Slashdot Mirror


How Cornell Plans To Purge Campus Computers of Personal Data

and so forth writes "Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer at the University for the following items: social security numbers; credit card numbers; driver's license numbers; bank account numbers; and protected health information, as defined by HIPAA. The main tools are Identityfinder (commercial software for Windows and Mac), spider (Cornell software for Windows from 2008) and Find_SSN (python script from Virginia Tech). The effort raises both technical questions (false positives, anyone?) and practical issues (should I trust closed source software to do this?). Have other Universities succeeded at removing confidential data? Success, here, should probably be gauged in terms of diminished legal liability after the attempted clean up has been completed." Note: this program affects the computers of university employees and offices, rather than students' personal machines.


  1. This is easy by Hatta · · Score: 3, Interesting

    After logging off, revert to the last backup. If there's no data on the computer, there's no personal data on the computer. Anything you need saved goes on removable storage.

    --
    Give me Classic Slashdot or give me death!
    1. Re:This is easy by dissy · · Score: 2, Informative

      "1. The process takes entirely too long and if the person doesn't wait and walks away or just turns it off, the thief could still get the data. They used rdist when I was in college for campus kiosk computers. It was fucking miserable to wait for one of these bastards to boot or shutdown in the case of there being a problem which required a reboot (at the time a frequent necessity)."

      Eww, yea that's not the best way to do it at all (Having to wait on anything that is.)

      For Windows XP I use a program called Windows SteadyState, which unfortunately Microsoft seems to be discontinuing in so far as not supporting any OS past XP 32-bit.

      There is also a commercial solution known as Deep Freeze that does the same task but for a lot more operating systems.

      Basically all your root drive / C drive changes are held in memory in a separate copy-on-write partition that appears merged with the real data.
      None of the FAT entries are maintained for that outside of RAM however, so even yanking the plug will do the same thing as a normal shutdown, and there is no waiting beyond what you wait now to reboot. All changes to the drive just instantly disappear and the drive space is reclaimed.

  2. What does "computers of university employees" mean by Entropius · · Score: 3, Insightful

    Does this include professors?

    I know a lot of scientists who would be quite annoyed if the people from the IT department (who are clueless policy-obsessed wankers at my institution) came in and wanted to search through a bunch of simulation results and LaTeX files looking for SSN's.

  3. We'll get right on that. by blair1q · · Score: 2, Funny

    We'll get on that, just as soon as our Y2K-bug vulnerability scan is done running.

  4. Re:What does "computers of university employees" m by topham · · Score: 4, Insightful

    a) too fucking bad.
    b) Sign this waiver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.

    I don't get the premise of the article. Scanning for credit card data and SSN is quite easy and simple. It's no more intrusive than a virus scan. Being open or closed source doesn't make any bloody difference either.

    Intrusion detection systems should also be running and scanning for data that conforms with SSN or credit card formats.

  5. Cautionary Tale: Rat Penis Data by seebs · · Score: 3, Funny

    http://www.langston.com/Fun_People/1994/1994AXP.html

    Excerpt:

    And the war continued, with progressively more redundant copies using
    progressively more of the disk farm, and the encryption methods evolving
    under the selection pressure of the system administrators' decryption
    efforts.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  6. Actually, storing no data can be a good thing by davidwr · · Score: 3, Interesting

    In an age of always-connected, treating computers as "smart terminals" with no long-term local storage save an encrypted self-destructing-on-wrong-password cache can be very useful.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Actually, storing no data can be a good thing by PseudononymousCoward · · Score: 2, Interesting

      That is, until you, as a professor, go to the slopes of Mt. Kilimanjaro for a month to do research. At that point, the assumption of 'always connected' is incorrect, and you must carry data with you. Frequently, you must also carry some forms of student information, too, in order to respond to emails that you get from students when you are in town at the internet cafe once per week.

