Slashdot Mirror
Outsourced Confidential Data On Children Posted
Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."
Who do you trust? And who do you get to solve something like this?
Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?
You can take this to the extreme, and be wary of anyone to handle private data about you. But then, if there's that sort of outcry, nobody would be able to handle it, would they?
I suppose it's better than having the Smoking Man from the X-Files having a file about you, and a blood sample. I find most programmers to have a certain level of professionalism to what they do.
I personally have access to roughly 10,000 credit card numbers. I'll never abuse the fact that I have access to them. But on the other hand, I'm not stupid enough to post all of them on the net for everybody to see, either.
I hope anybody who ends up doing something that stupid becomes a victim of identity theft. That'll really open their eyes to respecting other people's privacy.
By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I'm sure the "it professionals" on alt.pedophiles were more than happy to check out the db issues for him.
When you're looking to cut corners, be careful who you give the scissors to...
Obliteracy: Words with explosions
Talk of identity theft, damaged credit, and so on may not rile up the Soccer Moms of the world, but once something affects the children, watch and admire as their mouths begin to froth!
Myself, I'm always careful about 'stripping' any information when posting code samples or looking for help in Forums. I'm surprised this isn't reported more often...
I wonder if the parent company that hired this 'outsourcer', even knows that their data has been compromised...
outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York.
In other news: Michael Jackson to move to NY soon.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.
Floating face-down in a river of regret...and thoughts of you...
This, and the Florida case will be brought up again and again. And I am sad to say that these are just the beginning of a long decline.
I have seen some people spread data via slashdot comments encoded with base64 and encrypted. (anyone have a link to a specific occurance - at least one time someone decypted it and posted it) Could slashdot be used as a way to anonymously leak information like this, and use slashdot's general policy of "just mod to -1, don't delete" towards comments as an advantage? Unlike other forums, posting anonymously leaves nothing but a MD5SUM of your ip to be used in court. Also, if you "post anonymously" while logged in, slashdot caches your username. You can verify if you have mod points by noticing that even when you post anonymously AND change your ip address, you can't mod up/down the comment.
Officials at the New York State Office of Children and Family Services and in Livingston County, where the incident occured, are investigating. Livingston County's social services office is located in Lima, just a few miles south of Rochester, N.Y.
If it's an outsourced programmer, shouldn't it be Lima, Peru?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Couldn't a "non-outsourced" developer make the same mistake? What does this have to do with outsourcing at all? Seems to be a very leading post to me, designed to generate the usual angry, anti-outsourcing replies.
All your favorite sites in one place!
As much as I feel the outsourcing trend is not a good move, both for my career path and the US industry in general, this 'news' neither adds nor subtracts from the debate.
It would be better titled:
"Idiot makes mistake, exposes private data to Net. Sound thrashing in progress."
Anything is possible given time and money.
I wonder if they've checked the wayback machine at archive.org.
One line blog. I hear that they're called Twitters now.
Those in the medical industry such as myself have a deep understanding of these issues. The government of the United States identified the amount of this kind of sensitivy in the information that we keep, and decided to pose some restrictions on how we handle it. For those who are interested, feel free to google for "HIPAA," and be sure to read over the consequences for disclosing "PHI" to unauthorized sources. Perhaps these kinds of sensitive information handling rules should be global, and not industry-based?
Jamon
I can count to 1023 on my hands. Ask me about #132.
That he has even tought of posting his customer's true dataset is inforgivably moronic. Whether it was data on children's whereabouts, credit card information, or even "just" accounting information on some business.
While it is true that not revealing your customer's data is the ethical thing to do, it's also just plain ol' common sense.
Though I should perhaps say vintage common sense. Seems that product has been discontinued for some years now.
-- MG
I have tried so far to be patient and tolerant. To be patient and tolerant is to be a good person.
= zd nn
But there is a line.
Every person who is reading this article, every person who wrote this article, is wearing an "outsourced" shirt (maybe even made in India! look at your textile tag!), looking at an "outsourced" watch (usually Taiwan), staring at an "outsourced" computer monitor (again, Taiwan), and ready to drive home from their job which is "threatened by outsourcing" in their "outsourced" Japanese car. This is the way of the world! George Bush, the popularly elected president of America, meets at Free Trade summits, and this is Free Trade! Why should anyone whose entirely life is purchased of "outsourced" products complain of "outsourcing"??
