Slashdot Mirror


Berkeley Grads' Identity Data Stolen

yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."

289 comments

  1. Secret by BWJones · · Score: 5, Insightful

    Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

    Granted, this will not prevent all leaks as even the State Department, CIA and FBI have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.

    --
    Visit Jonesblog and say hello.
    1. Re:Secret by hackstraw · · Score: 2, Insightful

      Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

      That sounds fine and good, and what _should_ be done. But there first needs to be some desire or interest for the government to do such a thing, and there is no evidence of any interest whatsoever. I see government sponsored prime time TV ads reminding us to behave and not get high and to be good mommies and daddies by paying attention to our kids and their homework, but I have yet to see an ad about protecting my government initiated and issued social security number. It's still legal for just about anybody to ask for my government social security number with no laws protecting me if that person mishandles or misuses my SSN. Identity theft is practically legal, and there is little to no initiative to pursue or prosecute people that steal (or infringe for those people that are anal about the word "steal") people's identities.

      So why doesn't the government actually care about this? Because people are adaptive, and will basically stay at their status quo after an identity theft. A poor person's identity theft will keep them poor, and being that they have little credit, not much theft is going on, and their credit is probably bad already, and they are already behind on their bills, etc. A middle class person will suffer a temporary setback (probably most vulnerable of the classes), but they aren't going to lose their job because someone opened up a bunch of credit accounts in their name. In other words the government will still get paid one way or another. Rich people will still be rich, regardless of an identity theft, and it's likely they will take care of the pursuit of the thief themselves.

      Basically, from the government's point of view, identity theft is a victimless crime. I know no one personally that has been affected by it, but I've read stories here and other places about it. It basically seems like a pain in the ass, kinda like being hassled by the law or a divorce, but life goes on, and I would only expect for it to escalate a little higher over the next couple of years and then taper off some.

    2. Re:Secret by cpeikert · · Score: 1

      Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment.

      You're kidding, right? Then practically every employee in the student services and financial aid offices would need a US Government security clearance, and none of the computers there could be connected to the internet.

    3. Re:Secret by dmf415 · · Score: 1

      Hundreds of thousands of students' livelihoods are left in the hands of 1 idiot. Whatever happened to responsibility for one's actions? Whoops? I left the door unlocked?

    4. Re:Secret by nmx · · Score: 1

      You're kidding, right? Then practically every employee in the student services and financial aid offices would need a US Government security clearance, and none of the computers there could be connected to the internet.

      Sounds good to me. I, for one, don't think that the overworked and underpaid people (often students!) working those offices should necessarily have access to so much personal data.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try."
    5. Re:Secret by stinerman · · Score: 3, Insightful

      You raise good points, but what must happen is that people need to be more careful with their personal information. Most people gladly give away their phone number to Radio Shack, Best Buy, etc. at the drop of a hat. I'll bet you ~50% of people would give their SSN to any brick and mortar retailer (but not those hackers on the internets) if asked to do so. Most of them don't know that they can refuse to give out any of their personal information (of course, the cost may be not being able to do business with that store), but probably would so they wouldn't be put-out by having to go to another store.

      Convenience trumps all with security being a close second and privacy a distant third.

  2. Why do they need the SSNs? by lecithin · · Score: 4, Insightful

    This is a pet peeve and it is just getting worse.

    Why does a school need our SSNs? Why does anybody outside the government?

    Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

    --
    It could be worse, it could be Monday.
    1. Re:Why do they need the SSNs? by DarkTempes · · Score: 5, Insightful

      they use it as a personal identification number (which it isn't supposed to be used as but since everyone has a unique one it makes it easy for them to do it).

      they don't NEED to but they CAN and so they do.

    2. Re:Why do they need the SSNs? by G-funk · · Score: 5, Interesting

      Because your SSN (like our TFN, or Tax File Number) is your national ID number. Whether you like it or not, whether it's legal or not, it's still a fact. You guys have it worse than us, we seem to have the TFN for all "official" docs like government, financial institutions etc, and we have our license no for everything else, such as video cards etc. But we're still in databases all over the world, easily indexed by a small number of different "unique enough" keys.

      --
      Send lawyers, guns, and money!
    3. Re:Why do they need the SSNs? by matth · · Score: 2, Insightful

      I bet you don't NEED to.. just tell them you don't have one... they can't make you give them something you don't have... that's what I do.. I've never had a problem.

    4. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      Why does the school need and keep your SSN after nearly 30 years? Yes, they probably use it to "id" the student records if some employer inquires if you actually attended college there back in 1976. The business I'm in, all SSN's and Credit card#'s are encrypted on the disk that they're stored on. That only makes it "more secure", not 100%. Our e-commerce is 100% secure since they do not keep CC# or SSN#'s in any records.

    5. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      "Why does a school need our SSNs? Why does anybody outside the government?

      Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?"

      Are hunting and fishing licenses not awarded by the government?

    6. Re:Why do they need the SSNs? by russler · · Score: 2, Insightful

      Think of how many institutions we deal with require our SSN. With Social Security supposedly going defunct in 2041 (from the headlines) do you suppose all of these organizations are going to be so forward thinking as to choose a new "key" for each of us by then? How much is it going to suck for kids in the future to be issued a Social Security Number when it's used for pretty much everything under the sun EXCEPT for obtaining Social Security benefits.

    7. Re:Why do they need the SSNs? by flyingsquid · · Score: 5, Funny

      Why does a school need our SSNs? Why does anybody outside the government? Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

      Next time you apply for a license, just tell them you are John Kruptowski, 537 Cherrywood Circle, Minneapolis, Minnesota, 575-63-6216, currently applying to UC Berkeley's astrophysics program.

      If you don't like that name, I got a zillion more.

    8. Re:Why do they need the SSNs? by anon*127.0.0.1 · · Score: 2, Interesting

      But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years. I'm assuming Berkeley has a fair number of foreign students, they probably have to generate some sort of artificial ID number for them... why can't they just generate an artificial ID number for all their students?

      To answer my own question... they could, and quite easily. The difficulty lies in transitioning all your data systems from one ID number to the other.

      --
      I am NOT a man!
      I am a free number!
    9. Re:Why do they need the SSNs? by calethix · · Score: 1

      "Why does a school need our SSNs? Why does anybody outside the government?"
      I believe in many cases (e.g. student worker, financial aid recipient), they need it for tax reporting purposes.

    10. Re:Why do they need the SSNs? by mshiltonj · · Score: 0, Troll

      Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

      We must verify your information against the Homeland Security Threat Matrix to see if you are a terrorist.

      Since you have questioned the need to produce your papers on demand, you have exhibited suspicious behavior according to our profiling specifications. Your threat rating has been raised three points.

      Please report to your nearest Homeland Security office immediately for interrogation and possible re-education.

      Thank you.

    11. Re:Why do they need the SSNs? by ikkonoishi · · Score: 4, Funny

      #12074974, I am shocked by your assertion that my actions are being tracked by an ID number of some kind. All places should put the effort to protect our identities that Slashdot does.

      Sincerely
      #12072440

    12. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      Why does a school need our SSNs?

      They definitely need it so they can file a 1098-T at the end of the year. They probably also need it so they can do a credit check on you, both to determine if they're going to admit you, as well as to determine whether or not you qualify for whatever tuition plans they offer (unless you're prepaying in cash, the school is giving you a loan). If you're a transfer student, they need it so they can verify your transcript, this could perhaps be done in another way, using your name, addresses, birth date, etc., but it's a lot easier to just see the SSN on the transcript and match it to the SSN in your profile.

      Why does anybody outside the government?

      The same basic reasons. Either they need it to report something to the government, to check your credit, or to match up files.

    13. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 2, Informative

      They're not unique forever, because the government recycles them after a few years.

      Insightful? This is patently false. There are some instances of multiple people having the same SSN, but these were accidental, and not intentional, and the government will issue a new SSN for people who are in this situation.

      why can't they just generate an artificial ID number for all their students?

      Read my reply to the parent. The school definitely needs your SSN. It probably shouldn't be used as a primary key, since there's a (very slim) chance it's not going to be unique, and not all students will have an SSN. But don't the vast majority of foreign students have a government issued ID number already (just not to be used for employment purposes)?

    14. Re:Why do they need the SSNs? by forand · · Score: 4, Informative

      Berkeley does NOT use your SSN for your student number. It does, however, need your SSN to provide you with federal financial aid and work. Since virtually EVERY grad student falls into one of these categories they need the SSN.

    15. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years.

      The US Government goes through ten billion numbers fast enough to recycle them "after a few years?" I don't think people will have much trouble telling between the two people with the same SSN when one does get recycled. Do we send the check to Jim Smith born in 1977 or to Stacy Esteban born in 2204?

    16. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 1, Informative

      Most schools will use an ITIN assigned by the IRS for foreign nationals, because they often need to pay taxes on earnings/whatnot but have no SSN.

    17. Re:Why do they need the SSNs? by matth · · Score: 2, Funny

      Exactly why my kids will not be getting SSNs!

    18. Re:Why do they need the SSNs? by defy+god · · Score: 3, Informative

      http://www.ssa.gov/history/hfaq.html

      Q20: Are Social Security numbers reused after a person dies?

      A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

      --
      hackers of the world unite!
    19. Re:Why do they need the SSNs? by antifoidulus · · Score: 3, Informative

      AFAIK, foreign students do receive SSN #s, but an SSN # doesn't entitle you to social security benefits. Everyone who is not on a short term visa is required to get one. I hosted a student intern from Argentina here at my school and had to help her get all this stuff.

    20. Re:Why do they need the SSNs? by dayid · · Score: 1

      Schools need SSNs because they file paperwork for you with the government regarding the amount of "school expense" you've paid, along with tuition and the likes. They file almost as much tax paperwork with the government for every student as a bank would for a common customer (savings+checking+one or two investment accounts). It sure would make it fun for the government to get a bunch of files for "Bobby B. Brown" rather than "077-10-1199" now, wouldn't it?

      That said, the fact that anyone would store SSNs on something such as a laptop just shows that they need to get smacked around a little bit.

      ...I also like how you say that in Minnesota you need your SSN for hunting and fishing licenses, but you argue that no one outside the government should need it. Well, do you think the money and information associated with your hunting and fishing licenses is just going to some random private organization?

    21. Re:Why do they need the SSNs? by mzwaterski · · Score: 2, Informative

      If by video card you mean a card for renting movies and by "you guys" you mean US citizens, then I would say that we are pretty similar to you. Video stores generally take a driver's license number or credit card to keep on file, they don't require a social security number and I don't believe I've even been asked to provide one optionally.

      Generally, social security numbers are used for things relating to schools, banking/investing/financial activities, and government documents like tax returns.

    22. Re:Why do they need the SSNs? by fuzzybunny · · Score: 1

      OK, agreed, tax & SS-related forms are legitimate.

      Now: what about the whole "credit check" thing? Let's ask a more fundamental question--why is the SSN required for this sort of thing at all? Or for transcript verification?

      Simple answer: It's a unique identifier, you said it. Funny thing that, doesn't the Social Security Act specify that the SSN is not meant to be used as identification except for Social Security purposes?

      You hit the nail on the head with the word "easy". It's easy. "Easy" is not always good, and in this case, it is shit. "Easy" is what made some plank store this sort of crap on a laptop, probably in Excel, probably unencrypted. "Easy" in this case is bad.

      As this link mentions, one of the problems is that there is no law _preventing_ business (including schools) from requiring this supposedly private piece of information as a precondition for delivering services, without making allowance for an alternative.

      So I think in this case we can replace "easy" with "unprofessional", "lazy", "unethical" even.

      --
      Cole's Law: Thinly sliced cabbage
    23. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      It's basically an SSN (same format and everything), but I think it's called something different, since the people aren't entitled to social security.

      That said, not everyone in the country has an SSN. I've been debating whether or not I should give one to my children (if I ever have any children), or if I should let them choose for themselves whether or not to get one. At least one disadvantage is if they don't have an SSN, you can't claim them on your taxes for stuff like the child tax credit.

    24. Re:Why do they need the SSNs? by dumllama · · Score: 1

      It is not going "defunct".
      It will just have to cut benefits to about 75% of what is promised by the current formula.

      Don't listen to the politicians, they'll say anything to get what they want.
      Don't listen to the newspapers, they just repeat what the politicians say.

      --
      "eternal vigilance is the price of liberty" Wendell
    25. Re:Why do they need the SSNs? by vettemph · · Score: 2, Insightful

      Score:+5 Funny?
      More like
      Score:+5 Scary!

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
    26. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      Now: what about the whole "credit check" thing? Let's ask a more fundamental question--why is the SSN required for this sort of thing at all?

      Because that's what the credit reporting agencies use as a key into their database.

      Or for transcript verification?

      Most schools have an SSN on your transcript. It's pretty much the most permanent thing about you. Changing your SSN is hard, and you need a pretty good reason to do it.

      Funny thing that, doesn't the Social Security Act specify that the SSN is not meant to be used as identification except for Social Security purposes?

      No, it doesn't.

      You hit the nail on the head with the word "easy". It's easy. "Easy" is not always good, and in this case, it is shit. "Easy" is what made some plank store this sort of crap on a laptop, probably in Excel, probably unencrypted. "Easy" in this case is bad.

      I don't see how.

      As this link mentions, one of the problems is that there is no law _preventing_ business (including schools) from requiring this supposedly private piece of information as a precondition for delivering services, without making allowance for an alternative.

      I don't see how that's a problem.

      So I think in this case we can replace "easy" with "unprofessional", "lazy", "unethical" even.

      By your definition, perhaps, but you've failed to back it up with any real evidence.

    27. Re:Why do they need the SSNs? by shoppa · · Score: 1

      Why does a school need our SSNs?

      Many grad students are employed by the school. This is something they'd collect not on application but on the student showing up to work.

      For undergrad financial aid, there's the requirement that male students be checked to be sure they're registered with Selective Service. Some schools use this as an excuse to collect SSN, but I think it's a lame excuse because when I registered at least (many years ago you can tell!) I didn't even have a SSN.

    28. Re:Why do they need the SSNs? by G-funk · · Score: 1

      Ah I see... Due to the level of whinging that goes on around here, I figured in the US you needed your SSN to do anything more complicated than buying a litre (quart?/pint?) of milk :)

      --
      Send lawyers, guns, and money!
    29. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      That said, the fact that anyone would store SSNs on something such as a laptop just shows that they need to get smacked around a little bit.

      I wish more people would do it. In fact, I wish every SSN in the country was suddenly released to the public. The problem isn't using an SSN as an identifier. As you've explained, it makes a pretty good one. The problem is treating SSNs as secret information. As was said by another poster, and I agree, if they just published everyone's SSN in the phone book it'd solve the whole problem.

    30. Re:Why do they need the SSNs? by mzwaterski · · Score: 0

      Extra, extra, read all about it:

      /. users exaggerate..

      hehe

    31. Re:Why do they need the SSNs? by AmigaAvenger · · Score: 2, Informative

      the government does NOT recycle them! There are only around a billion possible #'s though, so at some point they will have to be recycled. (SSN's are assigned randomly or sequentially, some of the digits mean something.) How SSN's work

    32. Re:Why do they need the SSNs? by pixelpusher220 · · Score: 1

      agreed, one of my college roommates didn't have a SSN. Her dad paid the 20K tuition in friggin cash every year ;-) Even to the point of mailing her cash wrapped in tinfoil!

      His 'profession' was 'auto parts reseller' - he drove around to mechanics selling them 'discount' parts. Um yeah right ;-)

      Dunno what he was hiding, but it wasn't pretty I'm sure!


      --
      People in cars cause accidents....accidents in cars cause people :-D
    33. Re:Why do they need the SSNs? by mikael · · Score: 1

      Oddly enough, for certain college courses, students no longer put down their name, but just use their matriculation number.

      And for various research journals, you will never know the name of the persons reviewing your paper, but only an identifier such as "IXL04356". But as you are now able to reply to the reviewers comments, the log of the discussion will appear to be something out of an Asimov short story.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    34. Re:Why do they need the SSNs? by endoboy · · Score: 1

      ahh.. you must be comfortably wealthy-- or, more likely, childless and blowing smoke.

      SSN's are required to get the tax deduction for your children

    35. Re:Why do they need the SSNs? by bfizzle · · Score: 1

      They keep that kind of business in the "family"

    36. Re:Why do they need the SSNs? by Audigy · · Score: 1

      If you don't have a SSN, you can't become legally employed, nor will you ever build any credit. That's a pretty silly move.

      --
      [an error occured while processing this directive]
    37. Re:Why do they need the SSNs? by fearanddread · · Score: 1

      We should all just give up and start using our SSN as our /. id.

    38. Re:Why do they need the SSNs? by enbody · · Score: 2, Interesting

      Ask the university department responsible for fund raising. They will tell you that the easiest way to track alumni in the USA is with SSN. If you have someone's SSN, it is easy to find their up-to-date address -- critical for fund raising. There are businesses which will provide you with up-to-date addresses, if you give them SSNs. My university does not collect all student SSN so it is severely handicapped in fund raising.

    39. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      No longer. You must have done the intern hosting a while back. Now, if a foreign student is not employed but is merely enrolled, SSNs are not issued. See this page

    40. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      They're not unique forever, because the government recycles them after a few years.

      What when more and more people become immortal?

    41. Re:Why do they need the SSNs? by DesertBlade · · Score: 0

      You may want to get your children a SSN. They need to have a SSN to work and if they apply for one when they are older than 12 they will need to do an in-person interview and explain why they don't have one.

      There are 3 types of SSN cards.
      one for US citizens,
      one for Valid for work with DHS authorization,
      and one that is not valid for employment.

      All this and more can be found at http://www.ssa.gov/pubs/10002.html/

      --
      Half of writing history is hiding the truth.
    42. Re:Why do they need the SSNs? by Fulcrum+of+Evil · · Score: 1

      Insightful? This is patently false. There are some instances of multiple people having the same SSN, but these were accidental, and not intentional, and the government will issue a new SSN for people who are in this situation.

      SSNs alone are not guaranteed unique - they are only unique in combination with your birthdate.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    43. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      Ha! Caught you, you identity thief! Trying to masquerade as #12072440, when you are really #12075103 ! Fortunately, Slashdot has a foolproof identity verification system. We know who you really are....

    44. Re:Why do they need the SSNs? by stinerman · · Score: 1

      The school definitely needs your SSN.

      If I'm not mistaken, you do not have to give out your SSN to any agency that will not use it for Social Security related stuff. That is, the only people who need to know your SSN is your employer (for payroll taxes) and the SS Dept (along with the IRS). Since your school does not need your SSN, you don't have to give it to them.

      Perhaps this was the original idea, but isn't that way in practice. I was always under the impression that it was on the books in the way I described.

    45. Re:Why do they need the SSNs? by Jerf · · Score: 2

      I am not a number, I am a free man !

      Sincerely, #171not-6not-6.

    46. Re:Why do they need the SSNs? by rotor · · Score: 1

      Fortunately ID theft only works if you know how to find and use the ID (like referencing the message ID when you clearly meant to use the user id was kind of silly)

      --
      Addlepated - punk & metal
    47. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      They only can if you let them. Unless the Department that issues those licenses is specifically authorized to use the SSN by the legislature, for that purpose, then the Federal Privacy Act is supposed to prevent them from "requiring" it. Any government organization, federal, state, or local is supposed to cite the applicable authorizing statute, when requesting your SSN. Even supposed to apply to govt. contractors, acting on a govt. program.

    48. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      If you don't have a SSN, you can't become legally employed, nor will you ever build any credit. That's a pretty silly move.

      It's a silly move if you want to be employed or borrow money. Not everyone needs that, though, and if you don't have an SSN, you can always get one (at least, if you were born here).

    49. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      They need to have a SSN to work and if they apply for one when they are older than 12 they will need to do an in-person interview and explain why they don't have one.

      If the only problem were having to go through a little interview, in the event my children decide they want to work, then it'd be a no-brainer. The issue, like I said, is the tax benefits of being able to claim them.

      I wonder what the deal is if you pay someone who voluntarily does work for you (on a regular basis) and they don't have a social security number. I don't see how this could possibly be illegal. I mean, I have a right to give my kids money, and they have a right to do things for me, right?

    50. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      If I'm not mistaken, you do not have to give out your SSN to any agency that will not use it for Social Security related stuff.

      Well, I never said you have to give it.

      That is, the only people who need to know your SSN is your employer (for payroll taxes) and the SS Dept (along with the IRS).

      Those two aren't the same statement. You need someone's social security number for more than just employment. For instance, if you pay someone interest, gambling winnings, or nonemployee compensation, and don't withhold 20% backup withholding, you need their SSN.

      Since your school does not need your SSN, you don't have to give it to them.

      No, you don't, and they don't have to let you go to their school.

      Perhaps this was the original idea, but isn't that way in practice. I was always under the impression that it was on the books in the way I described.

      Well, see http://www.usdoj.gov/04foia/1974ssnu.htm for the closest thing I can find. From my quick reading, it seems even if it's a public school it would be perfectly legal for them to not let you attend without giving your social security number. If it's a private school, it's definitely legal.

    51. Re:Why do they need the SSNs? by ikkonoishi · · Score: 1

      Yeah I noticed that just after posting...

      Didn't feel like posting an addendum and so I just hoped that nobody would notice it.

    52. Re:Why do they need the SSNs? by jasonwea · · Score: 1

      From How SSN's work:

      "statisticians say that the nine-digit SSN allows for approximately one billion possible combinations!"

      Great stuff :)

    53. Re:Why do they need the SSNs? by fuzzybunny · · Score: 1

      Because that's what the credit reporting agencies use as a key into their database.

      ...which is part of my point. It's wrong. You do not use a number designed to allocate, as its name states, social security benefits, as an identifier for non-SS-related financial info.

      Most schools have an SSN on your transcript. It's pretty much the most permanent thing about you. Changing your SSN is hard, and you need a pretty good reason to do it.

      Fair enough, but you _can_ do it, and you can get a new one. So there's not much point in using it as an identifier. Any identification mechanism which _can_ be changed without the knowledge of the system using it is not useful as an identification mechanism. And no, I don't have a better idea--I refuse to bring up something like personal ID cards or biometrics or other "solutions" that open up a pandora's box of issues.

      No, it doesn't.

      My mistake, the SSA does not explicitly say so. Older cards (including mine) say "not to be used for identification" which, for some reason, no longer seems to appear. Good catch. As I stated, there are no laws preventing business from using it as an identifier, although I stand by my assertion that it was never intended for use as an ID number; if you dig a bit, you may be able to find the relevant FDR speech introducing FICA. If memory serves, the "will never be used for identification", at least for 30 years after 1935, is a direct quote.

      I don't see how.

      Then we're talking past each other. I'm a security consultant and am confronted with the catastrophic results of laziness and choosing the 'easy' path (or at least what is perceived as such) on a near daily basis at my clients'. Refusal to use basic crypto & authentication mechanisms because it requires procedural rethinking or retraining is such an example.

      Most examples of identity theft are not the result of caffeine-fueled Russian mafia h@x0r breakins, but rather exploits of some fairly basic mistakes--viz. the tourist who lets the Hong Kong shop clerk out of his sight with a credit card, the refusal of most major US banks to even consider decent two-factor authentication for cost reasons, etc.

      I don't see how that's a problem.

      You may not have an issue with using an insecure mechanism that's subject to compromise and misuse this easily to identify yourself, but I do.

      The only remotely "positive" thing about using SSNs as identifiers is that they are understood to be insecure, as opposed to biometrics, which are (mistakenly) widely believed to be safe, so if I am affected I can, such as happened to many individuals in the ChoicePoint break-in, have recourse.

      By your definition, perhaps, but you've failed to back it up with any real evidence.

      Are you just being contrarian? Confidential student data which could be used to cause serious financial liability to individuals was stored on a laptop in a poorly secured facility (I graduated from Berkeley; stealing laptops is not black magic at a university that size.) There was obviously some fundamental failure of awareness, information security management processes and basic user responsibility here.

      Once again, maybe you simply do not care--I assume this attitude partially results from never having this sort of thing happen to you. Many others have, and do. Frankly, I find the idea that "it works, leave it, I don't care if it's fundamentally broken and vulnerable to compromise" pretty obtuse.

      --
      Cole's Law: Thinly sliced cabbage
    54. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      Because that's what the credit reporting agencies use as a key into their database.

      ...which is part of my point. It's wrong.

      That's your argument. However, it is not true on its face, so if you're going to convince me it's wrong you're going to have to present some reasoning.

      You do not use a number designed to allocate, as its name states, social security benefits, as an identifier for non-SS-related financial info.

      Why not?

      Fair enough, but you _can_ do it, and you can get a new one.

      Some people can, yes.

      So there's not much point in using it as an identifier. Any identification mechanism which _can_ be changed without the knowledge of the system using it is not useful as an identification mechanism.

      Then there is no useful identification mechanism. Well, I guess we could get someone's fingerprint whenever they apply for a loan, but somehow I don't think that'll go over very well with people.

      And no, I don't have a better idea--I refuse to bring up something like personal ID cards or biometrics or other "solutions" that open up a pandora's box of issues.

      So why not use the closest thing we've got. I have to dispute that there is "not much point in using it as an identifier". It still works just the same for anyone who hasn't changed their number, and it'd only be a problem for people loaning money to those that do if they had really bad credit before the change. New credit takes a while to establish anyway, and records leave your credit report after 7 years anyway. So it isn't really that big of an issue, even if someone with horrible credit is allowed to establish a new number. They've still got to work for years to build up good credit.

      The system works pretty well. The only major problem is that some people have chosen to use the social security number as a password. But that has nothing to do with the fact that it's used as an identifier.

      You may not have an issue with using an insecure mechanism that's subject to compromise and misuse this easily to identify yourself, but I do.

      I don't see how security plays a role in identification. We just need a pointer to a person's records. We could use name, birthdate, birth city, mother's maiden name, etc., but instead we use a number. Security issues only come into play when you think that knowledge of the number means something.

      The only remotely "positive" thing about using SSNs as identifiers is that they are understood to be insecure, as opposed to biometrics, which are (mistakenly) widely believed to be safe, so if I am affected I can, such as happened to many individuals in the ChoicePoint break-in, have recourse.

      How are SSNs "insecure"? You seem to be confusing identifiers with passwords. They are completely different things. Some people use the SSN as a password, and you have my full support that that is bad.

      Confidential student data which could be used to cause serious financial liability to individuals was stored on a laptop in a poorly secured facility

      So if I tell you someone's name I've given out "confidential student data which could be used to cause serious financial liability to individuals"? Just how can you use someone's SSN to cause serious financial liability to that person anyway? You're once again confusing a SSN with a password. A social security number is not a password. Repeat it again with me. A social security number is not a password.

    55. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      Confidential student data which could be used to cause serious financial liability to individuals was stored on a laptop in a poorly secured facility

      Pardon me for the strawman, but I'm going to follow along with what you seem to be saying, since you don't seem to want to explain yourself.

      A school gathers information about a student, including that student's name, address, and social security number. Someone who has this information on their laptop loses it. The thief takes the information, goes to a bank, and presents them with the student's name, address, and social security number. The bank decides to lend that person $1,000. The thief doesn't pay the bank back. The bank sends a letter demanding payment to the person. The person writes back, saying that he knows nothing about the loan. The bank sues the person in court. A judge looks at the evidence, and says since the person who took out the loan knew the social security number of the defendant, they must have been the defendant, and awards $1,000 to the bank.

      Now, in that story, you'd say the cause of the liability is the loss of the social security number???? Because, in my opinion the immediate cause was the fraudulent loan. The responsibility lies on the thief who took out the fraudulent loan and the bank who gave $1,000 to the thief without verifying his identity. And then, of course, the judge made a decision which no judge in the US would ever make.

      Like I said, this is a strawman, so perhaps you can present a more realistic situation where someone can get a $1,000 liability just because someone knows his SSN, because my story just isn't realistic. No judge would award a settlement simply because the person taking out the loan knew the person's SSN. So it's impossible on its face, and even if you ignore that it would still be the fault of the person allowing the loan, not in the person who gave out the SSN.

      As I've said in other threads, I know Bill Gates' name, address, and SSN. Does that mean I can steal money from him? Of course not. A social security number is not a password.

    56. Re:Why do they need the SSNs? by knight37 · · Score: 1

      They will never HAVE to recycle them. They could just add more digits to the number for future generations at some point when this is necessary. It'll help stimulate the economy with all the coding changes that will need to be done, like Y2K.

      --
      Knight37 - Once a Gamer, Always a Gamer
    57. Re:Why do they need the SSNs? by fuzzybunny · · Score: 1

      Someone who has this information on their laptop loses it

      Why was it on a _laptop_ in the first place? Regardless of who hangs in the end for the financial liability, damage is caused. The problem with your argument is the assumption of a "victimless crime"--assuming someone got hold of 100,000 SSNs, as well as associated data allowing you to assume the identity of an existing person, there's a good chance your $1,000 example would be multiplied quite a bit. Even _if_ the person whose persona was thieved were proven innocent, the result would be harm to everyone in the form of tougher loan criteria, higher fees, etc.

      Think of it this way: a fair amount of what Visa charges you in interest & fees goes towards insuring them against credit card fraud. After the ChoicePoint exploit, one African gentleman was caught only after submitting loan applications under at least 40 assumed personas, and having received approval for quite a few of them.

      The loss of the SSN is not the cause per se; it is the piss-poor awareness of data protection best practices that led the data to being on a _laptop_ in the first place, and the piss-poor system that led to a perceived requirement to collect that information in a manner not necessarily directly related to social security-relevant purposes.

      Pardon me if I'm being thick here, but I am really having trouble understanding how I am not explaining myself. I believe the system is broken, for reasons I tried to state very clearly, and I think the behavior (or lack thereof) that led to the theft of this information in such a manner being possible is equally broken.

      Regarding your example, we're not just talking about loans here--here are a few random links on the topic of identity theft, with plenty of information on potential consequences.

      Your argument is perfectly legit, not a strawman at all, except for the part about stealing money from Bill--of course not. But Bill's not Sam T. Gradstudent, so fallacy of equation there.

      --
      Cole's Law: Thinly sliced cabbage
    58. Re:Why do they need the SSNs? by fuzzybunny · · Score: 1

      Without another lengthy reply, as I really need sleep, one point:

      How are SSNs "insecure"? You seem to be confusing identifiers with passwords.

      An identity transaction has three parts: assertion, identification, authentication. While the order depends on the system and context, my name is my assertion as to who I am. Theoretically the "system" should then identify me, and I authenticate, i.e. prove the veracity of who I am, by some means.

      How many companies have you dealt with which asked you for your SSN as proof that you are indeed Anthony di Pierro, or in my case, John Salomon? I've encountered way too many to count, including banks, credit card companies, govt. agencies not dealing with SS, etc.

      Just how can you use someone's SSN to cause serious financial liability..

      See above, and my other post. You're right, it is NOT a password. Repeat it again with me. A social security number is not a password. But a whole lot of organizations use it as an equivalent. Maybe you should ask them to repeat it again with you, instead of me.

      Interestingly enough, I've never been asked for the equivalent of an SSN (AHV here in Switzerland) for stuff here that isn't related to my pension or my taxes (which are directly related to my pension.) If I must identify myself, I have a machine-readable photo ID, such as a passport or a driver's license, or for those who want one, a national ID card (note: voluntary, always has been.)

      No fingerprints, no mess. How do I get that? A birth certificate, for example. Unfortunately, communities here require you to register when you move, which is a problem, but at least there are strong and proven (although not infallible) data protection frameworks in place to make sure nasty little eyes don't see that information.

      As to why SSNs should not be used for identification with your example of credit reporting agencies: (a) unless someone like Equifax has foolproof mechanisms to prevent this, which they don't, someone with knowledge of my personal details from obtaining more information than they should about my background. (b) You may be comfortable living in a glass box, I am not. My pension information is, as far as I'm concerned, my business, not Experian's. (c) Someone with access to such an 'aggregate' identifier (remember above? Not a password, but often used as one?) can, for lack of a better word, fuck me for all I'm worth. And a few other reasons which I'm too tired to type.

      I realize the need for identification, even though I have issues with the idea of credit rating agencies (although I won't argue that they serve a purpose.) However, I maintain that the SSN is a messy way of doing it, contrary to its purpose.

      Anyway, I understand your point, I simply disagree with it, and am now going to bed. Thank you for a good discussion.

      --
      Cole's Law: Thinly sliced cabbage
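
Added example, not part of any comment in this thread: a Python sketch of the distinction argued in comments 53 to 58, where an SSN used as an identifier only selects a record while a separate secret authenticates the person. The `Lender` class, its method names, the passphrase and every record value are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: the field types the stolen laptop held
# (name, SSN, birthdate, address). Every value is fictional; the
# 000 area number is never issued.
STOLEN_RECORD = {
    "name": "Sam T. Gradstudent",
    "ssn": "000-00-0001",
    "birthdate": "1980-01-01",
    "address": "1 Example Way, Berkeley, CA",
}
# Constructed secret known only to the real person; it was never on the laptop.
OWNER_PASSPHRASE = "correct horse battery staple"


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted verifier so the stored value is not the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Lender:
    """Hypothetical lender, used only for this illustration."""

    def __init__(self):
        self._by_ssn = {}
        self._dummy_salt = os.urandom(16)

    def enroll(self, record: dict, passphrase: str) -> None:
        salt = os.urandom(16)
        self._by_ssn[record["ssn"]] = {
            **record,
            "salt": salt,
            "verifier": _derive(passphrase, salt),
        }

    def identify(self, ssn: str):
        """Identification: the SSN only says which record is meant."""
        return self._by_ssn.get(ssn)

    def approve_ssn_as_password(self, claim: dict) -> bool:
        """Weak: repeating the record's own fields is treated as proof."""
        rec = self.identify(claim.get("ssn", ""))
        if rec is None:
            return False
        return all(rec[k] == claim.get(k)
                   for k in ("name", "birthdate", "address"))

    def approve_with_authentication(self, claim: dict, passphrase: str) -> bool:
        """Stronger: the SSN identifies, a separate secret authenticates."""
        rec = self.identify(claim.get("ssn", ""))
        # Derive even for unknown SSNs so both paths cost about the same.
        salt = rec["salt"] if rec else self._dummy_salt
        candidate = _derive(passphrase, salt)
        if rec is None:
            return False
        return hmac.compare_digest(candidate, rec["verifier"])


def run_scenario() -> dict:
    """Replay the stolen-laptop case against both approval policies."""
    lender = Lender()
    lender.enroll(STOLEN_RECORD, OWNER_PASSPHRASE)
    claim = dict(STOLEN_RECORD)  # everything readable from the stolen disk
    return {
        # The thief presents the stolen fields to the weak policy.
        "thief_weak": lender.approve_ssn_as_password(claim),
        # The thief tries a stolen field as the secret under the strong policy.
        "thief_strong": lender.approve_with_authentication(
            claim, STOLEN_RECORD["birthdate"]),
        # The real owner authenticates with the secret that was not stolen.
        "owner_strong": lender.approve_with_authentication(
            claim, OWNER_PASSPHRASE),
        # An SSN with no record is rejected whatever secret is supplied.
        "unknown_ssn": lender.approve_with_authentication(
            {"ssn": "000-00-9999"}, OWNER_PASSPHRASE),
    }


if __name__ == "__main__":
    for case, approved in run_scenario().items():
        print(f"{case}: {'approved' if approved else 'rejected'}")
```

Under the weak policy the breach notification matters, because every field it checks was on the laptop; under the second policy the same stolen record identifies the account but authenticates nobody.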
    59. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      Regardless of who hangs in the end for the financial liability, damage is caused.

      In the most likely case, the damage will be caused by the entity most responsible for the damage (other than the thief). That is, whatever bank is dumb enough to loan someone money without verifying their identity.

      The problem with your argument is the assumption of a "victimless crime"

      No, the problem is that you are considering the taking of numbers to be a crime in the first place. The only crime which has occurred is the stealing of a laptop.

      Even _if_ the person whose persona was thieved were proven innocent, the result would be harm to everyone in the form of tougher loan criteria, higher fees, etc.

      Only for those who go to a bank dumb enough to loan someone money just for knowing a number. I don't know of any such banks.

      After the ChoicePoint exploit, one African gentleman was caught only after submitting loan applications under at least 40 assumed personas, and having received approval for quite a few of them.

      Apparently he got caught, though.

      The loss of the SSN is not the cause per se; it is the piss-poor awareness of data protection best practices that led the data to being on a _laptop_ in the first place, and the piss-poor system that led to a perceived requirement to collect that information in a manner not necessarily directly related to social security-relevant purposes.

      No, the cause is people who think that a social security number is a password. That is, the very people who think it matters that these numbers were leaked in the first place.

    60. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      How many companies have you dealt with which asked you for your SSN as proof that you are indeed Anthony di Pierro, or in my case, John Salomon?

      None. And if I ever did, I'd immediately stop using their services.

      A social security number is not a password. But a whole lot of organizations use it as an equivalent.

      If that were true there would be way more fraud than there actually is. About the only thing you can obtain with information about a person like a social security number is a little bit of information. OK, if it would be a travesty for a crook to learn how many times you've gone to Wendy's in the past month, then maybe you've got something to worry about. But if you're that paranoid, you probably should be paying cash for everything, and go to a bank with no telephone or internet banking services.

      Interestingly enough, I've never been asked for the equivalent of an SSN (AHV here in Switzerland) for stuff here that isn't related to my pension or my taxes (which are directly related to my pension.)

      Wait a second. You're not even living in the US? No wonder you have no clue what you're talking about with regards to SSNs.

      As to why SSNs should not be used for identification with your example of credit reporting agencies

      Your examples are reasons why SSNs shouldn't be used as a password, not as identification.

      My pension information is, as far as I'm concerned, my business, not Experian's.

      Experian doesn't know anything about your pension. They keep records of your debts with companies (which you've agreed those companies are allowed to report, otherwise they wouldn't have given you the loan), and they keep public records, stuff like any judgements against you, any bankruptcy you've declared, etc. It's all either public information, or voluntary information.

      However, I maintain that the SSN is a messy way of doing it, contrary to its purpose.

      You know what. If you think you've got a better way to do it, start your own credit reporting agency. No one forces anyone to use Experian, TransUnion, or Equifax. People use these services because no one does what they do better.

    61. Re:Why do they need the SSNs? by fuzzybunny · · Score: 1

      None...

      Good. Now you're catching on.

      If that were true there would be way more fraud than there actually is.

      It happens, it happens quite a bit, and just because it doesn't happen more than it does is more a testament to the fact that there are easier ways of scamming money from people. If it happens to an individual, it's quite a hassle for them, with potentially tragic consequences, wouldn't you agree?

      You're not even living in the US

      Nice ad-hominem. I am a US citizen, I've lived in the US for most of my life. Yours is about as stupid a statement as "all Americans are fat and never travel abroad." "No clue?" Bite me. I've probably been dealing with identity-related issues for quite a bit longer than you. I shouldn't even dignify that with a response.

      Your examples are reasons why SSNs shouldn't be used as a password, not as identification.

      No, I'm saying that SSNs should not be used as either. They should be used as designed, which is as an attribute of an identity, which is fundamentally different. I suggest you do some reading up on identity management. If you're really interested in the topic, I'll be glad to recommend a few good books.

      Experian doesn't know anything about your pension.

      No, they don't. However, they could. In fact, anyone with their scope of knowledge of my identity and its aforementioned attributes, could. And that's what I don't want.

      No one forces anyone to use Experian...

      I don't. I also don't patronize, knowingly, any company which utilizes their services.

      But you know what? When I attended UC Berkeley, a publicly funded institution, as a California resident, I had no choice but to give them my SSN and a whole lot of other information. And don't give me any crap about "you could have chosen not to attend." All public universities require this. Partially for the legitimate reason of identifying me to Social Security, but to a large degree because they're too lazy to come up with a better mechanism, and too ignorant of proper ways of dealing with this information to implement proper safeguards against theft. And gee, what do you know? A laptop the stuff was stored on was stolen.

      No, the data probably won't be used against anyone, as it's likely some crack-addict who'll sell it for a quick fix. That's not the point though, as it could have been. And that's what you don't seem to comprehend.

      --
      Cole's Law: Thinly sliced cabbage
    62. Re:Why do they need the SSNs? by anthony_dipierro · · Score: 1

      It happens, it happens quite a bit, and just because it doesn't happen more than it does is more a testament to the fact that there are easier ways of scamming money from people.

      We certainly agree that there are much easier ways of scamming money from people.

      If it happens to an individual, it's quite a hassle for them, with potentially tragic consequences, wouldn't you agree?

      Not at all. The vast majority of the time it is easily cleared up by a few phone calls. Yes, there are probably cases where a combination of factors led to it being a hassle for some individuals, but that's going to happen with any identification system.

      Yours is about as stupid a statement as "all Americans are fat and never travel abroad." "No clue?" Bite me.

      You hardly can claim to have a good working knowledge of how things in the US work if you don't even live here.

      No, I'm saying that SSNs should not be used as either.

      Yes, that's what you're saying, but you haven't given any legitimate reasons why.

      They should be used as designed, which is as an attribute of an identity, which is fundamentally different.

      OK, now we're arguing semantics. Credit reporting agencies only use SSNs as an attribute of an identity. There is much more to a credit report than just your SSN.

      Experian doesn't know anything about your pension.

      No, they don't. However, they could.

      They could? WTF is that supposed to mean? They don't. They never will. They have no intention of ever knowing about it. It would make no sense for them to know it. And perhaps most importantly, they could only legally find out about it if you gave someone permission to tell them.

      No one forces anyone to use Experian...

      I don't. I also don't patronize, knowingly, any company which utilizes their services.

      Fine. So you don't borrow any money from US companies. I guess that's not so difficult, since you don't live in the US.

      But you know what? When I attended UC Berkeley, a publicly funded institution, as a California resident, I had no choice but to give them my SSN and a whole lot of other information.

      I'm not so sure that's true. A lot of places make you think you have to give them your SSN, but you really don't. But you know, so what? Why should the world have to adjust to the distortion you've become? Go live in another country if you don't like it. Oh, wait a second, you already have.

      Partially for the legitimate reason of identifying me to Social Security

      Partially? Either they need it or they don't. They can't need it partially. You admit they need it for a legitimate reason, even by your extremely narrow standard of what is a legitimate reason.

      but to a large degree because they're too lazy to come up with a better mechanism

      Yes, they've chosen not to waste money to fix something that isn't broken.

      and too ignorant of proper ways of dealing with this information to implement proper safeguards against theft

      The proper way to deal with social security numbers is to publish them in the phone book. Then no one will get the bright idea that they can use it as a password.

      No, the data probably won't be used against anyone, as it's likely some crack-addict who'll sell it for a quick fix. That's not the point though, as it could have been. And that's what you don't seem to comprehend.

      No, I don't understand all the ruckus about a stupid number.

    63. Re:Why do they need the SSNs? by Anonymous Coward · · Score: 0

      Oh, come on. "Statisticians?" Who needs statisticians? Nine digits, 999,999,999. Gosh ...

  3. No! by TheSpeedoBeast · · Score: 2, Funny

    Oh, HELL no, I just applied there!

    1. Re:No! by RootsLINUX · · Score: 1

      So did I, about a year ago! Dammit, they better take responsibility (in the form of giving me a free graduate degree as compensation)! *shakes fist*

      --
      Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
    2. Re:No! by tomhudson · · Score: 1

      That's okay. Don't worry. I can now sell you a genuine degree. Wink wink, nudge nudge.

      The price is cheap and lets you get into the job market that much quicker: $5,000.00 in Doritos and Mountain Dew [tt]

      Mind you, it's ALWAYS been possible to game the system to get universities to issue degrees. Records are lost, etc. It used to be that you had to go in with fake paperwork a couple of decades later, be really insistent, and walk out with your sheepskin. Nowadays, it's SO much more convenient, thanks to the internet :-)

    3. Re:No! by Anonymous Coward · · Score: 0

      Oh, HELL no, I just applied there!

      Hopefully they offer a refresher course in "alumni means that you GRADUATED from the university, not that you just applied"

    4. Re:No! by Anonymous Coward · · Score: 0

      You're stupid. The article also mentions people that merely applied.

  4. It's easy to encrypt in Windows by caluml · · Score: 4, Informative

    Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option.
    Better still, just create a directory (C:\Encrypted), and encrypt the folder, and all subdirectories.
    Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else.

    1. Re:It's easy to encrypt in Windows by Zemplar · · Score: 2, Insightful

      "Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option."

      I'd bet your paycheck that the password to login is on a post-it stuck to the laptop's keyboard!

      "Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else."

      HAHAHAHAA! A Windows user? I wouldn't count on it!

    2. Re:It's easy to encrypt in Windows by bostonsoxfan · · Score: 0

      Don't make all Windows users sound incompetent. I am a Windows user and I have backups of all my data and most of my passwords are eight characters and alphanumeric.

      The thing about this is that if you have access to the laptop, you will be able to crack it. It is just a matter of time.

      They need to be more responsible for the data they collect. Why do you need to carry around thousands of SSNs and nearly enough information to steal their identities?

    3. Re:It's easy to encrypt in Windows by silconous · · Score: 1

      It's also really easy to crack Windows encryption: there's a couple of Linux CDs that will crack the SAM file on a Windows box; you get the admin password, you get the data. Local admin is the default recovery agent in windoze. So using Windows encryption would only prevent the data from being accessed for about 10 min.

    4. Re:It's easy to encrypt in Windows by tmasky · · Score: 2, Informative

      With Win2k, maybe XP too, you need to download a special pack to get the 3des cipher if your copy is from outside the US. IIRC, this isn't even the default cipher. Plain DES is! (which is very insecure ;))

      Screw encrypting stuff with 3des =/ Laptop power is precious enough as it is.

    5. Re:It's easy to encrypt in Windows by canuck57 · · Score: 2, Insightful

      Windows, love it or hate it, makes it very easy to secure your data on a laptop

      I am not sure Windows has anything to do with it, as any OS supports crypto; the question is why did an application designed to hold social security numbers on an insecure PC not encrypt the data store?

      Users will not do anything they do not have to. And encrypting/decrypting files leaves copies of data unencrypted on the disk. So blaming the user is not it either.

      I would blame whomever acquired and authorized the use of the software (even if it is the user). This application was not designed for this type of use. And how did the data get on the laptop? Likely unencrypted ftp or perhaps an insecure CIFS share where the passwords are routinely cracked.

      And how much spyware did the user load on the system?

      Far too few are really too interested in security. For many it is lip service as they continue to practice careless computing.

    6. Re:It's easy to encrypt in Windows by Wingsy · · Score: 4, Informative

      Just as easy if not easier in OSX. Create an encrypted disk image (AES 128 bit) where the files are to be kept and do not put the pw in the Keychain. I'd trust encryption on a Mac a zillion times more than on Windows.

      --
      If I didn't have absolutely NOTHING to do, I wouldn't be here.
    7. Re:It's easy to encrypt in Windows by defy+god · · Score: 1

      from the article though, it is assumed that the person who stole the laptop did not know it contained such private information. most thefts are usually for the property itself (ie the laptop, the desktop, etc) and thieves don't actually care what's on the hard drive. if things like this were encrypted, then i highly doubt they would bother using a linux live cd or other tools to try and crack encryption. most of the time the laptop will be sold out of someone's trunk and the new user will not even realize what data they have on their new computer. fixing many computers, i've seen some people have data, settings, etc that obviously did not belong to them.

      --
      hackers of the world unite!
    8. Re:It's easy to encrypt in Windows by caluml · · Score: 1

      I assume that the person that stole the laptop wasn't targeting it - they just had a quick browse (maybe it auto-logged in a la XP), and went "Wahey, a nice spreadsheet full of gumpf - maybe I can sell this." I'm sure single DES would have stopped them.

    9. Re:It's easy to encrypt in Windows by jocknerd · · Score: 1

      Or you could just encrypt your entire home directory with File Vault. I'm doing this in Panther on my iBook with no problems. Of course, you can still make an image that's encrypted with AES128 inside of your home directory that's been encrypted.

    10. Re:It's easy to encrypt in Windows by Anonymous Coward · · Score: 0

      It's also really easy to defeat that crack you mention: Enable the local security policy item labeled, "Do not store LAN Manager hash value on next password change" and then change the account password. While the Linux-based crack utilities you allude to will allow you to reset the account password to blank, you will not have access to the hash value of the secret key passphrase necessary to decrypt the Encrypted File System object(s). Obviously the strength of the secret key passphrase still determines the relative security vs. cryptographic attack/analysis, but it defeats the script-kiddie level attack you mention.

    11. Re:It's easy to encrypt in Windows by Pingsmoth · · Score: 1

      Macs used to have that feature in OS9 and possibly OS8, but it's gone in OSX. Weird. You could ctrl-click on any document and get an option to encrypt it.

      --
      http://www.walkingtaco.com
    12. Re:It's easy to encrypt in Windows by n6kuy · · Score: 1

      I keep backup of my encryption key in C:\Documents and Settings\Administrator\My Documents\EncryptionKey.txt just in case I forget what it is...

      --
      If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
    13. Re:It's easy to encrypt in Windows by hakalugi · · Score: 1

      it works, but just be sure to not lose the login password for the account that does this 'encryption' step.

      if you log in as local/domain admin and [have to] forcibly change the dumb user's PW - you'll lose access to all this data (the key is tied to the user's un/pw)

      --
      If she floats, she's a witch.
    14. Re:It's easy to encrypt in Windows by hakalugi · · Score: 1

      you should read macosxhints - and the agony of several users who encrypted their disk when 10.3 came out (an option in it)

      it was "buggy" per apple, and these folks lost all their data (when they turned off the buggy encryption, their data was still encrypted, but now the key didn't work)

      so blanket statements are worthless, even this one. but in the case above, i'd have taken the XP encryption :)

      --
      If she floats, she's a witch.
    15. Re:It's easy to encrypt in Windows by springbox · · Score: 1
      I am not sure Windows has anything to do with it as any OS supports crypto

      Yes, there are encryption applications for most operating systems, but the big difference with NTFS is that encryption is built into the file system's spec. It might leave some unencrypted data around, but a lot of the recently used unclaimed space seems to get trashed quickly.

    16. Re:It's easy to encrypt in Windows by the+gnat · · Score: 1

      Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else.

      Yeah, but this is Berkeley, which means it has all the entrenched arrogance of higher education, the mindless bureaucracy of any government-funded organization, and the sheer surreality of, well, Berkeley.

      Our department has several employees who spend significant amounts of their time explaining how to deal with the rest of campus administration. God bless 'em - we'd never figure this shit out on our own. Other than our handlers, the only good thing I can say about Berkeley bureaucracy is that the post office here is much, much worse.

      If that data really was being stored unencrypted on a laptop, there'd better be some pink slips handed out or I'm buying guns. This is one of the rare occasions where I wish I belonged to the degenerate pack of Marxists known as the graduate employees' union, because they might actually be able to get something done. (Unless the person responsible was also unionized, of course!)

      On behalf of Berkeley grad students, I'd like to offer a big "fuck you" to the administration.

    17. Re:It's easy to encrypt in Windows by Anonymous Coward · · Score: 0

      Really? Hmm... my drive was formatted FAT32 and I don't see such options. ;-)

    18. Re:It's easy to encrypt in Windows by Anonymous Coward · · Score: 0

      Yes, there are encryption applications for most operating systems, but the big difference with NTFS is that encryption is built into the file system's spec. It might leave some unencrypted data around, but a lot of the recently used unclaimed space seems to get trashed quickly.

      You ought to read something more than Microsoft brainwashing. NTFS is no more or less advantageous to other systems if not used or incorrectly used. A decent programmer knows not to write un-encrypted data to the disk and since NT's memory protection is poor compared to say Linux or other UNIX OSes, other running applications may have access to un-encrypted memory.

      You would be surprised to see what is on the un-used disk blocks of NTFS... go and try it on your home PC, any program can call BIOS on interrupt 21 and read disk block by block. Swap/page files can be especially interesting. Do a google on "dd.exe forensic".

  5. Wow... by InterruptDescriptorT · · Score: 4, Funny

    Talk about your OpenBSD (Berkeley Social Data)...

    --
    Karma: Excellent Birds (mostly as a result of listening to Laurie Anderson)
  6. Privacy by Tom · · Score: 4, Insightful

    Let's hope the sheer amount of identity theft problems will spearhead a push for more privacy protection.
    I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a responsibility to your clients, customers, whatever.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Privacy by tuxette · · Score: 2

      You may want to use the EU Personal Data Directive (95/46/EC) as a starting point. But even the Directive has its weaknesses...

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
    2. Re:Privacy by Tom · · Score: 1

      The problem here being that

      a) the US (where most of these problems happen) is not a member of the EU
      b) the US has put immense pressure and bought/bribed some politicians in the EU to bypass the EU directive, even where it would apply to US businesses (i.e. transfer of data from EU to the US).
      I say bribed because the affair (about a year ago) was quite similar to what's happening with the software patents right now - only insanity or bribery can explain the behaviour of some key persons.
      If I recall correctly, there was even talk of criminal prosecution of the responsible EU director, but I fear like all such things nothing came of it once it had dropped out of the public interest.

      --
      Assorted stuff I do sometimes: Lemuria.org
  7. The real problem: unchangeable passwords by pocari · · Score: 5, Interesting
    The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

    It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.

    I am too chicken to go first, though.

    1. Re:The real problem: unchangeable passwords by anthony_dipierro · · Score: 2, Interesting

      The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

      Schools maybe, but what bank or credit bureau does such a thing?

      It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent.

      I am too chicken to go first, though.

      The problem is, you'd probably be negligent for listing yourself in such a database.

      If you really want to make it harder to get a loan, just call up the three credit bureaus and tell them that your identity was stolen. They'll put a note on your credit report and you basically won't be able to do anything by phone any more.

      I fail to see how this is a good thing, though.

    2. Re:The real problem: unchangeable passwords by pocari · · Score: 2, Interesting

      As an individual act, it is foolish. Which is why I am chicken. You cannot boycott the bus system by yourself and expect change. But if enough people did it, businesses would be forced to figure out something else. You can't put a note on everybody's credit report and expect the system to run smoothly.

    3. Re:The real problem: unchangeable passwords by matth · · Score: 2, Interesting

      I have been "bucking" the system for years... the only people who have my SSN are my bank, my employer, the IRS, and my college (due to some horrible mixup that occurred when my parents gave them my number back in my youth.. however I got the school to generate a number for general use.. but they refused to remove my SS from the database)..

      But.... I've happily gone around not giving out my SSN.... Given Blood, etc, etc... just say "sorry, I don't have one".

    4. Re:The real problem: unchangeable passwords by Anonymous Coward · · Score: 1, Interesting

      Never bothered to post before, sorry for the AC.

      Have a system where US citizens (Gotta HAVE a SSN) fill out a bunch of such data, and then it's hidden.

      Gone, invisible. No one else can see it.

      Until, let's say, a million people sign up.

      See? No one has to be the chicken.

      And you better encrypt that system ;-)

    5. Re:The real problem: unchangeable passwords by bblfish · · Score: 1

      I completely agree. The banks and all these institutions should be penalised for using such numbers as proof of identity.

      Private institutions such as banks or the government should instead be giving out kryptokeys (also known as token cards) that give unique one time time-limited passwords to prove the person's identity.

      That is what we had when I worked at AltaVista. At Sun they have exactly the same system, and I believe most security conscious institutions work that way. I would be really surprised if the technology is not far enough that one cannot now get such a display embedded on a credit card.

    6. Re:The real problem: unchangeable passwords by anthony_dipierro · · Score: 1

      But you're assuming it's a bad thing in the first place. If someone wants to give someone a loan without first checking that they actually are who they say they are, why should I care just because they say they're me? Sure, up to a year later I'll notice a false statement on my credit report, and I'll have to make a phone call or 2 to get it removed, but ultimately the person who really gets screwed over is the person who made the loan in the first place.

      There's enough disincentive against banks in just blindly giving away this information. The only part that's really going to hurt you is if your bank is willing to give out your other sensitive data (like your balances or your last checks paid) to someone who just gives your SSN. Yeah, that might suck if you're hiding that information for some reason, but not all banks are that lax with their information. If your bank is, maybe it's time to have a chat with them, and/or get a better bank.

    7. Re:The real problem: unchangeable passwords by GigsVT · · Score: 1

      "A phone call or two" are not how most of the stories of abused credit ratings read.

      Seems to me more like a multi-year process of making calls and writing letters, and dealing with sleazy collection agencies.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    8. Re:The real problem: unchangeable passwords by anthony_dipierro · · Score: 1

      "A phone call or two" are not how most of the stories of abused credit ratings read.

      Because "a phone call or two" doesn't make for a very good story.

      Seems to me more like a multi-year process of making calls and writing letters, and dealing with sleazy collection agencies.

      If you catch it soon enough it's not going to get to that. I strongly recommend that everyone check their credit once a year. Under a new federal law you can do this for free in every state, it used to be state law in only some states. I've had a number of false items taken off my credit, and haven't had any problem. I know someone else who has had their identity used by someone to sign up for all kinds of stuff. A few phone calls was all it took to take it off her credit report. The only ongoing inconvenience is that now she can't sign up for anything major online or over the phone, which is essentially what we'd have anyway.

      I'm sure there are a few isolated cases of people who have gone through bigger problems, but most of the time it's nothing more than a phone call or two (it's just that this doesn't make the news). Anyway, one thing that should be done to make things easier is to give everyone unlimited access to check their own credit report.

    9. Re:The real problem: unchangeable passwords by ArmchairGenius · · Score: 1
      I agree. Although I think the real problem here is the idiot policy or person that allowed a large amount of sensitive data like this to be stored on a laptop.

      That is just begging for a class action lawsuit.

    10. Re:The real problem: unchangeable passwords by JBlaze03 · · Score: 1

      You obviously have never actually had to deal with Identity theft... "A phone call or two" doesn't even begin to describe what you have to go through. This is a long and involved process that can take a month or more. If you happen to find out about this because you are applying for a loan, as I was, this can be a major hassle waiting for a month before the bank can begin to process the loan.

    11. Re:The real problem: unchangeable passwords by Anonymous Coward · · Score: 0

      Schools maybe, but what bank or credit bureau does such a thing?

      BankOne.

    12. Re:The real problem: unchangeable passwords by Vitriol+Angst · · Score: 1

      More effective, would be a website that published bankers' and credit card company executives' SSNs. Perhaps a few college administrators as well. And don't forget to throw in a few Senators. These people won't act until it's their butt on the line.

      What I would like to see, is the SSN becoming public like you say, but then having a "private key" component that is encrypted as well. The government, and authorized bodies, would decrypt the private key and send it back--showing that they were authorized to receive the authentic password. All the user would need to remember is their current password, that could be changed without ruining one's credit. Businesses would see the unique identifier for the person, and a note from the government authorization service that the person was authorized to use the SSN.

      We need real protection because everything now is about our credit. Especially since we are moving back to a system supporting indentured servants.

      --
      >>"ad space available -- low rates!!!"
    13. Re:The real problem: unchangeable passwords by anthony_dipierro · · Score: 1

      You obviously have never actually had to deal with Identity theft.

      Of course not. No one has ever stolen my identity. At the most they've copied it.

      If you happen to find out about this because you are applying for a loan, as I was, this can be a major hassle waiting for a month before the bank can begin to process the loan.

      Well, if you knew you were going to be buying a house, you should have checked your credit report at least a month before you even began the process. Of course, maybe you didn't know until the last minute and couldn't do that.

  8. Biometrics by failure-man · · Score: 5, Interesting

    With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.

    These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.

    1. Re:Biometrics by tuxette · · Score: 1

      Riiiiiiiiiiight. Until someone decides, just for a cheap thrill, to mess around with the databases matching people to their biometric data. (Among the many things that can easily happen to fuck everything up.) Then the fun really begins!

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
    2. Re:Biometrics by Leadhyena · · Score: 0

      If anything, the original thief doesn't have the laptop by now... he probably hawked it for cash the first chance he got. I bet you that the original thief is kicking himself right now while the trafficker is salivating over his newest purchase.

    3. Re:Biometrics by Sierpinski · · Score: 1

      I have to agree. Instead of trying to protect information like our SSNs (which will never happen) we should instead make it more difficult to apply for these credit/life ruining things, like credit cards, loans, whatever. I have a little trashcan on the inside of my front door that all of the credit card applications, mortgage applications, and anything else that is more than a 'To the Resident At...' letter. Those get shredded, then incinerated.

      How honest do you think all of the waiters/waitresses are in the country? You don't think that no server has ever written down or somehow captured your credit card number before charging your meal to your card? Even worse, they also have that little 3-4 digit number that verifies that you actually own the card.

      Recently while making an online purchase, I was asked to provide that number. I instantly thought that if I gave that number away to someone else, then THEY would have that number, as well as all the information that I provided to bill me. The caveat is that I wanted them to charge me, but how do I know that my CC information isn't in some waiting-to-be-hacked database somewhere?
      I don't, so I check my statements rigorously to make sure that there are no charges on there that I don't know about. Since our bank offers online banking, I don't have to wait until the end of the month see what's happening.

      The problem with this whole situation is not that people's information is being leaked to/stolen by dishonest people, it's that those people have way too easy of a time USING that information for their own benefit. Make it more difficult to USE this sensitive information, and the information will become less sensitive.

      I've never seen a cop show or heard about a court case where they convicted someone based on what their SSN was, but they use fingerprints for that all the time. Why should this be any different.

    4. Re:Biometrics by the+gnat · · Score: 1

      Among the many things that can easily happen to fuck everything up.

      Subpoenas or search warrants for these databases scare me far more than hackers do.

    5. Re:Biometrics by JimBobJoe · · Score: 1

      I've never seen a cop show or heard about a court case where they convicted someone based on what their SSN was, but they use fingerprints for that all the time. Why should this be any different.

      Actually the SSN is a major piece in US criminal records, you just don't hear about it because it's not as sexy as forensics is.

      Fingerprinting is a bit on the overblown side, you hear about it a lot more often than it is used.

  9. Great by baadger · · Score: 2, Interesting

    ...but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable

    And in another twist of fate the thief is a hardcore slashdotter.

    1. Re:Great by Anonymous Coward · · Score: 0

      I was going to mention something to that effect: The thief may not know he has all this, but by everyone jumping up and down about how bad it is, he may be better informed.

      I haven't had my coffee and NPR yet to find out whether this has hit the real news circuits.

  10. I know! by starmang · · Score: 1

    Just give everyone affected a new SSN!

    --
    Never touch an Irish man's Guinness!@#
  11. Identity data stolen from a private university by Anonymous Coward · · Score: 0

    If the headline were about a state university or a community college instead of Berkeley, the Slashdot Losertarians would be coming out of the woodwork claiming "That's why we need to abolish these 'unconstitutional' colleges". Since it is about a private University, the Losertarians probably won't say a word here about it "except, perhaps that California's mandatory notification law is 'unconstitutional' and should be abolished". Maybe they don't want people to know that maybe they're wrong about privatizing everything?

    1. Re:Identity data stolen from a private university by tuxette · · Score: 2

      UC-Berkeley is a state university.

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
    2. Re:Identity data stolen from a private university by Muttley · · Score: 3, Informative

      umm, sir, Berkeley is a State University... University of California. It in fact might be one of the best public universities in the country, alongside UT Austin, UW Seattle, Georgia Tech, and that probably wraps up my knowledge of US Public Universities.

      Trivia - who is the highest paid state official in California...?
      The coach of the UCLA Football team.

      --
      M.
    3. Re:Identity data stolen from a private university by silconous · · Score: 1, Offtopic

      Should be the USC football coach he wins more games.

    4. Re:Identity data stolen from a private university by Anonymous Coward · · Score: 0

      Thank you for that wonderful mod, it proves that most of shitdotters are fucktards that once the Libertarian Party gets into power that shitdot will crumble because most shitdotters, including Fucktard Taco and FucktardNeil, will no longer have welfare coming in. BTW, this willl get me an insightful mod, Linux Rulz and Windowz Droolz. OSS rulz and Microshit Droolz.
      _________________________________________ __
      A vote against a Libertarian candidate is a vote
      to abolish the Constitution itself.

    5. Re:Identity data stolen from a private university by Anonymous Coward · · Score: 0

      USC is a private school

    6. Re:Identity data stolen from a private university by chialea · · Score: 1

      Perhaps I'm biased, but I'd have to rank Berkeley higher than those other schools. In CS, it's certainly ranked higher, though UW is reasonably close and Georgia Tech has been hiring well recently. In addition, Berkeley has hundreds of top-10 departments; virtually any discipline you can think of has a top-level department.

      But hey, I went there as an undergrad and loved it, so I may well be biased.

      Lea

    7. Re:Identity data stolen from a private university by Doctor+Faustus · · Score: 1

      The AC was probably thinking of Stanford.

    8. Re:Identity data stolen from a private university by Anonymous Coward · · Score: 0

      University of Illinois at Urbana-Champaign is also a great public university, one of the best engineering schools.

      For basketball fans, this is the same Illinois that is in the Final Four.

  12. Wow... by jpiggot · · Score: 2, Funny
    ..and the irony of the theft...is that pot dealers are anxiously bidding for the laptop on Ebay, for a chance to sell weed to more than enough smokers needed to put that down payment on that cool 50ft motoryacht they've been wanting.

    I kid because I love. What other university lets you major in "crispy" ?

  13. Yeah, but what's the thief gonnado with it? by 91degrees · · Score: 2, Insightful

    Identity information is only useful to people who know how to perpetrate identity theft. If this crook knew how to do this the chances are he'd already have looked. And he has to realise that it is the laptop he stole.

    It's a problem if he knows this and knows someone who knows what to do with the data, but at least with disclosure the victims know they are at risk.

    1. Re:Yeah, but what's the thief gonnado with it? by Anonymous Coward · · Score: 0

      Sell it to the highest bidder?

    2. Re:Yeah, but what's the thief gonnado with it? by 91degrees · · Score: 1

      I want details. A complete scenario.

      Put yourself in the thief's position - You're a thief. You see a laptop. You also see that its owner isn't looking, so you steal it. Normally you'd just sell it to a fence who would format it and resell it. You already know the guy. You've sold him dozens of pieces of electrical equipment. He takes it apart and sells it as components.

      However, instead you hear that a laptop that has lots of personal information useful for identity theft has been stolen, and somehow you realise it's the one you stole. You take it to the fence. He doesn't know anyone who is into anything above petty crime, so will only pay you the usual rate.

      How do you find any bidders who want this information? They don't advertise and aren't going to trust you since you could easily be a cop.

      So come up with a more detailed scenario. Perhaps the fence knows people, but why would he know them? How is it that he often gets hold of lists of SSNs?

  14. My identity stolen? by anthony_dipierro · · Score: 1, Insightful

    No, my identity may have been copied, but my identity certainly wasn't stolen.

    1. Re:My identity stolen? by anthony_dipierro · · Score: 1

      Bill Gates SSN is 539-60-5125. That is public knowledge and has been for years (his address is too). Now do you think he's lost his house or has any trouble using credit cards?

      How would you lose your house due to bad credit anyway? Once you've been approved and bought the house, as long as you make payments, you're not going to get your house taken away no matter how bad your credit becomes.

    2. Re:My identity stolen? by Anonymous Coward · · Score: 0

      Maybe when the creditors start garnishing your wages. Maybe when you try to enter a second mortgage.

    3. Re:My identity stolen? by HexDoll · · Score: 1

      An identity is supposed to be unique. Copying it makes it no longer unique. The uniqueness of your identity was stolen.

    4. Re:My identity stolen? by anthony_dipierro · · Score: 1

      You can't garnish someone's wages just because you gave a loan to someone who pretended to be him.

  15. I don't believe it by Anonymous Coward · · Score: 0

    Can someone post all stolen data here for proof?

    1. Re:I don't believe it by Anonymous Coward · · Score: 0

      It's not theft, it's copyright violation ;-)

  16. Can you say "Irony" by tomhudson · · Score: 5, Interesting
    SISS, UC Berkeley - Social Security, Driver's Licenses, and California ID Cards
    Social Security Number Safety

    Although a SSN is only meant to be used for tax and government purposes, it is often used by financial institutions, businesses, and others as a unique identification number. Because the SSN is a unique ID, it is often the target of "identity theft". Therefore you should be very careful about where and to whom you give your SSN.

    • Never carry your Social Security card or number with you. Keep it at home in a secure place.
    • Only give your SSN to someone who has a specific and legitimate need for it.
    • Be very careful with any forms, applications or other materials that may have your SSN on it.
    • Never give your SSN to someone who phones you. You should initiate the call or meet in person.
    • Never reply to email or web sites that request an SSN.
    Gee, too bad they don't follow their own advice to "be careful". Guess they haven't quite gotten the hang of that "intarweb thingee" yet.
  17. Why does the notifcation have to be public? by vrimj · · Score: 4, Interesting

    Unless they have no idea what specific data was involved why not just send these people a letter?

    As I read the law personal notification is not only allowed it is preferred. The complaints about "now the thieves know they have something valuable" seems like it is more a result of the choice to hold a press conference and save the cost of a lot of stamps.

    1. Re:Why does the notifcation have to be public? by WebHostingGuy · · Score: 2, Interesting

      I think it really doesn't matter. As soon as someone gets the notification someone will tell the press. Also, by releasing it out you control the story and timing. There is no way a story about a large university losing this data would stay out of the media.

      --
      Quality Hosting e3 Servers
    2. Re:Why does the notifcation have to be public? by Life2Short · · Score: 2, Interesting

      Send a letter where? I was at Berkeley '94-95. Since then I've lived in London, Western MN, San Francisco, and NC. Since the data includes people who got degrees in the '70s, they might not be too easy to track down.

  18. At Least It's Not Arrogance by mirio · · Score: 5, Interesting

    Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia, I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).

    Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.

    The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.

    Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed to care.

    I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.

    I graduated in 99 so I'm not sure if any changes have been made. I would love to know.

    1. Re:At Least It's Not Arrogance by emotionus · · Score: 2, Interesting

      I'm an undergrad student now. Currently not declared.

      Anyways, who should I go talk to? I also know a CS grad student here.

      I could give my liberal hippy friends something to protest about on campus.

    2. Re:At Least It's Not Arrogance by EmagGeek · · Score: 1

      ARRRRRGH!!! BANNER!!!! I remember that big, ugly whore of a database from my days at another unnamed university... oh hell, the Georgia Institute of Technology. In fact, after I saw your post, I logged into my banner account (I graduated in 1999) and checked out my grades... hah...

    3. Re:At Least It's Not Arrogance by Skater · · Score: 2, Interesting

      When I was a teaching assistant at the University of Georgia, we were given the SS# of every student in our class. I never once used them, and I would've strongly preferred not to have them at all. Also, we were never given anything saying, "Hey, this information is confidential and should be treated with care." (I know that's obvious to you and I, but it's not obvious to everyone.)

      The only reason I could see for us having SS# was that without them we were relying on names to be unique within a given class of 30 people - a problem I didn't run into in 2 years of being a TA. But a simple unique student ID would serve that purpose as well - and the last few digits of that could be read aloud without any risk to distinguish the two students on the first day of class.

      For basic stats classes (STAT 200, later 2000), we also had them fill out their SS#s on the scantron forms.

    4. Re:At Least It's Not Arrogance by Acidangl · · Score: 1

      We are required to run Datatel's Colleague product. It runs telnet and just recently got the ability to run telnet over SSL. Our backend database is IBM Unidata...Oracle would be a god send. Ever tried to pull a report from a nested relational database?

      --
      I'm a cucumber
    5. Re:At Least It's Not Arrogance by Fancia · · Score: 1

      Dear Goddess, that school uses Banner and doesn't even bother to use its own ID system? o.o; My school uses Banner, too (although I can't comment on the quality of the system - I'm on the student side, not the faculty/administration side), but they assign us specific Banner IDs that we use everywhere instead of SSNs or whatnot.

      --

      Bít, zabít, jen proto, ze su liska!
    6. Re:At Least It's Not Arrogance by Anonymous Coward · · Score: 0

      Do they still post SSNs and your grade outside of classrooms? That's real secure!

    7. Re:At Least It's Not Arrogance by Skater · · Score: 1

      Since I don't know what Banner is, I'm going to say that we didn't have it. The University of Georgia is separate from Georgia Tech and the University of West Georgia. :)

      It's quite possible it's been put in since I graduated in 1999.

    8. Re:At Least It's Not Arrogance by emotionus · · Score: 1

      We have separate school ID #s now. They have phased out the use of SSN.

    9. Re:At Least It's Not Arrogance by Anonymous Coward · · Score: 0

      When I was in grad school, my school had the same practice. Everyone who taught (grad student or professor) had a list of their students' names and social security numbers. Again, no notice of confidentiality.

      It was a large enough school that there were perhaps a thousand people who would have had access to SSNs as a result of teaching. This doesn't include people who were involved with administration or financial aid. With that many people with access to SSNs, what would be the odds that at least someone would abuse such access?

      In the case of very large classes, the test results would be posted, along with the last 5 digits of each student's SSN.

      Worse yet, for decades my school printed a student's full name and SSN on their ID card--the same card which was also used for charging on-campus purchases and checking out library materials. A person's SSN was also imprinted on the campus store receipts and the library checkout slips. It was only when I was in grad school that they switched to less-revealing ID cards and receipts.

      Too bad there isn't a +1 Scary mod.

    10. Re:At Least It's Not Arrogance by Fancia · · Score: 1

      Oh, sorry. I just saw Georgia and assumed you were talking about the same university as the parent.

      --

      Bít, zabít, jen proto, ze su liska!
  19. Too much by QuietLagoon · · Score: 2, Interesting

    Why was that amount of personal data allowed to be on a laptop in the first place?

    1. Re:Too much by tuxette · · Score: 3, Insightful
      I was about to ask the same thing.

      What a lot of "security officers" seem to neglect is that an important part of security is to make what one would want to steal physically difficult, even impossible, to do so. This would perhaps work as a last resort against other stupidities such as forgetting to encrypt or letting non-authorized persons in a restricted zone.

      Incidentally, a laptop doesn't even need to be stolen. Call any train station or airline and ask them how many laptops are forgotten each day. Each week. Each month.

      Nobody raises an eyebrow when they see someone carrying a laptop on a university campus. Someone trying to haul a big machine would draw more attention.

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
    2. Re:Too much by Anonymous Coward · · Score: 0

      Sometimes people don't think when sending systems outside of their network/building/campus/whatever.
      For example, one of my college roommates got a computer second-hand from his mom's place of business. He asked if I could clean it up a bit, as the sysadmin who sold it outside the company had failed to either replace the hard drive, or at least format it. I was able to pull names, addresses, phone numbers, email addresses, and SSNs for employees of that company.
      What company, you ask? I won't say outright, but it's a big one. Everyone has heard of them. And it's not MS.

    3. Re:Too much by Anonymous Coward · · Score: 0

      Does the position of Security Officer even exist there? And no, a student who works in the lab and can spell nmap doesn't count.

    4. Re:Too much by tuxette · · Score: 1
      That's sort of why I put it in quotes. They're called different things different places. In hindsight, I should have written "person responsible for security" or something like that I suppose...

      But yeah, back to your question. Does such a position exist? And if not, would the typical duties of a "security officer" be the duties of someone else with an entirely different title?

      If not, why?

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
  20. My college, too. by Short+Circuit · · Score: 1

    Late last year, GRCC had three laptops stolen from the Payroll department. To get there, you have to go to a specific hallway, on a specific floor, in a specific building.

    Methinks it was a targeted effort.

    1. Re:My college, too. by OneSmartFellow · · Score: 1, Funny

      Surely to get into any room in any large building one must go to a specific hallway, on a specific floor.

      Does this mean all theft from all large buildings is targeted?

    2. Re:My college, too. by Short+Circuit · · Score: 1

      During a vacation period, when nobody's supposed to be around? When only that department is burglarized?

      It's not easy to find that department, if you haven't been there before. It's not on the ground level, or on the same level as any of the skywalks into the building.

    3. Re:My college, too. by deadweight · · Score: 2, Funny

      "To get there, you have to go to a specific hallway, on a specific floor, in a specific building" Doesn't that describe ANY physical location inside ANY multistory building?

    4. Re:My college, too. by grassy_knoll · · Score: 1


      Methinks it was a targeted effort.


      Might have been. A friend of a friend had her car broken into, purse and briefcase stolen. The briefcase contained employment records for her business ( small cleaning company ). Passed other cars to hit hers, in and out quickly... does seem like she was targeted.

      So perhaps there are criminals targeting personal info for theft?

  21. Why all on a latop? by WebHostingGuy · · Score: 5, Insightful

    Why was all of this on a laptop?

    Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.

    --
    Quality Hosting e3 Servers
    1. Re:Why all on a latop? by wrenhunt · · Score: 2

      Exactly! The media is missing the point here too that not only that data was taken, but why was all this stuff on a laptop in the first place?

    2. Re:Why all on a latop? by Anonymous Coward · · Score: 0

      They probably figured that was an obvious conclusion that didn't need to be pointed out.

      Maybe the law should require that people who manage sensitive personnel data need to have IQs of at least 90.

    3. Re:Why all on a latop? by Anonymous Coward · · Score: 0

      User probably had a laptop.
      User was probably also told they had to keep some report or another around on their personal machine "for audit purposes" (which is used to justify more outrageous security breaches than you can possibly imagine.)

    4. Re:Why all on a latop? by Anonymous Coward · · Score: 0


      Sensitive information should be placed in a central repository and then encrypted and guarded.


      And exactly how many of those systems have you implemented?

    5. Re:Why all on a latop? by __aapopf3474 · · Score: 1
      Yup, this is a huge problem.
      Berkeley does have a Provisional Data Management, Use and Protection Policy (DMUP), but the key is getting users who have personal data to classify and protect their data.

      The hardest cases are Professors, who _really_ like their laptops. How protected should a list of student names and student IDs be? (Mercifully, the student id is not the SSN). Note that student names are protected information, grades can be posted on doors, but the student id is used, not the name.

      It is sad that it takes a case like this to get the barn door closed.

      Total Disclosure: I work for Berkeley, but I have no idea about the details of the missing laptop.

  22. You can refuse to give out your SSN by Anonymous Coward · · Score: 0

    Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

    I have done it a number of times.

    Federal law mandates your SSN is private and the only organization that can legally require you to disclose it to them is a branch of the Federal government.

    Next time tell them you are not comfortable giving out that information. If they give you shit and are not a private organization ask to speak with a manager, explain to him and if he still refuses ask to speak with his manager, etc... I did this until I talked to someone at the fish and game dept to get a 5-day fishing license in Colorado. Once the guy heard from the "horse's mouth" so to speak to sell me the license he apologized and sold it to me.

    My father, a paranoid man, refused to give his SSN to the DMV and they refused to register his car. He waited in the lobby until he talked to the commissioner of the DMV and they promptly apologized and gave him his plates.

    You don't ever have to give it out to a non-government agency but your refusal will be an inconvenience.

    1. Re:You can refuse to give out your SSN by Anonymous Coward · · Score: 0

      um...DMV *is* a gov't agency last time I checked...

      Now it's a State agency, not a federal one, perhaps you mean you don't have to give it to a non-Federal gov't agency?

    2. Re:You can refuse to give out your SSN by DesertBlade · · Score: 0

      Urban legends need to have some basis.

      This is from the Social Security site:

      The Privacy Act regulates the use of SSNs by government agencies. When a Federal, State, or local government agency asks an individual to disclose his or her Social Security number, the Privacy Act requires the agency to inform the person of the following: the statutory or other authority for requesting the information; whether disclosure is mandatory or voluntary; what uses will be made of the information; and the consequences, if any, of failure to provide the information.

      If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.

      http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78&p_created=955482891&p_sid=4s9RaDBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9NjMmcF9wcm9kcz0mcF9jYXRzPTE2LDAmcF9wdj0mcF9jdj0xLjE2OzIudTAmcF9zZWFyY2hfdHlwZT1hbnN3ZXJzLnNlYXJjaF9ubCZwX3BhZ2U9Mg**&p_li=&p_topview=1/

      --
      Half of writing history is hiding the truth.
    3. Re:You can refuse to give out your SSN by Anonymous Coward · · Score: 0
      "whether disclosure is mandatory or voluntary; what uses will be made of the information; and the consequences, if any, of failure to provide the information. "

      Umm you forgot to include the list. All except the below are not mandatory.
      * Internal Revenue Service for tax returns and federal loans
      * Employers for wage and tax reporting purposes
      * States for the school lunch program
      * Banks for monetary transactions
      * Veterans Administration as a hospital admission number
      * Department of Labor for workers' compensation
      * Department of Education for Student Loans
      * States to administer any tax, general public assistance, motor vehicle or drivers license law within its jurisdiction
      * States for child support enforcement
      * States for commercial driver's licenses
      * States for Food Stamps
      * States for Medicaid
      * States for Unemployment Compensation
      * States for Temporary Assistance to Needy Families
      * U.S. Treasury for U.S. Savings Bonds
      ALL of which use government funds for support and/or report back to the federal government. At least post the info that contradicts your claim if you are going to post any of it. Otherwise it is just lying.
    4. Re:You can refuse to give out your SSN by DesertBlade · · Score: 0

      And you forgot to include:
      While we cannot give you a comprehensive list of all situations where an SSN might be required or requested.

      Andy don't be a coward.

      --
      Half of writing history is hiding the truth.
  23. Copycat thief, or wily hacker again? by Dossy · · Score: 1

    Maybe the laptop thief was actually the same wily hacker at Harvard Business School.

  24. Are hunting and fishing license not awarded by the by Anonymous Coward · · Score: 0

    Are hunting and fishing licenses not awarded by the government

    No they are State issued without any government involvement.

  25. Some Are Switching by LighthouseJ · · Score: 1

    My school has switched from using Social Security Numbers to our unique numbering system. I can use this number everywhere I used to use my SSN when logging into secure sites, signing up for university classes, etc... Even my state of Virginia changed over from SSNs on the license to "Customer Numbers" which mean nothing to anyone who doesn't need to know my ID.

  26. idiots by Mr.+Underbridge · · Score: 5, Interesting
    I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on an insecure PC not encrypt the data store?

    Something tells me the whole thing was on Excel.

    There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.

  27. get them SSN's by Anonymous Coward · · Score: 2, Insightful

    They will need one eventually.

    Without an SSN you can't get financial aid. I was born on a commune near the Canadian border and didn't have either a birth certificate or SSN for many, many years.

    Eventually I got the opportunity to go to Moscow. It took me almost 2 years to get a passport. Needless to say I missed the trip.

    I then applied to college and got accepted. Since we are dirt poor I applied for financial aid. They promptly said, sorry you are not enlisted with the selective service. I said no shit. They said no money. I then went to enlist with the SS (selective service) and they said "who the fuck are you, what do mean you don't have an SSN, get one and come back." I finally got a SSN when I was 17 years old, enlisted Selective service, got financial aid, went to UCLA and now am your typical suburban programmer with a wife and family (my way of rebelling against being born in the fucking woods).

    The moral, get your kids a SSN. Don't punish them because you hate the government.

    1. Re:get them SSN's by matth · · Score: 1

      Yeah sad how you can't get financial aid without enlisting in the selective service isn't it? It's like they use that to check to make sure you are enlisted.. how cheap is that?

    2. Re:get them SSN's by Excen · · Score: 1

      I was born on a commune near the Canadian border. . .Since we are dirt poor. . .

      There are too many jokes there for me to possibly do justice to your "Goddamned Hippy" background.

      --
      "No beer until you finish your tequila!" -Leela's Dad
  28. California Universities by That's+Unpossible! · · Score: 3, Interesting

    Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

    As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.

    --
    Ironically, the word ironically is often used incorrectly.
    1. Re:California Universities by ahodgkinson · · Score: 1
      • Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?
      Nope, it's not just you. The same thing is going on everywhere else. It's just that in California they have a law that requires disclosure when data gets out. (article describing law)

      The reason you keep hearing about data leaking from Californian universities is because they actually follow the law, unlike some federal agencies.

      A better question to ask is: 'What about all the privacy violations that you don't get to hear about?'

      You need this law at the federal level.

      --
      ---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.
    2. Re:California Universities by JohnsonWax · · Score: 1

      I work at a CA university, so I know the answer.

      The answer is that CA passed a law a year ago that mandated notification of personal data theft (there's a list of data elements that trigger this) either directly to the individuals or publicly if that is not possible.

      What you're seeing in CA is the first semi-proper accounting of how much data theft is taking place. The reason you don't see it in other states is that they don't have such laws, so it's not being disclosed. It most certainly IS still happening, however.

    3. Re:California Universities by That's+Unpossible! · · Score: 1

      You need this law at the federal level.

      No, we don't need better band-aids, we need cures. It starts with the credit bureaus and ends with them moving to a better system of identifying people that doesn't make identity theft so fucking easy.

      --
      Ironically, the word ironically is often used incorrectly.
    4. Re:California Universities by ahodgkinson · · Score: 1
      • No, we don't need better band-aids, we need cures. It starts with the credit bureaus and ends with them moving to a better system of identifying people that doesn't make identity theft so fucking easy.
      I'm not sure what you mean by better systems for identifying people. If you mean that not all database systems need a global identifier like a social security number, then I agree. That said, database systems that are global in scope, like credit bureaus, need to be able to associate you with your data. This means that some kind of global key value is necessary and will always be a target of identity thieves.

      A federal law on accidental data disclosure is a start. Unfortunately, it may be the best you'll get, given the lobbying power of the industry groups that would campaign against the real cure.

      The real cure is to create an economic incentive for the data holders, e.g. the public institutions, banks, credit bureaus, etc., that imposes costs associated with improper disclosure. Once there is an economic incentive, better procedures will be developed and enforced by the data holders themselves. BTW: This should also include an incentive to encourage data holders to fix incorrect data.

      Bruce Schneier has written extensively on the subject. A good quote taken from this article is:

      • The only way to fix this problem is for vendors to fix their software, and they won't do it until it's in their financial best interests to do so.

      Another part of the real cure is to have authentication associated with the use of personal records about you. A key part of this is proper vetting of entities changing your data, which should, in some cases, include your direct authorization.

      --
      ---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.
  29. That's ok. by RandoX · · Score: 4, Funny

    I don't use my own identity anymore anyway.

  30. Is it really irony? by Sigma+7 · · Score: 2, Insightful
    but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable.


    Unless there is going to be an unconditional format of the hard drive in question, either the thief or the fence (i.e. buyer) would have discovered the data eventually. Given that it's most likely an MS Access database, it shouldn't be too much of a problem extracting those numbers from the file.

    In the event that difficulties are encountered, it's not too hard to find someone on the black market who will crack the information (e.g. brute forcing login passwords to gain access to whatever that follows.)

    Any irony obtained by the law will only accelerate what would have occurred normally.
    1. Re:Is it really irony? by Anonymous Coward · · Score: 0

      p.s. An "unconditional" format doesn't erase any data on the disk, it only wipes out the directory and file tables.

  31. Colleges by and large don't respect privacy by brontus3927 · · Score: 3, Interesting
    When I was in college, to enter the dorms and other "sensitive" areas, you had to swipe your school ID. To purchase food on your meal plan, you had to swipe your ID. You could put money into a debit account to buy things on campus and select off campus stores (like the local gas station), and swipe your ID to use it. The ID sent unencrypted the student's SSN. Anyone with a POS card reader and access to a student ID could retrieve the SSN, and legal name (printed on the front of the ID).

    If you lost your ID, it was a simple matter to go down to Student Accounts and get a new one for $10. But since the SSN is used as an ID, the old ID card couldn't be deactivated and the missing one could be used by whoever found it.

    Thankfully, last year they switched from using SSN to a 12-digit ID number generated by the college. However, "lost" cards are still usable.

    1. Re:Colleges by and large don't respect privacy by Anonymous Coward · · Score: 0

      I work in an admissions office and let me tell you, we have student numbers but the people here will never give up the SSNs, they're just too ingrained into the systems.

      Most admissions software programs are developed in house or based on very old databases (like FoxPro). Security appears to be present but really the data is stored unencrypted and transferred in plain text over the network. Data security at Higher Educational institutions is quite poor. I'm sure there are some schools that do a good job, but anybody determined enough could get all the personal data they wanted here. FYI we have about 14,000 students which means about 40,000 to 50,000 inquiries and applications in just one year. Look at all that data.

  32. Re: Not all school are alike by Anonymous Coward · · Score: 1, Interesting

    Some schools are beginning to move away from SSN in the wake of identity theft. I work for Kansas State University and we have been working on this for a couple years. And while it might sound simple on the surface, there are a lot of software systems and departments involved.

    Everyone now must use their eID to access email, the central unix servers, use K-State Online, and a host of other services.

    The general idea is that a person is assigned an eID and a dirkey. The eID may change in the future, but a single person is guaranteed to have only one dirkey over their lifetime. The dirkey is a CHAR(12) primary key in Oracle.
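
The eID/dirkey split described in the comment above, sketched as an added example (not part of the original post and not K-State's code). SQLite stands in for Oracle, and the table names, column names, helper functions and sample rows are all assumptions made for illustration.

```python
import secrets
import sqlite3
import string

# Constructed legacy rows keyed by SSN, as in the systems described in this
# thread. The SSNs are deliberately invalid (area number 000 is never issued).
LEGACY_ROWS = [
    {"ssn": "000-00-0001", "name": "Jane Doe", "login": "jdoe",
     "courses": ["STAT 2000", "CS 101"]},
    {"ssn": "000-00-0002", "name": "Richard Roe", "login": "rroe",
     "courses": ["STAT 2000"]},
]

SCHEMA = """
CREATE TABLE person (
    dirkey CHAR(12) PRIMARY KEY CHECK (length(dirkey) = 12),
    eid    TEXT NOT NULL UNIQUE,   -- login name, allowed to change
    name   TEXT NOT NULL
);
-- The SSN lives in exactly one table that rosters never join against.
CREATE TABLE person_ssn (
    dirkey CHAR(12) PRIMARY KEY REFERENCES person(dirkey),
    ssn    TEXT NOT NULL UNIQUE
);
CREATE TABLE enrollment (
    dirkey CHAR(12) NOT NULL REFERENCES person(dirkey),
    course TEXT NOT NULL,
    PRIMARY KEY (dirkey, course)
);
-- One dirkey per person for life: reject any attempt to rewrite it.
CREATE TRIGGER dirkey_is_permanent
BEFORE UPDATE OF dirkey ON person
BEGIN
    SELECT RAISE(ABORT, 'dirkey is permanent');
END;
"""


def new_dirkey():
    """Random 12-character key that reveals nothing about the person."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(12))


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def add_person(db, eid, name, ssn):
    dirkey = new_dirkey()
    db.execute("INSERT INTO person VALUES (?, ?, ?)", (dirkey, eid, name))
    db.execute("INSERT INTO person_ssn VALUES (?, ?)", (dirkey, ssn))
    return dirkey


def migrate(legacy_rows):
    """Re-key SSN-keyed records onto dirkeys; the SSN stops being a join key."""
    db = open_db()
    for row in legacy_rows:
        dirkey = add_person(db, row["login"], row["name"], row["ssn"])
        db.executemany("INSERT INTO enrollment VALUES (?, ?)",
                       [(dirkey, course) for course in row["courses"]])
    db.commit()
    return db


def rename_eid(db, old_eid, new_eid):
    """Change the public login; everything keyed on dirkey is untouched."""
    cur = db.execute("UPDATE person SET eid = ? WHERE eid = ?",
                     (new_eid, old_eid))
    if cur.rowcount != 1:
        raise KeyError(old_eid)
    db.commit()


def dirkey_for(db, eid):
    row = db.execute("SELECT dirkey FROM person WHERE eid = ?",
                     (eid,)).fetchone()
    return row[0] if row else None


def roster(db, course):
    """What an instructor gets: eID and name, never the SSN."""
    return db.execute(
        "SELECT p.eid, p.name FROM enrollment e JOIN person p USING (dirkey) "
        "WHERE e.course = ? ORDER BY p.eid", (course,)).fetchall()


def tables_holding_ssn(db):
    """List tables with an ssn column, to audit where the number is stored."""
    names = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return sorted(t for t in names if any(
        col[1] == "ssn" for col in db.execute(f"PRAGMA table_info({t})")))


if __name__ == "__main__":
    db = migrate(LEGACY_ROWS)
    print(roster(db, "STAT 2000"))
    rename_eid(db, "jdoe", "jsmith")
    print(roster(db, "STAT 2000"))
    print(tables_holding_ssn(db))
```
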

  33. Windows crypt is easy to break, better to use bios by woodsrunner · · Score: 1

    From my experiments with the Windows encryption, it's not too difficult to break by moving the file to another directory.

    A better protection for sensitive data on a laptop is offered by IBM. In addition to needing to replace a chip to change the BIOS password, as is common on most laptops, IBM encrypts the hard drive so without the BIOS password which sends a bigger password to the HD, the data cannot be accessed -- even if you change the BIOS password with a soldering iron.

    Keep that in mind next time you are carrying around a laptop full of other people's personal data.

  34. The Library by Anonymous Coward · · Score: 0

    At the state university I attended, the librarians had access to all of a student's personal information (SSN, etc).

  35. Lawsuits? by Quixote · · Score: 4, Interesting
    Seeing how lawsuit-friendly the US society is, why haven't more people sued these companies which "lose" private data?

    If you just slip and fall on the grounds of a business, you can expect to make a couple 100 Gs for "mental suffering". Why not do the same here? People should get together and file class-action lawsuits left-and-right. Then watch the companies scramble to protect the data.

    Don't get me wrong: I am dead against frivolous lawsuits. But the language of financial pain is the only language these businesses understand. "Morality" is a word that is not there in their lexicon.

    1. Re:Lawsuits? by Anonymous Coward · · Score: 0

      Oddly enough, you can't sue software companies for failing to provide proper security in their programs either.

  36. Poor devils. by bobbuck · · Score: 4, Funny

    Wow. These poor guys will be branded as Berkeley alumni for life.

    1. Re:Poor devils. by Anonymous Coward · · Score: 1, Funny

      That's ok, Berkeley Alumni never leave the area anyway.

  37. Re:Windows crypt is easy to break, better to use b by hhghghghh · · Score: 1

    Dell also has this on the Latitude D410, D610 and D810.

  38. Ack! What about recent post-doc? by Anonymous Coward · · Score: 0

    The Cal website indicated that "Other small groups who will be notified individually" are affected. Has anyone heard if it includes recent post-docs?

  39. Welcome back by Alomex · · Score: 1


    It's nice to see that Ian Goldberg is back to its old self.

  40. Torrent? by Cyn · · Score: 2, Funny

    I can't seem to find it yet, anyone have it?

    --
    cyn, free software and *nix operating systems enthusiast.
  41. And the funny thing is... by Chibi+Merrow · · Score: 1

    I took my GRE Saturday and Berkley was one of the schools I checked off to receive my scores... Ahwell, the thief will be long gone before my info gets there... ;)

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
    1. Re:And the funny thing is... by Anonymous Coward · · Score: 1, Funny

      Good thing you didn't send it to Berkeley.

  42. Los Alamos by goombah99 · · Score: 3, Insightful
    The problem is not just education. One has to create situations that engender proper handling of data. For example, if confidential data is only permitted on removable media and that media has to be in a vault every night, signed in and signed out, then you have a situation where the person using the data and all of his or her colleagues can tell by inspection if the person is not fulfilling their obligations. If it's up to the person to always remember then eventually convenience will override caution.

    Los Alamos national lab, contrary to the implied conclusions of all its bad press and false accusations, has in fact shown that the removable disk method is an excellent means of both tracking secret data and minimizing copies of it.

    An even better approach is to make it even easier for people to maintain their data in secure forms without inhibiting their use of it. A good example of this is the Macintosh laptop. Every Macintosh laptop can transparently AES128 encrypt the user's home directory and decrypt it upon log in. Of course you can set that up on a Linux or Windows machine, but that's not the point. The point is it's already there on every Mac ready to go by checking a box. It's not something that one has to spec. If you have to transfer the data to another machine you don't have to worry about setting this up. Co-workers know your machine has it. IT departments can even enforce its use without penalizing the user. Ubiquity and ease of use is the key to getting encryption part of people's work habits.

    I work in a place where wireless internet connections are not allowed in the building. Yet when I go on travel I use it. Like everyone else I have to remember to turn off the wireless in the laptop before jacking into the building ethernet. So do you think people remember to do that? Well a lot of the time yes but many times no. But with a Mac laptop it's trivial to configure it so the wireless and ethernet adapters can't be on at the same time. It's impossible to forget. By the way my company spends money to pay people to walk the halls with wireless sniffers and has to discipline workers that forget. All of that is lost productivity as well as the security exposure.

    So in conclusion, any company that is concerned about data security that does not use Macintoshes is wasting its money. Sure you can make a Windows system secure but it's the little daily things that keep it secure.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Los Alamos by Thud457 · · Score: 1
      Recycled post for a recycled story, mods plz ignore:

      If this keeps up, pretty soon we're all going to have the same identity!

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    2. Re:Los Alamos by SpaceLifeForm · · Score: 1
      The problem is not just education. One has to create situations that engender proper handling of data.

      No it *is* education. WTF was this type of data doing on a laptop in the first place?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    3. Re:Los Alamos by staev · · Score: 1

      You raise some interesting points, but I fear your concerns are overblown.

      I, as a former minister ub the Nigerian government, have been trying in vain to contact someone in a more developed nation for almost 2 years. I have access to over $34,000,000 (US) and just need someone to supply their bank account and Social Security number to transfer these funds.

      Please, the next time I email you- respond. It will be most beneficial to the two of us.

      Thank you for your attention and uhuru.

  43. Clarification of classification by sczimme · · Score: 2, Informative


    Personal data need to be treated as government certification of Secret documents

    First, I think you mean classification, not certification.

    Second, there is a reason and a definition behind each classification. For example, the definition of SECRET according to the Defense Security Service (available here (scroll down)) is as follows:

    SECRET. The designation that shall be applied only to information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. (emphasis mine)

    Nutshell: yes, personal information should be protected; no, it does not warrant the same protection as classified information.

    or at least give it Collateral classification level treatment

    Finally, Collateral is not a classification; it is a category of information classification. Our friends at DSS clarify the issue here:

    The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral.

    Please do some research before providing erroneous information. (For many years I worked in positions where I was required to know these things.)

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:Clarification of classification by Anonymous Coward · · Score: 0

      Good, you can read DSS website. But in practice, at some point in the classification chain, the purchase of inane objects such as a toilet seat get classified SECRET. Sure, a $23 million toilet seat is embarrassing, but is it serious damage to the national security?

    2. Re:Clarification of classification by rmsimpso · · Score: 1

      I think he meant personal information should be given its own SCI channel or SAP category or whatever the department put in charge of it felt like calling a system of similar design, or that at least it be given a collateral classification.

      I can see what he was trying to say, but that doesn't mean I agree.

      Admittedly, I don't have an answer for the personal information problem, but trying to establish a formal classification system for people's name, address, dob, and ssn would be a nightmare.

  44. OVERRATED?? WTF!! by Anonymous Coward · · Score: 0

    HOW is the parent overrated?

    I was responding to a question asked about the post.

    WTF is wrong with /. mods.

    By the way, this is overrated, flamebait, whatever. the parent should have been left alone as it was directly related to not only the story topic but also the question asked.

  45. Re:Windows crypt is easy to break, better to use b by The+Second+Horseman · · Score: 1

    Yeah, but IBM's been doing it for years, and the Thinkpads are still built better (without really costing more for corporate and edu). Thinkpads just work. The only other company putting as much thought into Intel-based laptops is probably Sony, and they don't really have support for enterprise customers.

  46. Whoever lost the laptop should be liable by blueZ3 · · Score: 3, Insightful

    This kind of thing just ticks me off no end. Some Berkeley bureaucrat leaves a laptop in their car, which will no doubt result in 1000s of stolen identities, lives ruined, tens-of-thousands of wasted hours... and they're likely not even going to get a slap on the wrist. Personally, I'd make any individual who is responsible for this kind of thing financially liable for damages. I'd also try them for criminal negligence and possibly for aiding and abetting fraud. Then I'd let each person who has their identity stolen take one swing at them with an aluminum baseball bat. Currently, there's just no accountability for this type of thing.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
    1. Re:Whoever lost the laptop should be liable by ParaMarineBates · · Score: 1

      RTFA: The computer, which required a password to operate, was left unattended for a few minutes in a restricted area of a campus office before someone walked in and stole it, Felde said. A campus employee witnessed the theft and reported it to university police. It wasn't a car, but a RESTRICTED area left unattended.

      --
      omnia mutantur nos et mutamur in illis
    2. Re:Whoever lost the laptop should be liable by iggymanz · · Score: 1

      doesn't excuse the fact/act this data was on a PORTABLE computer (should be a crime in itself), and someone PORTED it.

    3. Re:Whoever lost the laptop should be liable by awtbfb · · Score: 1


      "You're fired! You're sooooo fired! ... oh wait, you're a public employee. Umm... damn, where's that paperwork... I'll get back to you in 6 months..."

  47. DRM Please by Jack+Johnson · · Score: 1
    It seems to me that protection of this kind of personal information would be the ideal place for some kind of use-limiting DRM.

    Prohibit the various uses of sensitive data to control where it goes and what can be done with it.

    Sensitive information simply shouldn't exist in any permanent form on physically insecure devices like laptops, pdas, flash drives, phones and blackberries.

  48. The Ideal use for University ID Theft by [cx] · · Score: 1

    Now they can unsuspiciously order large numbers of Ayn Rand novels in bulk, which I'm sure was the entire reason behind this theft.

    Does every university have a laptop filled with various pieces of carefully organized identification?

    Why a laptop? To make it easier to steal? I'd imagine they would have this kind of information, encrypted on a computer that was bolted down, with no monitor that could be accessed with separate passwords for encryption/login. From now on they should only allow log in with a parallel port behind glass. That'll learn em!

    Were they creating a package for the thief? A clever lunchbag of id theft?

    All the Berkeley punks were playing D&D and contemplating murder and were too busy to notice the shiny laptop that controls the entire school through its cunning rolls, was taken by the chaotic good thieves of the night!

    A crime for MacGruff, to solve! Hooray!

    [cx]

  49. You would think they could learn... by MasterVidBoi · · Score: 1

    This would be the *third* time that a University has 'lost' my personal information as an applicant, either for undergraduate or graduate applications, during the last 4 years.

    Perhaps future applications should seriously consider refusing to provide a SSN until they make it through the admissions process.

    I'm still waiting on real data privacy laws too, even if they are California only.

  50. Haven't you ever seen "Brazil"? by Thud457 · · Score: 1
    No, funny, because I used lecithin (745575)'s /. login to make that post!

    (Ok, well, scary for Lecithin, funny for the rest of us...)

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  51. So what is the answer? by Some+Slashdot+Reader · · Score: 2, Insightful

    So what is the answer? Consider the following:

    -An application requires that the user be able to process personal data about clients.
    -The Social Security Number and other "sensitive" data is required by US government.
    -The application must work across a wide geographical area. The application is on PCs that although locked up in buildings, could be stolen.
    -Regardless of connectivity the data application must perform all functions, access all historical records of the client. So it must have some sort of local cache to enable work when connectivity is not available. (Yes, there are many places where reliable high speed network access is not available.)
    -Data is reported periodically for aggregation by encrypted synchronization to a central repository.

    Considering this, what does one do?
    What local cache of the data could you possibly use and how would you secure it?

    If someone steals the pc, how would they NOT be able to get into it? And how do I secure hundreds of pcs spread over hundreds of miles that are not connected to a single network?

    If I encrypt individual fields in the local database, how do I know when I have done enough of them?

    For that matter, what if someone steals the entire central database repository? How would it be possible to guarantee they can't get it?

    I'm dealing with shades of gray- when is the gray dark enough?
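
One way to approach the field-level question in comment 51, as an added example that is not part of the original thread or any poster's code: the local cache stores a keyed HMAC of the SSN instead of the SSN itself, with the key derived from the operator's passphrase at login and never written to disk. It assumes the field PC only needs to look a client up by SSN (the full number goes to the central repository at intake); the table layout, function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample records. Area number 000 is never issued as a real SSN.
SAMPLE_CLIENTS = [
    ("Ada Example", "000-12-3456"),
    ("Bob Sample", "000-98-7654"),
]


def normalize_ssn(ssn: str) -> str:
    """Reduce '000-12-3456' or '000 12 3456' to nine digits, or fail loudly."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def unkeyed_hash(ssn: str) -> str:
    """Weak form: identical on every machine, so anyone who hashes all
    nine-digit values can match it. Shown only for contrast."""
    return hashlib.sha256(normalize_ssn(ssn).encode("ascii")).hexdigest()


def derive_index_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the operator's passphrase into a 32-byte key kept in memory only."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000)


def ssn_token(key: bytes, ssn: str) -> str:
    """Hardened form: a lookup token that cannot be recomputed without the key."""
    return hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256).hexdigest()


def open_cache(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS meta (name TEXT PRIMARY KEY, value BLOB)")
    db.execute(
        "CREATE TABLE IF NOT EXISTS client ("
        "ssn_token TEXT PRIMARY KEY, name TEXT NOT NULL)"
    )
    return db


def cache_salt(db: sqlite3.Connection) -> bytes:
    """The salt is not secret and lives beside the data; the passphrase does not."""
    row = db.execute("SELECT value FROM meta WHERE name = 'kdf_salt'").fetchone()
    if row:
        return bytes(row[0])
    salt = os.urandom(16)
    db.execute("INSERT INTO meta (name, value) VALUES ('kdf_salt', ?)", (salt,))
    return salt


def add_client(db: sqlite3.Connection, key: bytes, name: str, ssn: str) -> None:
    # Only the token is stored; the nine digits never reach the disk.
    db.execute(
        "INSERT INTO client (ssn_token, name) VALUES (?, ?)",
        (ssn_token(key, ssn), name),
    )


def find_client(db: sqlite3.Connection, key: bytes, ssn: str):
    row = db.execute(
        "SELECT name FROM client WHERE ssn_token = ?", (ssn_token(key, ssn),)
    ).fetchone()
    return row[0] if row else None


def stored_values(db: sqlite3.Connection):
    """Everything someone reading the client table from a stolen file would see."""
    return [str(value) for row in db.execute("SELECT * FROM client") for value in row]


def demo():
    db = open_cache()
    key = derive_index_key("correct horse battery staple", cache_salt(db))
    for name, ssn in SAMPLE_CLIENTS:
        add_client(db, key, name, ssn)
    return db, key


if __name__ == "__main__":
    db, key = demo()
    print(find_client(db, key, "000 12 3456"))
    print(stored_values(db))
```

This narrows what a stolen database file reveals; it complements full-disk encryption of the machine and does not replace it.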

  52. Bunglers by Doc+Ruby · · Score: 1

    There's an epidemic of identity theft across the country. Many thousands of American lives are being ruined overnight by theft and fraud. International crime syndicates, including the huge Russian and American mafias, are directly involved. Where's the FBI? Busy working on the Patriot Act to protect us from "terrorists". Thanks, Ashcroft, and, er, uh, who's that guy who replaced you this year?

    --
    make install -not war

    1. Re:Bunglers by Anonymous Coward · · Score: 0

      Why waste time to look up the name of the Attorney General, I mean why slow the rate that you provide /. with your drivel. It might be easy to sound like you know what you are talking about without really being knowledgeable in the subject but you can't fool everybody you stupid idiot. Please learn the name Albert Gonzalez.

    2. Re:Bunglers by Doc+Ruby · · Score: 1

      I purposely neglected the name of Grand Inquisitor Alberto Gonzales (learn to spell it, asshole - you'll need it on your appeals from Guantanamo, like everyone else). To underscore his absence - the point of my post. You can't really expect me to explain every joke to you, you insane Anonymous stalker Coward. I'd apologize for hurting your sniveling baby feelings with some prior post, but I'm glad I've turned you out, showing your useless character with every post you spew. If you're going to suck off my posts with retarded insults, empty of sense, logic or info, at least ask someone to explain them to you first. Jerkoff - you're FBI material.

      --
      make install -not war

    3. Re:Bunglers by Anonymous Coward · · Score: 0

      Oh no, I made you mad.

      Too bad you are still my poster-child for what is the matter with /..

    4. Re:Bunglers by Doc+Ruby · · Score: 0, Flamebait

      We can't all be as stupid as you, who mistakes their own hurt sniveling feelings for anything but contempt on my part for you. Who cares what you think about Slashdot, or anything else? Go spank yourself, and leave the adults alone.

      --
      make install -not war

    5. Re:Bunglers by Anonymous Coward · · Score: 0

      I like /. quite a lot. What I don't like are mass posting zero substance users like you.

  53. Wrong Wrong Wrong! by Penguinoflight · · Score: 1

    The problem isn't securing the information better, the problem is the information is your enemy. Security is an oxymoron in this case, no matter how well you lock down the systems there's nothing keeping someone inside from stealing information.

    It's like everyone has their own poison being stored by someone else. The problem isn't who's storing your identity, the problem is your identity is a vulnerability!

    Until a non-vulnerable identity is made, organizations should respect people's privacy even if it comes at the cost of anonymity.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
    1. Re:Wrong Wrong Wrong! by Tom · · Score: 1

      Let's differentiate between security technology and security management. Technology is only a part of the equation. One part of a serious security effort is to analyze which information is needed where, and limiting access to that.

      Example: One way SSH is more secure than Telnet is because it gives you the option to never transfer your password over the wire, encrypted or not. You can do key authentication and know that your password has never left the machine you're sitting at.

      Putting a huge database of sensitive information on a laptop is a security breach, no matter the technology installed on said laptop. Unless there is a very good reason to do it, the answer isn't technology.

      --
      Assorted stuff I do sometimes: Lemuria.org
  54. Happened at my University too. by Maul · · Score: 2, Informative

    Last summer, I received a letter from the University I attended. They said that a computer system containing records for just about all current and former students had been compromised, and that it was possible our personal information (including SSN, etc.) had been stolen.

    This is obviously not a unique situation.

    --

    "You spoony bard!" -Tellah

    1. Re:Happened at my University too. by Anonymous Coward · · Score: 0

      Which university?

    2. Re:Happened at my University too. by Anonymous Coward · · Score: 0

      Well, which university was it? There is nothing more annoying than a "Me Too!" post that contributes 0 to the conversation.

  55. Retinal scans by happyemoticon · · Score: 1

    I will personally champion the cause of retinal scans as the only valid form of identification, as shown in the book/film, Minority Report. Sure, that will mean having a national database of retina biometrics, but this will be impossible to fake as long as the scanners are powered by a serious, closed-source platform like Longhorn, and equipped with bombs so that the Orrin Hatch can blow up offending units.

    In other news, as of 8:00 am this morning, I have filed my application with Berkeley's optomology program, hoping to specialize in ocular surgery.

  56. But I didn't even go to Cal! by empedocles · · Score: 1

    Silly me for having applied there in the fall of 2001 for a graduate program. How long do they really need to hold onto my data when I told them I was going somewhere else? I suppose just in case I apply for something else again.

    Their Identity FAQ is useful, but the number they list to call to see if your name was on the laptop just plays a message. They also claim they'll try to contact everyone whose name may have been compromised.

    Identity fun.

  57. You can't. by EvilStein · · Score: 1

    You're not "their customer" so therefore you have no recourse. See: ChoicePoint and the 145,000+ people they screwed over.

  58. Re:Are hunting and fishing license not awarded by by DesertBlade · · Score: 0

    States are government and have government.

    So the fishing license is a government issued document, but it is not a FEDERAL license, it is only good in the state issued.

    --
    Half of writing history is hiding the truth.
  59. The fix by starman97 · · Score: 1

    The best way to fix the problem would be if all that stolen information got published on FTP or USENET or torrents. The outcry from 1 million people would finally get things fixed, especially if some of them were of the elite class.

    So, info thieves.. You up to it?
    Steal as much personal info as you can, and publish it. The free-for-all should be fun to watch.

    --
    Starman97@Gmail.com (bring it on spammers)
  60. Bad UC security policy by kabloom · · Score: 1
    The San Jose Mercury News reports:
    The UC system has required since the fall that such sensitive data on portable equipment be encrypted. But in this case, the information was downloaded onto a new laptop the day before it was stolen, and was scheduled for encryption the afternoon a thief walked off with it, said campus spokeswoman Marie Felde.

    Encryption takes 5 minutes. It's bad policy to need to schedule encryption, and it's bad policy to keep the data on the laptop before it's encrypted, even for a day.
  61. Universities pay many grad students taxable income by __aadkms7016 · · Score: 1

    Many graduate students draw salaries that are taxable (Teaching Assistants, Research Assistants, etc) and an SSN is required for tax reporting to the IRS + Franchise Tax Board.

  62. Berkeley is just being lazy by t_allardyce · · Score: 1

    The US seriously needs a data protection act, get with the times..

    --
    This comment does not represent the views or opinions of the user.
  63. As a Chico State grad... by Edward+Teach · · Score: 1

    and one who was notified that my information was stolen, I say: The best way to protect yourself from identity theft is to just remain so far in debt that if your identity is stolen, the thieves get all those calls from the creditors. I say, please, someone, steal my identity!

    --

    Setting his threshold to 5, Sparky eliminated most of the trolls on /.

  64. I received my Berkeley PhD 3 years ago by GAATTC · · Score: 1

    Got my PhD in 2002. I called the hotline at Berkeley and my name was on the laptop. Ahhh - the benefits of a Berkeley PhD.

  65. Let's defang SSN theft. by anorlunda · · Score: 1
    The single personal data item that can do the most damage if stolen is your SSN. With your name and SSN, a crook can establish credit. The SSN is not secure, never was secure and never will be secure.

    Establishing a secure national ID is a politically loaded issue and not likely to happen soon. I'm not proposing that. It seems that we could substantially limit the danger of identity theft, and the motivation to steal IDs, if we merely gave up the convenience of being able to establish accounts and/or credit by phone or mail using nothing more than name and SSN.

    I'm not proposing that you can't use your credit card to purchase by phone or by net, but rather that one shouldn't be able to use only a name and SSN to get a new credit card.

    Legally, the only change needed would be a regulation establishing minimum ID requirements for banks and creditors required to establish new accounts. The minimum requirement must include a face-to-face meeting and one or more corroborations of identity.

    I suspect that creditors may be the only ones opposed to the idea because they profit from easy credit, despite fraud and ID theft.

    Note that my proposal does not prohibit businesses from using SSN as a database key to locate your record. Abhorrent as that practice is, it's too embedded to ever eliminate now.

    Granted, this proposal doesn't eliminate all the risks of identity theft, nor eliminate all the harm of SSN theft. I believe however that it would eliminate the most harmful component of risk.

    This must have been proposed before but I never see it discussed. What does the Slashdot community say?

  66. I am on that laptop by Anonymous Coward · · Score: 0

    I just received this email from an associate dean about 10 minutes ago:

    GRADUATE DIVISION
    BERKELEY, CALIFORNIA 94720-5900

    March 29, 2005

    Dear Graduate Student:

    I am writing to advise you that a computer in the Graduate Division at UC Berkeley was stolen by an as-yet unidentified individual on March 11, 2005. The computer contained data files with names and Social Security numbers of some individuals, including you, who applied to be or who were graduate students, or were otherwise affiliated with the University of California.

    At this time we have no evidence that personal data were actually retrieved or misused by any unauthorized person. However, because we take very seriously our obligation to safeguard personal information entrusted to us, we are bringing this situation to your attention along with the following helpful information.

    You may want to take the precaution of placing a fraud alert on your credit file. This lets creditors know to contact you before opening new accounts in your name. This is a free service which you can use by calling one of the credit bureau telephone numbers:

    Equifax 1-800-525-6285
    Experian 1-888-397-3742
    Trans Union 1-800-680-7289

    We encourage you to check for more details on our Web site at:
    http://newscenter.berkeley.edu/security/grad/ . The following Web sites and telephone numbers also offer useful information on identity theft and consumer fraud.

    California Department of Consumer Affairs, Office of Privacy Protection: http://www.privacy.ca.gov/cover/identitytheft.htm

    Federal Trade Commission's Website on identity theft: http://www.consumer.gov/idtheft/

    Social Security Administration fraud line: 1-800-269-0271

    To alert individuals that we may not have reached directly, we have issued a press release describing the theft. Unfortunately, disreputable persons may contact you offering to help and falsely identify themselves as affiliated with UC Berkeley. Please be aware that UC Berkeley will not contact you by telephone or any other method to ask you for private information. We recommend that you do not release personal information in response to any contacts of this nature.

    UC Berkeley deeply regrets this possible breach of confidentiality. Please be assured that we have taken immediate steps to further safeguard the personal information maintained by us. If you have any questions about this matter, please feel free to contact us at xxxxxxx@berkeley.edu or toll free at 1-800-XXX-XXXX.

    Sincerely,
    Jeffrey A. Reimer
    Associate Dean

  67. Re:Are hunting and fishing license not awarded by by Anonymous Coward · · Score: 0

    jesus fuck nit pick nit pick. If you couldn't associate the post with the general theme of FEDERAL government then perhaps you should brush up on your English skills.

  68. You also have the people factor by Anonymous Coward · · Score: 1, Interesting

    A few years ago, I received a letter by mistake from the Harvard Alumnus Association. It was addressed to someone completely different. Nonetheless, I opened it, filled it out, and wrote a polite letter back to Harvard that they had spelled my name wrong, and needed to update my contact information. My request was all the more credible because I included the original letterhead they sent me, and the intended recipient had the same last name as me. Without double checking against the registrar's records, they complied with my request.

    I soon began to receive more mail from them, including invitations to reunions, which I accepted. It was awkward at first, but as I researched other Alumni's lives, it became easier to pass myself off as an Alumnus myself: "Hey Thom Davis! Do you remember the time when you accidentally got your foot caught in the broken-open drainage ditch? Oh, that was a hoot! And I'll never forget the look on your face! Har har!" Soon, with subtle suggestion, most Alumni even began to "remember" me and several of my antics. Amongst these Alumni was someone who had strong connections to the original Administration... I thought my charade was up - but much to my surprise, when he didn't find my name in the original records, he offered to help me "correct" them! "After all," he said, "Everyone here remembers you; the administration is at fault. What was your degree again?"

    Okay, it wasn't quite as simple as that, but in the end, I got my Harvard degree without ever attending. I nudged someone else off the list and took his place. I stole someone's identity and made it my own. In short, identity theft is also an administration issue.



    Malus Dei

  69. Re:Are hunting and fishing license not awarded by by DesertBlade · · Score: 0

    Ditto

    --
    Half of writing history is hiding the truth.
  70. Berkeley, BC should lose their federal funding by Anonymous Coward · · Score: 0

    I just got a letter from Boston College about possible disclosure of my SSN to an intruder even though the last class I attended was over 10 years ago. It appears that colleges will need to lose federal funding before taking this seriously.

    It is part of U.S. code.

    http://straylight.law.cornell.edu/uscode/html/uscode20/usc_sec_20_00001232---g000-.html

  71. text of notice sent to affected students by Anonymous Coward · · Score: 0

    GRADUATE DIVISION
    BERKELEY, CALIFORNIA 94720-5900

    March 29, 2005

    Dear Graduate Student:

    I am writing to advise you that a computer in the Graduate Division at UC
    Berkeley was stolen by an as-yet unidentified individual on March 11, 2005.
    The computer contained data files with names and Social Security numbers of
    some individuals, including you, who applied to be or who were graduate
    students, or were otherwise affiliated with the University of California.

    At this time we have no evidence that personal data were actually retrieved
    or misused by any unauthorized person. However, because we take very
    seriously our obligation to safeguard personal information entrusted to us,
    we are bringing this situation to your attention along with the following
    helpful information.

    You may want to take the precaution of placing a fraud alert on your credit
    file. This lets creditors know to contact you before opening new accounts
    in your name. This is a free service which you can use by calling one of
    the credit bureau telephone numbers:

    Equifax 1-800-525-6285
    Experian 1-888-397-3742
    Trans Union 1-800-680-7289

    We encourage you to check for more details on our Web site at:
    http://newscenter.berkeley.edu/security/grad/ . The following Web sites
    and telephone numbers also offer useful information on identity theft and
    consumer fraud.

    California Department of Consumer Affairs, Office of Privacy
    Protection: http://www.privacy.ca.gov/cover/identitytheft.htm

    Federal Trade Commission's Website on identity theft:
    http://www.consumer.gov/idtheft/

    Social Security Administration fraud line: 1-800-269-0271

    To alert individuals that we may not have reached directly, we have issued
    a press release describing the theft. Unfortunately, disreputable persons
    may contact you offering to help and falsely identify themselves as
    affiliated with UC Berkeley. Please be aware that UC Berkeley will not
    contact you by telephone or any other method to ask you for private
    information. We recommend that you do not release personal information in
    response to any contacts of this nature.

    UC Berkeley deeply regrets this possible breach of confidentiality. Please
    be assured that we have taken immediate steps to further safeguard the
    personal information maintained by us. If you have any questions about this
    matter, please feel free to contact us at idalert@berkeley.edu or toll free
    at 1-800-372-5110.

    Sincerely,
    Jeffrey A. Reimer
    Associate Dean

    1. Re:text of notice sent to affected students by purple+papillon · · Score: 1

      And how long would it take them to send the notification to ~98000 people? Plus, the tough part is people who graduated back in 1976. Although, I'd like to know what they're doing with the information of past applicants, the majority of whom probably didn't get in!

  72. My solution - http://mobilesafeinc.com/ by Gen.+Rasputin+X · · Score: 1

    I had to deal with this problem a few years ago. I had a laptop stolen, and I got a bit paranoid about it, and started looking for options. In the end, I settled for a mobile safe. Eventually, I settled on these guys:

    http://mobilesafeinc.com/

    Yes, the website is a little primitive, but the product is great. I bought one for my van, and then a second mounting plate for my apartment. I just open the safe, reach inside, twist the bolts and then pop the safe off the plate. Then I carry it inside, slide it into the plate, reach inside, twist the bolts, and it's securely locked in place. Takes about two minutes.

    Basically, to steal my laptop from my van, they need to steal my van. It isn't a perfect solution, but it definitely prevents the smash and grab.

    It means after work, I can slide my laptop into the safe and then not worry about it while I'm out with friends trying to give my brain a break.

  73. Punishment is not the answer, training is by klic · · Score: 1

    Whenever some thoughtless person lets sensitive information get copied, a chorus of twits call for blood. This is stupid.

    Copied information leaves no trace. The only clue we have that something like this has happened is when the person responsible for that data makes a public admission of their error. If the punishment for disclosure is high, they will simply not say anything, and we will not find out until the secure data is abused.

    This is a training and management problem, and it goes up the UC administration to the top. From the chancellor on down, it should be made a primary job function that any information gathered for any purpose receives the appropriate amount of protection, and those with access are properly trained. Otherwise, the information is simply not allowed to be collected.

    UCB has one of the best computer science departments in the world, and one of the best business schools. Those two groups could easily come up with technical and organizational procedures to robustly and cost-effectively protect sensitive data. This is a great opportunity for UCB, if they have the intelligence to pursue it.

    With arch-rival Stanford just across the bay, such programs could turn into another entertaining and productive rivalry, as the two schools compete to penetrate each other's security. Better than football!

    The only blood I would call for would be that of administrators who treat this as an excuse for punishment rather than an opportunity for learning.

    Keith Lofstrom, MSEE UCB 1974

    --
    Keith Lofstrom server-sky.com
    1. Re:Punishment is not the answer, training is by multiplexo · · Score: 1
      Whenever some thoughtless person lets sensitive information get copied, a chorus of twits call for blood. This is stupid.

      Copied information leaves no trace. The only clue we have that something like this has happened is when the person responsible for that data makes a public admission of their error. If the punishment for disclosure is high, they will simply not say anything, and we will not find out until the secure data is abused.

      This is a training and management problem, and it goes up the UC administration to the top. From the chancellor on down, it should be made a primary job function that any information gathered for any purpose receives the appropriate amount of protection, and those with access are properly trained. Otherwise, the information is simply not allowed to be collected.

      So what do we do then? Do we just let incompetent fuckups get away with this sort of thing? "Whoops, guess I left a bunch of personal data on a laptop which was then stolen. Sorry, I feel really bad about it. I'll try not to be so thoughtless next time, hope your identity doesn't get stolen."

      What should be done in this case is that everyone involved should be fired. The idiot who put data on a laptop should lose his job, the IT morons who failed to secure the data properly should be fired as well, the people who are in charge of these idiots should be fired for not having policies in place to protect sensitive data. Then, after you fire these dumbshits you hire a new group of people, charge them with developing the appropriate SOPs to protect sensitive data, charge them with implementing them, make sure that everyone who has access to that data has read, understood and signed off on the SOP and if anyone fucks up after that you fire their asses and you make them legally liable.

      Of course none of this will happen since these are all state government employees of the state of California and let's face it, it's easier to get rid of a bad dose of the clap than it is to get rid of a government employee, regardless of how incompetent they were.

      --
      cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
    2. Re:Punishment is not the answer, training is by klic · · Score: 1
      Whenever some thoughtless person lets sensitive information get copied, a chorus of twits call for blood. This is stupid.

      ... What should be done in this case is that everyone involved should be fired ...

      There's the first! Who's next?

      --
      Keith Lofstrom server-sky.com
    3. Re:Punishment is not the answer, training is by multiplexo · · Score: 1
      I wish I could live in Keith Lofstrom's responsibility free world where losing the personal data of thousands of people, exposing them to identity theft is A-OK and you just get a slap on the wrist for it. It sounds like a nice place, with rivers of chocolate and lollipop trees. Unfortunately I live in the real world, and so do all of those people whose personal information is now at risk. I'm an IT professional, we're a good 30 years into the IT revolution, we're a good 15 years into the ubiquitous computing that laptops have brought about, and there's no excuse for this kind of shit any more. Leaving a laptop out like this, with sensitive data on it is no different than leaving unsecured paper documents containing classified information, which can be easily photocopied, unsecured. It's really, really, really fucking stupid.

      I have to wonder how Keith would feel, if one of his employees lost a company laptop containing proprietary data and that data was used by his competitors to put his company out of business. Would he say "Well, thanks for telling me about this, we'll do better next time. Let's use this as an opportunity to educate everyone about data security and formulate some really good policies! Yay Team!". Somehow I doubt that Keith would be so forgiving.

      Keith's utterly stupid attitude towards this is kind of like someone saying "Gee, punishing people for getting drunk and running someone over is a bad idea because it gives them incentive to flee the scene. We should get rid of the penalties so that people will come forward and correct their behavior." These people fucked up. Management fucked up because they didn't educate their employees about the importance of data security. Their IT department fucked up because they didn't exercise due diligence to make sure that if people were going to store sensitive data on laptops that that data would not be accessible to unauthorized users. Laptops are fucking portable, the portability that makes it easy for you to pick them up and walk off with them also makes it easy for someone else to pick them up and walk off with them. Again, this is not a new problem, this shit wasn't invented yesterday and Keith's "let's all have a nice cup of chamomile tea and see what we can learn from this experience" isn't going to do a damned thing to keep people from making mistakes like this. Firing them will. Firing feckless idiots, which is what these people are, does two things, it gets the feckless idiots out of your organization so they can go into careers that better suit them, such as giving blowjobs for crack in the dumpster behind the local Baskin Robbins, and it serves as a deterrent to other people so that they don't do fecklessly stupid things (unless of course they find the concept of dumpster fellatio appealing).

      --
      cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
    4. Re:Punishment is not the answer, training is by GoBears · · Score: 1

      You're half-right. Both punishment and training need to occur. Many large organizations simply do not have the kind of culture of accountability that is required to protect sensitive information "for real." Bureaucrats (by which I mean any member of a large organization, even soldiers and sailors) do not take information protection seriously until they begin to take seriously the idea that lapses will result in someone being fired and/or sent to prison.

  74. Simpler methods by hey! · · Score: 1

    Well, simpler steps could be taken before going that far.

    What we call "identity theft" is only in part about stealing identities. Primarily it is about stealing credit. Key to doing that is the fact that anybody who has an SSN number and a few basic facts about you can apply for credit in your name.

    One thing that would stop identity theft in its tracks is making it illegal to transfer credit information about an individual without his consent, and to have a reasonable mechanism for verifying that consent, such as a password. Granted passwords are not perfect, but they are much better than leaving this information wide open to anyone. Invalid passwords should immediately trigger an identity theft investigation.

    Of course, the credit reporting agencies make money by selling your information to anybody who asks, so they won't like this. Tough.

    Another simple mechanism would be to outlaw storing of a social security number in any private computerized record. Instead, companies could store a one way hash of the SSN. This would be the equivalent of an SSN in every way but one -- somebody who had gained unauthorized access to your credit information will not be able to masquerade as you because he won't be able to supply your SSN to calculate the hash.

    Finally, it would be even better if the SSN were replaced with a revocable ID #.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
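
The one-way-hash storage idea from comment 74, as an added sketch that is not part of the thread: it contrasts an unkeyed SHA-256 of the SSN with an HMAC token that depends on a server-held key. The function names, the demo key and the sample number are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real deployment would keep the key
# outside the database that stores the tokens.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Nine decimal digits allow at most 10**9 values, so an unkeyed hash is only
# as hard to reverse as enumerating that space.
SSN_SPACE = 10 ** 9

def normalize_ssn(raw: str) -> str:
    """Strip spaces and dashes so '000-12-3456' and '000123456' match."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits

def plain_hash(raw: str) -> str:
    """The proposal taken literally: unkeyed SHA-256, same output everywhere."""
    return hashlib.sha256(normalize_ssn(raw).encode()).hexdigest()

def keyed_token(raw: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 token; it cannot be recomputed without the key."""
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()

def verify(raw: str, stored_token: str, key: bytes = DEMO_KEY) -> bool:
    """Check a presented SSN against the stored token in constant time."""
    try:
        candidate = keyed_token(raw, key)
    except ValueError:
        return False  # malformed input never matches
    return hmac.compare_digest(candidate, stored_token)

if __name__ == "__main__":
    sample = "000-12-3456"  # constructed value; area number 000 is never issued
    stored = keyed_token(sample)
    print("stored token :", stored)
    print("correct SSN  :", verify("000 12 3456", stored))
    print("wrong SSN    :", verify("000-12-3457", stored))
    print("other key    :", verify(sample, stored, key=b"different-key"))
    print("unkeyed hash :", plain_hash(sample), "search space", SSN_SPACE)
```

A record holder stores only the token and calls `verify` when a customer presents the number; a copied database then yields tokens that are useless without the key.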
  75. Goldmine by Anonymous Coward · · Score: 0

    The thief has a goldmine and probably doesn't even realize it.

  76. The obvious answer by Anonymous Coward · · Score: 0

    So they could lock it up in a safe at night.

    Does that qualify as ironic?

  77. Because Users are Dummies.. by Anonymous Coward · · Score: 0

    Bah! Issue a laptop where you work and see how many managers download important secure info onto it & forget it. My office has 2 sets of notebooks, high security ones and low. We tried to just have high security ones but the "Users" (upper management) were "too busy" to take any time to learn how to use them and demanded low security ones too.

  78. Sounds familiar by Anonymous Coward · · Score: 0

    Tons and tons of laptops with personal data stolen all the time.

  79. SSNs - problems, reasons by spagetti_code · · Score: 2, Interesting
    This guy is right "like it or not"

    I am not from the US, but I was sent there for a few months to work. My wife came too for the holiday.

    Some random notes about life without an SSN...

    • I decided to open a US bank account. Got a check book ok. Got a debit card. Then the fun starts - the bank calls back after two weeks to cancel the debit card. No SSN. The checks are 'starters' even though they start at 1000 (to fool those pesky shop clerks on the look out for checks that start at 1). Everyone refuses to honour them. So banking was a bust.
    • Couldn't use checks at walmart - no SSN.
    • Couldn't use VISA at Best Buy because it wasn't a US based VISA, and (you guessed it) no SSN. I did point out that I have used that VISA all over the world, except this very store. Strangely, I have purchased from there many times since so perhaps I just hit a loser that day.
    • A bank clerk called my passport a forgery when I tried to withdraw my money (since I couldn't use checks or cards) because it had a date "15/3/1967" - to quote ("there's no 15th month").
    I eventually found a website that provides fake SSNs you can use with minimal chance of dups. Suddenly everything went smoothly at the supermarket :-).

    The reason I think that SSNs are dangerous is that because it is a simple ID, America has become tied to it in a dangerous way. It's become a widely respected and accepted ID. But there is no security associated with it. SSNs leak easily but encapsulate too much power - your SSN gives me trivial access to stuff that's yours.

    Picture ID cards, money, drivers licences carry numerous security precautions - holograms, encoded data, special paper, the physical look of them. They are harder to duplicate (although it still does happen).

    What is missing is that the SSN should be a first step to identification - perhaps as a replacement for your name + birthdate (yeah, I know.... "I am not a number"). Then follow it up with other identifiers - license, other data only you would know.

    And people who don't need it *specifically* should not be permitted to force it from you. Sure, you can take your business elsewhere, but usually it's a pain, and sometimes you just can't. Personally I think it should be restricted to government departments only.

  80. WTF? by lorcha · · Score: 1
    You call yourself a CPA and you don't even know what an ITIN is?

    Oh, nevermind. I see you said you merely work for a CPA. What is the nature of the services that you perform for this CPA? I'm assuming it is nothing related to taxes... ;)

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
    1. Re:WTF? by anthony_dipierro · · Score: 1

      You call yourself a CPA and you don't even know what an ITIN is?

      Of course I know what an ITIN is. You can't get an ITIN if you're eligible for an SSN. And as you saw, I never said I was a CPA.

  81. I understand why this happened.... by Anonymous Coward · · Score: 0

    Having worked for a few universities before, I completely understand how and why this happened.

    Some Assistant Associate Advisor to the Secretary of the Vice President (who is the boss of your boss' boss) asks for weekly statistical reports, anything from owed fees to ethnic diversity and admissions.

    The assignment ends up on your desk. You contact the IT department to ask for access to the records. Since you're security-minded, you ask for a custom database view using a special account and are told to f--k off because (1) they're too busy with more important things and (2) for whatever bizarre technical reasons they give as an excuse and (3) they are in a different part of the org chart so they don't have to do anything for you.

    After some high-level back and forth, they decide to give you a regular dump of all the data. They do this to everybody who wants reports, because it's the path of least resistance. They don't want to be bothered creating specialized database queries or managing security. They'll even tell you it's less secure to create special access roles than to give you a dump of the database.

    You share this data with your co-workers when they are given similar assignments, because it took you months to get this data, and will take them months just so they are given their own ftp password to the same server you and several dozen other people have. Sometimes the people who own the data say "Hey, you work with joe, don't you? He already has access to it, so have him give you his copy." Maybe you'll just give him your password since you're leaving this job, and it's not your password anyway, it belonged to somebody who worked there several years before you started.

    Anyway, processing thousands of records takes a lot of computing power, and it so happens that the fastest computer in your department is the new laptop (which was ordered by the previous Assistant Acting Associate Vice Director for his personal use before he left for a better-paying job)....

    Your average university has dozens of computers with student and employee personal details, several of which end up in dumpsters every year because they're too lazy to remove or erase hard drives.

  82. Bullshit! by Thaelon · · Score: 1

    Do you have any idea how much security is actually involved with classified information? Obviously not, or you wouldn't be putting this idiotic suggestion forth because you don't know enough about what you're talking about to be talking about it other than from your rectum.

    Suffice it to say there is a LOT of effort that goes into protecting classified information and it's a royal pain in the ass. There is no way in hell a college is going to actually go through such inconvenience to do it. Now go sit down.

    --

    Question everything

    1. Re:Bullshit! by Anonymous Coward · · Score: 0

      Asshole.

  83. Why the fuss about protecting personal data? by MntlChaos · · Score: 1

    It seems that the root cause of identity theft is NOT that personal data is available, but that businesses trust that data so much. For instance, I recently had to reset my online banking password. I did this over the phone. All I needed was my Social Security Number, my username, my city of birth, and my high school. Let's see here... my high school is on the internet due to interscholastic competitions, my city of birth isn't something I would keep from my friend and my soc number is known to any number of government employees and my employers.

    Now if a soc # is not really secure, and all of the others are pieces of information that shouldn't need to be held confidential, then identity theft will be an issue until we find a way to verify identity not based just on faith.

  84. Well duh. by PeanutGallery · · Score: 1

    It is, after all, Berkeley we're talking about here. "Have you ever been to Berkeley? It's like taking a tour of the sewer in a glass-bottomed boat." -Frank Peretti

    --
    -- Just another unsolicited opinion... from the Peanut Gallery.
  85. Well deserved by flibuste · · Score: 1

    I cannot do anything but laugh at this.

    First we have a system that provides users with password recovery given a very simple combination of NAS and birthdate, which are amazingly easy to obtain. It's not even involving "social engineering". It's just that using a NAS is not safe enough to use as an authentication key.

    On the other side, we have a smart cookie (sic!) who is so stupid that she goes into computer hacking without knowing the outcomes, like masquerading your IP.

    A well-deserved jail sentence for sheer stupidity should have been sent to both parties...

  86. This happened at another school recently by Anonymous Coward · · Score: 0

    The University of Northern Colorado just recently had a hard drive stolen with all the info for students and employees who worked for the school over the last four years.

  87. Identity Theft and Cincinnati government by detroitbuzz · · Score: 1
    I couldn't agree with you more. Data confidentiality almost always takes a backseat to availability.

    I recently was tipped on a website in Cincinnati that allows you to actually look up digitized images of all speeding, misdemeanor and some felony tickets, court documents and cases. (All containing name, birthdate, ss#, place of birth, drivers license number, address, sometimes occupation, etc.)

    The auditor's website also allows you to look up homeowners and find out things like how much they paid for their homes, a digital picture of the front and back, a topographical map of their street, lot size, etc.

    All these things provide you with all the information that you need for many types of crimes.

    Our government is holding businesses' (especially public companies, healthcare and financial) feet to the fire on protecting private information (see Choice Point, DSW, etc)... who is holding THEM responsible for THEIR actions??? http://www.detroitbuzz.com/index.php?option=com_content&task=view&id=270&Itemid=54 If we don't take action, it's our fault.

  88. Never had a problem by noidentity · · Score: 1

    I, noidentity, have never had a problem with identity theft. But it may just be me...