Government-Aided Phishing
Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures, passport numbers, green card details and bank account information."
Hmm... posting it on slashdot DEFINITELY won't draw phishers' attention to it...
What the hell made Florida ever think that this was a good idea?
FanFictionRecs.net
Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.
time is a perception of a being's consciousness
time is your 6th sense, the weird ones are 7+
When you are the victim of identity theft you know who to sue: Sue Baldwin,
Broward County, and the State of Florida. Two out of three deep-pockets isn't bad.
this is the same county whose police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":
http://cbs4.com/topstories/local_story_033170755.html (watch part 1 and 2, videos on the right)
and then retaliated against the journalist after the piece aired:
http://cbs4.com/local/local_story_086232143.html
-- lol pwned
The thing is these records are required to be public. A lot of counties in Florida just decide to blank out all important information, or simply not publish the entire document on their web sites. I would have to argue that the county in question is actually doing what is required by law, and nothing less.
It's really not fair at all to say that a record is "Public" if you have to drive to the office and pay $4/hr for a parking spot (if you're lucky enough to find one). Besides, most courthouses have rules like "no weapons", where you will see every officer in the place carrying a gun.
Should people be subjected to phishing? no. The information that is on record at courthouses shouldn't be enough to make phishing targets, but that's not the fault of the courthouse.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Wrong. The Privacy Act of 1974 only applies to the executive branch of the federal government.
Mea navis aericumbens anguillis abundat
I started searching for my friends and family. I found a number of their documents online with just a couple of clicks. Absolutely ridiculous! I called my senator (state and federal) and I urge you to do the same.
Mid-Eastern Pennsylvania Gaming Convention
No, they're definitely in there. Some quick Googling (heck, one name is in TFA) finds them pretty quick. I was kind of surprised that I could access the site from a foreign IP, as it's pretty routine nowadays to limit that (I can't get my own credit reports without using a US based proxy, presumably because they were worried about fraud, and I had a devil of a time reading Dubya's campaign site during the 2004 election) for sensitive sites. Now, generally when we're talking about, say, e-mail delivery I'm 100% in favor of non-discrimination at the institutional level... but could you folks in Florida strongly consider doing something about this if you start getting a lot of accesses from, say, *.ru?
Help poke pirates in the eyepatch, arr.
I'm doing a search now to test a theory: The site is an .aspx page, which means that it's probably an IIS server back-ended by a MSSQL database. Given that they would want the text search to be case insensitive, it is quite possible that they were sloppy and used a SELECT * WHERE [last_name] LIKE @search_string (ok, they probably listed only the columns they wanted, you get the idea though). It is also possible that there is no limit defined for the number of records to return.
If all of the above is true, then the search I started should return everything between 1/1/1978 and 4/10/2006 in the database, assuming that their server survives the request. If this is true, this means that getting everything in their database is a trivial task, and that they are exposing a lot of people to identity theft, very easily. Further, even if they go through and redact the data later, it is probably too late, as the data would have been long since scraped. This is one time that I hope a slashdotting kills a server.
Necessity is the mother of invention.
Laziness is the father.
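The concern raised in the comment above, sketched as an added example (not code from the county's site or from the commenter): a search handler that treats wildcards as literals, requires a minimum term length and caps rows per request, next to the unbounded form. SQLite stands in for the guessed MSSQL back end; the table, columns, limits and sample rows are constructed assumptions.

```python
import sqlite3

MIN_TERM_LEN = 3   # assumed policy: refuse very short search terms
MAX_ROWS = 25      # assumed policy: hard cap on rows returned per request

def build_db():
    """Constructed sample data standing in for a public-records index."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, last_name TEXT, doc_type TEXT)")
    names = ["Smith", "Smythe", "Jones", "Johnson", "O'Brien"]
    rows = [(names[i % len(names)], "deed") for i in range(200)]
    db.executemany("INSERT INTO records (last_name, doc_type) VALUES (?, ?)", rows)
    return db

def naive_search(db, term):
    """The pattern the comment guesses at: user term used as the LIKE pattern, no row limit."""
    cur = db.execute("SELECT id, last_name FROM records WHERE last_name LIKE ?", (term,))
    return cur.fetchall()

def escape_like(term):
    """Make %, _ and the escape character itself literal inside a LIKE pattern."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def bounded_search(db, term, page=0):
    """Prefix search with literal wildcards, a minimum length and a per-request row cap."""
    term = term.strip()
    # Wildcard characters do not count toward the minimum length.
    if len(term.replace("%", "").replace("_", "")) < MIN_TERM_LEN:
        raise ValueError("search term too short")
    pattern = escape_like(term) + "%"
    cur = db.execute(
        "SELECT id, last_name FROM records "
        "WHERE last_name LIKE ? ESCAPE '\\' ORDER BY id LIMIT ? OFFSET ?",
        (pattern, MAX_ROWS, page * MAX_ROWS),
    )
    return cur.fetchall()
```

The row cap bounds what a single request returns; it does not replace redacting the underlying documents or throttling repeated requests.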
You don't need to go to your bank. Just print up a "demand draft" on your printer with the holder's account information (available on any check) and home address. If you can get the account holder to answer "yes" to any question about their account (in my grandma's case, "Is your bank account held in this city?"), the banks won't even go after you for fraud. That's sufficient authorization.
Surely, I must be exaggerating. Sadly, no. See:
http://wamublamesgrandma.blogspot.com/2006/03/wamus-response-to-my-letter.html
Anyway, I've been flogging this dead horse for a while now, but the flip side of institutional laziness with sensitive information is what institutions -- in this case, Washington Mutual -- allow bad guys to do with the information.
Full details here:
http://wamublamesgrandma.blogspot.com/
Given the huge amount of poor people with massive debt, sure.
The problem with having bad credit isn't not being able to get credit, it's not being able to get credit at a reasonable interest rate. Identity thieves, not planning on paying the bills, don't give a shit about the interest rate.