Well my large personal escaping out of the way, it is a tragedy and a flaw what has happened in this article. However I believe it has happened many times before with American firms as well.
http://zdnet.com.com/2100-11-526757.html?legacy
No?
So, we are trying not to make these mistakes as well. I can say that at least here the discipline is greater. This person will be beaten for sure.
Very creative, however, if you had read the whole article, you would have realized that the chain of contractors - the university that received the original contract, the programmer they subcontracted, and the programmer that the subcontractor contracted, were all US citizens and/or organizations.
Just because a programmer is located in the US does not make him or her infallible and capable of doing perfect work.
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
Who the hell thought to give him REAL information about these children in the first place? A fake datase would've worked just as well for development purposes.
You can't judge a book by the way it wears its hair.
Rather than mod you down, I'll just let you (and all the other knee-jerks) know that THIS WAS NOT AN INDIAN PROGRAMMER. This was a guy named Mark Dennis. Not a very Indian sounding name. Also, Mark Dennis actually subcontracted the job involving the database out to someone in New Jersey. Maybe IHBT, but the article summary could make you believe this had to do with offshore outsourcing, so that's a misconception we should clear up early.
It should be illegal to say that freedom of speech should be limited.
Unscrupulous? No, just incompetent. Posting credit card numbers to some hacker site is unscrupulous; this guy's just too stupid to do his job.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
"not yet determined"!?! Those parents should be informed so they can be alert for trouble.
However, in this case, all the outsourcing was within US borders, as is evident from the contents of the article.
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
First of all, the article is fanning the flames by saying this is a database of children's whereabouts. Okay, this is a problem, but then again it doesn't matter if its children or anyone, it just gets "oh please save the children!" sympathy clicks.
It also doesn't address what I think the biggest problem is. It's obvious to me someone assumed this bozo of a programmer had some not-so-common-sense about posting information to a website. I deal with customer data all the time, and my company has taken some steps to make it a little harder for people who should not need the data to not get the data, and our data exchange policy clearly states "Do not give this data to anyone outside of this company or you will be beheaded!"
I get to this day accountants in our company saying "why can't I peek at this customer's data" to which I reply "Do you have a signficant need? If so, tell your manager to talk to my manager, and I'll be happy to give it to you." I get nothing after that. The customer data we have is for support and development use, not an accountant who has no use for inventory and sales information (at least not in this company). It is also freely accessible amongst those people, who typically only share it within others in their department.
One day a manager might get an idea that looking at a customer's data might give them an idea of their open bills, but that might be unethical or illegal so until a manager says to give access, I won't.
My point is, it could be that the policy was not pounded into this dolt's head, or that a proper data exchange policy even existed. If so, he's still a dumbass, but companies frequently hire dumbasses, which is why you sometimes need a policy to help prevent dumbass behavior. The article puts full blame on the programmer and doesn't really give any blame to the company who hired him.
"All great wisdom is contained in .signature files"
You would not believe the sensitive information we receive. People don't even think about the ramifications when they send us, for example, somebody's high school transcript, or mortgage closing documents, or people's credit reports. We have secret inventory lists for competing companies, each of which would probably kill to get their hands on that information. We have "insider" information on the international banking industry. We have medical records. Prison records. It goes on and on.
Because of this, we have an extremely tight document policy. Data exists on paper only long enough for testing purposes, then it is destroyed. The bug tracking database is purged of old test cases on a regular basis. Customer files never leave this office, in paper form or otherwise.
In fact, as I write this message, I can think of several ways that we should probably be even more paranoid. Fortunately, the officers of the company take our responsibilities very seriously, and there has never been any serious breach of customer confidentiality. I hope there never is.
The programmer who posted identifiable information to a public web site, because he was too incompetent to solve his own problems, is an idiot who should be fired and beaten with a wicker cane.
I hope that the police in upstate New York correlate the kids whose information was posted and missing children reports.
Also for everyone who says: "This could happen with an American programmer just as easily." Yes that is true but you could punnish that programmer but you will have a hard time punishing programmers in other countries.
"It's not likely all those visitors unzipped the attached database, but there's no way to know how many did, according to RentACoder CEO Dan Ippolito."
This company is so damn stupid they don't know how to check their logs to see how many times that file was downloaded,
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Outsourced moderators, of course.
