Carnegie Mellon Says Computers Breached
maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson and his tech news.
What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the work of a group of hackers, and the FBI's computer crime squad has now joined the investigation.
I'm a virgo and on Slashdot. Coincidence? Yes.
Interesting. I'm a CMU student and I haven't heard anything about this.
They suspect Gallagher.
This CERTianly is an interesting piece of information.
Anyone seen my jagged little pill?
sprintf(ssn , "000-00-0000");
while (1) {
do_bad_stuff(ssn++);
}
Now, having said that, I think it stands to reason that any number that can be automatically generated is automatically at risk of hacking.
Which is to say that it is at the same risk of hacking as any other random number. Which is to say that it is not at risk.
As long as your SSN is nothing more than a number, nothing bad can happen to it.
Now, if someone were to take it and try to do something with it, hopefully you guys over in the U.S. have something to protect yourself with. Some kind of legal recourse to protect SSN holders.
I know I'm not assuming too much here. Those Murkins have thought of everything.
Sadly, it seems more astonishing if a day goes by when a major personal information breach is NOT reported.
What exactly were social security numbers doing on that computer?
I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.
I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.
I'm a big tall mofo.
"Social Security numbers and other personal information"
Which is probably enough for someone to steal your identity, get credit in your name, make your life miserable, etc.
Until a national Public Key Infrastructure is devised, requiring biometric input from each user, identity theft is not going to stop.
Creative Commons music that doesn't suck: emptydrum.com
He just wants your insurance ID. Whether that's your SSN or your dog's birthday is of no matter to him. If you don't want him to have it, demand that your insurance company give you a different ID.
I'm not going to moan about how frequently this seems to be happening lately, I've been thinking though
Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed
What is one supposed to do with such warning?
The following statement is true
The preceding statement is false
My company just deployed a new application to help manage employee data, calendars, timesheets, etc. Guess what? We didn't put SSN anywhere near this application. It's a simple enough matter for someone to go to the locked file cabinet in the HR office and grab a number if need be.
It's not like this method is particularly secure, but it doesn't really matter -- a physical break-in seems much more "acceptable" in the eyes of customers etc than does an electronic break-in.
As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.
Can I have my social security number replaced legally? I don't know for sure, but I suspect my number is just about worthless now. Hell, sometimes we don't hear about these thefts till months or years later. That leads me to work under the assumption that my SS# has been stolen from someone, somewhere... it's utterly worthless (not that it had any value before, my credit was crapped out anyways.)
Something needs to be done about this, SS#s are a joke. I was watching the local Chicago news the other day and migrant workers can go down to the local 7-11, meet a shady character and have their own SS# for $75-$100... Come on, this is nuts.
Yes, please just fill out this short form and I will take care of it for you.
Current Social Security Number: ___-__-____
Full Legal Name: ____________
Date of Birth: __/__/____
Address: _____________
City: __________ State: __
ZIP: ______-____
Thank you.
I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.
Evil sig is livE.
But when your SSN is associated with your name, people can use it to pretend to be you and sign up for other forms of ID that can be used and show up as black marks against you...
Is this true? You'd think that at least the most basic protections would be in place to prevent this sort of fraud.
I go to CMU and work for the psychology department's computing support. Well, about a month ago, our server crashed and our backups only partially restored. So I hopped on a new machine and installed Linux. We switched it over to the network and created some accounts with easy logins so the teachers could get their stuff back up. Needless to say, less than 24 hours after being online it was hacked. While not malicious, the hacker did use our box as a staging point to make DoS attacks. I caught the guy a day later when I started getting emails from companies and kicked him off. The weird thing is, the attack happened on the 10th of April. The same day Tepper was breached.
Just a quick clarification: Carnegie Mellon itself was not hacked. This was a Tepper School of Business machine that was hacked and their student data lost. As seems to be fairly normal, the business school is almost its own entity, even running on a different schedule than the rest of the campus.
I don't use my own identity anymore anyway.
The last two weeks have been a media hype job about computer security. Ever since the news about 500,000 credit card numbers being stolen two weeks ago from a major clothing retailer, there has been a rash of reports about credit card numbers and other personal information being hacked out of major retailers' databases. This has been going on for some time now, but the media just recently realized what a frenzy it creates, so there you have it. I'm sure these hackings have been going on for some time now. It's just turned into a legal money maker now.
Why is it that every time that we see these reports about computers getting hacked into, that NONE of the reports list the number one fact that the public deserves to be told.
WHAT KIND OF COMPUTER/OS WAS HACKED???
Sheeesh. Isn't the news supposed to be about facts?
My $0.02
I comment occasionally so that I can mod others -1 overrated or -1 offtopic.
Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.
I know, I know -- I shouldn't bother asking "why"...
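The hashing idea in the post above works for equality lookups, but a 9-digit number only has a billion possible values, so an unkeyed hash can be reversed by simply hashing every candidate. The following added example (not from the thread or from CMU) contrasts the naive hash with an HMAC under a secret key; the SSNs, the key, and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed sample SSNs; the 987-65-xxxx range is used here purely as dummy data.
SAMPLE_RECORDS = {
    "987-65-4320": "student A",
    "987-65-4321": "student B",
}


def normalize_ssn(ssn: str) -> str:
    """Strip dashes/spaces so the same SSN always produces the same digest."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def naive_hash(ssn: str) -> str:
    """Unkeyed SHA-256, as proposed in the post: fine for lookups, but reversible."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def keyed_hash(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored outside the database."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def build_index(records: Dict[str, str], hash_fn: Callable[[str], str]) -> Dict[str, str]:
    """Replace the SSN column with its digest; lookups hash the query the same way."""
    return {hash_fn(ssn): name for ssn, name in records.items()}


def lookup(index: Dict[str, str], ssn: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    return index.get(hash_fn(ssn))


def recover_by_enumeration(target_digest: str, hash_fn: Callable[[str], str],
                           space: range) -> Optional[str]:
    """Hash every 9-digit value in `space` and report the one matching the digest.

    This is the check a defender should run on their own scheme: for an unkeyed
    hash the whole space is just 10**9 values, so a stolen table of digests is
    barely better than the plaintext. Without the key, the same enumeration
    against HMAC digests finds nothing.
    """
    for n in space:
        candidate = f"{n:09d}"
        if hmac.compare_digest(hash_fn(candidate), target_digest):
            return candidate
    return None


if __name__ == "__main__":
    key = b"constructed-secret-key-kept-in-a-kms"   # constructed; never store it beside the data
    window = range(987650000, 987660000)           # small slice of the space, for a quick demo

    plain_index = build_index(SAMPLE_RECORDS, naive_hash)
    keyed_index = build_index(SAMPLE_RECORDS, lambda s: keyed_hash(s, key))

    # Lookups work identically in both schemes.
    print(lookup(plain_index, "987654321", naive_hash))
    print(lookup(keyed_index, "987654321", lambda s: keyed_hash(s, key)))

    # Only the unkeyed digests give the SSN back to whoever steals the table.
    stolen_plain = next(iter(plain_index))
    stolen_keyed = next(iter(keyed_index))
    print("naive:", recover_by_enumeration(stolen_plain, naive_hash, window))
    print("keyed:", recover_by_enumeration(stolen_keyed, naive_hash, window))
```

The keyed variant only helps if the key lives somewhere the database dump does not (an HSM or key service), and it still supports nothing but exact-match lookups; anyone who legitimately needs the SSN itself, such as the financial aid office mentioned later in the thread, needs a separate, tightly controlled store.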
I am not an American, but from Belgium. I am required to carry an ID card with me. Although the only time the police asked for it was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money after all.
So, if every American has an SSN, and it's given out almost like candy, and since the US government knows this number, then what is the difference with a national ID card? And why are Americans so opposed to such a card?
It's something I have been trying to understand for years.
I don't feel harassed having to carry my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police need a justified reason to ask to see it. The bank can ask for it before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...
An interesting thing to note is that the media broke the story on Thursday, but CMU didn't tell the CMU community until late Friday. I heard it on the news first!
Another interesting note is that in the CMU internal announcement, the _second_ paragraph was effectively, "it isn't as if we're the _only_ school to lose information"
The third paragraph says that the data was stolen from desktops and laptops rather than servers. WTF was sensitive data doing there?
Sucks to be the business school, I guess.
I wonder how the P2P and "fight the copyright" crowd feel about this? Obviously it's just information, bits and bytes, so it's not like it's really stealing or anything -- nothing has been lost or stolen, only copied.
Oh wait, you mean data is only valuable if it's *your* data. I see now.
Matt Slot / Bitwise Operator / Ambrosia Software, Inc.
That's why a lot of companies (health insurance, financial, etc.) are switching from using your SSN to Personal IDs as the unique identifier in the system. HOWEVER, they will still need your SSN for reporting stuff to the government. At least your SSN won't be listed on the health insurance card when you go to the doctor. Right now your doctor's office has enough info about you - SSN, home address, "emergency contact info", phone numbers and even possibly bank routing and account number (if you pay by check).
The person who's handling all this can easily make copies and apply for new credit cards, etc.
There's absolutely no reason why they need your SSN; your health insurance card (with a non-SSN personal ID) should be enough.
Any information you are routinely asked to give up cannot be considered secret. The problem with SSNs is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation, and those extra pieces of information are likely to become available to the thief at the same time as the SSNs, from the same database.
The only reason you are able to get into debt just by knowing your SSN is that it suits the lenders. They can be based in one state but do business in all of the states, through mail, internet and telephone. They have then managed to make it your problem that they give money to someone pretending to be you, sticking you with the problem of clearing up the credit reports they use to decide if you are trustworthy and doing what you have to do to get out from under the debt. Basically the lenders punish you for them (the lenders) giving money to someone pretending to be you. (Yes, I know that sentence is twisted, it's a really twisted system). This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.
The solution is painfully obvious. When you apply for a credit card or enter into any contract, you should have to show your face and acceptable forms of ID, either at an office of the lender or at a mutually trusted proxy. The proxy could perhaps be the closest USPS office. This proposed system is naturally not totally foolproof, no system can be, but it's a heck of a lot better than the current one. It's a lot more work to falsify IDs than it is to harvest SSNs and the chance of capture is much higher. As there's no indication the lending business will self-regulate this, and it's really too big and diverse to ensure self-regulation, this will have to be implemented by laws.
It's really incomprehensible to me that party A stealing my SSN from party B and using it to get money from party C becomes my problem. It should be the problem of party C that gave money to someone without bothering to make sure he was who he said he was.
Making it a bit more work to get more credit cards is really not a bad thing either, most people have too many and practically everyone has too much credit card debt.
While we're at it, we can stop pretending that credit card numbers are secret. That problem has already been solved, the banks just need to implement a system like PayPal, where you sign in and ok each transaction. Again, painfully simple.
A furore Normanorum libera nos, O Domine! [From the fury of the norsemen deliver us, O Lord!] -- Medieval prayer
CMU used to host an easily fooled IRC server, one that was commonly used in security breaches. Anyone remember it or know what happened? Last I heard, they weren't willing to shut it down, leading many folks to think CERT was a big joke.
SS#s were not intended to be a secure ID number to be kept confidential. This is a complete fabrication of credit agencies and the like.
The intent is to provide a unique ID number for the social security system. In many state databases (NYS employees) this ID number is freely available (along with your salary).
To help keep yourself out of the "identity theft" arena, opt-out of instant credit. This is advisable for everyone, alas no more discounts at the GAP for opening a credit card...
Dear ______,
On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.
We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.
While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:
- For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.
- For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.
- For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.
Your new PAC number is: **********
Your email address in the directory is: ****************
- For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.
Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.
We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.
The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.
If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu
Thank you.
Steve Sharratt
Associate Dean for Advancement
I'm not sure whether or not it was related, but as part of my application process for their InfoSec degree, I noted a few security issues to their sysadmin. Their application (e-file) is located on another department's server. What was found was that the application used would not force an SSL connection (subject to possibly an XSS attack and connection sniffing), and also, upon just a curious portscan, their Oracle instance was wide open. The application for admission requested Social Security Numbers, among other things, and if I poked further, I could probably get in and start querying the database for whatever I would have wanted. I think the business school was picked on because of the profile earlier this year with their "application status" system which also hit some other Ivy League schools.
It's a real shame to have received a rejection letter from the department, even after telling them what was wrong. I got more of an argumentative response from the sysadmin, with some level of bravado in his tone saying it's not his responsibility, and that they believe it to be secure. What a load of crap...
I'm maybe bitter that most of the class members of their graduate program there are from countries that I regularly see attack the network I'm employed to defend. Kind of like "teaching the enemy"... and pushing those who are here defending companies that may be providing them corporate funding for the program aside.
Ah, heck... just conspiracy theories... but it's a campus network, what could go wrong?!
Being a current grad student at CMU, I can tell you this. In a half-assed attempt to implement swipe cards for access control it was decided that the SSN is a unique identifying number which could be coded into the card. Somebody raised a fuss about this and CMU went through the painful process of replacing the SSNs with a pseudo-random number.
I wonder if there is a reason that this is not taking place in Canada or other countries. Is it just not being reported? That scares me.
So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world over there because you've got folks who dress nicely and what not.
CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU; they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hacked with a failure of CERT would be like saying the CIA was vulnerable because the Department of Agriculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and its share of folks who are dolts.
On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on the magnetic stripe of your student ID card. You can change it, but they look at you funny when you ask to do that.
So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.
This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckless.
My Slashdot account is old enough to drink...
This really shouldn't surprise anyone who works at a university. There are several mitigating factors that make this sort of intrusion inevitable.
Here's why:
Unlike private companies, universities are difficult places to enforce security policies because PhDs feel that these policies somehow inhibit their freedoms or that the rules shouldn't apply to them. Profs and researchers each get their own computer money and they build their own little networks, server farms, and have their own methods. Because they often want to share their servers with other universities, they are usually not behind a firewall and/or are given address space that is world addressable.
This usually creates a perfect place for intrusion--lack of cohesive security policy, machines that are run by novice sysadmins, and a really fat uplink to the net.
To make things worse, the networks on campuses are generally a hodge-podge of technologies and topologies that have been piece-mealed together like some kind of electric crazy quilt. You might have aging border router equipment, old hubstacks with vulnerabilities in their management utilities, random unmanaged/non-secure wireless networks in the dorms or offices, etc.--a nice untraceable uplink to your LAN.
Managing the security for these networks is almost impossible unless the entire infrastructure has been updated--which costs millions of dollars that universities are not likely to spend (at least not without a major campaign).
All of these computers--Macs, PCs, Linux, Solaris, etc.--have no real security policy, they're poorly managed by amateurs, and they have a network with no real firewall. Talk about a honeypot!
Each node on this honeynet is now a prime place for rootkit installations. They lie in wait for someone to log in to the right systems and, voila--a password and userid. A keylogger records a legit log-in. Now your cracker is using one of the unmanaged nodes on your network to have his way with your student/employee information system.
If any university has a better system, I think they're in the minority. Hopefully, this will change. But until then, the inmates run the asylum.
I might know what I'm talkin' about, but then again, this is Slashdot...
I'm not trying to get too personal -- but you don't sound too concerned & that concerns me psychologically. :)
Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
I keep up on the latest exploits, re-visit old ones, keep critical (and new) machines well patched, write shellcode to understand BoF/Ret2Libc exploits & employ handfuls of hardening techniques & limits everywhere I can, especially in the kernel. Then I keep images of my fav installs & nc+dd them onto new boxes when needed... _Then_ I go to work and do the same on many more computers in addition to the job I was actually hired for. I still maintain a social life and even -- gasp -- a lady friend.
So I do realize there are large factors that go into having enough time and infrastructure to admin 1000 vs. 100 vs. 10 boxes. But is "easy" just considered routine due to time constraints, even at a fine establishment like CMU?
If your box was on the net for 24hrs, and it got cracked into, something's gone wrong in your department.
I don't consider it much of a "hack" if the admin sets up a deficient system (i.e. easily guessable usernames/passwords) and puts it live on the Internet without monitoring it for brute-forcing, which you allude to. One cannot rely on a 3rd party to inform them that machines in their domain are hacked. It only takes a few key punches to duplicate very good security efforts after you've done them once.
I'd be interested in knowing what the exploit vector was (if you did the above) if you guys are able to do I.R. after a breach. Or even bother to image the drive for later...
I dunno, but I see a pattern here with locations that put busy, course-loaded students in the employ of guarding the subnets...
argan0n
My old crappy (inherited) bike got stolen in two years time. My new, marked bike is still with me after 4 years. And I live in a University town. As you know, in such a town, stealing^H borrowing bikes is common as breathing air.
So once again, my ID card is used in my favour. You could say, the same could have been accomplished with a driver ID card or a SSN. To which I will, again, ask: then what is the difference?
Thanks for the replies so far.
isc.sans.org
To see how f'ed up the Internet is today. The color changes actually do mean something there as opposed to the constant and useless level of panic at homeland security.
"Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock."
Fucking A. I'm with you on this 100%. Granted, I run OpenBSD at home, but that doesn't mean I just sit back and pretend like everything is okay. I check the errata at least twice a day and act on the updates/patches as soon as I get a free couple of seconds in my day. I have pf setup to my likings and haven't had a problem since I installed OpenBSD. No, I'm not an OpenBSD fanboy, I'm just making my claim--YMMV.
In short: there is simply no excuse to be lazy/relaxed about security. Call me paranoid, but I'd like to keep MY data to myself.
What can "identity thieves" do with another person's SSN? (I'm not an American, I don't know)
Businesses here have to provide their social security number (padded with B01 for business use) on their invoices.
.. as long as you can blame people doing it, on their stupidity and point them on their individual responsibilities and common sense (individualism, causing big social problems there, from addiction, crime, to what more.. since society as a whole is not taking responsibility for the weakness of an individual and their dependency on environmental factors for their behavior).
Social security numbers here (Netherlands) are not as big of an issue I think... whether someone knows it or not... I think unlike in the USA, not EVERYTHING is identified by that number... And I think other security steps are in place (passport and picture) to do anything useful with a social security number.
So I'm wondering how this is different in the USA, other than that you have no laws protecting privacy like we do/did, where any company (including websites) here who wants to store any private information must ask for permission from a governmental institution overseeing privacy protection (law on personal information registration, "wet op registratie persoonsgegevens"), and JUSTIFY why they need that information to function as a business, and all the laws and rules regarding how they must store and protect that information and can or cannot link their database with other databases without permission, etc.
But I'm not sure exactly how this is in the US, except anybody can just make a website and collect personal data legally.
Peace
E-Fuckin-Nuff Already!
We the people are sick of your fucking domestic terrorism shit.
GSIA couldn't admin their way out of a wet paper bag, at least, not when I worked for Computing Services back in the day.
"Tepper School of Business"....LOLOLOLOL
Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
I think you'd be right. When I was consulting it never ceased to amaze me just how little was done to secure the network at most places. Whether corporate or government it didn't make a difference.
I don't think this is a lackadaisical attitude towards security in particular, but the fact that IT departments tend to attract the least competent people in the computer sciences.
I know my home network is more secure than most of the businesses/government agencies I consulted for even though I could certainly do more to improve it.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
I'd like to point out that picture IDs are silly. How do you decide whether the person in front of you is the person in the card's picture?
I worked as an election judge in Colorado and they explicitly told us not to bother looking at the photo on the ID. The law specified it had to be a photo ID, but we were told not to care what the picture on it looks like. People change, you can't recognize them reliably.
What prevents someone from fraudulently opening a PayPal account for you and using it on your behalf? The system has problems, and there are no simple fixes.
Perhaps everyone should be required to carry a card with an RSA key on it, if you lose it you create a revocation certificate and get a new one. Doesn't that sound like fun? I'm sure grandma will love it.
Tharkban (It is a signature after all)
how does one opt out of instant credit?
who handles instant credit?
it makes it alot harder to do that.
Section 1798.85, dude, look it up (somewhere on www.ca.gov). A company (health insurance or whatever) cannot use your SSN# on an ID card (or if they do, you can have them remove it); moreover, unless you are in the habit of applying for a new credit card, or borrowing money for a house or car every few days, you might be better off putting a security freeze on your credit files (must be done at all three credit bureaus and it will cost you 10 bucks for each one of them -- imagine that: you have to pay these guys to stop helping bad guys rip you off...)
The FAA used to use SSN# as pilot certificate numbers; that is, for folks dumb enough NOT to read the fine print on the various FAA forms such as 8710-1 or 8500-8 which say in effect ''yes, we are asking you for this number, but you don't really have to give it to us, your choice,'' and the old FAA databases made this info (including street address...) publicly available (no, this is no longer the case, but I bet you can still find the old CDs up for sale on ebay)
If it's not meant to be somewhat secure, then why was it illegal for a long time (perhaps even today) for anyone other than your employer and the IRS to require it?
Luke-Jr
Because it's very convenient to use your SSN for an ID number. Even the government does it. Think about how many numbers you go to the trouble of memorizing. Your SSN, your ATM PIN, your phone number, and maybe one or two others. What would happen if everyone you dealt with issued their own ID number for you? Not too convenient for the majority, who don't have a PDA.
The problem with the SSN is it was designed and is being used as an identifier. It was never intended to be an authenticator, but is being misused that way by many. So the problem isn't getting the SSN removed from databases, the problem is educating those who try to use it as an authenticator that it isn't one.
One way to solve the problem would be for the government to announce they are going to publish the list of names and SSNs in 6 months. They also announce that anyone still using the SSN as an authenticator after 5 months will be held liable for any losses. This only puts a burden on those who are misusing them for authentication.
The problem of a replacement authenticator is left as an exercise for the student.
The question is not one about what academic departments and profs do or don't do with their computer systems. It is one of what SSNs are doing outside of a secured admin (as in school admin, not sysadmin) network. I suppose a partial answer is that they are using SSNs for student IDs.
But until the world realizes that SSNs aren't authenticators, student IDs shouldn't be SSNs. If the world ever wises up, then SSNs make perfect student IDs. Of course your name should be a good ID, but the collision space is too high.
OS type is entirely irrelevant if someone walks off with a laptop or social engineers a secretary.
Suppose they had announced it was a Win2k system. The /. crowd would get a lot of mileage out of it. But if the system had never been patched, and the Administrator password is admin, it's pretty worthless to crow about. "My OS is more secure than an unlocked door! Yippee."
It's also misleading if the OS were reported without a review of the patch level, and the sysadmin's level of official paranoia (i.e. did [s]he tighten all the security knobs and have and enforce a good password policy, etc.). It doesn't matter much if you are running OpenBSD and set the root password to "root".
It is this mismatch which is causing the potential identity theft and security problems.
Imagine if you could sign into a Slashdot account with only the UID! We'd all sign in as CmdrTaco and start posting news about Tribbles and whatever else met our approval.
The dangers of knowledge trigger emotional distress in human beings.
Adequate physical security would at least tend to whittle down the list of suspects, should a theft of documents occur, unless everybody off the street has untrammeled access to the records room.
And that alone makes me wish I was black. Plus they dance better.
I'm only 001-1234-202, and there's a lot more people over here... or so the media tells me!