Slashdot Mirror


Whopping-Big Data Theft At U.C. Berkeley

aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

30 of 380 comments

  1. Yeah by Anonymous Coward · · Score: 0, Insightful

    And this would lead to even more draconian laws.

    Which, rather than protect our privacy, will give the government even more control over it.

    1. Re:Yeah by NardofDoom · · Score: 5, Insightful

      A wise man once said "A society is stable when some nut guns down a schoolyard and the laws *don't* change."

      --
      You have two hands and one brain, so always code twice as much as you think!
  2. Guess What by Moby Cock · · Score: 2, Insightful

    I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws. The thing is, the machines at Berkeley were the ones victimised, but it seems to me that this type of information will be sought after regardless of where it is. What I mean is, although Berkeley should have hardened the machine against an intrusion, they were victimised because of the info they had, not who they were. The government servers are going to be targeted too.

    1. Re:Guess What by Anonymous Coward · · Score: 0, Insightful

      I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws

      Oh, so you are saying that "it coulda happened to anybody" so Berkeley should have no culpability? Your argument makes no sense at all. The issue is not "what information is desirable", it's, knowing the nature of the information stored (or being given access to), did the institution provide the appropriate level of safeguards? Your argument implies that if a subcontractor on an airplane produces a faulty engine part, that a reasonable argument would be "hey, engine parts receive stress, it's the nature of the part, sure they should have strengthened the part, but they were victimized because of the nature of the thing they were producing."

    2. Re:Guess What by garcia · · Score: 4, Insightful

      I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws.

      As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.

      There is absolutely no reason that a researcher needed access to SSNs. They should have all been assigned a random ID number and that should have been linked back to the SSNs and stored in the STATE OFFICES ONLY for later cross referencing.

      We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.

    3. Re:Guess What by garcia · · Score: 3, Insightful

      The problem is nobody actually cares about that minor little legal detail. I wish the government would crack down on this and take care of identity theft once and for all.

      Well I went to a video store once. They required an SSN to rent movies there. When I told her it was illegal to use them as an ID number she told me it wasn't illegal to refuse me service.

      As long as there's no way to enforce the rules the rules are worthless.

      Now, in this case SSNs were likely necessary in the first place but they are probably unnecessary for research and thus my suggestion that the records should have been linked to a random ID number that was only able to be cross-referenced later at the State office.

    4. Re:Guess What by GoofyBoy · · Score: 3, Insightful

      >they were victimised because of the info they had, not who they were.

      No, universities, military, government are targeted for who they are.

      When a person starts cracking a new machine, it's very rare they have any idea what data is on the machine.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    5. Re:Guess What by drgreg911 · · Score: 2, Insightful

      Anybody have a reference that'll prove it's illegal to use a SSN as an ID number? I'm at a University that requires me to produce my SSN pretty much constantly. It's my student ID number, generally the number used to post exam scores online so as to "hide the identity" of the student receiving each grade. Last week I had to write it on the top of every page of a many-paged exam so that an army of TAs could use it to keep track of my pages during grading. Scary shit ... I'd love to be able to put a stop to that with a legal reference.

  3. Worst. Intrusion. Ever. by Indy Media Watch · · Score: 4, Insightful
    CNET calls it the worst intrusion U.C. Berkeley has experienced

    No. It's only the worst intrusion they were made aware of. There could have been more...

    --

    Indy Media Watch-Proctologist of the Internet

  4. Why did they need all of that data? by ericzundel · · Score: 5, Insightful

    It makes you wonder...

    Why does a research program need access to social security numbers, phone numbers, and the like?

    I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.

  5. One has to ask the question by TuballoyThunder · · Score: 4, Insightful
    What purpose does it serve the researchers to have SSN's? The purpose of the study was to study the impact of wages on in-home care. Likewise, the names are irrelevant to the researchers. The agency that provided the data should have eliminated the names and SSN's and replaced them with a unique identifier.

    This smacks of laziness on the part of the data provider and the researcher(s).

  6. Do What? by Anonymous Coward · · Score: 2, Insightful
    "The compromised system had the names, addresses, phone numbers, social security numbers and dates of birth of everyone ... Since it is sensitive data we figured it would be best to get word out to people so they can take preventive measures just in case."

    Preventive measures like changing their name, address, SSN and date of birth?

  7. Re:BSD is causing death by Anonymous Coward · · Score: 2, Insightful

    I run FreeBSD at home and feel a little safer that a company

    Will your FreeBSD installation prevent you from putting your data on an available Apache server?

  8. MOD PARENT DOWN: TROLL by Anonymous Coward · · Score: 0, Insightful

    Personally identifying data is (rightly) given more stringent protection than copyright.

  9. Re:surprising... by 2.7182 · · Score: 2, Insightful

    Yeah, but you have to realize that they don't have smart CS security expert professors doing their Windows administration for them.

  10. Re:BSD is causing death by slowhand · · Score: 0, Insightful

    Are YOU kidding? Most universities perform huge amounts of research using Professors as project managers and students as mostly underpaid labor. You think they survive on tuition? Think all Grad students do is study? Many work on projects which have and will change the world. Many work on projects which are/will be hacked. Many work on security. Some work... on LSD.

    --
    Busy aligning my non-linear thoughts.
  11. Outsourcing anyone? by mhollis · · Score: 4, Insightful

    This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.

    I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?

    Does your company outsource payroll?

    --
    Gods don't kill people, people with gods kill people.
  12. Stupid businesses by Pig Hogger · · Score: 3, Insightful
    Now it's time to effectively ENFORCE the law that bans the usage of the SSNos as identification number for businesses, especially banks.

    The SSNo was never intended as an ID number. Yet, many businesses will take nothing else as a customer identifier.

    Myself, I am being hounded by my electric power supplier who wants me to give them my SSNo (which I didn't when I opened my account).

  13. Re:Not Illegal by clausiam · · Score: 5, Insightful

    But that is completely insane. They're saying you can refuse to give it but that may mean you have to go without the service requesting it, and then they mention a utility as an example and say "the choice is yours". So if you want to keep your SSN as private as possible you may have to live without electricity and water? Is that what they call choice? /Claus

  14. In-Home care by Danman6126 · · Score: 3, Insightful

    In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website posting and by alerting the media.

    Yeah, like bed ridden old people that need in-home care are going to be able to check a website for info on what's going on.

    Try sending them a letter or something!

  15. Re:I worked on this project... by hacksoncode · · Score: 3, Insightful

    This is a perfect example of why people who are out to save the world are dangerous.

  16. Re:SSN as National ID card (was:Re:Not Illegal) by Rufus88 · · Score: 2, Insightful

    It is illegal for the government to use the SSN for identification

    Really? The IRS is part of the government, and they use that number to identify me. What exactly are the "social security and tax purposes" that it could POSSIBLY be used for, OTHER than identification?

    Actually, I thought it was the card itself that wasn't supposed to be used for identification. I.e., you can't walk into airport security, flash 'em your SS card, and say, "I'm John Doe, here's my ID".

  17. Re:surprising... by cayenne8 · · Score: 2, Insightful
    "Especially considering that the data that was lost belongs to the state."

    Seems like the data on each individual should BELONG to the individual....

    Shouldn't you own your own data, and be able to say who does what with it?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  18. Re:I worked on this project... by bluesangria · · Score: 2, Insightful

    Go ahead and blame IT if you feel like it, but the fact is that the importance placed on computers and IT starts in one place - at the top with the University President.
    The former president of Rice University, for example, was known to brag about how they had the lowest ratio of IT staffers to campus computers. Of course, Rice was one of the sites used in the zombie DDoS attacks on Yahoo, and some other sites, a few years back.

    If the university leadership doesn't understand or place any importance on spending appropriately for IT staffing, salaries, training, etc., then you are going to have overworked, undertrained and understaffed IT people - the perfect scapegoat. But, it won't fix their problems until the university leadership itself takes IT seriously.
    Just my $.02
    blue

  19. Read the Social Security Number FAQ by 14erCleaner · · Score: 2, Insightful
    The best source for information on SSN privacy, your rights, and how to protect yourself, is the Social Security Number FAQ. Read it, it's very useful.

    The law that the previous poster thinks is protecting him is probably the Privacy Act of 1974, which is only binding on government agencies. It's discussed in the FAQ.

    There is also a SSN FAQ at cpsr.org, but it formats like crap on Mozilla. You'd think "computer professionals" wouldn't screw up something like this.

    --
    Have you read my blog lately?
  20. Re:Anyone know what OS this was that got hacked? by AnodeCathode · · Score: 2, Insightful

    It obviously wasn't Windows or that would have been mentioned in the first sentence.

  21. Re:I worked on this project... by jonfelder · · Score: 4, Insightful

    So basically you blame IT, Microsoft, STATA, and Arnold instead of having the researchers take any of the blame themselves for being unable to generate usable random IDs. Why didn't they just generate their own random 9 digit identifier and delete the SSNs?

    Why didn't they make sure the box was secure by never putting it on the Internet?

    Granted yes, Microsoft software has vulnerabilities, STATA may suck, IT support may be stupid, and the state may have been negligent in distributing sensitive data this way, but don't you think the researchers have some responsibility for this as well?

    The researchers knew it wasn't good to have SSNs in the data and (according to you) had strict rules about network access because it wasn't a Berkeley box. Yet, they put the box on the Internet anyway with unobfuscated SSNs.

    Don't you think those actions on the part of the researchers require them the share in the responsibility?
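Several commenters in this thread (garcia, TuballoyThunder, jonfelder) propose the same fix: the state assigns each person a random ID, keeps the ID-to-SSN linkage in its own office, and hands the researchers only the study variables. The following is an added Python example of that pseudonymization step. It is not code from the page, from U.C. Berkeley, or from the state program; the records, column names, and function names are constructed for illustration.

```python
import secrets

# Constructed sample records, of the kind a state office might hold (not real data).
STATE_RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "county": "Alameda", "wage": 8.50},
    {"name": "Bob Example",   "ssn": "000-00-0002", "county": "Fresno",  "wage": 9.00},
    # Same person as the first row, a later pay period: must get the same subject_id.
    {"name": "Alice Example", "ssn": "000-00-0001", "county": "Alameda", "wage": 9.25},
]

# Columns that identify a person directly and never leave the data owner.
DIRECT_IDENTIFIERS = ("name", "ssn")


def make_linkage_table(records, digits=9):
    """Assign every distinct SSN an unguessable random ID of the given width.

    Returns {ssn: subject_id}. This table is the re-identification key and
    stays with the data owner (the "state office" in the thread), not with
    the research copy. IDs are drawn from the OS CSPRNG rather than derived
    from the SSN, so the research data cannot be reversed by guessing SSNs.
    """
    ssn_to_id = {}
    used = set()
    for rec in records:
        ssn = rec["ssn"]
        if ssn in ssn_to_id:
            continue                       # already assigned: keep IDs consistent
        while True:
            candidate = f"{secrets.randbelow(10 ** digits):0{digits}d}"
            if candidate not in used:      # reject the rare collision
                break
        used.add(candidate)
        ssn_to_id[ssn] = candidate
    return ssn_to_id


def pseudonymize(records, linkage):
    """Build the release dataset: study variables plus subject_id, identifiers dropped."""
    released = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = linkage[rec["ssn"]]
        released.append(row)
    return released


def reidentify(linkage, subject_id):
    """Reverse lookup, run only at the data owner. Returns the SSN or None."""
    for ssn, assigned in linkage.items():
        if assigned == subject_id:
            return ssn
    return None


def leaks_identifiers(rows):
    """True if any released row still carries a direct identifier column."""
    return any(col in row for row in rows for col in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    linkage = make_linkage_table(STATE_RECORDS)      # stays at the state office
    research_copy = pseudonymize(STATE_RECORDS, linkage)  # what the researchers get
    for row in research_copy:
        print(row)
    print("identifiers in research copy:", leaks_identifiers(research_copy))
```

Two design points are deliberate. The IDs come from `secrets`, not from hashing the SSN: the SSN space is only a billion values, so a hash of it can be reversed by brute force and would be no better than the SSN itself. And the linkage table is returned as a separate object so that it can live on a system the research machine never touches; a breach of the research copy then yields wages and counties tied to meaningless numbers.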

  22. Re:Some states disallow using SSN as student ID by Tassach · · Score: 2, Insightful
    Yeah, we really need the government telling DBAs what to use as their primary key.
    Any DBA who uses SSN as a primary key needs to be flogged with a CAT-5 cable. Privacy concerns aside, it's generally a bad idea to use any user-provided value as a PK because of the difficulty of guaranteeing uniqueness. People (intentionally or accidentally) enter bogus SSNs or refuse to give them, making it a poor choice as a required field, let alone a key.

    If you have SSN as a required field with a unique constraint or index, you're setting yourself up for a denial of service attack -- User1 enters a bogus SSN which happens to belong to User2. Now User2 is effectively locked out of the system -- he can't enter his (valid) SSN because of the key constraint violation, so he either has to give up or give a bogus value as well.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  23. Re:Some states disallow using SSN as student ID by anthony_dipierro · · Score: 2, Insightful

    Any DBA who uses SSN as a primary key needs to be flogged with a CAT-5 cable.

    By her boss, maybe, but not by the government.

    Privacy concerns aside, it's generally a bad idea to use any user-provided value as a PK because of the difficulty of guaranteeing uniqueness.

    True, since there are at least some people out there with the same SSN.

    If you have SSN as a required field with a unique constraint or index, you're setting yourself up for a denial of service attack -- User1 enters a bogus SSN which happens to belong to User2. Now User2 is effectively locked out of the system -- he can't enter his (valid) SSN because of the key constraint violation, so he either has to give up or give a bogus value as well.

    Or you could just put the new account in a temporary table and have a human sort it out. It all depends on your application. If you're making a geocities site, OK. If the purpose of the database is to store company employees, then flagging identical SSNs is a feature, not a bug.
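Tassach's comment and anthony_dipierro's reply above describe two designs: SSN as the primary key, where one bogus entry locks the rightful holder out of the system, and a surrogate key with duplicate SSNs parked for a human to sort out. The following added Python/sqlite3 example runs both designs side by side. It is not code from either commenter; the table and function names are constructed for illustration.

```python
import sqlite3


def new_db(schema_fn):
    """Open an in-memory SQLite database and apply one of the schemas below."""
    conn = sqlite3.connect(":memory:")
    schema_fn(conn)
    return conn


# --- Design 1: the SSN itself is the primary key (the design Tassach objects to) ---

def ssn_as_key_schema(conn):
    conn.execute("CREATE TABLE users (ssn TEXT PRIMARY KEY, name TEXT NOT NULL)")


def register_ssn_key(conn, name, ssn):
    """True if the row was stored, False if the key constraint rejected it."""
    try:
        with conn:
            conn.execute("INSERT INTO users (ssn, name) VALUES (?, ?)", (ssn, name))
        return True
    except sqlite3.IntegrityError:
        # Whoever entered this SSN first, rightly or not, now owns the key.
        return False


# --- Design 2: surrogate key; SSN is an optional attribute; conflicts go to review ---

def surrogate_key_schema(conn):
    conn.executescript("""
        CREATE TABLE users (
            id   INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT NOT NULL,
            ssn  TEXT                      -- NULL allowed: people may refuse to give it
        );
        -- SQLite treats NULLs as distinct in a unique index, so many NULLs fit.
        CREATE UNIQUE INDEX users_ssn ON users (ssn);
        CREATE TABLE pending_review (
            id             INTEGER PRIMARY KEY AUTOINCREMENT,
            name           TEXT NOT NULL,
            ssn            TEXT NOT NULL,
            conflicts_with INTEGER NOT NULL REFERENCES users (id)
        );
    """)


def register_surrogate(conn, name, ssn):
    """Returns ("created", user_id) or ("pending", review_id).

    A duplicate SSN does not block the new person; it is queued with a pointer
    to the existing holder so a human can decide which record is bogus.
    """
    with conn:
        try:
            cur = conn.execute("INSERT INTO users (name, ssn) VALUES (?, ?)", (name, ssn))
            return ("created", cur.lastrowid)
        except sqlite3.IntegrityError:
            holder = conn.execute("SELECT id FROM users WHERE ssn = ?", (ssn,)).fetchone()[0]
            cur = conn.execute(
                "INSERT INTO pending_review (name, ssn, conflicts_with) VALUES (?, ?, ?)",
                (name, ssn, holder),
            )
            return ("pending", cur.lastrowid)


def pending_count(conn):
    return conn.execute("SELECT COUNT(*) FROM pending_review").fetchone()[0]


def pending_conflicts(conn):
    """List of (name, ssn, conflicting_user_id) awaiting a human decision."""
    return conn.execute(
        "SELECT name, ssn, conflicts_with FROM pending_review ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    # Design 1: User1 mistypes (or fabricates) an SSN that is really User2's.
    db1 = new_db(ssn_as_key_schema)
    print("User1 stored:", register_ssn_key(db1, "User1", "000-00-0002"))
    print("User2 stored:", register_ssn_key(db1, "User2", "000-00-0002"))  # locked out

    # Design 2: same input, but User2 lands in the review queue instead of being refused.
    db2 = new_db(surrogate_key_schema)
    print(register_surrogate(db2, "User1", "000-00-0002"))
    print(register_surrogate(db2, "User2", "000-00-0002"))
    print(register_surrogate(db2, "User3", None))   # declined to give an SSN
    print("awaiting review:", pending_conflicts(db2))
```

The unique index is kept in the second design, so the "flag identical SSNs" behaviour anthony_dipierro wants for an employee database is still there; what changes is that the conflict becomes a work item rather than a refusal. One portability caveat: SQLite and PostgreSQL treat NULLs as distinct in a unique index, so multiple people with no SSN on file coexist, but SQL Server's unique constraint allows only one NULL, and there a filtered index (`WHERE ssn IS NOT NULL`) is needed for the same effect.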

  24. Re:Universities notorious by megaversal · · Score: 2, Insightful

    There's a slight difference in our thinking, I think.

    When I say businesses don't have to assume their internal users are enemies... the users can unknowingly ruin systems (worms, viruses, etc.), but most of them are there just to do their work (the employees). My students specifically take the time to try to break my workstations, servers, and everything in between.

    Everything has to be physically protected far more than your standard company (at least in my experiences with both sides). At the lowest level, we find missing mouse balls routinely. It's not as sophisticated as the 20% of employees who are stealing the extra memory out of their machine, but it's much more of a pain in the ass. I wonder if it has to do with the "it's my workstation in my cubicle" mentality vs "this is just a computer in the computer lab."

    --
    Sig!