Whopping-Big Data Theft At U.C. Berkeley
aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."
And this would lead to even more draconian laws.
Which, rather than protect our privacy, will give the government even more control over it.
It's "copyright infringement".
Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.
Berkeley is a top notch school. I figured they would provide better security, especially with a system that has so much potentially sensitive data.
what's next MIT?
Should be quite easy to fix; now give a new name and social security number to everyone involved.
Was the system in question still running BSD? ;)
I'd have a personalized plate on my car, but "toxic bachelor" won't fit into 7 letters.
I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws. The thing is, the machines at Berkeley were the ones victimised, but it seems to me that this type of information will be sought after regardless of where it is. What I mean is, although Berkeley should have hardened the machine against an intrusion, they were victimised because of the info they had, not who they were. The government servers are going to be targeted too.
I didnt know the "SSN database.mdb" in /tmp was 'secret'!
Oh-nos!
The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.
The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?
The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...
Obviously I haven't RTFA but presumably they're doing some kind of analysis on the data?
---
We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience
No. It's only the worst intrusion they were made aware of. There could have been more...
Indy Media Watch-Proctologist of the Internet
It makes you wonder...
Why does a research program need access to social security numbers, phone numbers, and the like?
I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.
ayershome.org/users/eric
1.4 million Social Security numbers.
Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?
This smacks of laziness on the part of the data provider and the researcher(s).
Preventive measures like changing their name, address, SSN and date of birth?
This seems to be a case where the privacy of the information could have been maintained despite the breach of security if they had been using a "translucent database". Peter Wayner wrote a good book about this, and as far as I know coined the term.
It naturally requires some thought to do right but it seems like it could have worked in this case.
The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetected. I imagine that most crackers worth their salt would be concerned with covering their tracks!
:)
Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option
Visit the Game Programming Wiki!
I run FreeBSD at home and feel a little safer that a company
Will your FreeBSD installation prevent you from putting your data on an available Apache server?
What's given you the idea that this was a BSD vulnerability?
I'm not disputing that it might be the case (and yeah I know what BSD stands for) but how do you know it wasn't Windows or something else?
Iran has endorsed
Personally identifying data is (rightly) given more stringent protection than copyright.
Oddly enough, the large University I work for has been discussing making two or three separate networks inside the university to keep something like this from happening. Presently, the Hospital has their own private network interconnected to our network via a firewall. We have been toying with the idea of making a private network for sensitive university machines and faculty networks, thus leaving the students and other network users on a more normal public network, behind the border firewall of course. The discussion of data security has come up more than once and now I'm just waiting for that email saying, 'it's on'. And the acronyms will fly.... VLAN, VPN et al. yay!
I'm assuming that the full-page advertisement saying "yeah, we got hacked, and you're all screwed" - as required by the new CIPA - will be coming to a newspaper near you very soon?
http://ist-socrates.berkeley.edu:7015/protected.data.html
Hope you find it to be as educational on this subject as I did
Chris Williams clw7500nc@gmail.com
So we are all MUCH safer now than we used to be. I don't think so. This is just the tip of the iceberg when it comes to data security in this country. There are many databases out there that are just as vulnerable. Not much is being done to identify these risks. Cyber terrorists don't have to be rocket scientists, but they could be.
Where I live there is no such thing as identity theft. Why? Because the equivalent of the SSN is useless without proper id. In order to obtain a credit card or a loan you have to meet with a human being who will check that you are who you claim to be. It has always been this way.
It could be the same in the US. The reason it's not is economical. It is cheaper for credit companies to deal with fraud than it would be to fix the system. They could not care less about their customers.
Let's see how it plays out for this uber-liberal establishment.
In Soviet Washington the swamp drains you.
It's Felony computer intrusion
This is a play on the argument that /.ers make when RIAA/MPAA/BSA claim losses due to piracy theft?
All about programming, in the strictest sense of the word
... writing code, of course! Error messages make us less productive. Don't fall into the trap. Ignore them.
Ignore messages
Compilers, operating systems, etc. generate error messages designed only to be read by their creators (maybe to justify their salaries). Precious time is wasted reading these messages; time that could be better spent
As for warning messages, ignoring them makes you feel like a professional programmer who's not scared of computers. What better way of showing one's experience as a programmer than delivering a program that generates dozens, no, hundreds of warning messages when it compiles without its author feeling the slightest bit concerned? Everyone can see that you're an experienced, laid-back programmer who is too busy to waste time on drivel.
Don't stop to think
Let's not kid ourselves here. What are we building? A program. What is the only thing that really matters in a program? Code. What really works? Code. Why use outdated resources like pencils, pens or paper? You are a paid-up member of the SMS generation; you don't make a fool of yourself writing time-consuming syllables, right? Then, stop messing around thinking about nothing when there's so much code to write.
You should never stop coding. We all know that error messages are an unacceptable interruption, a pointless obstacle as we go about our work. So what do you do if you get a compiler error message? As you should know by now, reading and understanding it is just not an option.
You can try making some random change to the source code. You never know, you might pull the wool over the compiler's eyes. But if this doesn't work, don't waste any more time. NO, don't be tempted by trying to read the message or understanding it. Just keep churning out code - that's the only way of finishing off this horrendous assignment. You'll get to sort the error out later on. And as we all know, errors tend to disappear by themselves if they're ignored. At the end of the day you'll compile, you'll run, and even if you had tested (not that you needed to) you'd have seen that everything was OK.
If the code compiles but does something wrong, it doesn't really matter; sort it out later, when it's finished. Anyway, you might get lucky and find out that the lecturers have changed the assignment outline and that it fits in with your program after all. So don't take the risk of fixing programs that seem to be off track - you might be wasting your time.
I don't want any trouble
If your program contains a bug that crops up every now and again, it will be difficult to find and it won't probably show up during the exam demo. Maybe it will disappear by itself. Don't worry. But if the bug comes up again and again, change things at random until it disappears. We've already said that pausing for thought is not an option. If you decide to get rid of the bug - simply because the urge takes you - just write the same code in different ways. Maybe the problem will disappear; something you'll have achieved without 1) understanding what caused it, and 2) having to stop writing code. Clearly, this is the most professional approach.
Don't compile on a regular basis, don't tiptoe your way forward. You're a professional and professionals take giant steps. Write thousands of lines of code first and leave the compiling for later; it will be far more entertaining and worthwhile to look for compiling errors.
The same rule applies for runtime errors. If you try to keep your program correct as it grows, it will be too easy to pinpoint a new bug. Only cowards do that. A real programmer writes the entire program and then digests it whole like a boa constrictor. Looking for a bug hidden in the last 10,000 lines is exciting but if there are only 10 or 20 lines, well, what fun is there in that?
And... why use debuggers? It's up to the lecturer to look for your bugs. Programming errors are the except
This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.
I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?
Does your company outsource payroll?
Gods don't kill people, people with gods kill people.
Looks like there might just be a job opening up in California.
*prepares resume*
Props to California for passing a law requiring them to notify those folks whose information was involved. Although I'm sure UC Berkeley would have made the ethical decision on its own, I'm also sure *some* wouldn't.
Why, BSD of course. What do you think the "B" stands for?
...and the "D" does not stand for "dying."
SecurityFocus's description is no better than CNet's; I thought they'd have more technical details. What system were they running? What exploit?
Oh, wait, I get it, they probably haven't patched the exploit yet.
They should have cleaned the data and removed the SSN. When we pass information outside the company we remove any reference to the SSN and replace it with a zero-padded sequence number of the same length as the SSN. If they ever need to know who the individual is they can give us this sequence number and we can look them up. Our plans are to remove any possible reference to the SSN in the database and replace them with a good old-fashioned sequence number (i.e. customer number). Only payroll will have a table that links the sequence number to the SSN (a must when filing taxes).
My Sig indicates the end of the comment I posted.
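The sequence-number scheme described in the comment above, written out as an added example (not code from the thread or from the commenter's company). The custodian keeps the only table that links surrogates back to SSNs; recipients see a zero-padded nine-digit customer number and nothing else. The records, field names and SSN values are constructed.

```python
"""Replace SSNs with a zero-padded sequence number before data leaves the custodian.

Added illustration of the link-table approach; not code from the thread or from
any named organisation. Records and field names below are constructed.
"""

SSN_WIDTH = 9  # a US SSN has nine digits; the surrogate is padded to the same width

# Constructed sample extract: the third row is the same person a month later.
CONSTRUCTED_RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Example", "hours_of_care": 40},
    {"ssn": "987-65-4321", "name": "B. Example", "hours_of_care": 12},
    {"ssn": "123-45-6789", "name": "A. Example", "hours_of_care": 38},
]


class Custodian:
    """The data owner. Holds the only table that links surrogates back to SSNs."""

    def __init__(self):
        self._seq_to_ssn = {}  # the link table: stays here, never exported
        self._ssn_to_seq = {}  # reverse index so one person gets exactly one number

    def _surrogate_for(self, ssn):
        # Same SSN -> same surrogate, so a recipient can still join records that
        # belong to one person without ever seeing the SSN itself.
        if ssn not in self._ssn_to_seq:
            seq = str(len(self._seq_to_ssn) + 1).zfill(SSN_WIDTH)
            self._seq_to_ssn[seq] = ssn
            self._ssn_to_seq[ssn] = seq
        return self._ssn_to_seq[ssn]

    def export(self, records):
        """Return copies of the records with 'ssn' replaced by 'customer_number'."""
        exported = []
        for rec in records:
            row = {k: v for k, v in rec.items() if k != "ssn"}
            row["customer_number"] = self._surrogate_for(rec["ssn"])
            exported.append(row)
        return exported

    def resolve(self, customer_number):
        """Only the custodian can turn a surrogate back into an SSN."""
        return self._seq_to_ssn[customer_number]


def leaks_any_ssn(exported, originals):
    """Pre-release check: no value in the export equals a real SSN from the source."""
    real = {r["ssn"] for r in originals}
    return any(v in real for row in exported for v in row.values())


if __name__ == "__main__":
    custodian = Custodian()
    release = custodian.export(CONSTRUCTED_RECORDS)
    for row in release:
        print(row)
    print("leaks SSN:", leaks_any_ssn(release, CONSTRUCTED_RECORDS))
    print("000000002 resolves to", custodian.resolve("000000002"))
```

Note that this is pseudonymisation, not anonymisation: the surrogate removes the SSN, but any other direct identifier left in the row (the name above) still identifies the person, and the link table is now the crown jewel and needs the tightest access control of anything the custodian holds.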
I suppose you would know.
The solution is to abandon SSN as the enabler for identity theft by making it 100% completely public. If this were the case, banks, etc would no longer ask for just an SSN to establish your identity. The SSN was intended for *Social Security*, nothing else. People using it as a short form of your DNA are just wrong.
Was it Windows, Linux, BSD, Solaris etc?? It doesn't say in the articles.
Stop giving everyone your social security number.
Only the government really needs it. For the sake of saving time and aggravation, I'll provide mine to my employer and my bank as well, but no one else needs to get it. Ever.
NTITE
-You can cry, but you'll still die. There'll be no tears in the end.
I disagree. Regardless of the particular institution, I think we're all aware of the fact that providing sensitive information to a university without tight controls is amazingly dangerous. I don't blame Berkeley here, nor would I blame any school. I do think they should take this as a warning, and improve their security, but the state has to ask themselves what they were thinking, and restrict future access to this kind of information.
The process for releasing sensitive data should be:
1. Establish the exact scope of the release (who gets it)
2. Perform a reasonable amount of screening of those people based on the sensitivity of the information (ranging from simple ID checks all the way up to full security clearance procedures depending on how much risk you are exposing yourself to).
3. Perform the above two steps for any computers that will have access to the data. This means either performing a security audit, or requiring a third-party certification. Again, you tier the requirements based on the risk.
The state did not do that. The state got burned. If the state had handed this info to some random guy on the street and that guy had turned around and sold it to the highest bidder, I wouldn't be blaming the guy.
IMHO it is highly unlikely that this is BSD.
A confession, perhaps?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It was the government that
- required their information
- handed the info out to a third party
- failed to ensure that the third party took adequate care
Surprised? You shouldn't be. There's no market pressure on the government. If you're offended at their cavalier attitude, it's not like you can go with a competitor!
One example of a government agency doing things the right way: about 15 years ago I worked on a university research project that used Census bureau data...but the data had been anonymized before we got it: some fields were removed, some were hashed, and the data had been pruned enough that you couldn't do an exhaustive match against a telephone book.
In this case, though, it looks like some California agency just handed over the entire database, raw.
Wonderful.
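An added example (not code from the thread, from Peter Wayner's book, or from the Census Bureau) covering both the "translucent database" idea raised earlier in the thread and the Census-style release described in the comment above: direct identifiers are dropped, date of birth and ZIP are coarsened, and the SSN is replaced by a keyed hash. The last function plays the attacker with a "telephone book" of candidate SSNs and shows why the key matters: the SSN space is only 10^9 values, so an unkeyed hash of an SSN is recoverable by exhaustive matching, while an HMAC under a key kept apart from the released data is not. Records, key and candidate list are constructed.

```python
"""Research release of a social-program extract: drop direct identifiers,
generalise quasi-identifiers, replace the SSN with a keyed hash.

Added illustration only; not code from the thread, from Wayner's book or
from any agency. Records, key, field names and candidate list are constructed.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "address", "phone")

# Constructed extract (three distinct people).
CONSTRUCTED_RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Example", "address": "1 Main St",
     "phone": "510-555-0100", "dob": "1931-04-12", "zip": "94704", "hours_of_care": 40},
    {"ssn": "987-65-4321", "name": "B. Example", "address": "2 Main St",
     "phone": "510-555-0101", "dob": "1928-11-30", "zip": "94710", "hours_of_care": 12},
    {"ssn": "555-12-3456", "name": "C. Example", "address": "3 Main St",
     "phone": "510-555-0102", "dob": "1935-01-02", "zip": "95814", "hours_of_care": 25},
]
# Constructed key for the demo; a real custodian would call new_release_key()
# and store the result away from the released data.
CONSTRUCTED_KEY = b"constructed-demo-key-do-not-reuse"


def new_release_key():
    """Fresh 256-bit key for one release; the custodian keeps it, the data does not."""
    return secrets.token_bytes(32)


def unkeyed_hash(ssn):
    """What 'just hash it' gives you: deterministic and keyless."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_token(ssn, key):
    """HMAC-SHA256 under a key the custodian keeps apart from the released data."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def anonymize(records, key):
    """Drop direct identifiers, coarsen DOB and ZIP, tokenise the SSN."""
    released = []
    for r in records:
        released.append({
            "token": keyed_token(r["ssn"], key),
            "birth_year": r["dob"][:4],   # full date of birth -> year only
            "zip3": r["zip"][:3],         # 5-digit ZIP -> first three digits
            "hours_of_care": r["hours_of_care"],
        })
    return released


def recover_by_candidate_list(released_column, candidates, key=None):
    """Attacker model: hash every candidate SSN and look for matches.

    key=None models an outsider who has the released data but not the key.
    Against an unkeyed release the candidate list can simply be all 10**9 SSNs.
    Returns {released_value: recovered_ssn} for every match.
    """
    lookup = {}
    for c in candidates:
        lookup[keyed_token(c, key) if key is not None else unkeyed_hash(c)] = c
    return {t: lookup[t] for t in released_column if t in lookup}


if __name__ == "__main__":
    phone_book = [r["ssn"] for r in CONSTRUCTED_RECORDS] + ["000-00-0001"]
    naive = [unkeyed_hash(r["ssn"]) for r in CONSTRUCTED_RECORDS]
    print("unkeyed hash, recovered:", len(recover_by_candidate_list(naive, phone_book)))
    release = anonymize(CONSTRUCTED_RECORDS, CONSTRUCTED_KEY)
    tokens = [r["token"] for r in release]
    print("keyed token, no key:   ", len(recover_by_candidate_list(tokens, phone_book)))
    print("keyed token, with key: ", len(recover_by_candidate_list(tokens, phone_book, CUSTODIAN_KEY := CONSTRUCTED_KEY)))
```

The keyed token keeps the property a researcher needs (one person, one token, so records can still be joined) while moving the secret out of the dataset and into a key that is never on the research box; if the key is stored next to the data the release is no better than the unkeyed one. Coarsening DOB and ZIP is what stops the remaining columns being matched against an outside list such as a phone book or voter roll.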
Can you provide a reference that it is illegal?
Seriously, this is not a troll....I see this statement often and I want to know if it's an urban myth or not.
The SSNo was never intended as an ID number. Yet, many businesses will take nothing else as a customer identifier.
Myself, I am being hounded by my electric power supplier who wants me to give them my SSNo (which I didn't when I opened my account).
Since they're old, they won't have to deal with the ensuing identity theft for long.. hehe
I reset my case.
THE NORTH KOREANS DID IT!!! What's their army for? To make money! How do they make money? They steal personal information and create fake IDs. Then they sell those fake IDs to whoever wants them to come bomb the US!
---- I am certain of only one thing : I know nothing else.
So why bother stealing the SSNs of victims who are old and broke? You can't steal their money - they don't have any! If you steal their identity you'll wind up lying in a hospital with a tube in your nose being pumped full of Demerol....
Oh, ok, now I understand.
I'd have to say that Cal suck.
Just remember that it was a liberal social program that gathered all that data together in the first place and gave it to the university.
Not to mention the Department of Homeland Security (DHS), which is a proven oxymoron!
How do I know?
Easy. The OS the DHS settled upon for their servers and workstations is Microsoft-based (in spite of studies critical of Microsoft OS security vulnerabilities.)
Be afraid. Be very afraid. (Just ask Bush.)
Why do you think segmenting the network is going to help? Let me give you this scenario, which will show you that it is not going to do shit.
1. Joe Hacker takes a jpg image and inserts a zombie trojan.
2. Joe Hacker uploads this to a web server.
3. Joe Researcher, who has user-level access to the database, navigates to Joe's web page containing the zombie-containing image.
4. Joe Hacker now owns a client on the inside and has easy access to the data. But wait, you say, we've got a firewall that will solve it.
5. Joe Hacker, being smarter than the resident MCSE at the hospital and knowing of course about firewalls, programmed the zombie to retrieve all remote commands from a web server using a simple GET request, probably on somebody else's server that Joe Hacker owns.
We had a similar incident occur here at work and let me tell you the firewall did nothing; the hacker fully owned the machine and was attempting to use it to exploit other machines.
Firewalls are useless against well-crafted attacks and virus scanners are false hope.
Got Code?
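The scenario above ends with a compromised inside host fetching its instructions over plain HTTP GETs, which is exactly the traffic a border firewall lets through. What a defender can look for instead is the shape of that traffic: one client hitting one URL at a near-fixed interval. The following is an added detection example, not code from the thread or from any product; the proxy-log lines and their format ("time client method url status") are constructed.

```python
"""Flag clients that poll one URL at a regular interval in web-proxy logs.

Added detection example; not code from the thread or from any product.
Log lines and the "time client method url status" format are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log. 10.1.2.3 polls c.txt every ~300 s; 10.1.2.4 browses by hand.
CONSTRUCTED_LOG = [
    "2004-10-20T10:00:00 10.1.2.3 GET http://cmd.example.invalid/c.txt 200",
    "2004-10-20T10:00:00 10.1.2.4 GET http://news.example.invalid/ 200",
    "2004-10-20T10:00:05 10.1.2.4 GET http://news.example.invalid/ 200",
    "2004-10-20T10:01:10 10.1.2.3 GET http://news.example.invalid/ 200",
    "2004-10-20T10:02:05 10.1.2.4 GET http://news.example.invalid/ 200",
    "2004-10-20T10:02:08 10.1.2.4 GET http://news.example.invalid/ 200",
    "2004-10-20T10:05:00 10.1.2.3 GET http://cmd.example.invalid/c.txt 200",
    "2004-10-20T10:09:59 10.1.2.3 GET http://cmd.example.invalid/c.txt 200",
    "2004-10-20T10:12:40 10.1.2.3 GET http://news.example.invalid/ 200",
    "2004-10-20T10:15:00 10.1.2.3 GET http://cmd.example.invalid/c.txt 200",
    "2004-10-20T10:17:08 10.1.2.4 GET http://news.example.invalid/ 200",
    "2004-10-20T10:20:00 10.1.2.3 GET http://cmd.example.invalid/c.txt 200",
    "2004-10-20T10:25:01 10.1.2.3 GET http://cmd.example.invalid/c.txt 200",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, client, url)."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, url


def find_beacons(lines, min_hits=5, max_cv=0.2):
    """Return (client, url) pairs requested >= min_hits times at near-equal spacing.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a person clicking produces bursty, irregular gaps, a
    timer-driven poller produces gaps that are almost identical.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, client, url = parse_line(line)
        seen[(client, url)].append(ts)

    flagged = []
    for (client, url), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps, not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged.append({"client": client, "url": url,
                            "hits": len(times), "interval_s": round(mean_gap)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(CONSTRUCTED_LOG):
        print(hit)
```

The thresholds are the whole game: legitimate timer-driven clients (update checks, mail polling) show the same shape and need an allow-list, and a poller that adds random jitter raises the coefficient of variation, so a looser `max_cv` catches more at the cost of more false positives. The value of the check is that it works on logs the firewall already produces, without needing to know which image or which web server was involved.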
Because this is Slashdot, if it was a Windows machine, it would have bleated the "Windows Machine Hacked" in the headline.
Does anyone know their vendor, or if it's an in-house setup?
Was it an inside job of a disgruntled employee or student, or an opportunistic outsider?
At what entry point did they do it? If it was wired, then they either tapped something inside security, or had enough creds to get in.
If it were wireless, would a new fear of wireless access be resurrected? Personally, I don't trust wireless, mainly since I am somewhat ignorant of it. I do know that WEP helps, but is not perfect, if enough cracking computers or CPUs are thrown at it and the encryption. I know that DHCP should be turned off, and I know that a table of KNOWN/TRUSTED MAC addresses must be created and used.
But, with so many students coming and going, with so many employees who do or don't have wireless, and since many visiting students and others can come and go, I suspect it's inevitable that the human link is the source of the problem. But, the human link can be a complacent IT employee OR a nosy person exploiting the infrastructure, OR a sloppy software security mechanism.
Inquiring minds want to know.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
My company also outsources payroll, like thousands of smaller businesses. ADP, founded in part by Senator Lautenberg (D-NJ), does payroll for my company. They are headquartered, as one would imagine, in New Jersey, not India.
Outsourcing means having another company do the work. It doesn't mean that the work is necessarily being done in another country.
I was working on this project, and I'll tell you I was extremely disheartened to learn people would try and sabotage this project. It is for a really good cause (if you believe in unions that is, I don't, but it was still for a good cause) and I hope the project isn't jeopardized beyond repair because of this. For those who might have guessed, the system that was hacked was a Windows 2000 Pro box running SQL Server and a statistics program called STATA. The box was only up and running while retrieving data and was turned off the rest of the time while I was on the project. There were very strict rules about letting the box onto the network since it wasn't a Berkeley box, but then they took the box and put on their own security software which supposedly made the data safe. I can give you the name of the IT guy in charge if you want. Many of you are listing reasons for not having the SSNs on the database, and that they should have been kept at the state level and then the state give us unique identifier numbers. In actuality, the state does not provide that service, and only provides the data from several databases. We ourselves then created unique identifiers because we needed very specific samples from different populations of California. This identifier was made with a combination of people's relations, their ethnicity, and their social security number. You'd be surprised how many people in California have the same name. Also, although maybe not the best reason in some programmer's opinion - it was easier to separate people by their SSN because STATA didn't present a way to compare strings in a useful enough manner so as to use a combination of name and zipcode. And if you are wondering why we had names and addresses and phone numbers, it is because we called and mailed these people ourselves. Our first mailing - worked a 22 hour day, and tried about four different assembly lines!
The state didn't help at all - and in the current time when we have idiot Republicans like Arnold (I can't spell his last name) who thinks fixing a state budget crisis involves cutting the budget of an already failing program and driving MORE people into poverty, I don't think you can expect them to help us tell them how and why they are wrong. I'm no longer on the project (got shipped overseas) but the people working on it are rock solid individuals, and personally, as a former IT guy myself, I blame the morons who worked IT at the division this project is taking place. I understand Berkeley is huge, but for a University that supposedly is "computers" - they have a lot of people with absolutely no clue.
I run FreeBSD at home and feel a little safer that a company (WindRiver) puts their reputation on the line with every installation of FreeBSD.
Does that mean I should have the warm fuzzies about using Microsoft Windows XP at work?
Name + Car Description = Happy Stalker
What faulty logic. I don't care who built the barn, close the damn door.
The Feds understand IT security so much better than anybody at UC Berkeley that I feel completely safe with them having my ssn, income data, employment history, medicaid records, selective service, military records, and whatever the FBI/Homeland Security dug up. Yup, my mind is at ease.
You call that a troll? I have a whole beltway full of trolls better than that!
I am a surgeon in a large, multispecialty group practice. The place has always used SSNs as medical record numbers for the patients. Virtually every piece of paper in the chart gives the SSN. Granted, all of these materials are supposed to be confidential even without the SSN, but it seems foolish to me to plaster it all over the chart. Doctors don't need your SSN to manage your medical condition, they just need to be able to verify that your records are actually yours and not those of another patient with a similar name. My suggestions that we stop using SSNs for medical record numbers have thus far fallen on deaf ears.
I'm picking "Yusuf Islam", then I'm catching a flight.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I once attended a community college that insisted on having my SSN. I gave it, but then they tried to INSIST on making it part of my student ID card. I steadfastly countered and rebutted them. I told them if I lost that card and someone called in on the phone, they'd have access to MY files. I insisted they append my file to NOT release ANY information outside of my physical presence, presentation of credible ID, AND my SSN card. They said the ID card had to have a unique number. So, I INSISTED they use some number I made up on the spot, put THAT number in my file, and THAT number on the to-be-carried-on-campus ID card. For some reason, THAT demand shut them up, they complied with ME, and we both seemed happy. That was circa 1995 or 1996.
Then And NOW:
There should be a NEW SSN layer which is the number used ONLY by government and law enforcement. The EXISTING SSN can be public, since the dipshits in government allowed themselves to be WHORED to corporations that demand the SSN for banking and other services.
Since the corporations are highly corrupt anyway, it's not likely that my suggestion for a secondary identification layer which is once-and-for-all OFF LIMITS to corporations will ever take root.
The ability for a person to have some distance from hound dog collectors or from benefits thieves should be important. The existing SSN would not go away, but would be the reference for banking, renting, credit, and school. It's so abused as to be worthless to privacy. But, for employment with the government (military, emergency, law enforcement, SSA, Secret Service/FBI, etc) it SHOULD be used on THOSE employment applications.
The existing SSN would still let the IRS do its functions, and allow states and counties to handle WIC and retirement stuff. BUT... the new ID number would NOT even be necessary to give to employers. ONLY IRS/SSA and the named assignee of the new layer number should have it. Well, and certain government agencies could ACCESS but not make frequent or regular use of it outside of law ENFORCEMENT, not simply for investigative or gold-digging operations.
I suggested this to a long-term SSA employee and made this suggestion, but the response I received was that they are so swamped with other stuff it would never likely happen, despite my counter that all it takes is adding new fields to the database and enforcing each new recipient to personally and physically obtain the new card and number. It just should be doable in under 5 years.
However, another person I talked with said so many corporations and wealthy investors who drive programs and policies have a vested interest in ALWAYS having every last numerical or title link to every person in the "system". Therefore, SSNs are screwed, and any laws claiming the sanctity and privacy of the SSN are rendered pointless.
Windows machines getting hacked per se stopped making headlines about 3 years ago. In this case it actually was Win2000 + SQL Server.
If you accidentally or intentionally disclose personal data you were required to protect, your corresponding personal data must be published for the next 3 years. I think that would appropriately discourage lax security.
"The govt should have in place an opt in (note I said opt IN, not opt OUT) option for citizens who dont mind their info being shared, and also the option to choose HOW MUCH info is being shared."
I'm going to request that they not share my info with interpol, the FBI, and the local police. For, umm, various reasons.
If it has to be connected to the net, any sensitive information should be encrypted.
Mea navis aericumbens anguillis abundat
I'm tired of SSN being considered "sensitive" data, given how easy it is to find someone's, and the number of places that ask for yours.
So what we should do is have the Government announce: "Stop considering SSN private information. As of Jan 1, 2010, we will be publishing the complete list of names/SSNs."
This would force places that misuse SSNs because they think it is "confidential" to stop using it in that manner.
In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website posting and by alerting the media.
Yeah, like bed ridden old people that need in-home care are going to be able to check a website for info on what's going on.
Try sending them a letter or something!
How about just putting information like this on networks that aren't connected to any external network or connections? When I worked for a defense lab we restricted the system we were on down to the point where the only connection was a the mail server that was ID'd via mac address. No other connections were physically or logically allowed.
This was in addition to all the other security methods of course.
I still have my SS card issued in the 1960s. It says, and I quote:
"FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION."
(The ALL CAPS is what's on my original card, I'm not "shouting"!)
I'm sure there are reams of Social "Security" (ok, my classical-liberal bias is showing with the quote-marks, but bear with me. After all, there's NO TRUST FUND, it's all a BUNCH OF I.O.U.s!!!) documents which form various interpretive rules and laws that can't be fathomed by mere mortal nonlawyers, but ask yourself a couple of questions:
1. Why would so many folks think it's illegal, if it's not?
2. Why does my card say what it says, but modern cards make NO MENTION of the fact that it's allegedly "not for identification"? Did something change? When?!? Who voted for it???!!!
Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is morally-wrong. Various events/excuses (I can see a 9/11 thread looming, so I'm trying to pre-squelch that now) don't make the moral-wrong of lying to expand government suddenly become right. If you want to expand government, say "I will make the government bigger, and this is why..." and then make an HONEST argument for once! Ok, rant-over. Back to work.
JMR
Try e-gold - (contact me). I'm NOT e-
"..personal data on a staggering 1.4 million Californians who participated in a state social program, officials said Tuesday"
State social program participants?
Too fscking bad for this hacker - it's going to be pretty hard to scam out anything from the underprivileged crowd.
Information wants to be free!
How ironic that you criticize someone else's grammar but you manage to screw it up yourself!
I guess I'll just randomlY capitlize the lasT letter of words and proclaim everyone is dumbeR than I aM.
Mark this redundant. I posted it especially for the meta-mods who DON'T READ what its applicable to and mark it off-topic. Enlighten us please: Modded relative to the original or the replied to post?? Score me -1 or -10 if you must.
"Are you kidding me? Why would the university be playing with live data in the first place?"
Are YOU kidding? Most universities perform huge amounts of research using Professors as project managers and students as mostly underpaid labor. You think they survive on tuition? Think all Grad students do is study? Many work on projects which have and will change the world. Many work on projects which are/will be hacked. Many work on security. Some work... on LSD.
Busy aligning my non-linear thoughts.
"a state program" Of course the state is the government, so your advice is meaningless.
[...] the system that was hacked was a Windows 2000 Pro box running SQL Server [...]
When the OS, app, and "known vulnerability" weren't named in the articles, I figured that it must be Microsoft. If it had been Linux or BSD the newsies would have trumpeted it. Instead they protected Microsoft by leaving the reader to guess - and to guess, since it was Berkeley, it was probably BSD (even though it was in a social rather than computer department).
(It reminds me of the way the newsies treat others on their good and bad lists, but I won't name names and start a flame war. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
History repeats itself.
They were using systems that were known to be easy to break into. That basically means, if the system was Windows (Windows can never be made secure and should not be used!), or an older form of *nix, or the boxes were unpatched, then they should be held accountable.
I bet every one of those Californians will vote...maybe even twice.
The Moore-Murphy Law: The number of things that will go wrong will double every 2 years.
Some credit card companies had their cardholders information leak via the internet.
Why? For information like this you form an internal network that is not connected to any public network.
If the information is needed remotely you build a VPN, and/or you work with a subset of the information.
Them that are illegally using the SSN are, I would think, less likely to be checking that it is in fact the real SSN. Therefore...
No, I really do think it's nearly the perfect example of the dangers of righteousness.
The Grand Experiment in this case was apparently perceived as vastly more "important" than the individual privacy and even *lives* of actual living people. This is quite typical of people who are out to "save the world". It's a form of "the ends justify the means" thinking. I call bullshit.
BTW, in case it wasn't obvious: this isn't a liberal vs. conservative thing. Anti-abortionists have the same damn problem.
This is all assuming, of course, that the parent of my original comment wasn't itself flamebait :-).
Heh, when NASA got all those airline passenger databases, it was just for "research" purposes, right? Maybe this was the same. Researchers were just analyzing the stats; they weren't doing anything with that particular field in the database.
Voter Registration Fraud!
I just use a fake ssn for non-tax purposes like the dentist or video rentals. You should consistently remember the same fake one.
Considering that illegally employed people have deposited at least $374 BILLION in fake numbers: here. Probably another $200 BILLION in real numbers (assuming 1/3rd of the number space used so far).
Yeah, but even in DoD and Govt. applications...much of the data for test has to have things like SS and real addresses obfuscated to protect from crap like this. Why didn't they do this here? Surely they weren't using SS numbers for any kind of primary key!!?!!?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
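The two practical points raised in this thread (obfuscate SSNs before handing data to a research or test box, and note that SSNs carry no check digit so only structural sanity checks are possible) can be shown in a small script. This is an added example, not code from the original thread or from the university; the sample rows, the key handling and the field names are all constructed for illustration. Direct identifiers (name, SSN) are removed, the SSN is replaced by a keyed HMAC token so researchers still have a stable join key, and the date of birth is generalized to a year.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample rows standing in for a research extract; every value is made up.
SAMPLE_ROWS = [
    {"name": "A. Example", "ssn": "123-45-6789", "dob": "1931-04-02", "hours": 40},
    {"name": "B. Example", "ssn": "587-65-4320", "dob": "1928-11-19", "hours": 22},
    {"name": "A. Example", "ssn": "123-45-6789", "dob": "1931-04-02", "hours": 38},
    {"name": "C. Example", "ssn": "000-12-3456", "dob": "1940-01-01", "hours": 10},
]

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw):
    """Return the 9 digits, or None if the value cannot be a real SSN.

    SSNs have no check digit, so the only validation possible is structural:
    area 000, 666 and 900-999 are never issued, and group 00 / serial 0000
    are never issued either.
    """
    m = SSN_RE.match(raw.strip())
    if not m:
        return None
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return None
    if group == "00" or serial == "0000":
        return None
    return area + group + serial


def pseudonymize_ssn(digits, key):
    """Keyed HMAC-SHA256 token: stable across rows for joins, but an attacker
    who copies the research extract cannot recover the SSN without the key."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_rows(rows, key):
    """Strip direct identifiers and replace the SSN with a token.

    Returns (safe_rows, rejected_rows); rejected rows are ones whose SSN
    field is structurally impossible and need manual review upstream.
    """
    safe_rows, rejected = [], []
    for row in rows:
        digits = normalize_ssn(row["ssn"])
        if digits is None:
            rejected.append(row)
            continue
        safe = {k: v for k, v in row.items() if k not in ("name", "ssn", "dob")}
        safe["subject_id"] = pseudonymize_ssn(digits, key)
        safe["birth_year"] = row["dob"][:4]  # generalize, don't keep the full date
        safe_rows.append(safe)
    return safe_rows, rejected


if __name__ == "__main__":
    # The key stays with the data custodian, never on the research machine.
    key = secrets.token_bytes(32)
    safe, rejected = pseudonymize_rows(SAMPLE_ROWS, key)
    for r in safe:
        print(r)
    print("rejected:", len(rejected))
```

The key is the only thing that links a token back to a person, so it must be held by whoever owns the source data and must not be copied to the machine that receives the extract; losing the research box then exposes tokens and birth years rather than the fields an identity thief wants.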
I've had all of my "so-called" private information (name, address, SSN, DOB, CC#s, etc) freely available on my homepage for seven years. Since the information was effectively public once I divulged it the first time, I see no harm in letting everyone else know. I reserve no special trust for the random guy at the AMEX call center.
Some work... on LSD.
Yeah, no shit, thats how I lost my university research job too.
In the Brave New World of agencies working together (hah, efficient government is the *last* thing we need) I'm pretty sure anyone you'd need to worry about in the federal government has access to all those records, and is already mining them to prove you're a terrorist.
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
The law that the previous poster thinks is protecting him is probably the Privacy Act of 1974, which is only binding on government agencies. It's discussed in the FAQ.
There is also a SSN FAQ at cpsr.org, but it formats like crap on Mozilla. You'd think "computer professionals" wouldn't screw up something like this.
Have you read my blog lately?
I am a surgeon in a large, multi species group practice.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Actually, "unoriginal" works cannot be copyrighted; that probably includes a list of students in alphabetical order.
They *tried* to do this with stuff like the data in the phone book, though.
The privacy concerns here, as well as the fact that they hacked in to get this data, however, are more compelling (with the hacking bit being the part that's illegal).
How are they going to get all that data back?
"had access to names"
Having access is different from copying it. Did they have logs of the hacker copying the data?
Someone should call Cliff Stoll .. he's done this before.
... Berkeley doesn't learn so well from its own past mistakes so much, eh?
sheesh
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
On a related note, the state has started a statewide student ID program where each student is given a unique ID which is still not tied to SSN. (This state-wide student ID is part of trying to comply with requirements of the "No Child Left Behind" legislation.)
So, unless they often needed SSN info for tax reporting, why was it in the DB?
That would be a national ID card, basically. We do not want that. There should be no national ID. Period.
Everyone wants your social security number, because it's so hard to petition the government to change it. Banks, lawyers, credit agencies, YMCA, employers.
Every time you give out ANY personal information, whether it's concerning the magazines you subscribe to or your SSN on a university homework assignment, better double-check that they actually need it. You take a risk every time you WILLINGLY give it out.
Better do a Risk Assessment the next time you put your name and phone number down for a grocery discount tag, and ask yourself if it's worth the risk. I know that I do...
have been running OpenBSD
omgwtfbbq....
Funny thing is if this was a Windows box the MS bashing comments would've already been 3 pages long by now.
The flaw with this whole system is too many companies and organizations use Social Security numbers to authenticate people while others just keep it around for identification.
There should be a system in which you have something else to authenticate that you should never give out willy nilly like you have to with a SSN with some businesses.
The problem with protecting SSNs is that they're already out of the bag and there's no good way to put them back. The SSN is no longer a secret. We need another way to handle authentication.
In the second place, they're lousy numbers. They don't even have check digits, fer cryin' out loud.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Maybe I'm just missing something here, but it sounds like some ID theft fucker(s) stole 1.4 million SS#s for the elderly and welfare types.
Way to hack those social security checks and food stamps, morons.
IronChefMorimoto
I don't run Linux. I am using Windows XP. I'm not a regular here, and don't even have a slashdot account (like you do). But _I_ am the retarded slashdotter?
Maybe it's just me, but I thought when talking about a computer system being broken into, what OS got hacked might just be relevant to the conversation. In other words, go fuck yourself.
...and one more thing. How do you karma whore without a slashdot account? I must be really good.
On the other hand, you must ride the short bus...
There's nothing funnier than screeching granola crunching 'white hat hacktivists' who get pwn3d.
Hey Berkeley - here's your petard, go hang yourself with it.
The worst?
I always thought the worst (in terms of potential devastation) was Russian spooks in the late 80s as documented by Berkeley's own Astronomer turned sysadmin/hax0r trax0r, Clifford Stoll.
Some low-scale nuke secrets were stolen amongst other things but it was a far larger breach.
Read The Cuckoo's Egg. Fun and entertaining Berkeley geek-lore.
---Up Up Down Down Left Right Left Right B A START
Man you're dumb...
Remember that Solaris is actually a derivative of BSD. According to a chart by the Open Group, it was derived originally from 4.2BSD.
Hey Berkeley - here's your petard, go hang yourself with it.
FYI a petard is a bomb. To hoist oneself with one's own petard is to blow yourself up.
Fun Fact: the word petard finds its origin in the Latin word for fart, peditum.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
...to keep an out of work astronomer on staff at all times.
I browse on +1 so AC's need not respond, I won't see it.
Uh....it seems obvious that he wasn't referring to you, but to people like this guy. Of course, the person just went right past his post and put in the obligatory Win-bashing crap on the same thread.
;)
It might seem on-topic to you, since it relates to the headline - but you have to recall that the topic in every Slashdot story is "Windows bashing." The OS involved is probably not Windows, so we don't need to ask which OS it was. You are clearly off-topic.
I applied for San Diego State University way back in 1998 when I was initially trying to find a school to attend. About 4 months ago I got a notice in the mail saying that hackers had gained access to the database that held all of the applicant information (drivers license, SSN, financial awards, PARENTS' SSNs, etc.) and that we should all obtain a copy of our credit reports and report any suspicious activity. This apparently happened in February of this year and I received a message in June notifying me. To be honest, I think it's pretty stupid to keep names and SSNs in a database that is linked to a network. It doesn't seem right, and now I have to worry about Identity Theft because I applied to a University 6 years ago.
jen0r all your base are belong to... me
http://shit.slashdot.org/article.pl?sid=04/10/20/1329217
Well, then, there you have it.
We by opt-out/silence choose to be a nation of reactionary schizophrenics rather than proactive, calculating rationals.
What is so wrong about having such a card? The damned CORPORATIONS already have nearly or completely as much information. Employers have your mug, your SSN, cell, license PLATE, DL, blood type, dependents' SSNs, access to their medical data for your rate pooling information, and so much more, including your pay history with them, your CV/resume, your references, and insight into your mind.
I realize you may have only tapped into that sentiment of the public without necessarily agreeing with it... But, Jesus H. Christ, people. I am not proposing perfection, but having the SEPARATE, carry-at-your-own-option card with the NEW, non-public, non-corporate-accessible SSN.
Maybe it doesn't matter anyway, since the current administration dicked up social (in)security solvency anyway. If the SSN is to tie us to our retirement "benefits", well, there likely won't be any, anyway. If we accept that, and can live with every new employer gaining access to our SSN and CV and other details I named above, then we should just give up on the "sanctity" of the SSN. Go ahead, use it as a password. Use the last 4, identify your state of issue. Now, you've narrowed down 7 out of 9 of the numbers needed to rob someone of their ID.
"We do not want that." Well, we don't want that, either.
People start refusing to give SS# to ANYONE?
People stop storing other peoples SS#?
The SS# becomes obsolete?
Why does ANY non-financial institution not directly related to a near-term transaction need that info?
Why is it not illegal to store that info?
The same goes for CC#'s.
I personally don't think that it is such an inconvenience for me to give the info when needed. And when it is needed then they can ask ME for it and I can be shown that it is a one time use and the record of that information is stored WITHOUT the 10 digits that make it repeatable. When they need it again I can be asked for it again. If it were illegal for people to store other people's info then wouldn't identity theft go down?
Amazon.com's one-click purchase is wonderful but is it really that hard to enter 10 digits and then click? Convenience is what makes the problem.
Of course not. Since the data including their phone numbers was stolen, how could they have been contacted?
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
As of 2001, the states of Wisconsin, Arizona, New York, Rhode Island, and Maryland prohibit using SSNs as student ID numbers. Hopefully, others will follow soon.
Asking about an alternative number is a very good idea, even if the process for obtaining an alternative identifier is not documented in an obvious manner.
It wouldn't surprise me if it was un*x, and the "well known exploit" was that the root password was something like root, password, or god.
Likelihood is that the hackers were just harmless students playing around on the university system. They haven't proved that the attacker actually copied any data, just that they had access to it. This sounds like a classical case of The Media demonizing hackers. It's been almost a month and a half and they haven't determined if the hacker actually downloaded anything? They're not going to. If they catch the person responsible they will probably make up a lot of dubious "damages" that this person is not really responsible for, and after their "fair" court case is over they will have to pay for the time they wasted - or rather, the time that the people in charge wasted worrying over their fears.
that's what happens when ya use FreeBSD! =p
The OS involved is probably not Windows
That's probably a correct assumption, but an assumption nonetheless.