Slashdot Mirror


HS Students Steal SSNs to Prove They Can

thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."

15 of 701 comments

  1. Re:ridiculous by zerbot · · Score: 5, Informative

    From the article, it appears they didn't reveal the security flaws, they got caught. Besides, breaking into systems without permission just to show they are insecure isn't necessary. I've never had anybody who I reported a security problem to just pooh-pooh it, not even when I was a teenager.

  2. Re:Well, is hacking... by _Sharp'r_ · · Score: 4, Informative

    Different SSN prefixes are assigned to specific SS offices to give out. What determines which one you get is which office you get your numbers/original card through.

    In many cases (especially recently), SSNs are applied for semi-automatically through the hospital someone is born in, so in that case the hospital location would determine the prefix.

    Personally, I didn't have a SSN until I was 23 (and only then because I couldn't avoid it anymore without causing myself hassles with otherwise-decent employers that I didn't feel like hassling with), so my prefix is the same as the office I applied through when I got mine at age 23, nothing to do with my birth location.

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  3. Re:Civil Disobedience has its price. by renehollan · · Score: 2, Informative
    What did Jefferson say about the tree of liberty and the blood of martyrs?

    That would be "tyrants" and "patriots", not martyrs. (Though, I suppose a patriot who acts in a way that will result in his death for a noble effort, and recognition thereof, is a martyr.)

    --
    You could've hired me.
  4. Re:Well, is hacking... by Creepy+Crawler · · Score: 2, Informative

    ---Personally, I didn't have a SSN until I was 23 (and only then because I couldn't avoid it anymore without causing myself hassles with otherwise-decent employers that I didn't feel like hassling with), so my prefix is the same as the office I applied through when I got mine at age 23, nothing to do with my birth location.

    I should have clarified myself. The SSN state code is based off of the location of the mail collection where you requested it. So, if you lived in the sticks near a border of a state, and went to the other state's post office, you'd get a SSN associated to that state you requested it from.

    Usually, it is requested automatically when you're born these days. For example, my parents were living in Indiana when I was born, but I was born in Ohio (nearest hospital). As a result, the request was sent from an Ohio post office. Hence, I have an Ohio SSN.

  5. Re:Anonymous snail mail- really? by Anonymous Coward · · Score: 1, Informative

    Don't inkjet printers these days print yellow markers to indicate a GUID or serial #?

    Plus there's the postmark info, fingerprints, the easily identified stocks of paper and ink you used... (hope you bought it w/cash) Not to mention the DNA on skin flakes you forgot to wipe off, and the saliva on the back of the stamp. And all the cameras that recorded you grinning as you bought the paper and then caught you later dropping in that public mailbox.

    On the other hand, they never got the anthrax guy(s)...

  6. Re:ridiculous by Anonymous Coward · · Score: 1, Informative
    Yes, take that, but there is no messenger here. They did the act and got caught. There was no "sending a message." The school found the evidence when they were investigating an unrelated report of a break-in.

    The students committed the act months ago!

    What a dumbass. I bet that if you were on the jury for someone who killed their parents, and that person threw himself on the mercy of the court on account of his being an orphan, you'd be weeping your eyes out. "That poor soul lost his parents and is alone in the world!"

    Take that messenger, indeed. More like: Take that punks! I hope you like community college.

  7. Re:ridiculous by zerbot · · Score: 5, Informative

    What you do then is offer to make a bet. Offer him something nice and juicy, and get it in writing. Never do security testing without written permission.

    I would think that people would have learned from the example of Randal Schwartz. You especially don't want to do it with someone who would be publicly embarrassed by it because you're at high risk that they will file charges.

  8. Re:Well, is hacking... by Creepy+Crawler · · Score: 2, Informative

    Of course they would. There's ranges for many states. It's not just one number.

    There's even some 10 digit SSNs out there. It has to do with the 1950 military personnel or something (I'm still unclear about this one) and their distinctions thereof.

