Slashdot Mirror


U of C Student Information Compromised

fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."

96 of 143 comments

  1. seen it before, will probably see it again. by lecithin · · Score: 5, Interesting

    About 3 years ago I ended up finding a site that had a similar problem. It was on a University site and was devoted to students asking their instructor a question. The questions were something like this:

    HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.

    Each entry (about 50) had students' names and social security numbers.

    I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.

    I then contacted one of the students. The page was 'secured' in 1 day.

    I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.

    --
    It could be worse, it could be Monday.
    1. Re:seen it before, will probably see it again. by DrinkingIllini · · Score: 2, Informative

      The University of Illinois, and many other universities I suspect, issues everyone a Unique Identification Number which basically takes the place of the SSN for all university business. Makes a hell of a lot more sense if you ask me.

    2. Re:seen it before, will probably see it again. by richdun · · Score: 2, Funny

      Sad thing is, after four years of Collage, the student found that randomly assembling bits of paper and pictures and such to create works of art doesn't really pay that much.

      But seriously, my college just last year switched from plastering SSNs on IDs and such, IDs used for meals, building entry, even registration at student government meetings, to a university-only number. This doesn't surprise me one bit, and really it could have happened at a lot of colleges a long time ago.

    3. Re:seen it before, will probably see it again. by ednopantz · · Score: 2, Interesting

      The U of C uses 6 digit student ids for routine stuff. No doubt SSNs are somewhere, but the UCID number seems to be the most commonly used id, so it isn't a case of the University using SSNs willy nilly.

      But who cares if someone steals your SSN? Your library card # is what really matters to U of C students. I don't think they can survive long without access to the Reg.

    4. Re:seen it before, will probably see it again. by A+beautiful+mind · · Score: 1

      Well, to point to a working system without the need for SSN to operate universities, in my country we use a university identification string, composed from initials, and some other unique parts based on a random algorithm to make sure they are unique indeed.

      You can use that id for university related business only and it works extremely well. For example to access the website to schedule courses and exams, I need to log in with that university id string and my password. If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      I don't see why universities in the States couldn't use such a system, especially since in my experience it works extremely well.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    5. Re:seen it before, will probably see it again. by wallykeyster · · Score: 1
      If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or nothing, unlike systems that use the SSN as the ID.

    6. Re:seen it before, will probably see it again. by BrianH · · Score: 1

      Hey, I just shut one of those down the other day. One of our faculty slapped up a public query form and was writing the students' results, which contained their SSN, name, and address, to a publicly accessible Access db. When I contacted the instructor his response was, "But how can anyone download it if I don't link to it?"

      And therein lies the crux of the problem. On most college and uni campuses, the publishing of data isn't controlled by a "webmaster" or other campus employee. In our case, we give our faculty unfettered access to a Frontpage server and pretty much allow them to publish whatever they want. The upside is that the college isn't responsible for objectionable material, because it's owned by the instructor and posted under the auspices of "academic freedom". The downside is that, when someone does something stupid like this, it's typically the college, and not the instructor, who takes the heat. People fail to realize that for most college web content, the college is acting more like an ISP than a publisher.

      It sounds like this Chicago incident is much the same. It wasn't that the university put up a security-free server, but rather that some faculty member or staffer shoved some private data onto a public server without realizing that it became publicly accessible.

      --

      There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
    7. Re:seen it before, will probably see it again. by A+beautiful+mind · · Score: 1

      That depends on which system they can access once they have your university ID.

      Without a password? Absolutely zero.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    8. Re:seen it before, will probably see it again. by wallykeyster · · Score: 1
      Without a password? Absolutely zero.

      Christ. What exactly do you think "access" meant? Unfortunately, it isn't uncommon to find student workers who know the SIS username and password of the faculty or staff member they assist.

    9. Re:seen it before, will probably see it again. by A+beautiful+mind · · Score: 1

      That is no longer a problem with the system, it is up to the particular user to keep their passwords secret.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    10. Re:seen it before, will probably see it again. by wallykeyster · · Score: 2, Interesting
      Okay. Let me try to spell it out for you.

      You: If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      Me: That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or nothing, unlike systems that use the SSN as the ID.

      My point was that just because your school uses a less obvious student ID does not mean that all of your data is safe. Your post made it sound like this ID gives you complete anonymity, with your name being the most sensitive information available to someone who learns your ID. I agreed that a seemingly random ID number is better because it has no obvious data in it (unlike an SSN). Yet, the reality is that employees trust student workers more than they should when the same student has worked with them for several years. I am the IT director at a university and I've known of too many offices where a student was entrusted (in violation of policy) with an employee's SIS username and password.

    11. Re:seen it before, will probably see it again. by Dr.+Derail · · Score: 1

      In WV there was a state law passed a few years ago that is now phasing in that no state run institution could display or search off of anything more than the last 4 digits of an SSN. Last summer Marshall University and I'm guessing the other higher ed schools in the reissued all new ID numbers and cards to all the students.

    12. Re:seen it before, will probably see it again. by aaronl · · Score: 1

      You said: "I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible."

      That's OK... neither does the Federal government. It is technically illegal to use a SSN for most purposes, as set forth in the Privacy Act of 1974, as well as the Social Security Act.

    13. Re:seen it before, will probably see it again. by Master+of+Transhuman · · Score: 1


      City College of San Francisco used SSNs up until a couple years ago. They have changed to issuing a Student ID. SSN is still usable, particularly before the student is assigned a Student ID in the application process - something I think is ridiculous. The student should be given a Student ID as soon as he applies over the Web so he NEVER has to enter his SSN subsequent to his application.

      We have begun issuing student ID cards with barcodes which are compatible with the college library barcode systems, but a full student ID with picture (and smart chips and RFID and the like) is still too expensive even for the largest community college district in the country.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    14. Re:seen it before, will probably see it again. by Master+of+Transhuman · · Score: 1


      That depends on the password strength, among other things.

      The SCT Banner college MIS system, for instance, uses a Student ID and a minimalist six-digit PIN number to control access to the student's account. That PIN number would be trivial to break since most people use 6 of the same number or something like '123456'. If you can get the student id (and some instructors insist on posting it on grade reports tacked to their doors), you've got half the access right there.

      If you have a standard system that requires at least eight characters for a password, with a mix of upper case, lower case, numbers, and special characters, that is better.

      But then it depends on students keeping their passwords secret successfully - and that is extremely unlikely for any student not in an IT class who has a clue.

      As an example, at City College of San Francisco, we issue barcodes on student ID cards which can be used in the college library to check out books and access the library terminals for email and the like. Students "lose" these cards at a phenomenal rate. I say "lose" because most of the time they just forget them at home, then come in to the Registration Center to get a new one - so we had to design the ID application to cancel the old barcode and issue a new one, so that multiple cards with the same barcode could not be used at the library. This is a security issue as well, as students have been known to use the library email access to send threatening emails to instructors - obviously anyone who finds a student's card with a usable barcode could cover his tracks in this regard.

      So expecting students to protect their passwords is probably not too realistic.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
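
The comment above contrasts a six-digit numeric PIN with an eight-character mixed-class password. The following is an added example written for this page (not code from SCT Banner, City College, or any system named in the thread) that checks a secret against each policy, flags the trivial PIN shapes mentioned (one repeated digit, a straight digit run), and compares the size of the two search spaces. The rule names and the sample secrets are constructed for illustration.

```python
"""Added example (illustration code for this page, not part of SCT Banner or
any college system): check a login secret against the two policies the
comment contrasts, a six-digit numeric PIN and an eight-character
mixed-class password, and compare the size of each search space.
"""
import math
import string
from typing import List


def is_repeated(digits: str) -> bool:
    """'111111', '000000' and friends: only one distinct digit."""
    return len(set(digits)) == 1


def is_sequence(digits: str) -> bool:
    """'123456' or '654321': every step is +1 or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str) -> List[str]:
    """Problems with a six-digit PIN under the minimal numeric-PIN policy."""
    problems: List[str] = []
    if len(pin) != 6 or not pin.isdigit():
        problems.append("must be exactly six digits")
        return problems
    if is_repeated(pin):
        problems.append("single repeated digit")
    if is_sequence(pin):
        problems.append("ascending or descending digit run")
    return problems


def check_password(pw: str) -> List[str]:
    """Problems under the stronger policy: eight-plus chars, all four classes."""
    problems: List[str] = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in pw),
        "lowercase": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name} character" for name, ok in classes.items() if not ok]
    return problems


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of secrets a policy allows: the upper bound that an
    online-guessing defence (lockout, rate limiting) has to cover."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample secrets, not real credentials.
    for pin in ("123456", "111111", "480271"):
        print(pin, check_pin(pin) or "ok")
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, check_password(pw) or "ok")
    symbols = len(string.printable.strip())  # 94 printable non-space ASCII
    print(f"6-digit PIN: {keyspace_bits(10, 6):.1f} bits; "
          f"8-char password over {symbols} symbols: "
          f"{keyspace_bits(symbols, 8):.1f} bits")
```

The keyspace figures (roughly 20 bits for the PIN against about 52 bits for the password policy) make the comment's point numerically: a six-digit PIN only holds up if the server side enforces lockout or throttling, which the shape checks above do not replace.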
    15. Re:seen it before, will probably see it again. by dj245 · · Score: 1

      try This page Last semester this page included SSN's with the home addresses and emails. It also used to have phone numbers. Due to public outcry some of the personal details were removed. But not all. There is no reason this page is linked directly from http://www.mma.edu/ (academics, Student Schedules spring/fall)

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    16. Re:seen it before, will probably see it again. by luigi1015 · · Score: 1

      I am a student at the UofC and know that the university uses a separate 6 digit ID number for identification.
      It sounds to me like this is more like there were some files out on the Web server that listed the SSNs of some of the students and had improper permissions.
      But yes I know this can be a huge problem. I used to go to a small university where they did use the SSN for an ID, mostly due to laziness. They didn't want to go through the trouble of having to create another unique ID for each student. I worked in the computer helpdesk as a work study and we would always ask their SSN when a student wanted their email password reset. On a busy day we might get a few dozen resets.
      Needless to say it was a huge risk. A worker with bad intentions or the wrong person overhearing someone recite their SSN could be disastrous. This situation wasn't helped much by the student workers since we usually had at least half a dozen student workers each semester and they were coming and going like crazy. Thankfully they changed over to another ID about a year ago.

  2. Add it to the list by WebHostingGuy · · Score: 1

    of companies who are losing data by the minute.

    Seriously, doesn't anyone take privacy seriously?

    --
    Quality Hosting e3 Servers
    1. Re:Add it to the list by Saven+Marek · · Score: 3, Insightful

      > Seriously, doesn't anyone take privacy seriously

      The sites don't take it seriously because the students don't take it seriously.

      If privacy info were treated like money or like cars or like anything else people attach "worth" to then the blocks would have been patched 10 years ago and never allowed to leak!

      But people don't care about privacy breaches. You could have a telemarketer phone 100,000 people and say "hi is your name xxxxx and social security number yyyyyyy? if so then we have a deal for you!!!" but nobody would care.

      But if you had a telemarketer phone and say "hi I have your car here with me would you like a deal" well I bet law enforcement would close them down in days.

      But it's not going to happen because people in general don't care when their private details get out. Like if people get emailed by a company to their own name and address, they accept it. They get viruses, they accept it. They get telemarketer custom phonecalls and they accept it.

      People are too used to it happening to care now.

    2. Re:Add it to the list by a_greer2005 · · Score: 5, Interesting
      It is hard to take security seriously when NO ONE around you does. Here at school I have to give my SSN for everything, and every document I receive from the school has my SSN on it. I have repeatedly complained but no one gives a rat's ass; I point out situations like this and it falls on deaf ears.

      The problem is the "It can't happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. It seems like no one will learn until it is too late for them.

      The worst part is there is not a god damned thing I can do about it. Everyone, like trained drones, gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...

    3. Re:Add it to the list by yali · · Score: 2, Interesting

      If you call the cops and say "somebody has stolen my social security number," do you really think you'll get the same reaction as if you say somebody has stolen your car?

      In a weird way, this problem seems like a bass-ackwards parallel to copyright infringement. In both cases, it is unlike a traditional theft because information is copied with no loss to the original holder. So the infringers do not value the information as much as the infringed-upon. (But in this case, the little guy is the one getting infringed upon, and the big institutions are the infringers.)

      In other words, universities and corporations do not intrinsically "lose" anything when somebody breaches their system and "steals" people's SSNs. They only lose if they get caught and if there is some sort of penalty (like a really expensive lawsuit). Until the legal system starts whacking them in a way that hurts, this problem is going to keep coming up.

    4. Re:Add it to the list by slashdot.org · · Score: 1

      Well, I'm certainly no expert on the subject of this matter as a resident (as opposed to a citizen), but perhaps you could mention that you will hold them responsible for damages?

      I would think that especially a formal letter in that regard should stir up some things.

      In any case, I do agree with others that the problem is with the value that a SSN (combined with some other personal data) has. But that's the reality of the situation. If people don't take you seriously, it would perhaps be an idea to mention something like, 'fair enough, so long as you understand that in case of identity fraud, I will hold _your_ organization responsible for any damages'.

      Just a (perhaps simplistic) idea.

    5. Re:Add it to the list by dj245 · · Score: 1

      I disagree. There was a direct link to a webpage with SSN's of every student on the main page at http://www.mma.edu/ Due to student outcry, the SSN's and phone numbers were removed. The page is still linked, however, and still contains home addresses and emails. That page is here

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  3. Adding Insult to Injury by booyah · · Score: 2, Funny

    Now their webserver seems awfully slow and unresponsive...

    Sysadmins are reporting a MASSIVE distributed denial of service attack... then they head over to /. to see how the rest of the world is going.... aw shit!

    --
    #include sig.h
  4. SSNs as Student ID Numbers by EnronHaliburton2004 · · Score: 4, Interesting

    I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.

    About 8 years ago, City College of San Francisco sent out a bunch of postcards to the students (there are tens of thousands of part-time students there). The postcard (no envelope) contained some information on how to register, and a reminder of the student's Student ID Number-- which was a SSN. On a fricken postcard.

    1. Re:SSNs as Student ID Numbers by eggoeater · · Score: 1

      I was about to ask "Wasn't using SSN as student ID numbers outlawed?" but obviously it isn't. My second year of college (1989) is when my university switched from SSN to 6 digit numbers. I thought all colleges did that in the early 90's.

    2. Re:SSNs as Student ID Numbers by raolin · · Score: 1

      My alma mater used SSN's for student ids until 2 years ago. They then (for our protection) implemented new id cards that had only 2 things on the mag stripe. The first was your new student id (also printed on the card), the second was a counter, so if you got a replacement card it incremented and the old one was no good. So, an unscrupulous person could swipe your card, re-encode it with the updated count, and do whatever they felt like on your credentials.

      Creepy as hell.

      --
      "It is sad to see a family torn apart by something as simple as a pack of wild dogs."
    3. Re:SSNs as Student ID Numbers by JJ · · Score: 1

      U. of C. does not use SSNs as student id numbers (or at least they didn't when I was there.)

      --
      So long and thanks for all the fish . . . !!!
    4. Re:SSNs as Student ID Numbers by Scott+Laird · · Score: 1

      Yeah, they haven't used SSNs for student IDs for at least 15 years.

    5. Re:SSNs as Student ID Numbers by Cally · · Score: 1

      There was a recent discussion on NANOG on this topic which ended with a fairly definitive statement from One Who Knows This Shit (actually it was Dan Golding) that virtually no colleges use SSNs as unique IDs any more; but that they have to maintain *old* data, which *did* use SSNs as UIDs. I'm paraphrasing, badly; go read the archived post.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    6. Re:SSNs as Student ID Numbers by cheesewire · · Score: 1

      What is it with the US and social security numbers? How different are they from, say, a UK NI number?

      The only times I've ever needed my NI number have been:
      a) When I got a job
      b) When I registered to not have tax on my bank account interest.
      c) When applying for a US visa

      AFAIK my university doesn't know my NI number.
      To identify us we get a 7-digit number, which is pretty much only useful in exams, where it's printed for us, and a six-letter (half of it is our initials) code/email address used to identify us on a day-to-day basis by lecturers etc.

    7. Re:SSNs as Student ID Numbers by BrianH · · Score: 1

      There's a reason why CCSF, and many other public colleges, use the SSN. Most public colleges are funded by the state based on enrollment, and are required to regularly submit enrollment and financial aid reports to their funding agencies (in the case of CCSF, the CCC Chancellors Office). These reports are legally required to include the SSN for each listed student (used for a wide array of purposes ranging from fraud prevention to tax reporting). Since the basic structures of most school record databases have their origins in the mainframe days, they were created when having TWO unique identifiers for each record was considered wasteful and identity theft was virtually unknown. Though the databases themselves have been updated, the data structures have simply been crosswalked, retaining that SSN dependence.

      Changing to a student ID means retooling databases that may have 30 years worth of records in them. On top of that, it usually requires replacing or rewriting whatever software they use to interface with that database to support the new key (my own college recently spent over three million bucks and two years to do exactly this).

      --

      There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
    8. Re:SSNs as Student ID Numbers by aaronl · · Score: 1

      As I've said many times, they could also just enforce existing laws. You aren't allowed to use a SSN except for Social Security and for matters specifically exempted by law. Look up the Social Security Act, the IRS exemption from 1962, and the Privacy Act of 1974.

      Your bank, your school, etc., aren't supposed to be using the SSN at *all* for this sort of thing.

    9. Re:SSNs as Student ID Numbers by Master+of+Transhuman · · Score: 1


      Yes, that WAS true eight years ago. Today City College uses a Student ID number - the SSN has been removed from the Student Schedule/Bill if I remember correctly (I had to rewrite it for the barcode project, but I think it was removed before that.)

      They still need to only ask for the SSN during application and issue the Student ID IMMEDIATELY upon completion of the Web application. The problem is the Banner system uses a batch job to stage the Web applications, then move them into Banner later, so the Web application isn't truly interactive with Banner.

      A good reason to ditch that incredibly expensive monstrosity that is Banner, in my opinion.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    10. Re:SSNs as Student ID Numbers by ottothecow · · Score: 1
      Though there still exists web-based usage of SSNs: I had to use my SSN a couple of weeks ago to claim my CNetID/email/access to class of 2009 site.

      Who knows, maybe that's where the numbers were showing up.

      --
      Bottles.
  5. Alumni reaction by JJ · · Score: 4, Interesting

    As an alumnus of the U of C, I have to say I'm not surprised. DCS was never permitted near the IS office and the enmity between the two just caused IS to be the most frequent target of pranks by DCS students.

    --
    So long and thanks for all the fish . . . !!!
    1. Re:Alumni reaction by NeuroBoy · · Score: 1

      As an alumnus and one whose graduation date falls within the years where data may have leaked I can say I'm a little disappointed with administrators.

      I was never overly impressed with the quality of staff that the university employed as systems administrators. By and large the students that worked the various posts made available to students were far more qualified and up-to-the-task.

      That said, I realize that administrators can't be responsible for all the content posted on university sites. However, any decent-sized organization such as a university needs to have data screening mechanisms for SSNs at the very least.

      How hard is it to run a few shell scripts once or twice a month looking for strings matching suspicious data patterns... They've done it for years looking for pirated software, MP3s, etc.
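
The "few shell scripts looking for suspicious data patterns" idea above, as an added example written for this page (not a script from the University of Chicago, NSIT, or any poster): a small Python scanner that walks a web document root, matches the NNN-NN-NNNN shape in text-like files, discards values the Social Security Administration never issues to cut false positives, notes whether the offending file is world-readable, and reports hits masked to the last four digits so the report itself does not become another copy of the data. The sample web root, file names and numbers it builds are constructed for the demonstration.

```python
"""Added example (written for this page, not code from any university or
from NSIT): a periodic scan of a web document root for files that appear
to contain US Social Security numbers, reported in masked form.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Candidate pattern: 3-2-4 digit groups separated by '-' or a space.
# The lookarounds stop matches inside longer digit runs such as phone
# numbers or order ids.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Only look inside text-like files; skip anything large to keep the job cheap.
TEXT_EXTENSIONS = {".html", ".htm", ".txt", ".csv", ".xml", ".json",
                   ".php", ".inc", ".log", ".md", ""}
MAX_BYTES = 4 * 1024 * 1024


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues; this removes most false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> List[str]:
    """Return plausible SSNs found in text, masked to the last four digits."""
    hits: List[str] = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            hits.append("***-**-" + serial)
    return hits


def world_readable(path: str) -> bool:
    """True when the file mode grants read to 'other' (POSIX semantics)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and map each offending file (relative path) to its masked hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable or vanished mid-scan; skip it
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample content (made-up values) standing in for a web root."""
    os.makedirs(os.path.join(root, "courses"), exist_ok=True)
    with open(os.path.join(root, "courses", "questions.html"), "w", encoding="utf-8") as fh:
        fh.write("<p>HI MY NAME IS STUDENT. MY SSN IS 123-45-6789.</p>\n"
                 "<p>Office phone 555-123-4567, order 000-12-3456.</p>\n")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>Welcome</h1>\n")


def demo_scan() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, hits in scan_tree(root).items():
            mode = "world-readable" if world_readable(os.path.join(root, rel)) else "restricted"
            print(f"{rel} ({mode}): {len(hits)} possible SSN(s), e.g. {hits[0]}")
```

Run against a real document root, this is the kind of job a cron entry can own; the phone number and the 000-prefixed value in the sample deliberately show the two false-positive classes the lookarounds and the issuance check are there to reject.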

    2. Re:Alumni reaction by Vann_v2 · · Score: 1

      Yes they still have RCAs, but RCAs are completely unaffiliated with NSIT (as I'm sure you know). They're employed through Residential Computing, which is part of Residence Halls & Commons.

    3. Re:Alumni reaction by aliebrah · · Score: 2, Insightful

      I'm an alumnus of UChicago as well; I've posted a blog entry about how I think this event has been handled.

  6. Here at the UW we don't use SSN by WillAffleckUW · · Score: 1

    We have separate Student ID and Employee ID and we use those for everything except tax forms.

    But my sister works at UCSB and she says a lot of colleges and universities in the UC system still use SSN, at least just a while ago when she was working on a task force for data interchange.

    --
    -- Tigger warning: This post may contain tiggers! --
  7. Love the name... by rnturn · · Score: 1
    ... of the campus paper.


    --
    CUR ALLOC 20195.....5804M
    1. Re:Love the name... by EmperorKagato · · Score: 1

      Those morons(Maroons) are the same ones that will be saving your life! ------ You made my girlfriend cry.

      --
      ----- You know you have ego issues when you register a domain in your name.
    2. Re:Love the name... by Frumious+Wombat · · Score: 1

      Personally, I always loved the campus motto: "Where Fun Comes to Die".

      I miss U. of C.

      Wonder what the Chicago Weekly News' (the less disciplined, more anti-authoritarian, campus paper) take on this incident will be?

      --
      the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken
    3. Re:Love the name... by rnturn · · Score: 1

      Lighten up.

      I knew that. I used to spend quite a bit of time at UofC years ago. Ran many a time on their old dirt indoor track (they used to hold indoor marathons on that beast) as well as in their 'new' fieldhouse (well it was new in the later '70s). Spent many a summer at the productions of the Court Theatre when it was held outdoors on campus. One of my favorite bars in the world is Jimmy's (God rest his soul), dive that it is. A couple of friends have taken advanced degrees from there. As a result, even though I never was enrolled there, I'm familiar with The Maroon.

      I suggest you rent a copy of some old Looney Tunes. Maybe you'll get the humor in "The Maroon". Then again, maybe you won't.

      --
      CUR ALLOC 20195.....5804M
  8. Hey, you know what... by Goronmon · · Score: 2, Funny

    At least they don't use your SSN as your ID number and print it on everyone's ID card like my school does =|

  9. Bigger Problem by twistedcubic · · Score: 1

    I think this is so common because of the flat refusal of many organizations to pay programmers and administrators anything close to what they're worth. You get what you pay for, but nobody seems to care.

    1. Re:Bigger Problem by Ffakr · · Score: 1

      This is true, and it's absolutely wrong at the same time. How cool is that.

      I'll make the disclaimer now, I'm a UC employee and I work in IT. I'm not affiliated with NSIT, the group under whose watch this problem occurred.

      First off. There are plenty of very smart people working at UC. The quality and the size of the central IT staff is superior, imho, to that of my previous employer.. a State University that was actually larger (plenty of friends on staff at that State university and they are good smart people too.. I'm making broad comparisons here).

      As for pay, Yes, Education pays less than the 'real world'. It often pays MUCH less. UChicago doesn't pay salaries comparable to the corporate world but it's far from the worst EDU in the area in this regard. EDU staff doesn't tend to come or stay for the pay, however. Working in EDU is often a geek's dream. Flexible hours.. I know plenty who work 2pm till they are done because they prefer that. Getting good work accomplished is more important than being at your desk at 9am. Great benefits... 4 weeks vacation/personal holiday to start at UC.. more at the last University I worked for, for staff with a degree. Overall, a fun, relaxed, and often challenging work place where you help interesting people day in and day out.
      Bottom line, there are plenty of very very intelligent, very very talented people doing IT at Universities and they are retained because they'd rather be happy with a smaller pay check than miserable and rolling in dough. (I wish it could be both as much as anyone).

      All that said, yes, there are plenty of dumb asses doing IT at Universities. One pattern I see is that smaller groups like Departments and Institutes will hire Techs for internal use but they won't seek out the right people on campus to properly evaluate the applicants. It's awfully easy to BS your way through an interview when the interviewers are the ones desperate for tech support because they are clueless about computers.
      Me, I interviewed with one of those people.. and an associate Director of NSIT. That and an internal reference are the reasons my position isn't currently filled by a real dumbass (just my minor and occasional dumbass-id-ness).

      OK, nuff of my rant.
      Read the story again. It appears that NSIT may not have even been responsible for creating this problem. The University of Chicago has a professional web developer on retainer. From the story, it looks like a web developer put a sensitive file in the wrong location with the wrong permissions. I'm not sure if this was even caused by an NSIT staff member.

      BTW: The current security group on campus is actually quite good. I'm very happy with them, they are really on top of their stuff as far as network monitoring, reporting, and control. Machine gets violated and bam, the port is off with a quickness. The report shows up in our email immediately and we can go off to see who brought an unsecured box into our division without even bothering to ask us about whether it's buttoned down. :-)

      --

      I'm not feeling witty so bite me

    2. Re:Bigger Problem by Master+of+Transhuman · · Score: 1


      Well, sometimes you DON'T get what you pay for. An IT administrator with no clue can be devastating to an organization regardless of what he's paid.

      Case in point: City College bought the SCT Banner MIS system for over a million clams, along with $150K or so a year for "support".

      Then, to get REAL support, they hire a consultancy called SIG, and pay THEM $115K/year - just a couple weeks ago raised by another $85K to $195K just to "finish the conversion to Banner 6".

      As I've said before, if the College spent that money on re-engineering an OSS/inhouse version, they would save themselves a million bucks over five years after deployment. (Not to mention license fees for Oracle, HP/UX, etc., ad infinitum.)

      Of course, morons on /. have claimed that isn't feasible for a variety of lame reasons.

      The point is, colleges are willing to PISS incredible amounts of money away for bogus reasons, then nickel and dime their staff for everything else.

      City College spent an ungodly amount of money - MILLIONS - on refurbishing the windows in Science Hall, for Christ's sakes! (And the windows all looked perfectly damn good to me - I suppose the justification was to reduce energy bills or something. Nobody's noticed any difference in the classrooms I've sat in this last semester.)

      Now they want to spend a couple hundred thousand on workflow software - with a ton of mature OSS workflow products available.

      Meanwhile, the head of the Registration Center can't hire a 20-hour-a-week clerk to help out. And I can't get hired there because my boss says HIS boss says there's "no money" - but he also tells me the college can contract with me for any amount of money!

      It's organizational politics and incompetent management at the base of it.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:Bigger Problem by Vann_v2 · · Score: 1

      No, it's not even that. The server which had the sensitive data was not a server on which anyone should be putting anything sensitive. Dozens and dozens of people have some level of access, from students unaffiliated with NSIT to people working on the server itself, and the policy is clear: don't do stupid things like put up private information!

      So, some organization within the University (who I won't name) basically put up world-readable files with sensitive information on Krypton and, surprise, other people with access to Krypton were able to read said files.

    4. Re:Bigger Problem by Ffakr · · Score: 1

      Thanks for the additional info. I'll admit, I've still not read the other links like that Maroon article.

      In the post you replied to, I was specifically trying to quell the absolutism and idiocy that is too common on slashdot (by a minority I like to believe).
      I primarily wanted to point out that lower pay than the industry doesn't mean there aren't talented people. There are a lot of talented people in NSIT, on campus, and at most if not all Universities. I know plenty of people who are more than smart enough and talented enough to do the grind in corporate. I know some who have and immediately returned.

      I'm not excusing NSIT or WHO EVER was directly or passively involved. It's a major F up. I can't imagine why a file with SS#s was up there in the first place (though I've done this work long enough to know that just because I can't see the purpose outside the black box, that doesn't mean it isn't there).

      thanks,
      ffakr

      --

      I'm not feeling witty so bite me

    5. Re:Bigger Problem by Ffakr · · Score: 1

      I wish I could edit posts. :-)
      I went and reread my initial post and I can easily see that it appears to let NSIT off the hook too easily. I really intended to say 'don't crucify them yet till you know the facts' but it did come out as 'this isn't their fault, it's the outside web developers'.
      I didn't intend that, I only meant to demonstrate that it's more complex an issue than 'nsit must have done it'.

      That's what I get for posting just before bed.

      --

      I'm not feeling witty so bite me

  10. Google Search!! by TubeSteak · · Score: 3, Informative
    Uni & Colleges are notorious for their insecure networks.
    They practically bleed information.

    http://www.google.com/search?q=site:edu

    You can dig up SSN's, passwords, and various other juicy tidbits.

    College mailing lists are also nice treasure trove. They tend to be publicly archived, but the people mailing stuff out don't seem to be aware of the fact.

    They're also a good read just for the intra-office drama.

    --
    [Fuck Beta]
    o0t!
  11. Focus is on the wrong problem. by Distan · · Score: 4, Insightful

    It seems like most of the focus is on how universities and companies aren't doing enough to secure this data, and that somehow if they try hard enough identity theft will go away.

    That is completely the wrong problem to solve.

    The true problem is that we have developed a system where knowing somebody's identifying information (name, address, SSN, DOB, etc) gives you power. Instead of approaching the impossible task of keeping this information secure, we should instead approach the solvable task of dismantling the system that gives this information so much power.

    Imagine that the "master tape" of SSNs for every citizen in the United States had been publicly leaked, and that it was being openly shared on P2P networks. How would we put the cat back in the bag? If you can solve that question, then you are on the right path.

    One idea: pass a law prohibiting anyone, governmental or non-governmental, from using the SSN for any purpose other than administrating social security taxes. Take the power away from that number. Since nobody would ask for it, or care what it was, for anything except your social security taxes, no harm could come from sharing it.

    1. Re:Focus is on the wrong problem. by TubeSteak · · Score: 1

      Two words: Mission Creep

      --
      [Fuck Beta]
      o0t!
    2. Re:Focus is on the wrong problem. by john_anderson_ii · · Score: 1

      I agree that is the right track of thought. Unfortunately, the alternatives might put us back in the same boat.

      When applying for a credit card, what would we use as personal identification if the SSN was omitted? Wouldn't that then mean that anyone who knows my address, name and phone number, i.e. anyone who has access to the white pages, would be able to take out a credit card in my name? Short of biometrics I don't see an alternative. Maybe I'm not creative enough.

      --
      Be Safe! Sleep with a Marine. Semper Fi!
    3. Re:Focus is on the wrong problem. by George+Tirebuyer · · Score: 1

      The SSA should issue two types of numbers. Your Social Security Account number, which remains a secret known only to you and them and is permanent, and a pointer number for public consumption that can be changed on demand, to be used on tax forms and by banks etc. The SSA computers could keep track of whether the public number is active and matches the name given.

    4. Re:Focus is on the wrong problem. by pregister · · Score: 1

      Public and private key SSNs? Nifty.

    5. Re:Focus is on the wrong problem. by toddestan · · Score: 1

      When applying for a credit card, what would we use as personal identification if the SSN was omitted? Wouldn't that then mean that anyone who knows my address, name and phone number, i.e. anyone who has access to the white pages, would be able to take out a credit card in my name?

      And how exactly is that different from the current situation?

    6. Re:Focus is on the wrong problem. by john_anderson_ii · · Score: 1

      It's no different. That's exactly the point.

      --
      Be Safe! Sleep with a Marine. Semper Fi!
  12. Wow... by coop0030 · · Score: 1

    Either companies (or schools in this case) are getting more careless with delicate information, or it is being publicized more. I would tend to think that some organizations are getting so large that they can't possibly keep track of where all their information is at all times.

    I am not that concerned about identity theft as others, but it is happening so often that maybe these companies should be held accountable.

    I mean, just last week alone 600,000 people had their identities sold from 6 separate banks (this was a little different, but still...).

  13. @#$@#$ NSIT by Anonymous Coward · · Score: 1, Informative

    I *work* in Desktop support at U of C and this is how I find out about it...

  14. Alumna reaction by jokestress · · Score: 1

    I have sent three letters to the U of C Registrar's Office this year after two department secretaries supplied information to a cyberstalker about me from their available files. Cal Black, the Registrar, said he'd get back to me, but of course he didn't. What a bunch of Maroons. Not surprised here.

    --
    Evil sig is livE.
    1. Re:Alumna reaction by terranwannabe · · Score: 1

      Well, gee, since his name is THOMAS Black (http://dos.uchicago.edu/staff.html), I'm not surprised he never got back to you. It always helps to make sure of the name of the person you're talking to...shows a little respect.

      --
      If I have not seen as far as others, it was because giants were standing on my shoulders. --Hal Abelson
    2. Re:Alumna reaction by jokestress · · Score: 1

      Actually, he wrote back today to say he was still working on it. Said they'd had several meetings on this recently. I had his name correct in the letter. It had been so long since I'd originally written him, I'd forgotten his name when mentioning him here.

      --
      Evil sig is livE.
  15. Same thing for Purdue University by geders · · Score: 2, Informative

    http://www.itap.purdue.edu/newsroom/news.cfm?newsID=436

    Only affected about 11,360 current and former employees...joy. They have switched over to a new numbering system, but only a few of the computer systems can handle the new numbers. They tell us to not use the new numbers just yet. Hehe...looks like by the _end_ of 2006 they'll have switched over...

  16. Ignorance is Strength by Doc+Ruby · · Score: 1, Interesting

    These SSN "leaks" will all be fixed by Bush. He'll replace the SSNs with an actual universal ID#, used throughout the American Hegemony, and destroy Social Security itself. Everyone knows socialism is dead, so Social Security is no security at all, right? Instead, we'll have Capital Security, in an "ownership society", where anyone's identity can be bought for a price, and security is just another profitable industry.

    --

    --
    make install -not war

    1. Re:Ignorance is Strength by Doc+Ruby · · Score: 1

      You fascists are getting so tired that your mask is slipping. Bush tries to destroy Social Security, simultaneously pushing a mandatory, international universal ID card among the rising tide of identity theft. And you demand that Americans be gunned down against the wall.

      You blame some imaginary Social Security threat to the Constitution on FDR, though it's been 50 years, and we've become much more fascist, not Communist, ever since. With even the "Number of the Beast" remaining merely a bureaucratic method for ensuring minimal pensions, rather than certain poverty, for hundreds of millions of Americans. Your parents and grandparents, no doubt, included. Until your boys got control, when they started destroying everything they touched. And all you you've got is nonsense about Communists, gloating over presidential assassinations, fascist cliches about presidents and irrelevant blowjobs. And breathless demands for your fellow Americans to be executed.

      Thank you for clarifying just what kind of fascist zombies are lined up behind Bush, your hero. I'm not waiting for the state to execute you, Anonymous fascist Coward. Why don't you come out behind your anonymous apron, your whining for the state to make the scary people go away? Why don't you come out here to NYC, so I can pull your head out of your ass, right before I rip it off your neck?

      --

      --
      make install -not war

  17. Question? by anandpur · · Score: 1

    How long will it take someone to compile a complete (nearly) database of all US citizens? That will include almost vital information. What will be its use?

    1. Re:Question? by disposable60 · · Score: 1

      You've never heard of Equifax, ChoicePoint, TransUnion, or MBNA?

      It's not your information. It's information about you.
      -- John Ford, Vice President, Equifax

      --
      You're looking for quotes? See my journal.
  18. Re:Meanwhile by rovingeyes · · Score: 1

    Hmmm... Anonymous coward posting about compromised SSNs. Hey do you have any spare I can use? Man my credit history is fucked up ;)

  19. Re:For once, by raolin · · Score: 1

    Oh come on, I'm sure we can find SOMETHING here to pin on IE, we just need to look harder.

    --
    "It is sad to see a family torn apart by something as simple as a pack of wild dogs."
  20. Just a quick FYI by skwang · · Score: 2, Informative
    As a UC student I just want to let slashdotters know that the university does not use our SSN as our student ID.

    That doesn't excuse the networking staff from allowing this breach to occur, but I thought I would set the record straight.

    1. Re:Just a quick FYI by Vann_v2 · · Score: 1

      Krypton was never designed to be a secure place to store files, and has thousands of users. This is no different than making files in your home directory world readable and then being surprised when users on the same machine can -- *gasp* -- read your files.

      None of these files were ever, as far as I know, available directly from the internet. You had to have access to Krypton, at the least.

    2. Re:Just a quick FYI by Vann_v2 · · Score: 1

      First off, no, the problem is being fixed over this weekend. Even if someone does something stupid again, the files will not be exposed to other users.

      Second, Chicago does not use SSNs as student IDs.

    3. Re:Just a quick FYI by 44BSD · · Score: 1
      It takes a whole weekend to do this?
      # find /home -print0 | xargs -0 chmod og-rwx
    4. Re:Just a quick FYI by Vann_v2 · · Score: 1

      I hope you're never put in charge of a serious web server.

      I don't think you understand the size of Krypton and just how many files and users of various levels of access there are.
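
      A defender's version of the audit the exchange above gestures at, as an added example that is not 44BSD's command, nor anything from NSIT or the Krypton server: instead of a blind chmod over thousands of accounts, it walks a tree, reports only files that are readable by "other", and counts (never prints) SSN-shaped values inside them so the owners can be contacted first. The directory layout, file names and contents below are constructed for the demo; the never-issued SSN ranges it filters out (area 000, 666 and 900-999, group 00, serial 0000) are the SSA's published rules.

```python
"""Audit a shared web tree for world-readable files that look like they hold SSNs.

Added example (not from the Slashdot thread or any university system). The report
carries file paths, modes and match counts only, never the values themselves,
so the audit output does not become a second leak.
"""
import os
import re
import stat
import tempfile

# 123-45-6789 style; plausible_ssn() drops ranges the SSA never issues.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject never-issued ranges to cut false positives (test data, dummies)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of plausible SSN-shaped values in a piece of text."""
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))


def audit_tree(root: str, max_bytes: int = 1 << 20) -> list:
    """Return (relative_path, mode_octal, ssn_count) for every regular file
    under root whose mode bits make it readable by 'other'.

    Files are decoded with errors ignored, so binaries just yield zero matches;
    only the first max_bytes of each file are inspected.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if not st.st_mode & stat.S_IROTH:
                continue  # not exposed to unrelated users of the box
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            n = count_ssns(data.decode("utf-8", errors="ignore"))
            findings.append((os.path.relpath(path, root), oct(st.st_mode & 0o777), n))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: one leaky world-readable file, one world-readable
    but harmless file, and one SSN-bearing file that is NOT exposed."""
    samples = {
        "site/roster.csv": ("name,ssn\nA. Student,123-45-6789\nB. Student,234-56-7890\n", 0o644),
        "site/index.html": ("<h1>Hello, fellow Maroonian.</h1> sample 000-00-0000\n", 0o644),
        "private/staff.txt": ("C. Staff,345-67-8901\n", 0o600),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)


def demo() -> list:
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for rel, mode, n in demo():
        flag = "  <-- contact owner" if n else ""
        print(f"{mode} {rel}: {n} SSN-like value(s){flag}")
```

      Run it against a real tree as the user that owns the audit, not as the file owners; the per-file result tells you who to talk to before touching permissions, which is the part a fleet-wide chmod skips.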

  21. But how else do you learn your SSN? by llevity · · Score: 1

    If my university hadn't used SSN's as individual identification numbers, I would have never learned it. At least I got something out of the pricey education.

  22. 365/24 SPAM by peter303 · · Score: 1

    Targeted selling to everyone, everwhere, all the time.

  23. big school ... by whitehatlurker · · Score: 1
    From TFA "And there are 656,000 files on this system, each created by different people."

    Wow. 656000+ people at that school. No wonder they can only put up one file apiece, and that the admins can't educate all of their people to not use that one file to post sensitive data.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  24. if you are expecting... by smartsaga · · Score: 2, Interesting

    your info to be secure in this country... you are nuts. PERIOD

    Why?

    The U.S. could not avoid the hijacking of airplanes in front of everybody and you want your personal info to be safe? HA!!

    Seriously, this country, the people, have no real respect for one's job. Why? Well, it was even on the Simpsons show. Homer even said "do it the American way, do it half ass!" or something like that.

    It is that simple, many Americans do it HALF ASS. And people wonder why other countries hate the US. The U.S. has all the freaking resources needed to protect people's privacy... and it does protect it, HALF ASS. Is HALF ASS enough? Obviously not. Your SSN are belong to us... get it?

    P.S. I don't even need to RTFA... I just know it is always the same crap. Have a good one.

    --
    ===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
  25. It happened at Purdue University just last week! by Anonymous Coward · · Score: 2, Informative

    They dubbed it affectionately the "data incident." From a few computers, hackers were able to glean 11,000 (eleven thousand!) staff records, including names, social security numbers, pants sizes, and favorite flavors of ice cream. (OK, so maybe I'm making the last two up.)

    Yes, I'm one of the disgruntled staff who must watch his credit for the rest of my life, and I'm pissed off.

  26. There needs to be an appropriate penalty for this. by the+eric+conspiracy · · Score: 1


    Eye-for-eye. If an organization loses security on CC#, SSN, etc. of customers they must publicly post the SSN#s and CC#s of all their executives on the default page of a special web site run by the FTC for that purpose.

  27. don crabb would have secured this by charliebear · · Score: 1
  28. Re:who actually needs to get your SSN# anyway? by kalislashdot · · Score: 1

    Everyone uses it because it is a unique number that everyone has. That is why it became the de facto number to use to ID a person. Only in the last few years did they realize that it was bad. Shoot, my Bank uses SSN for your login ID for its Online Banking. I have old paperwork from the Army that has pages of SSN numbers. It was written on letters sent to me, etc. A few months ago I was asked by a utility company for my SSN; I told them no, and why do they need it? They said we just need some identifying info, I can also take your driver's license number. Why did they not ask that in the first place?

  29. Will not happen ... by WindBourne · · Score: 1

    until lawsuits are started. I rarely give my CC to sites that run MS (40% of https but nearly 100% of CC stolen). If ever my ID is stolen via the web, I will be suing the company. If possible, I will try to sue the CIO as well. Until these folks are held personally accountable, nothing will change.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  30. From someone who works with this data. by dk01 · · Score: 1

    As a student employee at my university I was amazed at how little security there is on personal information. Sure the data is secure when the admissions department has it but once you start taking classes you are added into countless Access databases where most of your information is stored in plain text form and usually not password protected. If someone were to type a wrong email when sending the database as an attachment or if someone's spouse used their laptop they would have access to thousands upon thousands of records. On my second day here I was emailed a database with somewhere around 50,000 entries. Scary. It's unfortunate students aren't warned about the way their data is stored either. When I tell people they get mad at the university (like good college kids should). You'd think the government would start to crack down on the way data is handled in universities. I heard they are busy with a war or something.

    1. Re:From someone who works with this data. by Master+of+Transhuman · · Score: 1


      Email errors do happen, you're right.

      The Registration Center at CCSF sent out emails about completed registration to everybody in the campus GroupWise address book last week. Fortunately Groupwise lets you delete emails from other people's mailboxes that you have sent.

      I've told them to stop using GroupWise to send out emails, and use the freakin' email list manager they have on the server! That's what list managers are FOR!

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  31. Flat files? by fbg111 · · Score: 1

    What are SSN's doing in unencrypted flat files anyway? At least encrypt them, better yet store them in an encrypted database field. No human should be able to see someone else's SSN (or CC#, or CC verification code, etc.) on a system, not even the admins. All that should be visible is the variable, not its value.

    --
    Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
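
    One way to get the property the post asks for (no human, admin included, sees another person's SSN on the system), as an added example that is not fbg111's code or any university's: the records table stores a keyed HMAC-SHA256 token plus a last-four mask instead of the number, and the key lives outside the database (KMS, environment, HSM), so a copied flat file or backup yields nothing usable. This is keyed pseudonymization rather than the reversible field encryption the post mentions, chosen because it needs only the standard library; if a workflow must recover the original number, use an encrypting store with the same key separation. The Records class, demo() and all sample names and numbers are constructed for illustration.

```python
"""Keep SSNs out of plaintext fields: store a keyed token and a display mask.

Added example, not from the Slashdot post or any real system. Assumes the
application only ever needs to (a) match a presented SSN against a record and
(b) show a masked value on screen. The HMAC key is held outside the database.
"""
import hashlib
import hmac
import re
import secrets

SSN_SHAPE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def normalize(ssn: str) -> str:
    """Canonical digits-only form so '123-45-6789' and '123456789' agree."""
    value = ssn.strip()
    if not SSN_SHAPE.match(value):
        raise ValueError("not an SSN-shaped value")
    return value.replace("-", "")


def tokenize(ssn: str, key: bytes) -> str:
    """Deterministic keyed token: equal SSNs give equal tokens under one key,
    and without the key the 64-hex string says nothing about the number."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()


def mask(ssn: str) -> str:
    """What a clerk's screen is allowed to show."""
    return "***-**-" + normalize(ssn)[-4:]


class Records:
    """In-memory stand-in for the database table; rows never hold a raw SSN."""

    def __init__(self, key: bytes):
        self._key = key            # constructed: in practice fetched from a KMS
        self._rows = {}            # token -> {"name": ..., "ssn_mask": ...}

    def add(self, name: str, ssn: str) -> None:
        self._rows[tokenize(ssn, self._key)] = {"name": name, "ssn_mask": mask(ssn)}

    def lookup(self, ssn: str):
        """Match a presented SSN; returns the row or None. Nobody reads values."""
        return self._rows.get(tokenize(ssn, self._key))

    def dump(self) -> list:
        """What an admin, or a leaked flat file, would see: masks and token prefixes."""
        return [dict(token=t[:12] + "...", **row) for t, row in sorted(self._rows.items())]


def demo() -> dict:
    """Constructed walk-through with two sample people and one lookup miss."""
    key = secrets.token_bytes(32)          # constructed; a real deployment keys from a KMS
    db = Records(key)
    db.add("A. Student", "123-45-6789")    # constructed sample values
    db.add("B. Student", "234567890")
    return {
        "hit": db.lookup("123456789"),     # same person, different formatting
        "miss": db.lookup("999-99-9999"),
        "dump": db.dump(),
    }


if __name__ == "__main__":
    result = demo()
    print("match:", result["hit"])
    print("no match:", result["miss"])
    for row in result["dump"]:
        print(row)
```

    The caveat that matters in practice: the SSN space is only a billion values, so an unkeyed hash (or a token table stored next to its key) is brute-forceable in minutes; the protection rests entirely on the key never sitting in the same place as the table, and on rotating it the way the post's "encrypted field" key would be rotated.
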
  32. Technical solution by 44BSD · · Score: 2, Funny
    ~badass$ cat > /etc/motd && chmod 444 /etc/motd

    Hello, fellow Maroonian.

    This server is connected to the big bad internet.

    University policy prohibits the storage of sensitive data upon it.

    Employees who violate policy will be fired. Students who violate policy will be expelled.

    Have a Nice Day.
    ^D
    1. Re:Technical solution by Vann_v2 · · Score: 1

      That's pretty much what happened, minus the "firing" and "expelling" part.

  33. For the last time! by realityfighter · · Score: 1

    Singular: Alumnus

    Plural: Alumni

    Can't anyone get this straight? It's absolutely rediculous! ;-)

    --
    A strain of paranoid prevention can be worse than the disease, whate'er the intention.
    1. Re:For the last time! by NeuroBoy · · Score: 1

      You are correct, pedantic, and a poor speller. (Ridiculous, not rediculous...) ;)

  34. Mod parent up by Skater · · Score: 1

    AC is right - I looked through a few and all I saw were blank forms, no actual data.

    Not that it matters anyway - Google is merely the tool, and as anyone who has read a file swapping discussion on /. would know, it's not the tool that's bad.

  35. When I went to U of C they did not use SSN! by Archeopteryx · · Score: 1

    They made a big deal about students being known to the University by our names not a number!

    This was in the mid-70s.

    Sad that it changed.

    --
    Dog is my co-pilot.
  36. Re:who actually needs to get your SSN# anyway? by Master+of+Transhuman · · Score: 1


    Check your bank on that login ID.

    I thought Wells Fargo needed that, too, until they informed me I could use any login name I want (which, however, is NOT tested for strength apparently). Check whatever account maintenance screen they give you, maybe you can give yourself a strong login name.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  37. Re:It happened at Purdue University just last week by gregfortune · · Score: 1

    Which is different from *two* weeks ago in what way? Seriously, you ought to be watching your credit anyway.