Slashback: Texasocial, Networking, Attacks
Why meet people in real life? Roland Piquepaille writes "I wrote [Saturday] a column about social-network mapping tools mentioned by Slashdot. Slashdot readers sent me many comments and e-mails about other visualization tools. Here are these new tools, in no particular order: email constellations, Apache Agora, NetVis Module, EtherApe, inGridX, NameBase's Proximity Search, Surf3D Pro and the dazzling KartOO. Finally, a reader talked about another kind of tool, the Visual Thesaurus. This web tool is not about social mapping, but it shows graphical connections between words. In this previous column, "The Visual Thesaurus: What Does it Show About Thanksgiving?," I already explored this very funny tool. Check this new story for more details about all these tools."
Update: 03/19 00:34 GMT by T : Directly related: Josh Tyler writes "Related to a recent Slashdot posting on social networks is this paper on automatically discovering communities based on email data, just published by our group at HP Labs. We find that simple communication data is enough to identify communities, both formal and informal, and possibly even to identify the leaders of these groups."
Speaking of online community ... TGK writes "Audioscrobbler (which many of us visited the first time it was posted here) has a new site up, and most importantly, new plugins for XMMS and Winamp 3."
From the site, a capsule description of what Audioscrobbler does: "It grows to know what music you like by monitoring what songs you play on your computer. From this information you can discover other users that share some or all of your taste in music."
Feedback is always cool. An anonymous reader writes: "Sudhakar Govindavajhala, co-author of the paper referenced by the Saturday Slashdot article 'Using Memory Errors to Attack a Virtual Machine,' has responded to many of your [Slashdot readers'] questions and comments. His commentary is located at his Princeton CS website."
Another reason that Social Security isn't. GregAllen writes "Remember the recent case of SSN data theft at The University of Texas? A student has turned himself in. In his confession he says that he acted alone, and had no intention to disseminate the information. Maybe this will convince them to stop using SSNs for student IDs." Bonker also points out that "Salon is carrying an AP article that's a followup to the story a few days ago about the mass of Social Security Numbers stolen from University of Texas. Christopher Andrew Phillips is described as a 'fine young man who has never before been in trouble with the law'. Apparently he wrote a program 'to access a university Web site that tracks employees who attend training classes'. Whether or not this was done for illegitimate purposes remains to be seen. As a former UTA student, I'm glad my SSN is no longer in danger!"
What's the state of the device? An anonymous reader writes "N-Philes.com did another State of the GBA Industry Article and Roundtable. Here is the Industry Article, and here is the Roundtable."
Update: 03/19 00:34 GMT by T : And one more: presroi writes "Just one week after even Slashdot has noticed the new 2.2.24 Linux kernel, Alan Cox has announced a new version due to a security issue found in 2.2 as well as in the 2.4 branch. I hope that we all were too lazy to upgrade from 2.2.X to .24 until now :)"
What steps are being taken to protect the data and users' privacy? Hypothetically, if a large company offers, say, a million dollars to use the data, how protected are the users who contribute, or are they for sale to the highest bidder?
Or is it a case of when they hand over the cash the project leaders will be rich, so who cares?
I thought about this for a moment (just one, just one moment) and came to the conclusion that I actually have no idea why an institution would use SSNs (or SINs) to internally identify their members. The university I go to has their own student numbering system and we seem to do fine. It's not difficult at all to remember a 7 digit code that you find you have to write down at least 5 times a week. *shrug*
So basically, it's OK to use SSN because students aren't smart enough or are too lazy to learn a new PIN. While the PIN seems pretty long, I still see no reason for an SSN. Between phone #, address, etc, you should be able to identify your Michael John Smiths. Being that the identifier given is relatively the same length as an SIN (at least ones around here) - why couldn't anyone who memorizes their SIN memorize the ID?
For those that can't... put it in your damn wallet on a card or something, because with the SIN they're probably referencing their card anyhow.
In the school system I used to attend (I won't name it, but it's a K-12 district), students were assigned student ID numbers which were recycled when the student left. Faculty members, however, didn't get such a privilege, and instead were tracked by their SSNs. Although this information was not supposed to be available, I was able to gain access without much work (and I suspect I could still do so). In fact, I have a file on my computer right now (encrypted of course) containing the names and SSNs of every faculty member of the entire district as of when I left. This includes janitors, teachers, principals, district administrators - anyone with an account on their system.
:)
The problem seems to stem from the lack of knowledge of the people in charge of running the system. The "technology admin" at my school looked to me like he was chosen as the teacher who knew the most about computers - certainly not hired as a professional.
This district has no idea I have this data, and I don't intend to tell them. Most of the faculty there didn't like me much anyway, and I'm not putting myself at risk for those bastards. They're just lucky I have too much integrity to use it for evil.
Seriously, what law was broken here? If the university left a list of student/faculty names and SSNs on the sidewalk and someone picked it up, with no intent to commit fraud etc., would that be a crime?
Suppose someone from the school administration had memorized everyone's SSN and sat in the student union and would answer questions of the form, "do you know who has xxx-xx-xxxx as their SSN?" If students (or others) asked questions of this form and eventually learned a list of SSNs, would this be a crime? And who would be guilty, the questioners, or the idiot that was giving out confidential information without the owner's consent?
In this case the moron who created the web site was answering this question indirectly over the Internet. Who's at fault? The guy who took the time to ask the questions, or the dork who made it possible to get the answers?
In going through some old papers from my grad school days, I found my carbon copy of a grade report which lists student names and SSNs (along with their grades in the class I taught). Am I guilty of a crime for possessing that list? Clearly, I was trusted with that information because I was hired to teach a class, so isn't it my responsibility to keep that information confidential? It seems to me the web author has the same responsibility.
Obviously, it's a very different situation if someone does something illegal with the list, but just building the list from publicly available information doesn't seem like a crime to me. Making the list easy to publicly deduce seems like the real crime in this case.
I am a student at the University of Texas and I think there are a couple of things that need to be clarified here. First of all, the SSNs that were accessed are, for the most part, not student SSNs, they are SSNs of employees of the University (some of whom are also students). Read the article again, you will notice that he accessed a web site that tracks employees who signed up for training classes. This means that the SSNs are from tax forms and not student IDs. Secondly, UT Austin no longer uses SSNs as student IDs. I am a recent addition to the student body so I don't know how long this has been true, but the ID cards have a 16 digit number printed on them that you would use whenever that is necessary and that the Electronic ID (EID) is a user-assigned login and password combination and that the social security number is no longer part of the information available electronically even to the student. That was a change that happened just last semester. Students interact with the university electronically with the EID not with an SSN. The only time a student needs to use the SSN is when trying to change the EID (which they have to do in person, with photo ID). So, in the end it is ironic that most of the complaints about the use of SSNs as Student ID numbers, good discussion that it is, have nothing to do with the UT hack!