, scared me too.
void
This is NOT the first time, and I do not believe that it will be the last. I work at and attend a medium sized college and I happen to know from other employees that our systems have been compromised on several occasions, and in fact they are still being compromised. I do not believe that any critical information has been stolen, but the security of the critical systems at our nation's colleges and universities needs to improve. Our college refuses to publicly admit that they have had a serious breach or deny any knowledge of current security problems. It's quite frustrating to be a computer security enthusiast and attend a college that refuses to admit they have a serious problem.
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
/. has an opinion as to how this happened?
It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.
Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on
This johnny-come-lately "UT" is ripping off the initials and the colors of the original UT (est. 1794 thank you very much)!!
;-)
We demand that our child State of Texas cease and desist in the molestation of our look and feel.
Sincerely,
Volunteer Graduate of 1994
PS, The UTK English Department is the Home of the Vowels
Eve Fairbanks says I drive a hybrid!LOL
I'll bet this attack was done by a student to get more information about which college freshman girls to harass. When I went to college, the online phonebook did not include gender or year by default, but you could get that information if you clicked a few checkboxes (but only one student's info at a time). A friend of a friend of mine (at the time) wrote a simple script to harvest all of the data. He was never contacted for doing anything wrong.
SSN's are valuable because you can use them for identity theft. You can use them for identity theft because they're a national ID card. Something "they" (the mythical them) say they are not.
Apart from that, all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (i.e. issue a credit card to a you that's not you).
We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
Northwestern recently sent this out to all students:
Dear Students:
The following three bulleted topics are of student interest:
* Social Security Number is removed from WildCARD ID
With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.
The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be charged a $15 replacement fee.
"The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.
"We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.
Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
http://www.univsvcs.northwestern.edu/WildCar
* New vending machine refund bank locations
If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
http://www.univsvcs.northwestern.edu/WildCar
New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.
Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.
* Other tidbits of information:
--The Abbott Hall ATM now sells stamps
--A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
While my university doesn't use the SSN for our student ID number, it still asks students to put it on countless forms and enter it into countless databases. It's always made me uneasy, and I hadn't even thought of the potential for a computer break-in. Rather, I was unsettled that any student worker who checked out a book for me at the library could see my SSN on his screen after scanning my ID card.
But nothing wakes up a university -- especially a state school -- like the threat of litigation. If the cracker followed up and committed full-scale identity theft, the students would have grounds for a lawsuit against the school. Consider the recent New Hampshire lawsuit that dealt with SSNs and other personal information. With the potential for bloodthirsty lawyers, universities might finally get serious about protecting their students' information.
Doesn't one of Bush's daughters go to UT?
Could this possibly be related?
Seriously. In the UK the closest equivalent is a National Insurance number, which you give out to quite a few people. Banks often want this (because it's unique to you, which makes record-keeping easier). Your employer will want it, so their accountants can calculate your tax. Your doctor will probably want it, again, because it's a unique identifier.
Why are Americans so paranoid about who knows their SSN?
Sorry....we'll do our best to lock the barn door now that the cow's escaped!.......
I used to admin at a University. One of the most frustrating things I encountered was the incessant desire for there to be no restrictions on any of the computing systems that the students used. This includes the servers. The firewall was just an expensive router. We were not allowed to run blocks from the internet to inside IPs, as that defeated the spirit of free access. I tried to explain why it was a 'Bad Thing(tm)' repeatedly, but always met with resistance from the shared governance committee. One cannot blame the administrators in this thing. I assure you they feel just as powerless as I did. This kind of thing will become more and more rampant as clueless faculty (or upper-management in the business world) are allowed to influence major IT decision-making.
Big deal. If anyone wants to know my ssn, it's "336721433".
SSN's are public information.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
It is more important than an SSN. With an SSN someone could use public records to find place of birth, date, etc (heck, even the SSN itself is coded for regions of the US).
Using that info someone could generate a false passport. Get the picture. False passport, false entry into the States. False entry under a name that exists, that is legit. Airlines would see this person as a green threat (under the proposed new system) and ignore them. If the actual person was a Branch Davidian, an IRA terrorist, PLO, etc they have transparency of movement.
Someone just got all the information they need to smuggle thousands of people around our country. Give each illegal 5-10 different identities, never use the same one for connecting flights, then travel tracking becomes really hard for FBI.
robi
they thought it would be cool, or because they wanted me to r00t it ?
thanks,
fluffy bunny
They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.
They probably just copied over the DB containing the University's security procedures.
UT says:
Someone is more than a little bit confused about the nature of digital storage if they think they can `recapture the stolen data'.
`Ah, cool, we've managed to delete the copy they made of our data.'
(whispers)
`Another copy? How many copies did they steal?'
In the beginning Linus created Linux.
A few years ago I got a new bank account and they told me that due to a federal social security law they could not use my SSN as an identification source and that anyone who used it as such was breaking the law.
I know that many institutions and businesses use it (SSN) that way, but isn't it against the law? Or did I misinterpret the statement from the bank?
All I can say is 'Oh Shit'
Nanite
God is real unless declared integer.
Hold on, why were UT's internal data reporting systems hooked up to the internet? I thought sensitive information like this was only exchanged over secure intranet and stored in systems with no access to public networks?
They just should not be used by any third party. One thing I was amazed at after moving from the UK to the US was just how many companies/people here ask for that information when really it's not necessary.
StarTux
@ UB we have a "people number". It might sound stupid... but at least if they're hacked they don't get my SSN.
Dear UT Austin Students/Faculty/Staff,
We were dumb@sses and now you're royally fscked.
Now let's try and hide those two facts by swamping you with irrelevant details
Sincerely,
UT Austin MIS Staff
I'm not sure which is worse: do you want your orange brighter and more eye-pokin', or browner and more rustlike?
...
UTK has a nicer campus, IMO, for matters of simple geography -- Knoxville has *hills*! Architecturally, though, UTA wins by a nose. (Whether or not you're a fan of the UTA campus "Master Plan," it's really not much of a going concern any more -- sprawl has taken care of that.)
Culturally, more similar than people like to admit, but Austin is simply a bigger, hipper city. In fact, Knoxville and Austin have a lot in common -- somewhat liberal by comparison to the rest of the state, high student population, comparatively green
timothy
Bad thoughts!! Bad thoughts!! Think pure thoughts!!!!
When you apply for a credit card you do not need a SSN until it comes time for verification. You just did yourself a disservice... I hope someone that can do this will see your post and will remove your number for you.
You've got WAY more to worry about than hackers.
ANYONE who works in the offices (especially student workers) can get this information. Admissions? Financial aid? All of these people could find enough info out about you to get a credit card in your name or go down to Circuit City and buy a big screen.
Just like the people who worry about their credit card being stolen from shopping online - you've got a better chance of the guy working at the mall going through receipts, or the waitress at Hooters when she takes your card up to pay the bill.
Obviously there's no way that database should have been connected to the internet. Someone failed to put the crack pipe down on that one. But at least they bothered to take full responsibility for the breach, and admit that they did in fact f*ck up. Should I be impressed, or should I wonder why someone admitting in a public manner that they dropped the ball is refreshing?
If thou see a fair woman pay court to her, for thus thou wilt obtain love
Thank you.
This is my digital signature. 10011011001
Some helpful person probably set up a "phone search" database where you could search via ID. Probably they just didn't know the IDs were SSNs, or didn't care, or didn't put 2&2 together to realise that in addition to finding people's phone numbers, you could find people's SSNs.
Then someone just wrote a script to brute force the SSN range, it seems from the 2nd link.
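Two posts above describe the same weakness: a public lookup page that answered ID-by-ID with no throttling and no limit on failed lookups. As an added example (not UT's code or logs, and not anything the posters wrote), here is what the defender's side looks like: a detector that flags an ID sweep in constructed web access logs, and the per-client throttle the page lacked. The endpoint path `/lookup?id=`, the log format and all addresses are assumptions.

```python
"""Detect an ID sweep against a lookup endpoint, and show the throttle that
would have stopped it. Constructed example: the endpoint answers 200 when an
ID matches a record and 404 otherwise, so a range sweep from one client shows
many distinct IDs with a very high miss rate."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common-log-style line with the lookup ID in the query string (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?id=(?P<id>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)

def parse_line(line):
    """Return {ip, ts, id, status} for a lookup request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "id": m.group("id"), "status": int(m.group("status"))}

def find_enumerators(lines, window=timedelta(minutes=5), min_ids=20, min_miss_rate=0.8):
    """Flag clients that, within any sliding window, queried at least min_ids
    distinct IDs with a miss (404) rate of at least min_miss_rate."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            ids = {r["id"] for r in span}
            miss_rate = sum(r["status"] == 404 for r in span) / len(span)
            if len(ids) >= min_ids and miss_rate >= min_miss_rate:
                if best is None or len(ids) > best["distinct_ids"]:
                    best = {"distinct_ids": len(ids), "miss_rate": miss_rate}
        if best:
            flagged[ip] = best
    return flagged

class LookupThrottle:
    """Server-side control the endpoint lacked: a fixed per-client request
    window plus a lockout once a client accumulates too many unmatched lookups."""
    def __init__(self, max_requests=10, max_failures=5, window=timedelta(minutes=1)):
        self.max_requests, self.max_failures, self.window = max_requests, max_failures, window
        self.state = {}   # ip -> {"start", "requests", "failures"}

    def allow(self, ip, ts):
        s = self.state.get(ip)
        if s is None or ts - s["start"] > self.window:
            s = self.state[ip] = {"start": ts, "requests": 0, "failures": 0}
        if s["failures"] >= self.max_failures or s["requests"] >= self.max_requests:
            return False
        s["requests"] += 1
        return True

    def record_result(self, ip, matched):
        if not matched:
            self.state[ip]["failures"] += 1

def replay(lines, throttle):
    """Replay the log through the throttle; return requests served per client."""
    served = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if throttle.allow(rec["ip"], rec["ts"]):
            served[rec["ip"]] += 1
            throttle.record_result(rec["ip"], rec["status"] == 200)
    return dict(served)

def make_sample_log():
    """Constructed log: one client sweeping 25 consecutive IDs (3 hits),
    one ordinary client looking up two records."""
    base = datetime(2003, 3, 6, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):
        status = 200 if i % 10 == 0 else 404
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /lookup?id={100000000 + i} HTTP/1.0" {status} 512')
    for i in range(2):
        ts = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /lookup?id={100000000 + i} HTTP/1.0" 200 512')
    return lines

if __name__ == "__main__":
    log = make_sample_log()
    print("flagged:", find_enumerators(log))
    print("served with throttle:", replay(log, LookupThrottle()))
```

With the throttle in place the sweeping client is cut off after its fifth miss, while the ordinary client is unaffected.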
"Thursday, March 06, 2003 12:34 PM RE: addl info for transcript request Your student ID # is your SS#. When requesting transcripts: Full Name Purdue Student Identification number Date of Birth Dates of Attendance at Purdue Where you would like the transcript sent The number of transcripts being requested (maximum 10 per request) Your written legal signature Our fax number is 765-494-0570, or you can mail in a request. " gee
*I used to be quite irreverent and ignorant. I am probably much smarter now. I seem to realize this every 45 days or so.
..., but I too am glad that they changed in WA State. I currently am enrolled at a college there, and as bad as my finance situation is, I sure don't need to be telling creditors,
"No, I did not get a Credit Card, buy a yacht with it, and crash it into the Golden Gate Bridge with a dead body on board..."
Yito Graft
I currently am a student at the University of Texas at Austin. The spineless fuckers in administration still have yet to inform us about our possible exposure. They may have only released info to the public about this yesterday, but as a current student and employee I feel that I should have been informed first, not by my mom calling me at 8 am this morning, asking what the hell is going on at UT. Besides, you can't trust a University that claims a budget shortfall, but pays $400,000 for personal consulting for the UT President so he "looks like a more kind, and understanding person." One last thing, test forms that you hand out here have a field for you to bubble in your SSN as a unique identifier. Last I checked, isn't that a violation of the Social Security act?
I don't know what the law is here, but in Virginia, you still may be screwed.
...
I work for Virginia Commonwealth University. We have unique ID numbers for the students, staff, and faculty--not our SSNs
But every time you need something, almost ANYTHING, you have to give your SSN. Over the phone, in person, on a form, whatever.
When I got my university ID, some jackass had written down my SSN and NAME on a fucking Post-It and almost THREW IT AWAY when I got my little plastic card.
I said, "Whoa, give me that, dude. Don't throw it in the trash can." He looked at me like I was crazy.
No one around here understands why that kind of stuff is bad. I, on the other hand, ripped it into pieces and put it in two different trash cans.
Perhaps a bit paranoid, sure, but after I saw what happened to a friend of mine whose SSN and name were compromised (massive fraud around the city in his name, by some still-unknown individual), I don't care.
It's the same mentality that leads people not to password-protect their computers.
-/-
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
Hmmm, Univ. of Texas' mascot is a Longhorn...
Microsoft's upcoming O/S is codenamed Longhorn...
And Microsoft has a campus agreement with the Univ. of Texas to provide faculty/staff/students with full/premium/pro versions of their software at extremely low prices!
Hmmm... now why would I really ever want to upgrade Windows?
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
Unfortunately the literal translation of this is:
I am so fired!
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
Ever dream you could fly? Get up from the Flight Sim. I Fly
Is it really that hard for a university to assign sequential student numbers? I mean, you start at 1000000, and go up from there! That way, the only information imparted by a student's number is approximately when they enrolled.
-Michael Roy Some people are like Slinkies. Not really useful, but you can't help smiling when you see one tumble down
Even if the school didn't use SSN as a student ID number, there are many reasons why the school needs to know a student's SSN. Financial aid, and "selective service", to name two.
So the fact that the university uses SSN as a student ID number is only interesting at best. I bet if they used a different ID for "university ID", they'd STILL have the student's SSN in their records.
In any case, any organization that use the knowledge of a person's SSN as a means of "security" doesn't know anything about security.
Currently the State of Texas is in the middle of some staggering budget shortfalls (as are most of the other states in the US). One state-funded entity that is looking at a shrinking budget is the UT system.
:P
Here's what I'm wondering: How do the powers-that-be, whether elected officials or University administrators, or the public for that matter, expect that security breaches like this are to be avoided when there is little to no budget to prevent them?
The agency that I work for, and many others, faces increasing scrutiny by the state legislature and must undergo budget cuts, hiring freezes, and potentially the loss of staff to meet the State leadership's plans. As a result, we've already lost funding not only for basic needs already planned for, but also for what are known as "exceptional items" or those items that we see a need for outside our normal budget.
I understand the argument that "Hey, we need Police and health protection before you get new computer software!" but let's get real. Those are the same folks who will be panic stricken when their SSNs, or other personal info are stolen by crackers when agencies are broken into. And woe to the poor SysAdmin who couldn't work magic with a non-existent budget to prevent it...
I'm a taxpayer too, mind you, but how can we expect State and Federal agencies to protect their resources without security being made a priority and funded as such...
"Of course I'm wrong... That's how I get to 'right'." - Gil Grissom
Have you ever worked for a non-profit? It's pretty hard to get fired. People that work for non-profits tend to fall into the "touchy-feely" category. Imagine taking a corporation's HR department and staffing every single position throughout the non-profit with that type of personality. In other words, if you see ".gov", ".org", or ".edu", don't expect normal organizational behavior.
Even so, if there ever was an event that deserved a massive firing, this is it. Here's hoping my company doesn't pick up the newly unemployed.
Kind of scary that just anybody can find all this info by getting some scrap paper from the recycle bins or wherever around campus. I do that a lot but most of it's junk. But if you work on campus I'm sure you can find lots of confidential info in the recycle bins and such that should NEVER be released.
Stop the Slashdot Effect! Don't read the articles!
That's interesting wording.
Given that the official number of stolen records is "approximately 55,200", I think that I would've chosen the phrase "more than 55,000" instead.
Of course I wouldn't've used a comma to separate the thousands. Confuses the tiny parser in my brain.
// todo: implement sig
Knoxville will always have Cas Walker. All Texas will ever have is LBJ.
Eve Fairbanks says I drive a hybrid!LOL
"Those SSNs that matched selected individuals in a UT database were captured..."
Does anyone else wonder what the attacker's selection criteria were?
It's a great idea. The minor detail being that the cost of every bank, state agency, credit reporting company and insurance agency in the US migrating off that number is going to be incredible. More work for me though.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
My university has 'chmod 644' backups of /etc/shadow for anyone to read. Anyone can ftp this off the public unix box and rip the passwords out of the 30,000 staff, student and admin accounts contained within. They could then steal, delete or change every last byte of data on the network. If the admins are dumb enough to leave such critical files unsecured, how many serious attacks remain undiscovered as well?
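The world-readable shadow backup described above is the kind of thing an admin should be finding before anyone else does. As an added example (not the poster's university's setup or any existing tool), this check walks a directory tree and reports world-readable files that are either named like a shadow file or, regardless of name, whose first lines have the shadow(5) field layout; the fixture tree it builds is constructed and the hashes in it are not real.

```python
"""Audit a tree for world-readable copies of /etc/shadow. Constructed example:
the fixture reproduces a backup directory holding mode-644 copies of the
shadow file, one under its own name and one renamed to something innocent."""
import itertools
import os
import re
import shutil
import stat
import tempfile

# File names that are, or derive from, "shadow" (shadow, shadow.bak, shadow-old).
SHADOW_NAME = re.compile(r"(^|[._-])shadow([._-]|$)")
# shadow(5) layout: login, password field, then 7 numeric-or-empty fields.
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:]*:(\d*:){6}\d*$")

def looks_like_shadow(path, sample_lines=5):
    """True when the first non-empty lines all have the shadow(5) field layout.
    /etc/passwd does not match: its trailing fields are not numeric."""
    try:
        with open(path, "r", errors="replace") as fh:
            head = [ln.rstrip("\n") for ln in itertools.islice(fh, sample_lines)]
    except OSError:
        return False
    head = [ln for ln in head if ln]
    return bool(head) and all(SHADOW_LINE.match(ln) for ln in head)

def find_exposed(root):
    """Sorted relative paths of world-readable regular files under root that
    are named like a shadow file or whose contents look like shadow entries."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_IROTH):
                continue
            if SHADOW_NAME.search(name) or looks_like_shadow(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_demo_tree():
    """Constructed fixture: correct /etc/shadow perms, a normal passwd file,
    and a backup directory with two readable copies of the shadow data."""
    root = tempfile.mkdtemp(prefix="shadow_audit_")
    shadow = ("root:$6$constructed$notarealhash:12000:0:99999:7:::\n"
              "alice:$1$constructed$alsofake:12050:0:99999:7:::\n")
    passwd = ("root:x:0:0:root:/root:/bin/sh\n"
              "alice:x:1000:1000::/home/alice:/bin/sh\n")
    files = {
        "etc/shadow": (shadow, 0o600),         # as it should be
        "etc/passwd": (passwd, 0o644),         # world-readable by design, no hashes
        "backup/shadow.bak": (shadow, 0o644),  # the problem from the post
        "backup/users.txt": (shadow, 0o644),   # same data under an innocent name
        "backup/notes.txt": ("nothing sensitive here\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root

def audit_demo():
    """Build the fixture, audit it, clean up, and return the findings."""
    root = build_demo_tree()
    try:
        return find_exposed(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for rel in audit_demo():
        print("world-readable shadow data:", rel)
```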
All numbers are public, by definition, but some numbers are more public than others. A SSN has value if you know that it belongs to a live human being of a certain age group, with a good credit rating and without a passport, if you have a bad credit rating, no passport and the same age. In contrast, a non-existent SSN, or one that belongs to a dead person has zero value. See for example an old guy who got arrested in South Africa recently, due to an FBI most wanted listing. A criminal stole his SSN and is probably a serial murderer, so this old guy spent a very hard time in a very tough jail for a few weeks. Not a nice holiday, but one he'll never forget.
What's your full name and your mother's maiden name?
I worked at UT Austin for a semester in '01, not sure if my SSN was compromised or not. I know there have been and are a lot of non-US students and faculty at UT Austin... What are the chances that one of our SSNs is going to get misused as a result of this and land us in trouble at some point with Homeland Security, INS, or the like?
is 60,000 lawsuits against the university for using those S.S. numbers. I can understand a student who is trying to get accepted to the school being afraid to confront them and not supply it even though they have no legitimate use for it, but they should be held responsible for their misuse of the numbers. 60,000 lawsuits would be a good start, and send a message to others who carelessly abuse these numbers at great risk to the individuals who own them.
I'm an American. I love this country and the freedoms that we used to have.
Whew, for a second there I thought the Undertaker and Steve Austin were both robbed.
D
Yes, that's probably it. Saddam Hussein is trying to steal her identity as part of his plan to create a fake-daughter robot, full of explosives.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's absurd, but you only need the number to assume the identity of the person to which the number belongs. While credit card numbers usually can't be used without the actual card, the SSN can.
The US really needs a personal ID card, to protect the citizens from identity theft, like many other countries have. Americans already are uniquely identified by the government with a combination of paper trails, so it is not a question of integrity - that was lost long ago.
Think of the SSN as a public key, with your personal physical ID card as your private key. If it gets stolen that's when you worry and contact the police, not when your SSN gets guessed or stolen. Countries far more secure and respectful of citizens integrity than the US use this model successfully.
Oh, I can't help quoting you because everything that you said rings true
I have both attended and worked at UT in IT, so I can give you my observations.
For many years, UT had a non-centralized IT infrastructure. That is, the Colleges did one thing, the Administrative Computing Group did another thing, the Academic Computing Group did yet another thing, and the Libraries something else entirely. This was recently changed with the introduction of a new Office of Information Technology headed by a new Vice Provost (Dan Updegrove, originally at Yale). One of the very first things I heard him address was the Social Security number problem in which every student, faculty, and staff member used their SSN as their ID. That practice had to change in order to meet both legal and privacy standards (see FERPA), and UT has been trying for the past couple of years to make that happen. The trouble is, it was so integrated into all of the different services and departments that it is a slow process to remove it. They started to phase it out, but now UT is seeing the effects of this particular practice. I'm likely one of the ones who will be affected, so I'm waiting for them to announce where people can find that out. (It may be at the UT site, http://www.utexas.edu/datatheft/.
The Daily Texan (student newspaper) has an article about the theft, as does the Houston Chronicle.)
By the way, your Social Security Number isn't public information. It is required for use by some agencies of the government, but you are not required to provide your SSN to private groups unless they need to interact with certain government agencies (this includes your employers, who deal with the IRS). That being said, SSNs are so commonly used a search may pull up that information- but that doesn't mean it is legally public info.
The university for which I work uses SSNs as student ID numbers as well. They are in the process (another 3 years or better) of converting over to PeopleSoft, which will use another unique ID number for staff, students, and faculty. Until then, we just have to hope all our systems are secure.
ZeTeS
2+2=5 for extremely large values of 2
They use SSNs initially to keep track of how much money you are paying into the SS system, and they usually catch it when two different people are paying into the same account. Besides, there can only be one name on the account, so one person would wind up with a SS card with the name of the other person on it, though I suppose the last person assigned the number would have his name on the account. As soon as you give it to your employer they check with the SSA and would come back with the other person's name on the account.
"Gig 'em Ags!"
I feel socially insecure :(
-- www.globaltics.net
Political discussion for a new world
Gee.. Don't they know not to have the database located on the outside of a firewall, and when it is on the inside you should use Kerberos or PKI.
Just to let everybody know, this was the last semester that UT was using SSNs as IDs. We are in the process of switching over to what they call the EID. The EID is just a text string (similar to a user login). This is what we have had to use to access online services for several years. Within months it was going to be our official identifier in all of the university's systems.
Ok, this is just silly. I for one also thought when I first saw the header that Unreal Tournament had been breached, but that's off topic. People need to figure out that: 1. an SSN really doesn't matter. 2. that the gay martian fagoodelic freaks who are so paranoid they plug the push pin holes in their rooms with putty because *They are out to get them* would shut up if they did what MY HIGH SCHOOL does and have a nice little 4 digit Student ID!!!
...I resent both your spelling and your implications.
A better question would be "why the hell is everyone pretending a heavily distributed 10 digit number printed on an easily duplicated piece of paper is a viable means of identity verification?"
It's just plain dumb. Your SS number is no more a secret than your driver's license number. In fact, it's less of a secret since more places request it of you. And the card is easier to fake than even the most rudimentary fake id.
If you wonder whether a national ID system will ever come into being, you need look no further than large scale data thefts like these. In the wired world, being able to prove you are who you are (and be secure in the knowledge that someone else can not prove they are you) has never been more important. As online electronic transactions replace face to face paper ones, the same efforts taken to prevent counterfeiting and theft of cash will be necessary to prevent the equivalent cybercrimes.
Personally, I wouldn't mind if I only needed one card instead of a wallet full of them, with all my accounts cleverly linked to it.
Special IDs like school cards are meant for quick visual verification of identity and enrollment. Reference cards like my insurance and calling cards are meant to be read. Gift cards like Best Buy are meant to be given as physical item. Data cards, like my subway stamp card, need to cary special information. Everything else - ATM, cash, credit, ID, store membership, and so forth could be rolled into one rigorously protected and verified universal card. If you're really fancy, maybe even one that can store and display custom data, including reference and special ID.
---If you can't trust a nerd, who can you trust?
What we need is a honey pot full of fake SSNs ... when people try to use them (obviously stolen), the Feds go round and arrest the bastards.
A lot of schools still use SSNs as student IDs out of sheer habit. Many small schools never bothered to update to student IDs, and are now in a situation where there are tens of thousands of SSNs floating around campus being used for things as simple as resetting an e-mail password.
My employer just finished a shift from SSNs to an actual student ID less than a week ago. The conversion's been a bitch (users: "whaaaaaa, why do I have to learn a new number?") and the fact that it was done in the middle of the semester hasn't made things any easier. I'm glad it's been done, it's something that should've changed a long time ago.
On a side note. When the ID's were changed we were told that it was being done in part to comply with upcoming changes in government regulations? Any truth or links to back that up?
There are some people that if they don't know, you can't tell 'em.
Now, so is mine . . .
Sdelat' Ameriku velikoy Snova!
Being that I work at a university, I understand your point. The thing I have found is that it is far easier to be fired from a University for misconduct than for poor performance. In this case however, someone is going to be fired. That is, if they can determine who is responsible and that person is still working there. Even then, (taking your point in consideration) it is entirely possible that the events that caused this system to be available occurred far too long ago to really hold somebody accountable now. (Although, IMHO, some heads should roll for not doing proper security audits)
The thing is that Universities hate bad press... UT will likely do something public to show that they cannot allow this to happen in the future.
It's sad, but UT already *has* unique IDs for each of its students. I'm holding my UT student ID card in my hand, and I've got a 16-digit number and a barcode printed plain as day on the front of it.
On tests @ UT, it's common to have to write your full name and SSN on the front of the test when you turn it in. In all my time there, only ONE professor ever asked for the number from our ID cards. Only in small classes or discussion sections did I hand in tests without my SSN.
I'm betting that, even though someone was bright enough to know that using SSNs for IDs was a bad idea and came up with new ID#s to print on student ID cards... there's too much legacy code to manage the 50k+ students that relies on their SSNs.
It is theoretically possible to be an adult without a SSN, although it would make life very difficult.
Mea navis aericumbens anguillis abundat
"the more urgent task is to [...] recover the data"
Huh? Does this mean that UT no longer has the data? That the FBI will have to go around to thousands of FTP servers and gather together a few bits here, a few bits there?
This theft metaphor just doesn't work with "stolen secrets", and never has. Once someone has discovered your secret, and told someone else, you can't get it back. It's not the data that was removed, but only the secrecy.
The money you have in your account is accessible from anywhere, if your bank has any kind of Web front end for checking and savings. It does, by now. Banks also hook into one hell of a certificate system for all the electronic transactions going on out there, leaving alone the little consumer Web site thing. They take this stuff seriously; if anything they take it more seriously than Health Care has, which is why HIPAA's got everyone worked up.
I agree, negligence would be the legal principle, so we don't need to invent new punishments as a deterrent. But the analogy works.
"Fundamentalism" isn't about divine morality. It's about human authority.
This is really sickening. A lot of schools still use SSN as student IDs. In State University of New York, until very recently, your SSN was used on your grade reports, your dorm phone bills, your administrative notices, and teachers even insisted that this SSN/Student ID should be written at the top of every homework. Old phone bills with your name, date of birth, address and SSN were often found in classrooms or on the floor.
When I approached a SUNY teacher about this potential ID theft problem (back in 1999), his answer was: "I've been doing this for 20 years and I've never heard of this problem". Shocking, astonishing conclusion: The American academia is clueless! Oh no! How can that be! (But hey, it explains so much.)
It took a few ruined students and an order from the Attorney General (IIRC) for stopping NY schools from using SSNs as student IDs.
I am not really surprised that some administrative cretins are still camping on their position after all the ID theft problems of the last few years. After all, Schools Are Clueless.
I would like to entertain the hope that a few of these moronic school administrations would be sued 'till they bleed by ruined students, but how could ruined students afford this kind of legal costs?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
molybedenum-at-hotmail-dot-com
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
In US territories an SSN is often assigned to a family rather than to an individual. Then the children of the family come onto the mainland for college. A bit of a mess when a large Puerto Rican family has 8 kids that all go through the same college.
"What steps can one take to protect one's identity?"
Don't go to UT . . . wait a minute ; ;
Actually, I also graduated from UT in the last couple of years. I majored in Economics, but that's not even a part of the Business School at UT! So, I see this as an opportunity to steal the identity of someone who DID graduate from the business school. Business school majors were usually snobs anyway.
UT is being hit with a penalty, but it's no fine or jail time. They're suffering a huge blemish on their reputation. IMHO, a hit to one's reputation is just as bad as being convicted of some crime. People think UT now, they think "insecure network, I wouldn't trust them with my info if ya paid me." No one takes this type of thing lightly, and those who know about this will probably reconsider applying for admission or a job there. They've got some serious making up to do. -D
That information wasn't leaked, it was FREED!
"Ask not what your country can do for you." --John F. Kennedy
(Extra credit props points to anyone who can name the system that I am talking about... Hint, this was late 70s to early 80s)
Cool. What's your /. password again?
Share and Enjoy!
Here's a solution: Cash only! Screw credit, that's how we got into this mess in the first place.
UT has about 50,000 students attending at any given time. Given this, probably what was taken were the records of currently attending students.
I suspect that we alums probably have less to worry about, though vigilance is probably still a good idea.
It was probably some over-eager credit card company who will now use the information to send 60,000 "pre-approved" credit card applications to the students. I mean, come on. Everyone knows we have to keep these students drowning in a pool of debt. Otherwise, how would the economy function?
This space for rent.
From http://www.utexas.edu/datatheft/affected.html: Is your SSN in the following ranges?
449-31-98xx - 450-91-24xx
451-12-32xx - 451-20-35xx
451-20-64xx - 452-20-40xx
If so, within these ranges, 55,200 people of the following types, including but not limited to:
Current students, faculty and staff
Former students, faculty and staff
Job applicants
Retirees
may be affected.
If you believe you are affected, please contact us.
------ This has been provided as a public service! ------
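An added example, not from the UT page or the post above, that turns the three published ranges into a runnable check. It is written in Go and assumes only what the list states: each endpoint is an SSN with its last two digits wildcarded as "xx", so the low end of a range expands to "00" and the high end to "99". It also validates the input format, since a mistyped number would otherwise silently compare as "not affected".

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// The ranges as published on the UT page quoted above.
var affectedRanges = []string{
	"449-31-98xx - 450-91-24xx",
	"451-12-32xx - 451-20-35xx",
	"451-20-64xx - 452-20-40xx",
}

// A well-formed SSN for this check: three, two and four digits with dashes.
var ssnRe = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

// ssnToInt turns "449-31-9850" into 449319850 so ranges compare numerically.
func ssnToInt(s string) (int, error) {
	if !ssnRe.MatchString(s) {
		return 0, fmt.Errorf("not a well-formed SSN: %q", s)
	}
	return strconv.Atoi(strings.ReplaceAll(s, "-", ""))
}

// bound expands the "xx" wildcard of one endpoint: "00" for the low end,
// "99" for the high end, so the range is inclusive of every wildcarded value.
func bound(endpoint, fill string) (int, error) {
	return ssnToInt(strings.ReplaceAll(strings.TrimSpace(endpoint), "xx", fill))
}

// Affected reports whether ssn falls inside any of the published ranges.
// A format error is returned rather than a silent false.
func Affected(ssn string) (bool, error) {
	n, err := ssnToInt(ssn)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		parts := strings.Split(r, " - ")
		if len(parts) != 2 {
			return false, fmt.Errorf("bad range %q", r)
		}
		lo, err := bound(parts[0], "00")
		if err != nil {
			return false, err
		}
		hi, err := bound(parts[1], "99")
		if err != nil {
			return false, err
		}
		if n >= lo && n <= hi {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs; none of these is a real person's number.
	for _, s := range []string{"449-31-9850", "451-20-5000", "123-45-6789", "4491-3-9850"} {
		ok, err := Affected(s)
		fmt.Println(s, ok, err)
	}
}
```

Note that "451-20-5000" sits in the gap between the second and third ranges (451-20-35xx ends at 451-20-3599, 451-20-64xx starts at 451-20-6400), so a naive "is the first seven digits between 451-12-32 and 452-20-40" test would flag it wrongly; the wildcard expansion above gets that right.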
You were born in Illinois.
Not necessarily. It is the state where it was issued. Kids today had theirs done up at birth by mom/dad, but older folks applied when older. I got mine when I was 13 and started working. However, that SSN is from great lakes region. Besides, I seriously doubt that it belongs to the poster. It is almost certainly made up or somebody else like an X.
I prefer the "u" in honour as it seems to be missing these days.
I highly recommend to everyone to read this page carefully
http://www.fightidentitytheft.com/flag.html
and if the drawbacks don't sound too bad (think carefully!) make the calls. It takes about a half hour. Much less than the time you'll spend untangling the mess of an identity theft. You may also consider calling your bank and creditors to ask them to put similar holds on your contact info so that some clever scammer doesn't have your statements forwarded to Timbuktu, thus gaining them extra time to run amok and causing you even more grief. This isn't paranoia talking, it's experience.
Here are the numbers.
Credit Bureau Fraud Departments
TransUnion
Fraud Victim Assistance Department
Phone: 800-680-7289
Equifax
Consumer Fraud Division
Phone: 800-525-6285 or: 404-885-8000
Experian
Experian's National Consumer Assistance
Phone: 888-397-3742
Davo -- Free speech, free software, AND free beer.
I am surprised at the number of people calling for a unique number (or code or whatever) and best argued for in the parent. However, I think this is a Very Bad Idea. Who gets to hold this information and use it? The only people I can see close to achieving this in the present/near future is Microsoft. Needless to say I don't have, and won't be signing up for a password account. The idea that one key can be used to unlock everything encrypted about you leaves cracking it as a way to screw you up bad. I'm not advocating security through obscurity, but a bit of redundancy. Maybe if there were 5 keys which could control everything, then if one was compromised, the other 4 could prove your identity. And each one should only protect 1/5th of your sensitive data, so your doctor can't check your cash situation, and your employer can't check on your health.
Nice to see that UT used the term "attacker" instead of "hacker" or "cracker". It's a fair and reasonable compromise. Too bad the media report didn't follow UT's lead.
I work in computing support for an academic institution which shall remain nameless. My observation has been that we are generally more secure than most other academic institutions. That being said, I once helped someone who was trying to transfer a rather large file from a satellite office to one of our main offices. The person had been having problems with an FTP server. I checked the server in question. Lo and behold, there was a text file with 50 screens worth of SSNs, names, and addresses, on a publicly readable server.
Academic institutions frequently fall victim to the security/convenience tradeoff. While the official policy may be to err on the side of security, an awful lot of people with access to sensitive data don't have any data security training at all, and just "do what works". With a large bureaucracy, the odds that at least one person will screw up are rather high.
Here at the University of Florida we have just moved to a new system called the UF-ID system. Students had to get recarded. It took almost a year to re-code all of the University's systems (housing, accounting, libraries, etc) but we had a successful launch on January 21st 2003. The system works great and ties in directly with the University's new Active Directory that was established for the entire campus.
Furthermore I think the FERPA (Family Educational Rights Protection Act) makes it illegal to use even partial identification numbers to post grades. You can read more about the University of Florida's system at http://ufid.ufl.edu
Apart from the fact that the guy in question (whose last name was Bond btw) was a Brit and hence didn't have an SSN in the first place. However, I seem to recall a "not so publicly disclosed" piece of info that the criminal actually managed to find the guy's passport number and use that with the guy's name + DOB: dunno how he did it though (of course, this fact would have probably got in the way of a 'stupid fbi' story...)
There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)
Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:
Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.
Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third-party ever gets a copy of it. This is important for two reasons:
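The scheme the comment above sketches, as an added example that is not part of the original post. It uses Go's standard-library Ed25519: a constructed registry maps an SSN (a made-up number, not a real one) to a public key, the holder signs an assertion with the matching private key, and a relying party verifies against the registered key. The nonce field is an addition beyond the post: without something fresh in each signed message, a captured assertion could be replayed, which is the one thing a signature alone does not prevent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry is the public lookup service the post describes: SSN -> public key.
// Constructed for this example; no such service exists.
type Registry map[string]ed25519.PublicKey

// Assertion is the message the holder signs whenever the number is used.
type Assertion struct {
	SSN    string
	Action string // what is being authorized, e.g. opening an account
	Nonce  string // fresh per use so a captured assertion cannot be replayed (added caveat)
}

// bytes serializes the assertion with a fixed field order and separator so
// signer and verifier operate on identical bytes.
func (a Assertion) bytes() []byte {
	return []byte(a.SSN + "\n" + a.Action + "\n" + a.Nonce)
}

// Sign produces the holder's signature over the assertion.
func Sign(priv ed25519.PrivateKey, a Assertion) []byte {
	return ed25519.Sign(priv, a.bytes())
}

// Verify succeeds only if sig was made with the private key paired to the
// public key registered under a.SSN. Knowing the SSN alone is not enough.
func Verify(reg Registry, a Assertion, sig []byte) error {
	pub, ok := reg[a.SSN]
	if !ok {
		return errors.New("unknown SSN")
	}
	if !ed25519.Verify(pub, a.bytes(), sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

// newNonce returns 16 random bytes as hex.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Demo exercises the three cases that matter: the real holder passes, an
// impostor who knows the SSN but not the private key fails, and a message
// altered after signing fails. It returns (legitOK, impostorRejected, tamperRejected).
func Demo() (bool, bool, bool) {
	const ssn = "123-45-6789" // constructed, not a real person's number
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{ssn: pub}

	a := Assertion{SSN: ssn, Action: "open checking account at Example Bank", Nonce: newNonce()}
	sig := Sign(priv, a)
	legit := Verify(reg, a, sig) == nil

	// Impostor has the public SSN but only their own key pair.
	_, impPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	impostor := Verify(reg, a, Sign(impPriv, a)) != nil

	// Changing any field after signing invalidates the signature.
	t := a
	t.Action = "transfer $10,000 to account 42"
	tampered := Verify(reg, t, sig) != nil

	return legit, impostor, tampered
}

func main() {
	fmt.Println(Demo())
}
```

The relying party never sees the private key, which is the property the post is after: the registry and every bank can leak, and all an attacker gets is a public number plus public keys. What this does not solve is key loss or theft; that moves the "report it to the police" moment from the SSN to the private key, as the earlier comment about a physical ID card also suggests.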
My younger brother's SSN is actually immediately prior to my own. Yet we were born 3 states away from each other (and 2 years apart, too). So the parent post is correct. The probability of being born in the associated state is high, and higher with younger people, but is not a certainty. And as the numbers are used up, they may even change the scheme to assign them. Maybe they should now.
now we need to go OSS in diesel cars
I work in the admissions department of a Community College which uses SSNs for SIDs. One of the reasons that it is almost necessary to use the SS# as the identifier is because of the transcripts that we require for admissions into certain degree programs. We have about 20,000 unidentifiable documents that have only the name as the identifier on them, and 99% of these documents use maiden names, so without some UID (even as little as a current name and a birth date), they are utterly worthless, and thus end up in a dead letter office. I personally receive the same documents over and over again, but without the sending party taking the step to identify people, the documents aren't processed and people are denied admission because they miss deadlines.
At UT, a student's SSN is used as his/her ID number by default. However, a student may request that it be changed to a random 9 digit number by simply going to the ID center. Few students know about this, but it's why UT does not get in trouble for using SSNs as ID #s.
Hook'em
Stealing files with fingerprint information isn't as helpful as it sounds. Fingerprint scanners don't compare against graphic files, they look for similarities between distinct features of your fingerprint (where ridges are, how far apart loops are, etc...) Not enough information is stored in these files to make a working duplicate of someone's fingerprint (you might hit a few of the features, but not enough). On the other hand, you could always lift someone's print off a glass and use the ole gelatin trick...
;).
Not sure about retinal scans, maybe that's an answer
I agree though, the use of SSN is outdated, it is security through obscurity using a less than obscure number. If I want to steal your identity, all trying to hide your SSN from me does is make it take me a little longer and piss me off that much more, you'll be owned soon enough
26th street (now Dean Keaton, or however that's spelled) is a big hill, for instance. But compared to Knoxville, No ;)
(I remember wondering where the "Hill Country" was.)
However, that *is* another good comparison -- both Knoxville and Austin are *relatively* hilly, compared to the vast bulk of the rest of their respective states.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
Cas Walker's old location on Chapman Highway is now Disc Exchange ;)
That doesn't actually invalidate your point though. Just funning a bit.
Not to be ignorant or anything, but as a Texas A&M Aggie it's my duty to say -- Whoop!
-dewhite
I was bitching about their lack of security as early as 1997... by default, they shunt(ed) all contact information into a publicly accessible X.500 server. It wasn't a commonly known thing, and you had to take proactive steps to remove yourself from it (go down to an office, fill out a form, etc)
From ksparger@vaevictis.stf.org Fri Aug 1 10:42:46 1997
Date: Fri, 1 Aug 1997 10:42:45 -0500 (CDT)
From: Vaevictis
To: info@x500.utexas.edu
Subject: Questions regarding the x500 service.
Hi
Sorry to pester you (I know how much of a pain it can be to administrate an internet service).
I'm a freshman taking English 301 (Composition class), and we've just recently been assigned a proposal argument.
My proposal is that the university change the policy on the x500 so that instead of having the student's information accessible by default, the student would need to sign a release form. (in other words, the exact opposite of the way it's done now... as a new student, I was horrified to find that my personal information (home address and telephone number, specifically) was being given to all comers.)
I would like to know the following information, if it's not too troublesome for you to give to me
What would need to be done to change the student's default from "distribute information" to "withhold information" in the x500 directory?
Would it require a change at the actual x500 site (ie, configuration files?), or would it require that some other group (the registrar, perhaps?) change policy?
What kind of security measures are installed to log accesses of information? For instance, I know for a fact that you don't attempt identd lookups, do you log access attempts by hostname, IP address, or do you log at all?
What are the scenarios if it is found that someone used information acquired from this database for illegal/unethical purposes? ie, could you even prove where a certain access came from if you had to in court?
Anyhow, thanks for your time, it's much appreciated
If you don't know the information for any of the above questions, I would appreciate it if you could tell me who could (if you know, anyway).
Thanks a lot,
Kyle Sparger
Date: Fri, 01 Aug 1997 11:13:04 -0500
To: Vaevictis
From: "William C. Green"
Subject: Re: Questions regarding the x500 service.
You should read our FAQ and all associated links: http://x500.utexas.edu/x500info/faq.html
Specifically, Appendix C Subchapter 9 with special attention to section 9-201 of the General Information Catalog.
I would suggest you begin your inquiry with the Registrars office, although many other offices would be involved. My understanding is that any change would need to be approved by the Regents.
This question is more complicated than it would appear.
As part of your argument, you should consider the implications of not having a directory service, or, a service that is restricted to UT Austin access only.
Host access information is kept in rolling logs.
Yeah, I work for ACC and I know this to be true. But in actuality it may be that he CYA'ed too. It may be one of those institutional things that just can't be fixed until the sh** hits the fan. At that point then you can say "I told you this would happen", until then the only thing you can do is holler long and loud.
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
Aside from the fact that the custodian of the information certainly has a lot to blame in this, there is another big part of the problem. That problem is what people can actually do with the information.
An SSN is identity. It is nothing more than that. The problem is people make the incorrect assumption that it is authenticity (I can recite the number, or read it off a little card in my wallet, so it must be me), and authority (this account has your SSN and is overdrawn, so you are liable for it).
If any law change is needed, it is a law change that says that it is illegal for an SSN to be accepted for any purpose other than identity. What that means is that if I walk into a bank and open an account citing some SSN, the bank needs to understand that all this does is identify someone, and not necessarily me. If the bank causes harm to the real owner of the SSN by having provided any derogatory credit information based on that SSN, then the bank shall be fully liable for having not taken reasonable measures to ensure accuracy of information. And by that, what I mean is that the bank can't simply say that the victim needs to track down the perpetrator to cover the costs. The banks need to be forced to properly authenticate the information they use, especially when and where it might be used in a negative way.
And I don't mean to pick on banks (I just happen to have an open case with Chase Manhattan bank which continues to allow someone to operate a credit card account with my SSN, reported on my credit reports, without my consent, and after I have advised them of the fraud). Such a law should apply to anyone and everyone who accepts and uses SSN data for anything. It's the negative things that can be done (like bad credit info) that needs to be stopped (in addition to other stupidities like running computers insecurely and connecting systems to the internet that have no business being there).
When I was in college I was broke, in debt and had no credit. Go ahead, steal my identity, you can have it!
Microsoft aggravates my tourettes syndrome.
If SSNs were only supposed to be used by the IRS, and the current system is so ripe for abuse, why hasn't there been a law against using SSNs for non-tax purposes? Easy - lobbyists and money. Credit card companies and credit bureaus see SSNs as a godsend. For them, it's cheaper and easier to have a central registry in order to troll for new credit accounts, regardless of the security problems inherent in using SSNs for everything.
Every effort to reduce the power of credit bureaus and protect individual privacy has been defeated or weakened by the credit bureaus and credit issuing companies. Their claim is that a central database tied to everyone's SSN is critical to doing business. Of course, they neglect to mention that they do plenty of business outside of the US without having such a system in place, AND the fact that SSNs are not guaranteed to be unique.
At this point, reasonable souls would start to question whether this is a government for the people, by the people, or a government for big business, buy the politicians! Face it, it won't be until the system is completely broken, with millions of people affected, and with the costs of keeping the current way of doing business too high to continue, that they'll change. By then, it'll be too damn late...
I attend community college at night and in one class we have to telnet into a Solaris box from W2K. Our login name is the first 3 letters of our last name, followed by the last four digits of our social security number. Guess what the password is? Yeah, our full social security number. One day I came to class early with a copy of Knoppix on a CD and booted off it and ran ettercap, poisoning the switch so all traffic goes through my machine first... One by one, as students came in, I was able to sniff their login name and password (which was their social security number). I sent an email to the school using that as an example of why students' passwords, or their ID number should be a SSN number. I have not yet gotten a response
No big words.
... but the West Disk Exchange is far inferior to the big one in what used to be C. Walker's grocery. Plus, it's next to a great used book store (Book Eddy).
This has concerned me for quite a while. UT was very slow to change its policy regarding the use of the social security #. Up until a year or two ago, you could find papers outside TAs' offices with socials on them.. Probably still can..
A witty saying proves you are wittier than the next guy.
So what happens when these would be identity thieves find out my credit is maxed out with student loans?!@#
Doh! Don't you think college student and faculty SSNs aren't really the right crop to harvest?
But, while you're there please fix up a few of those loans!
that March 2nd is Texas Independence day?
Could this be a politically- or culturally-motivated attack?
Funny how this security breach at Princeton never got the media attention it deserved:
http://www.ispep.cx/files/tucson.princeton.edu.tx
Mod this up as Informative...
Ever need an online dictionary?
The Indiana University School of Medicine was hit recently. Not just social security numbers, but medical records, too--everything you need to know to become someone else. All these poor folks were patients of their sleep clinic. I guess they have something else to keep them awake all night now...
-Scott Hutton
This isnt an isolated incident, rather its a trend. Big state universities are a target for hack attacks unfortunately.
Kansas University was hit hard in late January. SEVIS was pilfered (Student Exchange Visitor Information System; part of the Patriot Act).
Info here.
A click on the travel.fp3 file listed a couple hundred SSNs. It was completely wide open.
UT made it sound like a deliberate attack, but it looks to me more like administrative incompetence (and cya).
Think about it, if NASA has computers that are 20+ years old doing mission critical calculations, what do you think THIS would be run on? The keys would stay the same while computing power got cheaper and cheaper until the Game Boy XL27B has enough power to crack the keys between games of Super Hyper Japanese Fighting Robot Training Farmers
Banaaaana!
They're quite aware of this and last I heard we were going to switch from SSN to what we use for our student services login which (in my case) is just lastname + first + arbitrary digit(s). It should be a tad better.
It's not a defeat, it's just that all corporations and institutions do things this way (using the SSN, having poor security, etc) because it's cheap.
The guarantee of "if something bad happens we'll fix it for you" is given but all burden of time, proof, investigation, research and argument falls on the consumer. The catch is that the consumer often doesn't have the time or money to do that without serious hardship. Yet the corporations are absolved of all responsibility for your lost opportunities while you fight to prove that your credit rating has false entries on it, etc. Even a simple two week hold put on a bank account while you dispute an address change or fraudulent charge is a serious hardship for many.
An ID card of any sort doesn't matter; those are easy to fake. The entire financial security of most people in this country rests on their widely-distributed SSN and their mailing address or possibly their mother's maiden name. That's not likely to change so long as it's always "somebody else" statistically insignificant that gets screwed. Raise ID theft crime enough and watch heads start rolling and stupid laundry list ideas (like extra ID cards) start flying.
Then there was the amusing experiment where a bunch of Germans managed to fool retina scanners using printed images of eyes that could be taken at a reasonable distance with a camera.
Xix.
"Everything is adjustable, provided you have the right tools"
Anyone know which OS is involved?
pr0n - keeping monitor glass spotless since 1981.
I'm a student at UT-Arlington, the next largest school in the UT System. Last October our Student Congress passed a resolution I wrote asking them to basically make it easier for students to be able to request to no longer use their Social Security Numbers as their ID # - UTA currently has a system in place where you can request to use a randomly generated ID# instead of your SSN, but no one knows about it and they don't advertise it or make it easy.
The administration's response was "Come Summer 2005, when we have our new Student Information System, we won't use anyone's SSN" but that in the meantime, we're screwed because they weren't going to change anything.
A month ago I discovered the 'secure' portion of the Housing department's website had been indexed by Google, including the ID # (Social Security Number) of all 1200+ residents living in the on-campus dorms. This highlighted the need for the immediate cessation of collecting and storing SSNs, so I've introduced a follow-up resolution our Student Congress is looking to pass soon basically demanding each department document every way they use SSNs and the security measures in place to protect them, after which we want a committee of students and faculty to go through the documentation and approve or deny their use and storage of the SSNs.
Our school paper, The Shorthorn (www.theshorthorn.com) is supposed to do a story in tomorrow's (Friday's) issue concerning the leak at UT-Austin and the fact that administrators so far at UT-Arlington are ignoring the need to provide security for SSNs NOW, and not just in 2005.
It should be interesting to see if the administration has finally 'seen the light' and will listen to us, this time.
In their newswire, Salon titled this story, "Computer crackers steal students social security numbers."
I thought the Slashdot community would appreciate Salon getting the terminology right on this one. It may seem like a silly point to some, but the distinction between "cracker" and "hacker" is huge in my mind, and it always makes me happy to see a journalistic outlet get it right, for a change.
I agree wholeheartedly that the abuse of SSN is a problem. However, realize that most US educational institutions will assign you another unique student ID which is not your SSN; it is not impossible to dodge their use, and if you truly care about your security you will never use this number except when forced to. You have the right to protest its use otherwise, but consider that this distinguishing characteristic may not be so good socially--the people around you might not be quite as apt to understand your rabid protection of this number, even if many of the more privacy-oriented do.
Moreover, as much as it is claimed (and perhaps rightly) that "the system" wants you to use this one unique identifier, there is a definite advantage to having an easy-to-remember number associated with almost everything, instead of separate account and unique personal identification numbers. However, some privacy experts agree, as do I, that the SSN should only be used for, well, Social Security when possible. Looking at that aforementioned letter, I find a passage which states that "from a technical viewpoint, the SSN is not a good identifier. It is not unique, [and] there are multiple users of a single SSN". While I can find no proof of this assertion elsewhere, I have heard anecdotally of people who used Richard Nixon's SSN throughout college (567-68-0515)--the results are obviously mixed. Overreliance on this number poses an undue threat to college students who, frustrated by this kind of wholesale theft which could lead to troubling financial consequences should the perpetrator preserve a copy of the data, might turn to forging SSNs--an OK idea until you get caught at it.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Can he tell the difference between a real ID and any old fake one that can be had for $20? Green cards, drivers licenses, passports, what have you, if the government can print it so can a forger. That's why so many institutions used SSNs, it was unlikely that a forger would know the SSN that matched a name. Yet its widespread use by the clueless, such as UT, is the downfall of its use. Fewer people will trust SSNs as a unique identifier and the government will have to implement some other form of difficult-to-forge-and-know identifier.
Friends don't help friends install M$ junk.
And the US thinks it can stop the "infrastructure of terrorism" by freezing the assets of a few charities. Bah. If we can't get a grip on our own record and banking systems, the money will continue to flow. TIAA is a distraction at best, another place to lose information at worst, and a waste of resources either way.
Friends don't help friends install M$ junk.
Hmmm...caught stealing data in Texas. Isn't that a death penalty or at least a castration offense? That'll get the guy to reveal who he's given the data to.
From the UT Datatheft homepage as of 11:13 Central on 6.6.2003.
;)
Data Theft Incident Response: Latest News
From the moment of discovery, much work has gone into identifying the perpetrator(s) and impounding their equipment. This work has involved the vigorous participation of federal and local law enforcement officials. Search warrants were served the evening of March 5. More information on the ongoing investigation will be forthcoming.
Within a few days, we expect to know more about whether the stolen data went anywhere beyond those who captured it.
We will contact individuals whose social security numbers were stolen with information about the level of risk when the risk is evaluated. We will help each such person to take protective steps.
Wheeeee.. Hopefully the skinbeef didn't buy a Jaguar with my credit before the Federales nabbed his/her ass.
We have lots of foreign students, and you have a lot of reports on them to make to the INS (or whatever is replacing the INS now that they got rid of it) due to post-9/11 legislation.
We have many foreign students as well. Most, however, do not have SSNs. The school simply creates a key (starting with "800" as "800" is not a valid SSN location). Why they haven't done that for all students just puzzles me. They are, however, moving to a new system without SSNs as one's student number. It should be in place in a couple of years.
What gets really interesting, is my userid (and consequently, e-mail address) contains my citizen id (last 4 of my social). All someone needs to know is my e-mail, where & when I was born (or otherwise applied for a SSN) and with some research they can recreate my SSN.
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
The way this sounds, there was a web page accessible to the internet that you could look up some information about 'yourself' by entering 'your' student ID #. If the person who wrote a script to harvest information stole 55,000 records, do they define theft to mean any access that is not using your own SSN? That's very much akin to having a bucket of mints next to the cash register at a restaurant... you generally take one on the way out, but some people take three or four. Or 55,000. Free within limits? Social customs do not apply on the internet.
...And whoever wrote that web page should be held responsible for the attack. He may as well have opened the vault at Fort Knox and held a bank robber convention on the grounds.
Whoever the script kiddie was, he deserves an accolade for a dumb, brute force attack. Had he made one query an hour, we'd never know about the security breach and there'd be no warning about all the identity theft, and the system would go unfixed.
Any connection between your reality and mine is purely coincidental.
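As an added example (not code from this thread, from UT, or from any project it mentions), here is the defender-side check the last two comments argue about: a per-client rate threshold catches the brute-force harvest of a self-service lookup page, while a harvester pacing itself at one query an hour is only exposed by counting how many distinct IDs each client asks for. The endpoint path `/lookup?sid=`, the log format, the client addresses and the IDs are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for a hypothetical /lookup page (no time-zone field).
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
                     r'"GET /lookup\?sid=(?P<sid>\d+) HTTP/1\.[01]" (?P<status>\d{3})$')

def parse(lines):
    """Return (client_ip, timestamp, queried_id) for each line that hit the lookup page."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')
            events.append((m['ip'], ts, m['sid']))
    return events

def detect_enumeration(lines, burst_limit=20, window=timedelta(hours=1), distinct_limit=5):
    """Map client_ip -> reasons. 'burst': more than burst_limit lookups in any sliding
    window; 'many_distinct_ids': more than distinct_limit different IDs queried overall,
    which still flags a harvester that keeps under the rate limit (e.g. one query an hour)."""
    by_ip = defaultdict(list)
    for ip, ts, sid in parse(lines):
        by_ip[ip].append((ts, sid))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        reasons = set()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            if end - start + 1 > burst_limit:
                reasons.add('burst')
                break
        if len({sid for _, sid in evs}) > distinct_limit:
            reasons.add('many_distinct_ids')
        if reasons:
            findings[ip] = reasons
    return findings

def _fmt(ip, ts, sid):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S}] "GET /lookup?sid={sid} HTTP/1.0" 200'

def sample_log():
    """Constructed traffic: one user checking their own record (3 lookups), one brute-force
    harvester (30 IDs in 5 minutes) and one slow harvester (8 IDs, one per hour)."""
    t0 = datetime(2003, 3, 2, 9, 0, 0)
    lines = [_fmt('198.51.100.7', t0 + timedelta(hours=h), 10001) for h in (0, 2, 5)]
    lines += [_fmt('203.0.113.5', t0 + timedelta(seconds=10 * i), 20000 + i) for i in range(30)]
    lines += [_fmt('192.0.2.9', t0 + timedelta(hours=i), 30000 + i) for i in range(8)]
    return lines
```

Running `detect_enumeration(sample_log())` flags the brute-force client for both reasons and the slow client only for the distinct-ID count, which is the point the comment makes: a rate limit alone would have let the paced version of the same harvest through.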