Slashdot Mirror


How Cornell Plans To Purge Campus Computers of Personal Data

and so forth writes "Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer at the University for the following items: social security numbers; credit card numbers; driver's license numbers; bank account numbers; and protected health information, as defined by HIPAA. The main tools are Identityfinder (commercial software for Windows and Mac), spider (Cornell software for Windows from 2008) and Find_SSN (Python script from Virginia Tech). The effort raises both technical questions (false positives, anyone?) and practical issues (should I trust closed source software to do this?). Have other universities succeeded at removing confidential data? Success, here, should probably be gauged in terms of diminished legal liability after the attempted cleanup has been completed." Note: this program affects the computers of university employees and offices, rather than students' personal machines.

8 of 164 comments

  1. Ohio State University by Anonymous Coward · · Score: 5, Informative

    Ohio State relies on their institutional data policy and Disclosure or Exposure of Personal Information policy. Essentially, any protected information has to be kept on encrypted devices. That worked fairly well, except once they had all their computers encrypted they quit paying the license fees to PGP. They didn't know the software, which they thought was only pre-boot authentication, phoned home and had a DRM time-bomb in it to automatically drop everything Windows was doing, and spend a couple hours decrypting the whole drive after a certain date if the subscription wasn't renewed. I'd be pretty wary of trusting that kind of task to proprietary software, especially if it requires a subscription like ours did. Posted AC for obvious reasons. If it's closed source, you never know what kind of trick the vendor might be able to pull on you.

  2. Re:What does "computers of university employees" m by Anonymous Coward · · Score: 1, Informative

    I work at a university, and I generally agree with your assessment. The vast majority of academic types get uncomfortable with any kind of monitoring. They do seem to accept that IT has admin rights on most things. What's great is that they refuse to accept any kind of content filtering on the campus network connection. I've also heard of professors having their connections shut down for excessive bandwidth use who raised hell because it interfered with their academic freedom. I remember one story about a professor who got shut down while streaming a video to his class; apparently that is a very good way to piss the entire academic division of the college off.

  3. Not that bad by Anonymous Coward · · Score: 1, Informative

    We did this where I work recently, small-ish private university, lots of science, a hospital, etc. All the faculty and staff had to run IDF. The tech guys came in and installed it and showed everyone how to run it but weren't allowed to see it being run. The person was required to run it and sort through the results themselves. All of my department ran it fine, no problems, no complaints, other than spending time sorting results. It really wasn't that big a deal.

  4. So... by Datamonstar · · Score: 2, Informative

    All I have to do now is infect the (probably Windows-based) servers that host the scanning software and scan the memory for patterns resembling SSN#'s, etc. and make off with potentially an entire university's personal information? I say memory, 'cause I know no one would be dumb enough to search for that sort of sensitive information and then actually just log it into a centralized location for no reason. Right? Right?

    --
    The eternal struggle of good vs. evil begins within one's self.

  5. TrueCrypt is your friend! by ad454 · · Score: 2, Informative

    Although it is good to make sure that any computer does not have any unnecessary personal/private data, and also good to have searching software that might help locate some or most of it, it is unrealistic to expect to be able to ensure that such data will be kept off all computers, especially when there might be some situations where there is a legitimate need to have access to such data offline.

    The best solution is to use whole disk encryption with the free opensource TrueCrypt software.

    Although it is a shame that TrueCrypt does not support whole disk encryption on the Mac yet. At least there are some less trustworthy closed options like PGP Whole Disk Encryption, which would be better than nothing.

  6. Re:This is easy by dissy · · Score: 2, Informative

    "1. The process takes entirely too long and if the person doesn't wait and walks away or just turns it off, the thief could still get the data. They used rdist when I was in college for campus kiosk computers. It was fucking miserable to wait for one of these bastards to boot or shutdown in the case of there being a problem which required a reboot (at the time a frequent necessity)."

    Eww, yeah, that's not the best way to do it at all (having to wait on anything, that is).

    For Windows XP I use a program called Windows SteadyState, which unfortunately Microsoft seems to be discontinuing insofar as not supporting any OS past XP 32-bit.

    There is also a commercial solution known as Deep Freeze that does the same task but for a lot more operating systems.

    Basically all your root drive / C drive changes are held in memory in a separate copy-on-write partition that appears merged with the real data.
    None of the FAT entries are maintained for that outside of RAM however, so even yanking the plug will do the same thing as a normal shutdown, and there is no waiting beyond what you wait now to reboot. All changes to the drive just instantly disappear and the drive space is reclaimed.

  7. Re:What does "computers of university employees" m by fluffy99 · · Score: 2, Informative

    so what you are saying is that I need to be storing socials as integers rather than strings, so they don't look like socials?

    No, it means you need to be storing the data in an encrypted file/folder. Believe it or not, doing it right is sometimes easier than trying to hide what is arguably illegal activity.

  8. Re:Good Idea by TheCarp · · Score: 2, Informative

    It only seems like a good idea. It's likely to miss things, and have false positives.

    A better idea is...mandate full disk encryption. I have done it on my Linux based laptop for years, 3 years before my company mandated it. Now, it's mandatory. They rolled out a canned solution for departments that want it and don't know any better, and to the rest of us just say "it's your ass if it's not encrypted" and they make everyone certify, every six months, that if they use a laptop for work, its disk is encrypted.

    Problem solved. No scanning needed.

    -Steve

    --
    "I opened my eyes, and everything went dark again"