Carnegie Mellon Says Computers Breached

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."

Is This Really News???

[ferrellcat]

Sadly, it seems more astonishing if a day does by when a major personal information breech is NOT reported.

Casual attitude about SSNs

[bigtallmofo]

What exactly were social security numbers doing on that computer?

I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.

I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.

Re:Casual attitude about SSNs

[Angostura]

Well, I suppose there are two ways of thinking about things like the SSN. One way is to consider it a piece of privileged private information that can be used for security purposes.

The other way is to think of it as a piece of information information as public as your first name or hair colour.

It seems to me that SSN now has to be considered in the second category.

The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.

It is this mismatch which is causing the potential identity theft and security problems.

I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.

Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

Looks like a departmental problem to me.

[morph-]

As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

SSN versus ID-card

[Councilor+Hart]

I am not an American, but from Belgium. I am required to carry a ID-card with me. Although the only time the police asked for it, was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money afterall.
So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
It's something I have been trying to understand for years.
I don't feel harassed, having to cary my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police needs a justified reason to ask to see it. The bank can ask for, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...

Re:Why store the SSN?

[fourtyfive]

Because this would only be minutely more secure than storing the SSN itself. Theirs nine digits in a SS #, numbered 0-9, thats 10^9 Even at a meager brute force rate of 1.5 Million MD5Sums / sec, it would only take 11 minutes to break every possible combination.