Slashdot Mirror


U of C Student Information Compromised

fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."

143 comments

  1. seen it before, will probably see it again. by lecithin · · Score: 5, Interesting

    About 3 years ago I ended up finding a site that had a similar problem. It was on a University site and was devoted to students asking their instructor a question. The questions were something like this:

    HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.

    Each entry (about 50) had students' names and social security numbers.

    I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.

    I then contacted one of the students. The page was 'secured' in 1 day.

    I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.

    --
    It could be worse, it could be Monday.
    1. Re:seen it before, will probably see it again. by DrinkingIllini · · Score: 2, Informative

      The University of Illinois, and many other universities I suspect, issues everyone a Unique Identification Number which basically takes the place of the SSN for all university business. Makes a hell of a lot more sense if you ask me.

    2. Re:seen it before, will probably see it again. by richdun · · Score: 2, Funny

      Sad thing is, after four years of Collage, the student found that randomly assembling bits of paper and pictures and such to create works of art doesn't really pay that much.

      But seriously, my college just last year switched from plastering SSNs on IDs and such, IDs used for meals, building entry, even registration at student government meetings, to a university-only number. This doesn't surprise me one bit, and really it could have happened at a lot of colleges a long time ago.

    3. Re:seen it before, will probably see it again. by ednopantz · · Score: 2, Interesting

      The U of C uses 6 digit student ids for routine stuff. No doubt SSNs are somewhere, but the UCID number seems to be the most commonly used id, so it isn't a case of the University using SSNs willy nilly.

      But who cares if someone steals your SSN? Your library card # is what really matters to U of C students. I don't think they can survive long without access to the Reg.

    4. Re:seen it before, will probably see it again. by A+beautiful+mind · · Score: 1

      Well, to point to a working system without the need for SSN to operate universities, in my country we use a university identification string, composed from initials, and some other unique parts based on a random algorithm to make sure they are unique indeed.

      You can use that id for university related business only and it works extremely well. For example to access the website to schedule courses and exams, I need to log in with that university id string and my password. If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      I don't see why universities in the States couldn't use such a system, especially since in my experience it works extremely well.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    5. Re:seen it before, will probably see it again. by Anonymous Coward · · Score: 0

      Who cares if someone steals your SSN?

      If you feel so safe giving it out why don't you post it here on slashdot. Your SSN # in the US is the number that identifies you and your credit history. You can't just get a new # if someone steals it, and if they have it they can open credit card accounts in YOUR name.

    6. Re:seen it before, will probably see it again. by wallykeyster · · Score: 1
      > If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or nothing, unlike systems that use the SSN as the ID.

    7. Re:seen it before, will probably see it again. by Anonymous Coward · · Score: 0

      It is called humor, dumbass.

    8. Re:seen it before, will probably see it again. by BrianH · · Score: 1

      Hey, I just shut one of those down the other day. One of our faculty slapped up a public query form and was writing the students' results, which contained their SSN, name, and address, to a publicly accessible Access db. When I contacted the instructor his response was, "But how can anyone download it if I don't link to it?"

      And therein lies the crux of the problem. On most college and uni campuses, the publishing of data isn't controlled by a "webmaster" or other campus employee. In our case, we give our faculty unfettered access to a Frontpage server and pretty much allow them to publish whatever they want. The upside is that the college isn't responsible for objectionable material, because it's owned by the instructor and posted under the auspices of "academic freedom". The downside is that, when someone does something stupid like this, it's typically the college, and not the instructor, who takes the heat. People fail to realize that for most college web content, the college is acting more like an ISP than a publisher.

      It sounds like this Chicago incident is much the same. It wasn't that the university put up a security free server, but rather that some faculty member or staffer shoved some private data onto a public server without realizing that it became publicly accessible.

      --

      There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
    9. Re:seen it before, will probably see it again. by A+beautiful+mind · · Score: 1

      > That depends on which system they can access once they have your university ID.

      Without a password? Absolutely zero.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    10. Re:seen it before, will probably see it again. by wallykeyster · · Score: 1
      > Without a password? Absolutely zero.

      Christ. What exactly do you think "access" meant? Unfortunately, it isn't uncommon to find student workers who know the SIS username and password of the faculty or staff member they assist.

    11. Re:seen it before, will probably see it again. by A+beautiful+mind · · Score: 1

      That is no longer a problem with the system, it is up to the particular user to keep their passwords secret.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    12. Re:seen it before, will probably see it again. by wallykeyster · · Score: 2, Interesting
      Okay. Let me try to spell it out for you.

      You: If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      Me: That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or nothing, unlike systems that use the SSN as the ID.

      My point was that just because your school uses a less obvious student ID does not mean that all of your data is safe. Your post made it sound like this ID gives you complete anonymity, with your name being the most sensitive information available to someone who learns your ID. I agreed that a seemingly random ID number is better because it has no obvious data in it (unlike an SSN). Yet, the reality is that employees trust student workers more than they should when the same student has worked with them for several years. I am the IT director at a university and I've known of too many offices where a student was entrusted (in violation of policy) with an employee's SIS username and password.

    13. Re:seen it before, will probably see it again. by Dr.+Derail · · Score: 1

      In WV there was a state law passed a few years ago that is now phasing in that no state run institution could display or search off of anything more than the last 4 digits of an SSN. Last summer Marshall University and I'm guessing the other higher ed schools in the reissued all new ID numbers and cards to all the students.

    14. Re:seen it before, will probably see it again. by aaronl · · Score: 1

      You said: "I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible."

      That's OK... neither does the Federal government. It is technically illegal to use a SSN for most purposes, as set forth in the Privacy Act of 1974, as well as the Social Security Act.

    15. Re:seen it before, will probably see it again. by Master+of+Transhuman · · Score: 1


      City College of San Francisco used SSNs up until a couple years ago. They have changed to issuing a Student ID. SSN is still usable, particularly before the student is assigned a Student ID in the application process - something I think is ridiculous. The student should be given a Student ID as soon as he applies over the Web so he NEVER has to enter his SSN subsequent to his application.

      We have begun issuing student ID cards with barcodes which are compatible with the college library barcode systems, but a full student ID with picture (and smart chips and RFID and the like) is still too expensive even for the largest community college district in the country.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    16. Re:seen it before, will probably see it again. by Master+of+Transhuman · · Score: 1


      That depends on the password strength, among other things.

      The SCT Banner college MIS system, for instance, uses a Student ID and a minimalist six-digit PIN number to control access to the student's account. That PIN number would be trivial to break since most people use 6 of the same number or something like '123456'. If you can get the student id (and some instructors insist on posting it on grade reports tacked to their doors), you've got half the access right there.

      If you have a standard system that requires at least eight characters for a password, with a mix of upper case, lower case, numbers, and special characters, that is better.

      But then it depends on students keeping their passwords secret successfully - and that is extremely unlikely for any student not in an IT class who has a clue.

      As an example, at City College of San Francisco, we issue barcodes on student ID cards which can be used in the college library to check out books and access the library terminals for email and the like. Students "lose" these cards at a phenomenal rate. I say "lose" because most of the time they just forget them at home, then come in to the Registration Center to get a new one - so we had to design the ID application to cancel the old barcode and issue a new one, so that multiple cards with the same barcode could not be used at the library. This is a security issue as well, as students have been known to use the library email access to send threatening emails to instructors - obviously anyone who finds a student's card with a usable barcode could cover his tracks in this regard.

      So expecting students to protect their passwords is probably not too realistic.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    17. Re:seen it before, will probably see it again. by dj245 · · Score: 1

      Try this page. Last semester this page included SSN's with the home addresses and emails. It also used to have phone numbers. Due to public outcry some of the personal details were removed. But not all. There is no reason this page is linked directly from http://www.mma.edu/ (academics, Student Schedules spring/fall)

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    18. Re:seen it before, will probably see it again. by luigi1015 · · Score: 1

      I am a student at the UofC and know that the university uses a separate 6 digit ID number for identification.
      It sounds like to me this is more like there were some files out on the Web server that listed the SSNs of some of the students and had improper permissions.
      But yes I know this can be a huge problem. I used to go to a small university where they did use the SSN for an ID, mostly due to laziness. They didn't want to go through the trouble of having to create another unique ID for each student. I worked in the computer helpdesk as a work study and we would always ask their SSN when a student wanted their email password reset. On a busy day we might get a few dozen resets.
      Needless to say it was a huge risk. A worker with bad intentions or the wrong person overhearing someone recite their SSN could be disastrous. This situation wasn't helped much by the student workers since we usually had at least half a dozen student workers each semester and they were coming and going like crazy. Thankfully they changed over to another ID about a year ago.

  2. Add it to the list by WebHostingGuy · · Score: 1

    of companies who are losing data by the minute.

    Seriously, doesn't anyone take privacy seriously?

    --
    Quality Hosting e3 Servers
    1. Re:Add it to the list by CyberNigma · · Score: 0

      sure. the guys taking the numbers sure do, in the form of profit :-)...

    2. Re:Add it to the list by Saven+Marek · · Score: 3, Insightful

      > Seriously, doesn't anyone take privacy seriously

      The sites don't take it seriously because the students don't take it seriously.

      if privacy info was treated like money or like cars or like anything else people attach "worth" to then the blocks would have been patched 10 years ago and never allowed to leak!

      but people don't care about privacy breaks. you could have a telemarketer phone 100,000 people and say "hi is your name xxxxx and social security number yyyyyyy? if so then we have a deal for you!!!" but nobody would care.

      but if you had a telemarketer phone and say "hi I have your car here with me would you like a deal" well I bet law enforcement would close them down in days.

      but it's not going to happen because people in general don't care when their private details are let out. like if people get emailed by a company to their own name and address, they accept it. they get viruses they accept it. they get telemarketer custom phonecalls and they accept it.

      too used to it happening to care now are people.

    3. Re:Add it to the list by Anonymous Coward · · Score: 0

      I wonder if such a list exists. It would be interesting to see how rampant this is, especially combined with an "anonymous tip" feature.

    4. Re:Add it to the list by a_greer2005 · · Score: 5, Interesting
      It is hard to take security seriously when NO ONE around you does. Here at school I have to give my SSN for everything, and every document I receive from the school has my SSN on it. I have repeatedly complained but no one gives a rat's ass, I point out situations like this and it falls on deaf ears.

      the problem is the "It can't happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. it seems like no one will learn until it is too late for them.

      the worst part is there is not a god damned thing I can do about it, everyone, like trained drones, gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...

    5. Re:Add it to the list by yali · · Score: 2, Interesting

      If you call the cops and say "somebody has stolen my social security number," do you really think you'll get the same reaction as if you say somebody has stolen your car?

      In a weird way, this problem seems like a bass-ackwards parallel to copyright infringement. In both cases, it is unlike a traditional theft because information is copied with no loss to the original holder. So the infringers do not value the information as much as the infringed-upon. (But in this case, the little guy is the one getting infringed upon, and the big institutions are the infringers.)

      In other words, universities and corporations do not intrinsically "lose" anything when somebody breaches their system and "steals" people's SSNs. They only lose if they get caught and if there is some sort of penalty (like a really expensive lawsuit). Until the legal system starts whacking them in a way that hurts, this problem is going to keep coming up.

    6. Re:Add it to the list by slashdot.org · · Score: 1

      Well, I'm certainly no expert on the subject of this matter as a resident (as opposed to a citizen), but perhaps you could mention that you will hold them responsible for damages?

      I would think that especially a formal letter to that regard should stir up some things.

      In any case, I do agree with others that the problem is with the value that a SSN (combined with some other personal data) has. But that's the reality of the situation. If people don't take you seriously, it would perhaps be an idea to mention something like, 'fair enough, so long as you understand that in case of identity fraud, I will hold _your_ organization responsible for any damages'.

      Just a (perhaps simplistic) idea.

    7. Re:Add it to the list by dj245 · · Score: 1

      I disagree. There was a direct link to a webpage with SSN's of every student on the main page at http://www.mma.edu/ Due to student outcry, the SSN's and phone numbers were removed. The page is still linked, however, and still contains home addresses and emails. That page is here

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    8. Re:Add it to the list by Anonymous Coward · · Score: 0

      the fact the page is still there proves the students don't care enough. if they did, they would force its removal.

      it's still there, so they don't.

  3. For once, by imcclell · · Score: 0, Interesting

    an internet problem that can't be blamed on IE

    1. Re:For once, by raolin · · Score: 1

      Oh come on, I'm sure we can find SOMETHING here to pin on IE, we just need to look harder.

      --
      "It is sad to see a family torn apart by something as simple as a pack of wild dogs."
    2. Re:For once, by Anonymous Coward · · Score: 0

      Well, you could use IE to download the file containing all the data so there is an IE connection even if it can't be blamed on IE.

  4. Adding Insult to Injury by booyah · · Score: 2, Funny

    Now their webserver seems awfully slow and unresponsive...

    Sysadmins are reporting a MASSIVE distributed denial of service attack... then they head over to /. to see how the rest of the world is going.... aw shit!

    --
    #include sig.h
  5. 1 ... 2 ... 3 ... by darkonc · · Score: 0, Troll
    OOPS!

    What more is there to say?

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  6. SSNs as Student ID Numbers by EnronHaliburton2004 · · Score: 4, Interesting

    I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.

    About 8 years ago, a City College of San Francisco sent out a bunch of postcards to the students (There are tens of thousands of part-time students there). The postcard (No envelope) contained some information on how to register, and a reminder of the students Student ID Number-- which was a SSN. On a fricken postcard.

    1. Re:SSNs as Student ID Numbers by fhqwhgads · · Score: 0, Redundant

      That might be true, but in the case of the University of Chicago, it is not. Student ID numbers are separate from SSNs.

    2. Re:SSNs as Student ID Numbers by eggoeater · · Score: 1

      I was about to ask "Wasn't using SSN as student ID numbers outlawed?" but obviously it isn't. My second year of college (1989) is when my university switched from SSN to 6 digit numbers. I thought all colleges did that in the early 90's.

    3. Re:SSNs as Student ID Numbers by raolin · · Score: 1

      My alma mater used SSN's for student ids until 2 years ago. They then (for our protection) implemented new id cards that had only 2 things on the mag stripe. The first was your new student id (also printed on the card), the second was a counter, so if you got a replacement card it incremented and the old one was no good. So, an unscrupulous person could swipe your card, re-encode it with the updated count, and do whatever they felt like on your credentials.

      Creepy as hell.

      --
      "It is sad to see a family torn apart by something as simple as a pack of wild dogs."
    4. Re:SSNs as Student ID Numbers by JJ · · Score: 1

      U. of C. does not use SSNs as student id numbers (or at least they didn't when I was there.)

      --
      So long and thanks for all the fish . . . !!!
    5. Re:SSNs as Student ID Numbers by Anonymous Coward · · Score: 0

      > I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.

      No.

      The actual problem is that knowing somebody else's SSN is actually useful. What we need is for the Social Security Administration to step forward and say:

      "This is getting ridiculous. SSNs were never designed as personal passwords, just unique identifiers. In 12 months, we are going to publicize every single SSN, so everybody else has that long to get their collective shit together and use some real form of authentication"

    6. Re:SSNs as Student ID Numbers by Scott+Laird · · Score: 1

      Yeah, they haven't used SSNs for student IDs for at least 15 years.

    7. Re:SSNs as Student ID Numbers by Anonymous Coward · · Score: 0

      Except that the SSA wants everyone to have an SSN, and unless it is required for normal life (home loans, bank accounts, student loans, GETTING A FREAKIN' JOB, dependents on tax returns, etc.) a lot more people would simply opt out of the system. The SS system is still technically optional, it just happens to be nearly impossible to live a normal life in our society without one. Believe me, the SSA likes that part of the status quo JUST FINE.

    8. Re:SSNs as Student ID Numbers by Cally · · Score: 1

      There was a recent discussion on NANOG on this topic which ended with a fairly definitive statement from One Who Knows This Shit (actually it was Dan Golding) that virtually no colleges use SSNs as unique IDs any more; but that they have to maintain *old* data, which *did* use SSNs as UIDs. I'm paraphrasing, badly; go read the archived post.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    9. Re:SSNs as Student ID Numbers by cheesewire · · Score: 1

      What is it with the US and social security numbers? How different are they from, say, a UK NI number?

      The only times I've ever needed my NI number have been:
      a) When I got a job
      b) When I registered to not have tax on my bank account interest.
      c) When applying for a US visa

      AFAIK my university doesn't know my NI number.
      To identify us we get a 7-digit number, which is pretty much only useful in exams, where it's printed for us, and a six-letter (half's our initials) code/email address used to identify us on a day-to-day basis by lecturers etc..

    10. Re:SSNs as Student ID Numbers by BrianH · · Score: 1

      There's a reason why CCSF, and many other public colleges, uses the SSN. Most public colleges are funded by the state based on enrollment, and are required to regularly submit enrollment and financial aid reports to their funding agencies (in the case of CCSF, the CCC Chancellors Office). These reports are legally required to include the SSN for each listed student (used for a wide array of purposes ranging from fraud prevention to tax reporting). Since the basic structures of most school record databases have their origins in the mainframe days, they were created when having TWO unique identifiers for each record was considered wasteful and identity theft was virtually unknown. Though the databases themselves have been updated, the data structures themselves have simply been crosswalked, retaining that SSN dependence.

      Changing to a student ID means retooling databases that may have 30 years worth of records in them. On top of that, it usually requires replacing or rewriting whatever software they use to interface with that database to support the new key (my own college recently spent over three million bucks and spent two years to do exactly this).

      --

      There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
    11. Re:SSNs as Student ID Numbers by aaronl · · Score: 1

      As I've said many times, they could also just enforce existing laws. You aren't allowed to use a SSN except for Social Security and for matters specifically exempted by law. Look up the Social Security Act, the IRS exemption from 1962, and the Privacy Act of 1974.

      Your bank and your school, etc, isn't supposed to be using the SSN at *all* for this sort of thing.

    12. Re:SSNs as Student ID Numbers by Master+of+Transhuman · · Score: 1


      Yes, that WAS true eight years ago. Today City College uses a Student ID number - the SSN has been removed from the Student Schedule/Bill if I remember correctly (I had to rewrite it for the barcode project, but I think it was removed before that.)

      They still need to only ask for the SSN during application and issue the Student ID IMMEDIATELY upon completion of the Web application. The problem is the Banner system uses a batch job to stage the Web applications, then move them into Banner later, so the Web application isn't truly interactive with Banner.

      A good reason to ditch that incredibly expensive monstrosity that is Banner, in my opinion.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    13. Re:SSNs as Student ID Numbers by ottothecow · · Score: 1
      though there still exists web-based usage of SSNs: I had to use my SSN a couple of weeks ago to claim my CNetID/email/access to class of 2009 site.

      Who knows, maybe that's where the numbers were showing up.

      --
      Bottles.
  7. Alumni reaction by JJ · · Score: 4, Interesting

    As an alumni of the U of C, I have to say I'm not surprised. DCS was never permitted near the IS office and the enmity between the two just caused IS to be the most frequent target of pranks by DCS students.

    --
    So long and thanks for all the fish . . . !!!
    1. Re:Alumni reaction by dijjnn · · Score: 0

      As an alumni of the UofC, I have no idea what 'IS' and 'DCS' stand for. If one of those would now be called 'NSIT' or 'USITE' or something of that nature, then ok, I understand that.

      I worked at the only NSIT independent computer lab on campus (http://maclab.cs.uchicago.edu/) and I'm very familiar with NSIT. While I never thought much of NSIT as an organization (company, actually), I have to say that in general they're pretty good about security; I would definitely like to know what component of their organization was responsible for this.

      --
      ~dijjnn
    2. Re:Alumni reaction by Anonymous Coward · · Score: 0

      Yeah, I suspect that the Grandparent poster is a very non-recent alumn. I believe that a lot of the current NSIT used to be split into different organizations...but that was long before I was a student there. Having been an RCA for a few years (they still have those?) I think NSIT generally does a pretty good job on the security front.

      -Devon

    3. Re:Alumni reaction by NeuroBoy · · Score: 1

      As an alumni and one whose graduation date falls within the years where data may have leaked I can say I'm a little disappointed with administrators.

      I was never overly impressed with the quality of staff that the university employed as systems administrators. By and large the students that worked the various posts made available to students were far more qualified and up-to-the-task.

      That said, I realize that administrators can't be responsible for all the content posted on university sites. However, any decent sized organization such as universities need to have data screening mechanisms for SSNs at the very least.

      How hard is it to run a few shell scripts once or twice a month looking for strings matching suspicious data patterns... They've done it for years looking for pirated software, MP3s, etc.
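
The periodic sweep suggested in the comment above, as an added example that is not part of the original thread or any university's tooling: it counts SSN-shaped strings per file under a document root and marks the files whose mode lets any local account read them. The function names, the directory layout and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a web document root for
# SSN-shaped strings and flag the files that any local account can read.
# Needs a grep with -o and -w (GNU and BSD grep both provide them).

# Print how many plausible SSNs (ddd-dd-dddd) appear in file $1.
# Values the SSA never issues are dropped to cut false positives:
# area 000, 666 or 900-999, group 00, serial 0000.
count_ssn_candidates() {
    { grep -IowE '[0-9]{3}-[0-9]{2}-[0-9]{4}' "$1" 2>/dev/null || true; } |
        awk -F- '
            $1 != "000" && $1 != "666" && $1 < 900 &&
            $2 != "00" && $3 != "0000" { n++ }
            END { print n + 0 }'
}

# Succeed if the "other" read bit is set on file $1.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Walk directory $1 and print one tab-separated line per file holding
# at least one candidate: exposure, candidate count, path.
# File names containing newlines are not handled.
scan_webroot() {
    find "$1" -type f -print | while IFS= read -r f; do
        n=$(count_ssn_candidates "$f")
        if [ "$n" -gt 0 ]; then
            if is_world_readable "$f"; then
                exposure=WORLD-READABLE
            else
                exposure=restricted
            fi
            printf '%s\t%s\t%s\n' "$exposure" "$n" "$f"
        fi
    done
}

# Build a small constructed tree under directory $1 (no real data).
make_sample_tree() {
    mkdir -p "$1/pub" "$1/staff"
    cat > "$1/pub/roster.txt" <<'EOF'
name,ssn
Student A,123-45-6789
Student B,234-56-7890
placeholder,000-12-3456
test row,900-12-3456
EOF
    cat > "$1/staff/export.csv" <<'EOF'
Student C,345-67-8901
EOF
    cat > "$1/pub/index.html" <<'EOF'
<p>Call 773-555-0100; ref 1234-56-78901</p>
EOF
    chmod 644 "$1/pub/roster.txt" "$1/pub/index.html"
    chmod 600 "$1/staff/export.csv"
}

# Scan the directory given as $1, or a throwaway constructed tree.
if [ -n "${1:-}" ]; then
    scan_webroot "$1"
else
    demo_dir=$(mktemp -d)
    make_sample_tree "$demo_dir"
    scan_webroot "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Rows marked WORLD-READABLE are the ones to review first, since that mode is what lets accounts unrelated to the site read the file.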

    4. Re:Alumni reaction by Anonymous Coward · · Score: 0

      Same feeling here - class of 2k.

      I know of at least two severe breakins (not counting this one) and I wasn't 'in the loop' looking for that kind of information. That's off the top of my head.

      Not sure if the staff's changed much but back in the late nineties and beginning of this century they were pretty ugly.

    5. Re:Alumni reaction by Vann_v2 · · Score: 1

      Yes they still have RCAs, but RCAs are completely unaffiliated with NSIT (as I'm sure you know). They're employed through Residential Computing, which is part of Residence Halls & Commons.

    6. Re:Alumni reaction by aliebrah · · Score: 2, Insightful

      I'm an alumnus of UChicago as well, I've posted a blog entry about how I think this event has been handled.

  8. Here at the UW we don't use SSN by WillAffleckUW · · Score: 1

    We have separate Student ID and Employee ID and we use those for everything except tax forms.

    But my sister works at UCSB and she says a lot of colleges and universities in the UC system still use SSN, at least just a while ago when she was working on a task force for data interchange.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. Love the name... by rnturn · · Score: 1
    ... of the campus paper.


    --
    CUR ALLOC 20195.....5804M
    1. Re:Love the name... by Anonymous Coward · · Score: 0

      it is Maroon, you moron

    2. Re:Love the name... by EmperorKagato · · Score: 1

      Those morons(Maroons) are the same ones that will be saving your life! ------ You made my girlfriend cry.

      --
      ----- You know you have ego issues when you register a domain in your name.
    3. Re:Love the name... by Frumious+Wombat · · Score: 1

      Personally, i always loved the campus motto: "Where Fun Comes to Die".

      I miss U. of C.

      Wonder what the Chicago Weekly News' (the less disciplined, more anti-authoritarian, campus paper) take on this incident will be?

      --
      the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken
    4. Re:Love the name... by Anonymous Coward · · Score: 0

      You know, people say the Maroon sucks.

      The Maroon doesn't suck, People Were Robbed, That Sucks.

      But the Maroon doesn't suck.

      (Yes, that was an actual headline)

    5. Re:Love the name... by rnturn · · Score: 1

      Lighten up.

      I knew that. I used to spend quite a bit of time at UofC years ago. Ran many a time on their old dirt indoor track (they used to hold indoor marathons on that beast) as well as in their 'new' fieldhouse (well it was new in the later '70s). Spent many a summer at the productions of the Court Theatre when it was held outdoors on campus. One of my favorite bars in the world is Jimmy's (God rest his soul), dive that it is. A couple of friends have taken advanced degrees from there. As a result, even though I never was enrolled there, I'm familiar with The Maroon.

      I suggest you rent a copy of some old Looney Tunes. Maybe you'll get the humor in "The Maroon". Then again, maybe you won't.

      --
      CUR ALLOC 20195.....5804M
  10. Colleges are stupid by Anonymous Coward · · Score: 0

    For the most part, colleges don't really seem to care about the students. You are a number, and that number is your SSN.

    I'll never forget at my college, the way they listed which freshmen had which advisors. They printed out a sheet with advisor name, student name, and student SSN. They then posted this on the bulletin board in the lobby and pinned a blank piece of paper over the SSN column.

    Now that's brilliant security!

  11. Meanwhile by Anonymous Coward · · Score: 0

    30 million illegal immigrants work in the US without social security numbers.

    Which brings us to the point: Social Security numbers are already completely compromised.

    1. Re:Meanwhile by rovingeyes · · Score: 1

      Hmmm... Anonymous coward posting about compromised SSNs. Hey do you have any spare I can use? Man my credit history is fucked up ;)

  12. Hey, you know what... by Goronmon · · Score: 2, Funny

    At least they don't use your SSN as your ID number and print it on everyone's ID card like my school does =|

  13. Bigger Problem by twistedcubic · · Score: 1

    I think this is so common because of the flat refusal of many organizations to pay programmers and administrators anything close to what they're worth. You get what you pay for, but nobody seems to care.

    1. Re:Bigger Problem by Anonymous Coward · · Score: 0

      I think you're absolutely spot on there. IT and computers in general have become 'popular'. The problem is that people don't understand that programming allows for a very small margin of error, and this can result in bugs, unmaintainable code, and security issues. Instead, managers hire cheap idiots who have little/no skill, and/or outsource to places like India where cost comes first, and quality takes a very distinct second place. Unlike something like manufacturing, a single mistake in a piece of software can be a disaster.

    2. Re:Bigger Problem by Ffakr · · Score: 1

      This is true, and it's absolutely wrong at the same time. How cool is that.

      I'll make the disclaimer now, I'm a UC employee and I work in IT. I'm not affiliated with NSIT, the group under whose watch this problem occurred.

      First off. There are plenty of very smart people working at UC. The quality and the size of the central IT staff is superior, imho, to that of my previous employer.. a State University that was actually larger (plenty of friends on staff at that State university and they are good smart people too.. I'm making broad comparisons here).

      As for pay, Yes, Education pays less than the 'real world'. It often pays MUCH less. UChicago doesn't pay salaries comparable to the corporate world but it's far from the worst EDU in the area in this regard. EDU staff doesn't tend to come or stay for the pay, however. Working in EDU is often a geek's dream. Flexible hours.. I know plenty who work 2pm till they are done because they prefer that. Getting good work accomplished is more important than being at your desk at 9am. Great benefits... 4 weeks vacation/personal holiday to start at UC.. more at the last University I worked for staff with a degree. Overall, a fun, relaxed, and often challenging work place where you help interesting people day in and day out.
      Bottom line, there are plenty of very very intelligent, very very talented people doing IT at Universities and they are retained because they'd rather be happy with a smaller pay check than miserable and rolling in dough. (I wish it could be both as much as anyone).

      All that said, yes, there are plenty of dumb asses doing IT at Universities. One pattern I see is that smaller groups like Departments and Institutes will hire Techs for internal use but they won't seek out the right people on campus to properly evaluate the applicants. It's awfully easy to BS your way through an interview when the interviewers are the ones desperate for tech support because they are clueless about computers.
      Me, I interviewed with one of those people.. and an associate Director of NSIT. That and an internal reference are the reasons my position isn't currently filled by a real dumbass (just my minor and occasional dumbass-id-ness).

      OK, nuff of my rant.
      Read the story again. It appears that NSIT may not have even been responsible for creating this problem. The University of Chicago has a professional web developer on retainer. From the story, it looks like a web developer put a sensitive file in the wrong location with the wrong permissions. I'm not sure if this was even caused by an NSIT staff member.

      BTW: The current security group on campus is actually quite good. I'm very happy with them, they are really on top of their stuff as far as network monitoring, reporting, and control. Machine gets violated and bam, the port is off with a quickness. The report shows up in our email immediately and we can go off to see who brought an unsecured box into our division without even bothering to ask us about whether it's buttoned down. :-)

      --

      I'm not feeling witty so bite me

    3. Re:Bigger Problem by Master+of+Transhuman · · Score: 1


      Well, sometimes you DON'T get what you pay for. An IT administrator with no clue can be devastating to an organization regardless of what he's paid.

      Case in point: City College bought the SCT Banner MIS system for over a million clams, along with $150K or so a year for "support".

      Then, to get REAL support, they hire a consultancy called SIG, and pay THEM $115K/year - just a couple weeks ago raised by another $85K to $195K just to "finish the conversion to Banner 6".

      As I've said before, if the College spent that money on re-engineering an OSS/inhouse version, they would save themselves a million bucks over five years after deployment. (Not to mention license fees for Oracle, HP/UX, etc., ad infinitum.)

      Of course, morons on /. have claimed that isn't feasible for a variety of lame reasons.

      The point is, colleges are willing to PISS incredible amounts of money away for bogus reasons, then nickel and dime their staff for everything else.

      City College spent an ungodly amount of money - MILLIONS - on refurbishing the windows in Science Hall, for Christ's sakes! (And the windows all looked perfectly damn good to me - I suppose the justification was to reduce energy bills or something. Nobody's noticed any difference in the classrooms I've sat in this last semester.)

      Now they want to spend a couple hundred thousand on workflow software - with a ton of mature OSS workflow products available.

      Meanwhile, the head of the Registration Center can't hire a 20-hour-a-week clerk to help out. And I can't get hired there because my boss says HIS boss says there's "no money" - but he also tells me the college can contract with me for any amount of money!

      It's organizational politics and incompetent management at the base of it.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Bigger Problem by Vann_v2 · · Score: 1

      No, it's not even that. The server which had the sensitive data was not a server on which anyone should be putting anything sensitive. Dozens and dozens of people have some level of access, from students unaffiliated with NSIT to people working on the server itself, and the policy is clear: don't do stupid things like put up private information!

      So, some organization within the University (who I won't name) basically put up world-readable files with sensitive information on Krypton and, surprise, other people with access to Krypton were able to read said files.

    5. Re:Bigger Problem by Ffakr · · Score: 1

      Thanks for the additional info. I'll admit, I've still not read the other links like that Maroon article.

      In the post you replied to, I was specifically trying to quell the absolutism and idiocy that is too common on slashdot (by a minority I like to believe).
      I primarily wanted to point out that lower pay than the industry doesn't mean there aren't talented people. There are a lot of talented people in NSIT, on campus, and at most if not all Universities. I know plenty of people who are more than smart enough and talented enough to do the grind in corporate. I know some who have and immediately returned.

      I'm not excusing NSIT or WHO EVER was directly or passively involved. It's a major F up. I can't imagine why a file with SS#s was up there in the first place (though I've done this work long enough to know that just because I can't see the purpose outside the black box, that doesn't mean it isn't there).

      thanks,
      ffakr

      --

      I'm not feeling witty so bite me

    6. Re:Bigger Problem by Ffakr · · Score: 1

      I wish I could edit posts. :-)
      I went and reread my initial post and I can easily see that it appears to let NSIT off the hook too easily. I really intended to say 'don't crucify them yet till you know the facts' but it did come out as 'this isn't their fault, it's the outside web developers'.
      I didn't intend that, I only meant to demonstrate that it's more complex an issue than nsit must have done it.

      That's what I get for posting just before bed.

      --

      I'm not feeling witty so bite me

  14. Google Search!! by TubeSteak · · Score: 3, Informative
    Uni & Colleges are notorious for their insecure networks.
    They practically bleed information.

    http://www.google.com/search?q=site:edu

    You can dig up SSN's, passwords, and various other juicy tidbits.

    College mailing lists are also a nice treasure trove. They tend to be publicly archived, but the people mailing stuff out don't seem to be aware of the fact.

    They're also a good read just for the intra-office drama.

    --
    [Fuck Beta]
    o0t!
  15. Focus is on the wrong problem. by Distan · · Score: 4, Insightful

    It seems like most of the focus is on how universities and companies aren't doing enough to secure this data, and that somehow if they try hard enough identity theft will go away.

    That is completely the wrong problem to solve.

    The true problem is that we have developed a system where knowing somebody's identifying information (name, address, SSN, DOB, etc) gives you power. Instead of approaching the impossible task of keeping this information secure, we should instead approach the solvable task of dismantling the system that gives this information so much power.

    Imagine that the "master tape" of SSNs for every citizen in the United States had been publicly leaked, and that it was being openly shared on P2P networks. How would we put the cat back in the bag? If you can solve that question, then you are on the right path.

    One idea: pass a law prohibiting anyone, governmental or non-governmental, from using the SSN for any purpose other than administrating social security taxes. Take the power away from that number. Since nobody would ask for it, or care what it was, for anything except your social security taxes, no harm could come from sharing it.

    1. Re:Focus is on the wrong problem. by TubeSteak · · Score: 1

      Two words: Mission Creep

      --
      [Fuck Beta]
      o0t!
    2. Re:Focus is on the wrong problem. by john_anderson_ii · · Score: 1

      I agree that is the right track of thought. Unfortunately, the alternatives might put us back in the same boat.

      When applying for a credit card, what would we use as personal identification if the SSN was omitted? Wouldn't that then mean that anyone who knows my address, name and phone number, i.e. anyone who has access to the white pages would be able to take out a credit card in my name? Short of biometrics I don't see an alternative. Maybe I'm not creative enough.

      --
      Be Safe! Sleep with a Marine. Semper Fi!
    3. Re:Focus is on the wrong problem. by George+Tirebuyer · · Score: 1

      The SSA should issue two types of numbers. Your Social Security Account number which remains a secret known only to you and them that is permanent, and a pointer number for public consumption that can be changed on demand to be used on tax forms and by banks etc. The SSA computers could keep track of whether the public number is active and matches the name given.

    4. Re:Focus is on the wrong problem. by Anonymous Coward · · Score: 0

      Then they would require a national ID number and then people will request it for everything. Then what happens when that gets out? It doesn't matter what the info is. The peoples in charge decided the SSN was proof of who you were.

    5. Re:Focus is on the wrong problem. by pregister · · Score: 1

      Public and private key SSNs? Nifty.

    6. Re:Focus is on the wrong problem. by toddestan · · Score: 1

      When applying for a credit card, what would we use as personal identification if the SSN was omitted? Wouldn't that then mean that anyone who knows my address, name and phone number, i.e. anyone who has access to the white pages would be able to take out a credit card in my name?

      And how exactly is that different from the current situation?

    7. Re:Focus is on the wrong problem. by john_anderson_ii · · Score: 1

      It's no different. That's exactly the point.

      --
      Be Safe! Sleep with a Marine. Semper Fi!
  16. Wow... by coop0030 · · Score: 1

    Either companies (or schools in this case) are getting more careless with delicate information, or it is being publicized more. I would tend to think that some organizations are getting so large that they can't possibly keep track of where all their information is at all times.

    I am not that concerned about identity theft as others, but it is happening so often that maybe these companies should be held accountable.

    I mean, just last week alone 600,000 people had their identities sold from 6 separate banks (this was a little different, but still...).

  17. @#$@#$ NSIT by Anonymous Coward · · Score: 1, Informative

    I *work* in Desktop support at U of C and this is how I find out about it...

  18. SSN BOFH by Anonymous Coward · · Score: 0

    What is your logi^H^H^H^HSSN number, again?

  19. Alumna reaction by jokestress · · Score: 1

    I have sent three letters to the U of C Registrar's Office this year after two department secretaries supplied information to a cyberstalker about me from their available files. Cal Black, the Registrar, said he'd get back to me, but of course he didn't. What a bunch of Maroons. Not surprised here.

    --
    Evil sig is livE.
    1. Re:Alumna reaction by terranwannabe · · Score: 1

      Well, gee, since his name is THOMAS Black (http://dos.uchicago.edu/staff.html), I'm not surprised he never got back to you. It always helps to make sure of the name of the person you're talking to...shows a little respect.

      --
      If I have not seen as far as others, it was because giants were standing on my shoulders. --Hal Abelson
    2. Re:Alumna reaction by jokestress · · Score: 1

      Actually, he wrote back today to say he was still working on it. Said they'd had several meetings on this recently. I had his name correct in the letter. It had been so long since I'd originally written him, I'd forgotten his name when mentioning him here.

      --
      Evil sig is livE.
  20. Same thing for Purdue University by geders · · Score: 2, Informative

    http://www.itap.purdue.edu/newsroom/news.cfm?newsID=436

    Only affected about 11,360 current and former employees...joy. They have switched over to a new numbering system, but only a few of the computer systems can handle the new numbers. They tell us to not use the new numbers just yet. Hehe...looks like by the _end_ of 2006 they'll have switched over...

    1. Re:Same thing for Purdue University by Anonymous Coward · · Score: 0
      It's not a simple task. If they're like the University I work for, there are lots of departments which rely on data feeds, and the student ID number is used as the primary key. Since historically the ID number has been the SSN, that's what's in databases all over the place.

      Central IT may have the task of coordinating with all of these departments to get them switched over to using a new ID. So whose fault is it if a department doesn't make the deadline they're supposed to? Central IT receives the blame, but there's nothing they can do.

      And then there's University politics which probably enters the picture in some form. That inevitably slows things down a lot more.

      If they're done switching over by the end of 2006, that's still ahead of where most other universities will be.

  21. The more important question... by Anonymous Coward · · Score: 0

    The more important question right now is: How can we blame this on Microsoft?

    If it's about human stupidity, then it's not interesting but, if it's about Microsoft's incompetence, well that's a different kettle of fish.

  22. Ignorance is Strength by Doc+Ruby · · Score: 1, Interesting

    These SSN "leaks" will all be fixed by Bush. He'll replace the SSNs with an actual universal ID#, used throughout the American Hegemony, and destroy Social Security itself. Everyone knows socialism is dead, so Social Security is no security at all, right? Instead, we'll have Capital Security, in an "ownership society", where anyone's identity can be bought for a price, and security is just another profitable industry.

    --

    --
    make install -not war

    1. Re:Ignorance is Strength by Doc+Ruby · · Score: 1

      You fascists are getting so tired that your mask is slipping. Bush tries to destroy Social Security, simultaneously pushing a mandatory, international universal ID card among the rising tide of identity theft. And you demand that Americans be gunned down against the wall.

      You blame some imaginary Social Security threat to the Constitution on FDR, though it's been 50 years, and we've become much more fascist, not Communist, ever since. With even the "Number of the Beast" remaining merely a bureaucratic method for ensuring minimal pensions, rather than certain poverty, for hundreds of millions of Americans. Your parents and grandparents, no doubt, included. Until your boys got control, when they started destroying everything they touched. And all you've got is nonsense about Communists, gloating over presidential assassinations, fascist cliches about presidents and irrelevant blowjobs. And breathless demands for your fellow Americans to be executed.

      Thank you for clarifying just what kind of fascist zombies are lined up behind Bush, your hero. I'm not waiting for the state to execute you, Anonymous fascist Coward. Why don't you come out behind your anonymous apron, your whining for the state to make the scary people go away? Why don't you come out here to NYC, so I can pull your head out of your ass, right before I rip it off your neck?

      --

      --
      make install -not war

    2. Re:Ignorance is Strength by Doc+Ruby · · Score: 0, Offtopic

      Moderation -1
      100% Offtopic

      The trend in SSN theft and SS destruction is "Offtopic" to the topic of U of C SSNs being published? TrollMods are antisocial and insecure.

      --

      --
      make install -not war

  23. Question? by anandpur · · Score: 1

    How long will it take someone to compile a complete (nearly) database of all US citizens? That will include almost vital information. What will be its use?

    1. Re:Question? by disposable60 · · Score: 1

      You've never heard of Equifax, ChoicePoint, TransUnion, or MBNA?

      It's not your information. It's information about you.
      -- John Ford, Vice President, Equifax

      --
      You're looking for quotes? See my journal.
  24. Just a quick FYI by skwang · · Score: 2, Informative
    As a UC student I just want to let slashdotters know that the university does not use our SSN as our student ID.

    That doesn't excuse the networking staff from allowing this breach to occur, but I thought I would set the record straight.

    1. Re:Just a quick FYI by Vann_v2 · · Score: 1

      Krypton was never designed to be a secure place to store files, and has thousands of users. This is no different than making files in your home directory world readable and then being surprised when users on the same machine can -- *gasp* -- read your files.

      None of these files were ever, as far as I know, available directly from the internet. You had to have access to Krypton, at the least.

    2. Re:Just a quick FYI by Anonymous Coward · · Score: 0

      Yep. RTFL:

      "There are over a half million files on the server, most of which are managed by staff and student employees around campus," Bartlett said.

      So, it looks like the U of C's networking people are acting as a sort of colo, and someone with space on their server screwed up. Now they're recertifying everyone who uses the service, but sooner or later one of those recertified people will make the same mistake again.

      As another poster pointed out, the real problem is reliance (by lots of places, not just universities) on SSN's as not-private-enough keys.

    3. Re:Just a quick FYI by Vann_v2 · · Score: 1

      First off, no, the problem is being fixed over this weekend. Even if someone does something stupid again, the files will not be exposed to other users.

      Second, Chicago does not use SSNs as student IDs.

    4. Re:Just a quick FYI by 44BSD · · Score: 1
      It takes a whole weekend to do this?
      # find /home -print0 | xargs -0 chmod og-rwx
    5. Re:Just a quick FYI by Anonymous Coward · · Score: 0

      Umm, in the real world, we don't let things like that happen. There is no reason someone should be able to make a file like that available. The old adage that the user is to blame just doesn't work when they are not the only one responsible. Being a former student, frankly, I'm wondering who I need to sue to make sure that even temporary files aren't accessible to everyone. I can almost guarantee that no one made these files world readable. They just wouldn't have known how to. This whole problem could have been fixed by just making files readable by only owner by default. Just another instance of negligent administration.

    6. Re:Just a quick FYI by Vann_v2 · · Score: 1

      I hope you're never put in charge of a serious web server.

      I don't think you understand the size of Krypton and just how many files and users of various levels of access there are.

  25. visible email by Anonymous Coward · · Score: 0

    That's nothing. A number of years ago I reported to humboldt1.com that their entire user email database was world readable and that their password to root was "test" (I kid you not).

    Their response was to shut down my account and threaten me with further drastic consequences.

  26. Prestigious? by Anonymous Coward · · Score: 0

    This wouldn't happen at a real university like Stanford or Yale.

  27. But how else do you learn your SSN? by llevity · · Score: 1

    If my university hadn't used SSN's as individual identification numbers, I would have never learned it. At least I got something out of the pricey education.

  28. Google by Cally · · Score: 0, Troll
    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    1. Re:Google by Anonymous Coward · · Score: 0

      I call Troll.

      There are no SSN at least four pages in. All links just reference forms that need an SSN or cs classes that use it as a potential variable in demonstration code.

      Concerned UofC student, but not of this post....

  29. 365/24 SPAM by peter303 · · Score: 1

    Targeted selling to everyone, everywhere, all the time.

  30. big school ... by whitehatlurker · · Score: 1
    From TFA "And there are 656,000 files on this system, each created by different people."

    Wow. 656000+ people at that school. No wonder they can only put up one file apiece, and that the admins can't educate all of their people to not use that one file to post sensitive data.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  31. Jeeezzz by Pizentios · · Score: 0

    When will people learn that security by ignorance doesn't work anymore....then again it never really did.

    --
    -Pizentios
  32. if you are expecting... by smartsaga · · Score: 2, Interesting

    your info to be secure in this country... you are nuts. PERIOD

    Why?

    The U.S. could not avoid the hijacking of airplanes in front of everybody and you want your personal info to be safe? HA!!

    Seriously, this country, the people, have no real respect for one's job. Why? Well, it was even on the Simpsons show. Homer even said "do it the American way, do it half ass!" or something like that.

    It is that simple, many americans do it HALF ASS. And people wonder why other countries hate the US. The U.S. has all the freaking resources needed to protect people's privacy... and it does protect it, HALF ASS. Is HALF ASS enough? obviously not. Your SSN are belong to us... get it?

    P.S. I don't even need to RTFA... I just know it is always the same crap. Have a good one.

    --
    ===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
  33. It happened at Purdue University just last week! by Anonymous Coward · · Score: 2, Informative

    They dubbed it affectionately the "data incident." From a few computers, hackers were able to glean 11,000 (eleven thousand!) staff records, including names, social security numbers, pants sizes, and favorite flavors of ice cream. (OK, so maybe I'm making the last two up.)

    Yes, I'm one of the disgruntled staff who must watch his credit for the rest of my life, and I'm pissed off.

  34. who actually needs to get your SSN# anyway? by Anonymous Coward · · Score: 0

    ok, the entities which seem to have a legitimate use of your SSN are:

    i - the IRS;
    ii - your employer (because they pay you money and i likes to know about it);
    iii - bank (because they pay you dividend and i likes to know about it);
    iv - the DMV (because... well apparently they do);

    other entities who do use it routinely, although I couldn't find any legal justification for it, are:

    v - health care stuff (health insurance) -- although they no longer can use it as an id number (at least in California);
    vi - the military (why? 'cause that's the way we do it, end of discussion);

    why the heck do universities ask for the stuff? why on earth would a student / applicant be dumb enough to provide it in the first place?

    1. Re:who actually needs to get your SSN# anyway? by kalislashdot · · Score: 1

      Everyone uses it because it is a unique number that everyone has. That is why it became the de facto number to use to ID a person. Only in the last few years did they realize that it was bad. Shoot, my Bank uses SSN for your login ID for its Online Banking. I have old paperwork from the Army that has pages of SSN numbers. It was written on letters sent to me, etc. A few months ago I was asked by a utility company for my SSN, I told them no and why do they need it. They said we just need an identifying info, I can also take your driver's license number. Why did they not ask that in the first place?

    2. Re:who actually needs to get your SSN# anyway? by Master+of+Transhuman · · Score: 1


      Check your bank on that login ID.

      I thought Wells Fargo needed that, too, until they informed me I could use any login name I want (which, however, is NOT tested for strength apparently). Check whatever account maintenance screen they give you, maybe you can give yourself a strong login name.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  35. There needs to be an appropriate penalty for this. by the+eric+conspiracy · · Score: 1


    Eye-for-eye. If an organization loses security on CC#, SSN, etc. of customers they must publicly post the SSN#s and CC#s of all their executives on the default page of a special web site run by the FTC for that purpose.

  36. don crabb would have secured this by charliebear · · Score: 1
  37. Will not happen ... by WindBourne · · Score: 1

    until lawsuits are started. I rarely give my CC to sites that run MS (40% of https but nearly 100% of CC stolen). If ever my ID is stolen via the web, I will be suing the company. If possible, I will try to sue the CIO as well. Until these folks are held personally accountable, nothing will change.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  38. From someone who works with this data. by dk01 · · Score: 1

    As a student employee at my university I was amazed at how little security there is on personal information. Sure the data is secure when the admissions department has it but once you start taking classes you are added into countless access databases where most of your information is stored in plain text form and usually not password protected. If someone were to type a wrong email when sending the database as an attachment or if someone's spouse used their laptop they would have access to thousands upon thousands of records. On my second day here I was emailed a database with somewhere around 50,000 entries. Scary. It's unfortunate students aren't warned about the way their data is stored either. When I tell people they get mad at the university (like good college kids should). You'd think the government would start to crack down on the way data is handled in universities. I heard they are busy with a war or something.

    1. Re:From someone who works with this data. by Master+of+Transhuman · · Score: 1


      Email errors do happen, you're right.

      The Registration Center at CCSF sent out emails about completed registration to everybody in the campus GroupWise address book last week. Fortunately Groupwise lets you delete emails from other people's mailboxes that you have sent.

      I've told them to stop using GroupWise to send out emails, and use the freakin' email list manager they have on the server! That's what list managers are FOR!

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  39. Flat files? by fbg111 · · Score: 1

    What are SSN's doing in unencrypted flat files anyway? At least encrypt them, better yet store them in an encrypted database field. No human should be able to see someone else's SSN (or CC#, or CC verification code, etc.) on a system, not even the admins. All that should be visible is the variable, not its value.

    --
    Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
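
An added example, not part of the comment above or of the thread: a defender-side audit that walks a shared web root and flags files that are readable by group or other and contain SSN-formatted strings, which is the exposure the story describes. The function names, the regex, and the sample files are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# NNN-NN-NNNN, excluding ranges the SSA never issues (000/666/9xx area,
# 00 group, 0000 serial). Digit lookarounds avoid matching inside longer numbers.
SSN_RE = re.compile(
    rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)

def audit_tree(root, max_bytes=1_000_000):
    """Return [(relative_path, mode_string, hit_count)] for files under root
    that are readable by group or other AND contain SSN-shaped strings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            if not st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                continue  # owner-only: not exposed to other accounts
            with open(path, "rb") as fh:
                hits = len(SSN_RE.findall(fh.read(max_bytes)))
            if hits:
                findings.append((os.path.relpath(path, root),
                                 stat.filemode(st.st_mode), hits))
    return sorted(findings)

def demo():
    """Build a constructed web root with made-up data and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "roster.csv": (b"Doe,Jane,123-45-6789\nRoe,Sam,234-56-7890\n", 0o644),
            "private.csv": (b"Doe,Jane,123-45-6789\n", 0o600),
            "phones.txt": (b"call 773-555-0100 or 000-12-3456\n", 0o644),
        }
        for name, (data, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, mode, hits in demo():
        print(f"{mode} {rel}: {hits} SSN-shaped value(s)")
```

Only `roster.csv` is reported: `private.csv` holds the same kind of data but is owner-only, and `phones.txt` contains no validly formed SSN.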
  40. Technical solution by 44BSD · · Score: 2, Funny

    ~badass$ cat > /etc/motd && chmod 444 /etc/motd

    Hello, fellow Maroonian.

    This server is connected to the big bad internet.

    University policy prohibits the storage of sensitive data upon it.

    Employees who violate policy will be fired. Students who violate policy will be expelled.

    Have a Nice Day.
    ^D
    1. Re:Technical solution by Vann_v2 · · Score: 1

      That's pretty much what happened, minus the "firing" and "expelling" part.

  41. For the last time! by realityfighter · · Score: 1

    Singular: Alumnus

    Plural: Alumni

    Can't anyone get this straight? It's absolutely rediculous! ;-)

    --
    A strain of paranoid prevention can be worse than the disease, whate'er the intention.
    1. Re:For the last time! by NeuroBoy · · Score: 1

      You are correct, pedantic, and a poor speller. (Ridiculous, not rediculous...) ;)

  42. Mod parent up by Skater · · Score: 1

    AC is right - I looked through a few and all I saw were blank forms, no actual data.

    Not that it matters anyway - Google is merely the tool, and as anyone who has read a file swapping discussion on /. would know, it's not the tool that's bad.

  43. Princeton hack a few years ago.... FBI case by Anonymous Coward · · Score: 0

    Yea this isn't the first, but just for the record you should see princeton.edu's little hack and all the info gained:
    http://web.archive.org/web/20011126105456/www.ispe p.cx/files/tucson.princeton.edu.txt

    This is FBI case ID 288A-NH-41961 (Pending as of 8/7/2002)....

    Here's a snippet:

  44. memories... by Anonymous Coward · · Score: 0

    reminds me of the time in high school when i asked for a list of the faculty and staff members to post on the school's web page. soon after i was given several pages of payroll information: birthdays, ssns, the works. and all i needed were the names and departments.

    you would THINK someone couldn't be so careless.

    - never graduated

  45. Same thing at my school last year by Anonymous Coward · · Score: 0

    A similar thing happened at my college, SIUE. An Office of Information Technology (OIT) student worker living in the campus apartments reported that a school run server was running an anonymous ftp that held listings of all foreign student SSN's and personal info...

    The response was to fire the student employee and get the FBI to raid his apartment, taking his computers as well as his roommates' computers. Further, the two roommates were expelled (now reversed). The computers have not been returned.

    The local papers loved the story of swift justice being brought to the devious hackers. Overall, the school did an excellent job of shifting blame from themselves to these evil "hackers".

  46. When I went to U of C they did not use SSN! by Archeopteryx · · Score: 1

    They made a big deal about students being known to the University by our names not a number!

    This was in the mid-70s.

    Sad that it changed.

    --
    Dog is my co-pilot.
    1. Re:When I went to U of C they did not use SSN! by d3m057h3n35 · · Score: 0

      I'm a current student at Chicago finishing up the academic year, and read about this in the Maroon this morning. Currently, the number a student is known by is a 6-digit student identification number. I don't know why SSNs are needed so often on so many various applications here (financial aid applications in particular make you smear that number all over, and onto every page of your tax return copy, for example). There is also a PIN that is given on each student's Chicago card, 7 digits long, but I've only used it for the online library catalog system so far. Perhaps the SSN is being used more often (despite its theft making one more vulnerable than the theft of a student ID number, for example) because administrators assume that all students nationwide are told to memorize their SSN early on, so students are more likely to have that committed to memory than one or more long PINs. Or maybe it makes coordinating health, college, and federal aid records easier. In any case, it doesn't make much sense to not try a little harder at security, considering the negative publicity that universities keep on getting from such breaches. I suppose they're used to dealing with it.

      Besides, the NSIT (university IT people) has demonstrated moderate incompetency and inefficiency, and I've only been here for a year. I wouldn't expect them to be invulnerable to this kind of mistake.

  47. Retarded MOD alert by Anonymous Coward · · Score: 0

    Why is this modded a troll? Parent summed it up perfectly.

  48. social security numbers on a school computer? by Anonymous Coward · · Score: 0

    What in the world are social security numbers doing on a school computer system? Sounds like that school is asking for a lawsuit... I can't believe some students were actually that stupid to give their social security numbers to a school.

  49. That's nothing... by Anonymous Coward · · Score: 0

    The last company I worked for was writing software to generate parking tickets. As a test for the system's database entries, the VP of Business Development wrote an email to some college administrator asking for some sample student data.

    He received an unencrypted flat file containing personally identifiable information of every student in the college. Including names, addresses, phone numbers and, oh yeah, SSNs.

    He jokingly quipped about selling the info for $50 large. I wouldn't put it past him.

    +2 Doubly-scary

  50. blame the techs by Anonymous Coward · · Score: 0

    It is amazing that students are so fast to blame underpaid overworked techs for mistakes made by some high-level UoC administrators.

    There is no fail-proof technology which could prevent an administrator from inappropriate usage of the data he manages.

    Did you hear much about the stuff that is regularly found on student and professor computers? No, it is always covered up. And some stuff is really loaded...

    So, yea, blame the poor schmuck who does all the work with no reward and all the blame.

  51. Re:It happened at Purdue University just last week by gregfortune · · Score: 1

    Which is different from *two* weeks ago in what way? Seriously, you ought to be watching your credit anyway.