  7. Ohio State University by Anonymous Coward · · Score: 5, Informative

    Ohio State relies on their institutional data policy and Disclosure or Exposure of Personal Information policy. Essentially, any protected information has to be kept on encrypted devices. That worked fairly well, except once they had all their computers encrypted they quit paying the license fees to PGP. They didn't know the software, which they thought was only pre-boot authentication, phoned home and had a DRM time-bomb in it to automatically drop everything Windows was doing, and spend a couple hours decrypting the whole drive after a certain date if the subscription wasn't renewed. I'd be pretty wary of trusting that kind of task to proprietary software, especially if it requires a subscription like ours did. Posted AC for obvious reasons. If it's closed source, you never know what kind of trick the vendor might be able to pull on you.

  8. Re:What does "computers of university employees" m by TimHunter · · Score: 3, Interesting

    A prominent cancer researcher at UNC-Chapel Hill is fighting the demotion and pay cut she received after a computer server she oversees was hacked, exposing about 180,000 patient files.

    http://www.newsobserver.com/2010/10/14/739551/unc-cancer-scientist-appeals-her.html.

  9. So... by Datamonstar · · Score: 2, Informative

    All I have to do now is infect the (probably Windows-based) servers that host the scanning software and scan the memory for patterns resembling SSN#'s, etc. and make off with potentially an entire university's personal information? I say memory, 'cause I know no one would be dumb enough to search for that sort of sensitive information and then actually just log it into a centralized location for no reason. Right? Right?

    --
    The eternal struggle of good vs. evil begins within one's self.
  10. Re:What does "computers of university employees" m by fluffy99 · · Score: 2, Insightful

    "And a) is the reason my department does not trust IT cowboys with any of our data. This is data that cost actual money to generate, not some shit we downloaded off BitTorrent for fun. I hope you get fired."

    Well are you an arrogant and self-important little bugger. The fact is that improperly retaining and losing privacy act data costs money and reputation too (just ask the Veterans Administration). Potentially a lot more than some professor's grading data where he stupidly tracks students by their full soc number. Or the sociology researcher keeping a huge database of personal info on their test subjects. The mandate for this action did not originate with the IT folks, but they were tasked to implement the policy. Stop being a little prick and try to understand the bigger picture.

    Besides the article didn't say it was going to delete the data. It said "cleanup" which could be anything from a script that pops up when it detects questionable data, or even maybe it just moves it off of theft-prone laptops and desktops onto a central file server.

    Many institutions are going the route of encryption. Hard drives are encrypted, and anything stored onto removable media gets encrypted. A pain in the ass to be sure, but it does allow management to claim that no data was compromised if a laptop disappears.

  11. TrueCrypt is your friend! by ad454 · · Score: 2, Informative

    Although it is good to make sure that any computer does not have any unnecessary personal/private data, and also good to have searching software that might help locate some or most of it, it is unrealistic to expect to be able to ensure that such data will be kept off all computers, especially when there might be some situations where there is a legitimate need to have access to such data offline.

    The best solution is to use whole disk encryption with the free open-source TrueCrypt software.

    Although it is a shame that TrueCrypt does not support whole disk encryption on the Mac yet. At least there are some less trustworthy closed options like PGP Whole Disk Encryption, which would be better than nothing.

  12. Trusting closed-source software by avxo · · Score: 2, Insightful

    The OP says that a practical issue is whether one should trust closed source software to do this? Because, of course, being closed source should implicitly invoke gloomy music, dark clouds and cause people to break out in a cold sweat? Seriously, enough with this bullc*** already... There's nothing inherently wrong with running closed source software, nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software. There are legitimate arguments to be made that open-source has advantages. That open-source is, somehow, more trustworthy, isn't one such argument. And it's high time we stopped peddling it as one, or accepting it as one.

    1. Re:Trusting closed-source software by colinrichardday · · Score: 2, Insightful

      "nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software."

      No, but it's easier to analyze source code than binaries.

  13. Re:What does "computers of university employees" m by interkin3tic · · Score: 2, Interesting

    "b) Sign this waiver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc."