This work was outsourced, not offshored. This article has obviously been posted to show how outsourcing threatens the future of our children. This work wasn't offshored. It was done by an American programmer. If outsourcing is bad, why did the navy outsource a 5billion $ chunk of IT work to EDS?
This is one of the things that really concerns me about offshoring. As US corporations keep outsourcing software development to another countries, the confidential data will inevitably move there too.
How long before private information like credit histories, medical records etc. is leaked out from some company in Bangalore?
Imagine being blackmailed by someone in a third world country. Given the state of law enforcement over there, you would have no legal recourse.
[/paranoia]Guess my sig goes double now...
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
It's great to see how different news orgs handle headlines. MSNBC makes pains to name the Government as the offender in it's headline, "Government agency exposes day-care data". Slashdot is a little less breathy and indicates the true source of the leak, the out-sourced coder.
Both could be called correct, but more interesting is how the positioning of the story indicates the inclination of the news source. MSNBC is part of the mainstream news establishment that has been telling us for years that the government hasn't done a good thing since kicking the British out of Yorktown.
Slashdot speaks to a lot of developers who don't ever want to work for a place called "RentaCoder", and don't have a lot of respect for anyone who would.
Personally, I much prefer the Slashdot take on the story.
I'm much funnier now that I'm a subscriber.
is this little bit at the end of the article
County officials have not yet determined if they will tell the families involved about the incident.
If that isn't sick I don't know what is. I thought it might be more like 'haven't decided how to tell....' not IF they would tell
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
If you're an independent consultant, your insurance agent has probably mentioned "Software errors and omissions" insurance to you. Software E&O coverage is written to protect your ass(ets) in the event that you colossally screw up and do something that gets your client's client answering awkward questions from major news organizations. (A colleague once observed that, "if, when you walk in the door in the morning, your secretary says that a CBS producer is on the phone trying to schedule you for an interview with Mike Wallace, it's probably a bad day.")
Suffice it to say that if Mark Dennis doesn't have Software E&O coverage, he's going to wish he did. Because he's going to get so sued. Along with the community college, the government agency, and everybody else involved.
Getting sued, however, is the least of this bozo's worries
If he has insurance, it might cover his liability exposure. However, his real problem is the civil fines he is going to have to pay--and no insurance policy in the world will protect you from a criminal court sentence. He'll get a whopping fine--but I doubt he'll do jail time. Unless, that is, somebody can demonstrate that a child molester used the database to identify a victim and attacked him.
There's an important point here
The software community should make it ABUNDANTLY CLEAR that this dumb cluck should have the book thrown at him. We have absolutely zero sympathy--and when his attorney (with nothing else to argue) says "it was all a tragic mistake..." somebody needs to stand up and yell, "LIES! LIES! DAMNABLE LIES!" This was willful, deliberate, with knowledge aforethought stupidity. And this jerk deserves to get run up the (proverbial) yardarm for it.
:%s/[A-Za-z]/X/g :%s/[0-8]/9/g
Simple. Just obfuscate it, and you can pass it around for people to help with formatting issues all you want. I've done that with payroll data plenty of times.
Just two lines or vi commands could have saved this guy so much trouble....
I looked too... I'm not sure which is worse though - the fact that the prices on the projects are beneath a living wage for me to consider bothering with them (I'd make more as a barista or a dishwasher), or that half of them seem to be helping some dishonest schmuck in a CS class cheat on his assignment so there will be more clueless dorks that can't program their way out of a paper bag holding CS degrees out there applying for jobs.
I'm cool with competing with Indians - for the most part the Indian coders I've met worked their asses off and knew their stuff, even if they might be willing to do it for half the price I'm used to commanding. If I was in their shoes, I suspect I'd do the same. Feeding your family is a good thing....
It's all the people that fill their resumes with keywords for technologies they don't understand and couldn't use if their lives depended on it that clutter up the application inboxes that annoy me. HR departments encourage that behaviour, as do hiring managers that can't tell the difference, but it still pisses me off - both when I end up having to interview such cluebags and show them to the door, and when I'm competing with them for a job.
I write code.
OK the coder screwed up.
The primal problem is that the government agency gave the data to their outsourcing provider. That data should have never left the secure area of the government. Once it is out, it is out. It doesn't matter whether it has gone to Gennessee CC or RentaCoder. Posting it on the web is just a matter of degree.
