Slashdot Mirror
U of C Student Information Compromised
fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."
About 3 years ago I ended up finding a site that had a similar problem. It was on a University site and was devoted to students asking their instructor a question. The questions were something like this:
HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.
Each entry (about 50) had students names and social security numbers.
I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.
I then contacted one of the students. The page was 'secured' in 1 day.
I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.
It could be worse, it could be Monday.
I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.
About 8 years ago, a City College of San Francisco sent out a bunch of postcards to the students (There are tens of thousands of part-time students there). The postcard (No envelope) contained some information on how to register, and a reminder of the students Student ID Number-- which was a SSN. On a fricken postcard.
94% of Repubs and 21% of Dems voted to renew the Patriot Act
As an alumni of the U of C, I have to say I'm not surprised. DCS was never permitted near the IS office and the enmity between the two just caused IS to be the most frequent target of pranks by DCS students.
So long and thanks for all the fish . . . !!!
the problem is the "It cant happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. it seems like no one will learn untill it is too late for them.
the worst part is there is not a god damned thing I can do about it, everyone, like trained trones gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...
It seems like most of the focus is on how universites and companies aren't doing enough to secure this data, and that somehow if they try hard enough identity theft will go away.
That is completely the wrong problem to solve.
The true problem is that we have developed a system where knowing somebody's identifying information (name, address, SSN, DOB, etc) gives you power. Instead of approaching the impossible task of keeping this information secure, we should instead approach the solvable task of dismantling the system that gives this information so much power.
Imagine that the "master tape" of SSNs for every citizen in the United States had been publicly leaked, and that it was being openly shared on P2P networks. How would we put the cat back in the bag? If you can solve that question, then you are on the right path.
One idea: pass a law prohibiting anyone, governmental or non-governmental, from using the SSN for any purpose other than administrating social security taxes. Take the power away from that number. Since nobody would ask for it, or care what it was, for anything except your social security taxes, no harm could come from sharing it.