    Unless he then shoves the waiver up the manager of the IT department's nose, that waiver won't do anything, the IT department will refer him to a secretary who will refer him to some policy and the committee for something or other who will meet once a year and won't discuss it with him. Universities are usually more bureaucratic and inflexible than your local DMV.

    Which is why Cornell will try to scan every computer on campus, not just those ones which are likely to have student or employee information on them. Got an Apple IIe running a very old but still functional instrument? It may be more convenient to just lie to the IT department. Some are understanding, whereas others would insist you get a new computer. If you would have to spend $10k to replace the equipment, that's not really their department.

  14. Should you trust closed source software? by thegarbz · · Score: 3, Insightful

    Should you trust closed source software to do this scan?
    Should you trust the bank managing your transactions?
    Should you trust closed source software in medical equipment?
    Should you trust SAP to manage your financial transactions?
    Should you trust a Windows computer for anything more important than your gmail password?
    Should you trust Google Chrome when logging into your netbanking?

    You know what? I think on the grand scheme of things trusting a piece of closed source software specifically designed to search for information made by a company which would literally be sued into oblivion if they did what the article was hinting at, ranks pretty damn low on the list of things I worry about.

  15. Re:What does "computers of university employees" m by fluffy99 · · Score: 2, Informative

    "so what you are saying is that i need to be storing socials as integers rather than strings, so they don't look like socials?"

    No it means you need to be storing the data in an encrypted file/folder. Believe it or not, doing it right is sometimes easier than trying to hide what is arguably illegal activity.

  16. Re:What does "computers of university employees" m by fluffy99 · · Score: 4, Interesting

    "Then the correct policy is "Don't haphazardly store personal data on machines without considering what you are doing". There is no reason to barge into Dr. Smith's office, who's madly creating his slides for the conference next week while trying to babysit a supercomputer at Berkeley while fending off emails from his students, and insist in a very bureaucratic tone that you have to scan his workstation, the RAID, his other computer, his student's computer, and the two computers used to monitor various instruments (which the other students are taking data on) for SSN's."

    Unfortunately, Dr Smith is taking his laptop to the conference. He's much too busy to go on travel without taking all of his data with him on the laptop, such as his students' grading info (SSNs) or info on the other proprietary projects he's working on. He's too important to worry about trivialities such as data protection policies issued by those idiots on the Board of Directors. After all drive encryption slows things down too much he hears, but in truth he doesn't know how to set it up. Of course his laptop gets stolen and now the University has to report that data was compromised. Suddenly Dr Smith is no longer an asset to the university but rather a liability.

    Sorry, but anyone who has worked in IT or even law enforcement knows damn well that users will ignore written policies unless there is some level of monitoring and enforcement. Just scroll up a bit and you'll see examples of those guys posting stuff like "just store the ssn as an integer so the scripts don't find it".

  17. Re:What does "computers of university employees" m by gnapster · · Score: 2, Insightful

    Because not so long ago, it was common practice to use a student's SSN as their student ID number. In ~2001 and ~2004, I attended schools which changed their policies on this matter in those years, respectively. For each school, I started with a student ID that was the same digits as my SSN, and when I was graduated, I had a new student ID that was an unrelated string of digits.

    Using the SSN as an ID is very convenient. For every incoming person, you have a unique number that they probably already have memorized. From there, it should be no surprise when professors get lists of SSNs on class rosters at the beginning of a semester, and they might store it in one form or another over the course of grading, and similar activities.

  18. Re:Good Idea by TheCarp · · Score: 2, Informative

    It only seems like a good idea. It's likely to miss things, and have false positives.

    A better idea is...mandate full disk encryption. I have done it on my Linux-based laptop for years, 3 years before my company mandated it. Now, it's mandatory. They rolled out a canned solution for departments that want it and don't know any better, and to the rest of us just say "it's your ass if it's not encrypted" and they make everyone certify, every six months, that if they use a laptop for work, its disk is encrypted.

    Problem solved. No scanning needed.

    -Steve

    --
    "I opened my eyes, and everything went dark again"