Everybody is ready to hop all over this clueless coder and blame everybody's favorite boogie man of outsourcing. There is a manager back in the government that originally disclosed the data.
Don't tell me about NDCs. The first rule of confidential data is NEED TO KNOW. It would have taken someone 15 minutes to put in some dummy data for the programmer to work with, but they couldn't be bothered. Now that person wants to crucify the programmer.
The programmer who screwed up is only the last (and most visible) in the chain of screw ups.
The fact is this person revealed details against their contract code and more importantly, if they are in this position they should have the moral/ethical decency not to do this.
Whether they were outsourced or not outsoured does not matter (IMHO) - they still have a personal moral/ethical judgement... FT government contractors are not great saviours, rather this individual is one with poor/sick ethical judgement (it is in no way 'freedom of speech' to disclose confidential/sensitive information about young kids).
I do not believe outsourcing creates a more or less trustworthy/moral/ethical situations/employees (well, they just have less benefits rights and more legal liability if somethinggoes wrong), it is the individual who makes a better individual and avoids being a piece of scum.
(A "scruple" is a unit of weight, don't you know.)
Publicly posting government records of children's whereabouts is not a morally neutral act; it is a reprehensible one. The programmer in question was not, it is claimed, ignorant of the nature of the data he had in hand; he simply did not correctly value that data. He failed to make a necessary value judgment: that to post masses of information on children's whereabouts is, in our world, a wrong thing to do.
It is not simply a stupid or ignorant thing to do. It is not simply incompetent, like writing C code with gets() in it, or turning in code to one's boss which won't compile. Rather, it is a form of carelessness that shows that one places no value upon that with which one has been entrusted.
If you're the sysadmin of a mail system, reading other people's mail for fun is an unethical act. However, leaving the mail-system password lying around, so that random hooligans can read other people's mail, is also an unethical act. Not just stupid. Wrong. It shows that you don't value your users' privacy -- that your values do not match up with your users' values. That, while you may be competent to operate a system for them, you are not trustworthy to do so.
That is a very different way to be bad at one's job.
You get what you pay for.
In other words, this guy could not only have given a black-eye to the county, but he could even go to jail for it.
If the information lost can be linked to a crime against one of the kids (no matter what age), he better have a good attorney. Gross Negligence and Reckless Endangerment come to mind.
It's pathetic that they even question whether or not to inform the parents. That's like publicly saying; "Hey, we know we screwed up BIG, we know the media knows, but we're not quite sure if we're going to try and cover our own asses yet or not."
Knowingly endangering a child in any form is a felony. This is simply more proof that allowing the government to act with relative impunity results in criminal acts against citizens. The county is responisble for the leaked information and should be responsible for securing the daily activities of those children, to ensure the leaked data does not allow any harm to come to them.
When I was seven years old, my day-care center had 'accidently' released confidential information about myself and several other children in their care. The day-care center cared for somewhere around 70 children. The leaked information was found in the posession of a convicted child molestor. By the next day, the day-care center was shutdown and the city had filed criminal charges against it's owner and two employees at the facility.
Why is it that when the government does it, everything is not only OK -- but they're not even sure they should bother wasting their time to inform the parents/guardians that their children have been placed at risk.
This bogus trash needs to stop, the government has to be responsible for it's actions. They violate laws on a regular basis as a part of their daily operations. Enron is almost perfect compared to our own government.
That's pitiful.
California has a bill designed to deal with these situations, though it's not clear if it would apply to this specific situation.
5 1- 1400/sb_1386_bill_20020926_chaptered.html
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_13
The problem is that the bill is designed for data theft, not for dipshits giving it away for free. Nevertheless, the bill requires that consumers whose data has been stolen be notified through viable means - email, letter, public notice if they can't be identified. Fines to the company for not doing this and the person responsible for the data is open to civil action.
The main problem I see from the article is that the impacted individuals may not be notified, which is just wrong. Granted, this kind of thing probably can't prevented (minimized, yes, stopped, no) but there's a right way to address the problem and a wrong way. At least notify the affected people of what's happened.
I strongly suspect I work for the same hosed up HMO as this guy, and I'm in a position to know for a fact this happened pretty much as he said it did.
I don't need no estinkin'
Jeepmeister