    Most systems that have SSN coding do not account for this, nor do they account for a few 8 digit SSNs used during the thirties (when SS was enacted). Most of the 8 digit ones were renewed to the now 9 standard, but it was not a requirement to have the 9 vs the 8.

    Hopefully, this site will help you understand. http://www.ssa.gov/foia/stateweb.html

  9. Gross or willful negligence by school admin by SgtChaireBourne · · Score: 2, Informative
    You deprive them of their privacy.
    Sorry, but their privacy was deprived the moment some idiot decided to put that information on an accessible server. More has to be known about what efforts the kids made to alert the school administration and get them to fix a problem.

    Focusing on the kids is a load of bullshit anyway. What was the personal data doing on a server accessible from a home computer? It sounds to me like the school administration is trying to create a smoke screen for their gross or willful negligence.

    If the personal data was on a Microsoft server AND it was connected to the Internet, then the school system is in for a world of hurt in the courts: Willful negligence.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  10. Re:ridiculous by Rakishi · · Score: 2, Informative

    "The only way to demonstrate that you can download social security numbers is by downloading social security numbers."

    And the proper way to show this is with a teacher or network person next to you, after telling the school of the possible problem and your desire to show them how it may be exploited (in writing). I am not sure of what type of exploit this was; however, it may have very well been possible to show that one can take the SSNs without taking everyone's (take your friends' or whatever).

  11. Re:Not the Real Problem by aaronl · · Score: 2, Informative

    The private sector isn't supposed to use SSNs to begin with. Take a look at the Social Security Act (1936 I believe) and then at the Privacy Act of 1974.

    We don't need RealID or any other stupid thing, we just need to enforce the existing laws. Just like almost everything else Congress passes new laws about.

  12. An alternative approach... by Bigman · · Score: 2, Informative

    .. with less risk would be to send a formal letter to someone high up that you believe that the information held on that server to be insecure, and ask that it be secured or your information be promptly removed. Offer to demonstrate how the information is insecure, maybe, but point out that since you have informed them of the possibility of an intrusion you will consider suing (?) if *your* information is stolen. That will get their attention!

    --
    *--BigMan--- Time flies like an arrow.. but personally I prefer a nice glass of wine!
  13. A bit too far by dereference · · Score: 2, Informative
    I agree with your main point that SSN has become far more than just an identifier for the SSA, and that indeed this is a bad thing. However:

    Now your SSN is your life for the most part.

    Yes, this is true--though only to a certain extent--but your following argument is quite overstated:

    If someone has your number, they don't even need to know anything else to screw you over. With the number they can do searches and find your name and current residence. With that info they can sign up for credit cards in your name and screw over your credit.

    If this were true, nobody would ever bother to steal a "list of SSNs" from a database! They would just randomly choose any 9-digit number. The security (or lack thereof) is in the linkage between the SSN and a person.

    They can basically steal your identity just by knowing that one special number.

    Again, this is an oversimplification. They still need to know whom that SSN represents. A reverse-lookup, if it existed, would imply that lists of SSNs wouldn't need to be stolen in the first place. Of course the kids in TFA most likely obtained more than just a list of raw 9-digit numbers; they probably also got the linkages between the SSNs and their owners.

  14. Re:Why does a High School have student SSNs? by eluusive · · Score: 2, Informative

    Pretty much all schools have SSNs, and it is pretty friggin' lame. Most schools use them as Unique Identifiers instead of coming up with their own ID system.

  15. Re:Why does a High School have student SSNs? by rpillala · · Score: 2, Informative

    Our school system recently (this year) went from SSN as the student identifier to a 5 digit random ID number. These are used for things such as attendance records, academic records, etc. I think one reason we do have (and we do) students' SSN is for communicating with other school systems who may have their own ID number scheme. Or maybe hospitals. I'm not saying this justifies the school having all this info but that's probably one reason.

    --
    When the axe came to the forest, the trees said, "Look out - the handle was once one of us."