Berkeley Grads' Identity Data Stolen
yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."
Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need-to-know basis and 2) those who have undergone training in handling confidential data.
Granted, this will not prevent all leaks as even the State Department, CIA and FBI have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.
Visit Jonesblog and say hello.
This is a pet peeve and it is just getting worse.
Why does a school need our SSNs? Why does anybody outside the government?
Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?
It could be worse, it could be Monday.
Oh, HELL no, I just applied there!
Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option.
Better still, just create a directory (C:\Encrypted), and encrypt the folder, and all subdirectories.
Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one hard drive, I would expect the person to be keeping a backup somewhere else.
Get your own free personal location tracker
Talk about your OpenBSD (Berkeley Social Data)...
Karma: Excellent Birds (mostly as a result of listening to Laurie Anderson)
Let's hope the sheer amount of identify theft problems will spearhead a push for more privacy protection.
I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a responsibility to your clients, customers, whatever.
Assorted stuff I do sometimes: Lemuria.org
It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.
I am too chicken to go first, though.
With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.
These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.
"...but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable"
And in another twist of fate the thief is a hardcore Slashdotter.
I kid because I love. What other university lets you major in "crispy" ?
StupidChildren...the reason jesus is crying
Identity information is only useful to people who know how to perpetrate identity theft. If this crook knew how to do this the chances are he'd already have looked. And he has to realise that it is the laptop he stole.
It's a problem if he knows this and knows someone who knows what to do with the data, but at least with disclosure the victims know they are at risk.
UC-Berkeley is a state university.
People say I'm crazy, I got diamonds on the soles of my shoes...
umm, sir, Berkeley is a State University... University of California. It in fact might be one of the best public universities in the country, alongside UT Austin, UW Seattle, Georgia Tech, and that probably wraps up my knowledge of US Public Universities.
Trivia - who is the highest paid state official in California...?
The coach of the UCLA Football team.
M.
Unless they have no idea what specific data was involved why not just send these people a letter?
As I read the law, personal notification is not only allowed, it is preferred. The complaints about "now the thieves know they have something valuable" seem to be more a result of the choice to hold a press conference and save the cost of a lot of stamps.
Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia, I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).
Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.
The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.
Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed to care.
I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.
I graduated in 99 so I'm not sure if any changes have been made. I would love to know.
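The sniffer demonstration in the post above is the kind of thing a practitioner would want to be able to reproduce, both to make the case for SSH and to build a detector that flags SSNs leaving a host in the clear. The following is an added example, not code from the poster or from the university's Banner system: it takes a constructed telnet-style capture (made-up names and numbers), finds every nine-digit run that is structurally a valid SSN under the SSA's published rules (area 001-899 but never 666, group 01-99, serial 0001-9999), and shows the redaction a capture or log store should apply before anything is written to disk. The sample bytes and the `ID:`/`NAME:` layout are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of a cleartext telnet session carrying student
# records. Nothing here is a real person or a real number; the bytes are
# made up to show what a sniffer on the same network segment would see.
SAMPLE_CAPTURE = (
    b"login: jdoe\r\npassword: hunter2\r\n"          # credentials, also in the clear
    b"BANNER Student Lookup\r\n"
    b"ID: 123-45-6789  NAME: DOE, JANE     DOB: 03/15/1981\r\n"
    b"ID: 587654321    NAME: ROE, RICHARD  DOB: 11/02/1979\r\n"
    b"ID: 000-12-3456  NAME: BAD AREA\r\n"         # area 000 is never issued
    b"ID: 666-12-3456  NAME: BAD AREA\r\n"         # area 666 is never issued
    b"ID: 923-12-3456  NAME: BAD AREA\r\n"         # areas 900-999 are never issued
    b"ID: 123-00-3456  NAME: BAD GROUP\r\n"        # group 00 is never issued
    b"ID: 123-45-0000  NAME: BAD SERIAL\r\n"       # serial 0000 is never issued
    b"PHONE: 415-555-0123\r\n"                     # 3-3-4 digits, not an SSN
)

# Nine digits with optional separators, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks the SSA publishes for issued numbers: area is
    001-899 but never 666, group is 01-99, serial is 0001-9999. This
    rejects obvious junk; it cannot prove a number was actually issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_for_ssns(capture: bytes) -> List[Tuple[int, str]]:
    """Return (byte offset, normalised AAA-GG-SSSS) for every structurally
    valid SSN in a raw capture. latin-1 keeps a 1:1 byte/char mapping so
    the offsets point back into the original bytes."""
    text = capture.decode("latin-1")
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_valid_ssn(area, group, serial):
            hits.append((m.start(), f"{area}-{group}-{serial}"))
    return hits


def redact_ssns(capture: bytes) -> bytes:
    """What a log or capture store should do before anything is written:
    keep the last four digits for correlation and drop the rest."""
    def _mask(m) -> str:
        area, group, serial = m.groups()
        if not is_valid_ssn(area, group, serial):
            return m.group(0)
        return f"***-**-{serial}"
    return SSN_RE.sub(_mask, capture.decode("latin-1")).encode("latin-1")


if __name__ == "__main__":
    for offset, ssn in scan_for_ssns(SAMPLE_CAPTURE):
        print(f"offset {offset:4d}: {ssn}")
    print(redact_ssns(SAMPLE_CAPTURE).decode("latin-1"))
```

The phone number and the malformed IDs are in the sample precisely because a bare "nine digits" regex would flag them; the structural check is what keeps the false-positive rate tolerable on real traffic. Note that the capture also carries the login password, which is the other half of the argument for replacing telnet with SSH: the detector can tell you a leak happened, only encryption on the wire prevents it.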
Why was that amount of personal data allowed to be on a laptop in the first place?
Why was all of this on a laptop?
Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.
Quality Hosting e3 Servers
Something tells me the whole thing was on Excel.
There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.
They will need one eventually.
Without an SSN you can't get financial aid. I was born on a commune near the Canadian border and didn't have either a birth certificate or SSN for many, many years.
Eventually I got the opportunity to go to Moscow. It took me almost 2 years to get a passport. Needless to say I missed the trip.
I then applied to college and got accepted. Since we are dirt poor I applied for financial aid. They promptly said, sorry you are not enlisted with the selective service. I said no shit. They said no money. I then went to enlist with the SS (selective service) and they said "who the fuck are you, what do mean you don't have an SSN, get one and come back." I finally got a SSN when I was 17 years old, enlisted Selective service, got financial aid, went to UCLA and now am your typical suburban programmer with a wife and family (my way of rebelling against being born in the fucking woods).
The moral, get your kids a SSN. Don't punish them because you hate the government.
Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?
As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.
Ironically, the word ironically is often used incorrectly.
I don't use my own identity anymore anyway.
Unless there is going to be an unconditional format of the hard drive in question, either the thief or the fence (i.e. buyer) would have discovered the data eventually. Given that it's most likely an MS Access database, it shouldn't be too much of a problem extracting those numbers from the file.
In the event that difficulties are encountered, it's not too hard to find someone on the black market who will crack the information (e.g. brute forcing login passwords to gain access to whatever that follows.)
Any irony obtained by the law will only accelerate what would have occurred normally.
If you lost your ID, it was a simple matter to go down to Student Accounts and get a new one for $10. But since the SSN is used as an ID, the old ID card couldn't be deactivated and the missing one could be used by whoever found it.
Thankfully, last year they switched from using SSN to a 12 digit ID number generated by the college. However, "lost" cards are still usable.
Free MacMini
If you just slip and fall on the grounds of a business, you can expect to make a couple 100 Gs for "mental suffering". Why not do the same here? People should get together and file class-action lawsuits left-and-right. Then watch the companies scramble to protect the data.
Don't get me wrong: I am dead against frivolous lawsuits. But the language of financial pain is the only language these businesses understand. "Morality" is a word that is not there in their lexicon.
Wow. These poor guys will be branded as Berkeley alumni for life.
I can't seem to find it yet, anyone have it?
cyn, free software and *nix operating systems enthusiast.
Los Alamos National Lab, contrary to the implied conclusions of all its bad press and false accusations, has in fact shown that the removable disk method is an excellent means of both tracking secret data and minimizing copies of it.
An even better approach is to make it even easier for people to maintain their data in secure forms without inhibiting their use of it. A good example of this is the Macintosh laptop. Every Macintosh laptop can transparently AES128 encrypt the user's home directory and decrypt it upon login. Of course you can set that up on a Linux or Windows machine, but that's not the point. The point is it's already there on every Mac ready to go by checking a box. It's not something that one has to spec. If you have to transfer the data to another machine you don't have to worry about setting this up. Co-workers know your machine has it. IT departments can even enforce its use without penalizing the user. Ubiquity and ease of use are the key to making encryption part of people's work habits.
I work in a place where wireless internet connections are not allowed in the building. Yet when I go on travel I use it. Like everyone else I have to remember to turn off the wireless in the laptop before jacking into the building Ethernet. So do you think people remember to do that? Well, a lot of the time yes, but many times no. But with a Mac laptop it's trivial to configure it so the wireless and Ethernet adapters can't be on at the same time; it's impossible to forget. By the way, my company spends money to pay people to walk the halls with wireless sniffers and has to discipline workers that forget. All of that is lost productivity as well as the security exposure.
So in conclusion, any company that is concerned about data security that does not use Macintoshes is wasting its money. Sure you can make a Windows system secure, but it's the little daily things that keep it secure.
Some drink at the fountain of knowledge. Others just gargle.
Personal data need to be treated as government certification of Secret documents
First, I think you mean classification, not certification.
Second, there is a reason and a definition behind each classification. For example, the definition of SECRET according to the Defense Security Service (available here (scroll down)) is as follows:
SECRET. The designation that shall be applied only to information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. (emphasis mine)
Nutshell: yes, personal information should be protected; no, it does not warrant the same protection as classified information.
or at least give it Collateral classification level treatment
Finally, Collateral is not a classification; it is a category of information classification. Our friends at DSS clarify the issue here:
The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral.
Please do some research before providing erroneous information. (For many years I worked in positions where I was required to know these things.)
I want to drag this out as long as possible. Bring me my protractor.
"To get there, you have to go to a specific hallway, on a specific floor, in a specific building" Doesn't that describe ANY physical location inside ANY multistory building?
This kind of thing just ticks me off no end. Some Berkeley bureaucrat leaves a laptop in their car, which will no doubt result in 1000s of stolen identities, lives ruined, tens-of-thousands of wasted hours, and they're likely not even going to get a slap on the wrist. Personally, I'd make any individual who is responsible for this kind of thing financially liable for damages. I'd also try them for criminal negligence and possibly for aiding and abetting fraud. Then I'd let each person who has their identity stolen take one swing at them with an aluminum baseball bat. Currently, there's just no accountability for this type of thing.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
So what is the answer? Consider the following:
-An application requires that the user be able to process personal data about clients.
-The Social Security Number and other "sensitive" data is required by US government.
-The application must work across a wide geographical area. The application is on PCs that although locked up in buildings, could be stolen.
-Regardless of connectivity the data application must perform all functions, access all historical records of the client. So it must have some sort of local cache to enable work when connectivity is not available. (Yes, there are many places where reliable high speed network access is not available.)
-Data is reported periodically for aggregation by encrypted synchronization to a central repository.
Considering this, what does one do?
What local cache of the data could you possibly use and how would you secure it?
If someone steals the pc, how would they NOT be able to get into it? And how do I secure hundreds of pcs spread over hundreds of miles that are not connected to a single network?
If I encrypt individual fields in the local database, how do I know when I have done enough of them?
For that matter, what if someone steals the entire central database repository? How would it be possible to guarantee they can't get it?
I'm dealing with shades of gray- when is the gray dark enough?
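One answer to the design questions above, and to the earlier comments asking why the data was on a laptop at all, is to change what the local cache contains rather than to encrypt it field by field. The field worker needs to look a client up by the number the client gives them; the laptop does not need to store that number. The following is an added example, not the poster's application or any real product: the session key is derived from the user's passphrase with scrypt and held in memory only, the SSN is replaced on disk by an HMAC token under that key, and records carry a hypothetical `client_id` (assumed to be assigned by the central repository) that the periodic synchronisation uses instead of the SSN. The record layout, passphrase, salt and client data are all constructed for illustration.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, Optional


def normalise_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' map to one token."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def derive_cache_key(passphrase: str, salt: bytes) -> bytes:
    """Session key held in memory only, never written to disk. scrypt makes
    every passphrase guess against a stolen cache expensive; the salt can
    sit beside the cache file, the passphrase must not."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def ssn_token(key: bytes, ssn: str) -> str:
    """Keyed pseudonym for an SSN. Without the key the 10^9 possible SSNs
    cannot be enumerated against a token; with it, lookups still work."""
    return hmac.new(key, normalise_ssn(ssn).encode("ascii"),
                    hashlib.sha256).hexdigest()


class LocalCache:
    """Offline record store keyed by SSN token. The SSN itself is never
    stored; client_id (assumed to be assigned centrally) is the field the
    periodic synchronisation uses to match records upstream."""

    def __init__(self, key: bytes, records: Optional[Dict[str, dict]] = None):
        self._key = key
        self._records: Dict[str, dict] = records if records is not None else {}

    def put(self, ssn: str, record: dict) -> str:
        token = ssn_token(self._key, ssn)
        stored = {k: v for k, v in record.items() if k.lower() != "ssn"}
        stored["ssn_token"] = token
        self._records[token] = stored
        return token

    def lookup(self, ssn: str) -> Optional[dict]:
        return self._records.get(ssn_token(self._key, ssn))

    def to_disk(self) -> bytes:
        """Exactly what lands on the laptop's drive."""
        return json.dumps(self._records, sort_keys=True).encode("utf-8")

    @classmethod
    def from_disk(cls, key: bytes, blob: bytes) -> "LocalCache":
        return cls(key, json.loads(blob.decode("utf-8")))


def demo() -> bytes:
    # Constructed data: fixed salt, made-up passphrase and client record.
    salt = b"\x00" * 16
    key = derive_cache_key("correct horse battery staple", salt)
    cache = LocalCache(key)
    cache.put("123-45-6789", {"client_id": "C-1001", "name": "Jane Doe",
                              "ssn": "123-45-6789", "last_visit": "2005-03-01"})
    blob = cache.to_disk()
    assert b"123456789" not in blob and b"123-45-6789" not in blob
    assert cache.lookup("123456789")["client_id"] == "C-1001"
    return blob


if __name__ == "__main__":
    print(demo().decode("utf-8"))
```

This reframes "how many fields have I encrypted?" as "which fields are on the laptop at all?": the SSN is gone, so there is nothing to encrypt for it, while name, date of birth and history are still there and still need the whole cache under disk encryption with the passphrase as the unlock. A weak passphrase undoes the scheme, since an attacker with the cache can guess passphrases offline, and the central repository still holds the real SSNs, which is why it, not the laptop fleet, is the place to spend the guarding effort the poster asks about.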
Last summer, I received a letter from the University I attended. They said that a computer system containing records for just about all current and former students had been compromised, and that it was possible our personal information (including SSN, etc.) had been stolen.
This is obviously not a unique situation.
"You spoony bard!" -Tellah
I am not from the US, but I was sent there for a few months to work. My wife came too for the holiday.
Some random notes about life without an SSN...
-
I decided to open a US bank account. Got a check book ok. Got a debit card. Then the fun starts - the bank calls back after two weeks to cancel the debit card. No SSN. The checks are 'starters' even though they start at 1000 (to fool those pesky shop clerks on the look out for checks that start at 1). Everyone refuses to honour them. So banking was a bust.
- Couldn't use checks at walmart - no SSN.
- Couldn't use VISA at Best Buy because it wasn't a US based VISA, and (you guessed it) no SSN. I did point out that I have used that VISA all over the world, except this very store.
Strangely, I have purchased from there many times since so perhaps I just hit a loser that day.
- A bank clerk called my passport a forgery when I tried to withdraw my money (since I couldn't use checks or cards) because it had a date "15/3/1967" - to quote ("there's no 15th month").
I eventually found a website that provides fake SSNs you can use with minimal chance of dups. Suddenly everything went smoothly at the supermarket.
The reason I think that SSNs are dangerous is that because it is a simple ID, America has become tied to it in a dangerous way. It's become a widely respected and accepted ID. But there is no security associated with it. SSNs leak easily but encapsulate too much power - your SSN gives me trivial access to stuff that's yours.
Picture ID cards, money, drivers licences carry numerous security precautions - holograms, encoded data, special paper, the physical look of them. They are harder to duplicate (although it still does happen).
What is missing is that the SSN should be a first step to identification - perhaps as a replacement for your name + birthdate (yeah, I know.... "I am not a number"). Then follow it up with other identifiers - license, other data only you would know.
And people who don't need it *specifically* should not be permitted to force it from you. Sure, you can take your business elsewhere, but usually it's a pain, and sometimes you just can't.
Personally I think it should be restricted to government departments only.