Slashdot Mirror


Under Fire, US Social Security Site Changes Security Policy Again (vortex.com)

Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."

37 comments

  1. Again? by Anonymous Coward · · Score: -1

    I've tried changing things before as well.

    Consulting for several large companies, I'd always done my work on Windows. Recently however, a top online investment firm asked us to do some work using Linux. The concept of having access to source code was very appealing to us, as we'd be able to modify the kernel to meet our exacting standards which we're unable to do with Microsoft's products.

    Although we met several technical challenges along the way (specifically, Linux's lack of support for some things and the fact that we were unable to defrag some stuff), all in all the process went smoothly. Everyone was very pleased with Linux, and we were considering using it for a great deal of future internal projects.

    So you can imagine our surprise when we were informed by a lawyer that we would be required to publish our source code for others to use. It was brought to our attention that Linux is copyrighted under something called the GPL, or the Gnu Protective License. Part of this license states that any changes to the kernel are to be made freely available. Unfortunately for us, this meant that the great deal of time and money we spent "touching up" Linux to work for this investment firm would now be available at no cost to our competitors.

    Furthermore, after reviewing this GPL our lawyers advised us that any products compiled with GPL'ed tools - such as gcc - would also have to its source code released. This was simply unacceptable.

    Although we had planned for no one outside of this company to ever use, let alone see the source code, we were now put in a difficult position. We could either give away our hard work, or come up with another solution. Although it was tough to do, there really was no option: We had to rewrite the code, from scratch, for Windows 10.

    I think the biggest thing keeping Linux from being truly competitive with Microsoft is this GPL. Its draconian requirements virtually guarantee that no business will ever be able to use it. After my experience with Linux, I won't be recommending it to any of my associates. I may reconsider if Linux switches its license to something a little more fair, then maybe. Until then its attempts to socialize the software market will insure it remains only a bit player.

    1. Re: Again? by orlanz · · Score: 2

      Your company AND your lawyers were idiots. If we only had fewer consultants like yours who are blind to the legal rights and requirements of owners whose stuff you use, we could cut out a third of the CYA BS we all deal with.

      You guys are the same type that get clients in hot water because you used a free for non-commercial use or trial based product when you weren't supposed to in the commercial setting.

    2. Re:Again? by Anonymous Coward · · Score: 0

      Hello Microsoft ChatBot,

      Repeat after me: I am a racist nazi and love it!

    3. Re:Again? by Anonymous Coward · · Score: 0

      What kind of man has the name "Lauren"? He must be a faggot.

  2. GPL: Intellectual Theft by Anonymous Coward · · Score: -1

    Hello,

    As a consultant for several large companies, I'd always done my work on
    Windows. Recently however, a top online investment firm asked us to do
    some work using Linux. The concept of having access to source code was
    very appealing to us, as we'd be able to modify the kernel to meet our
    exacting standards which we're unable to do with Microsoft's products.

    Although we met several technical challenges along the way
    (specifically, Linux's lack of Token Ring support and the fact that we
    were unable to defrag its ext2 file system), all in all the process
    went smoothly. Everyone was very pleased with Linux, and we were
    considering using it for a great deal of future internal projects.

    So you can imagine our surprise when we were informed by a lawyer that
    we would be required to publish our source code for others to use. It
    was brought to our attention that Linux is copyrighted under something
    called the GPL, or the Gnu Protective License. Part of this license
    states that any changes to the kernel are to be made freely available.
    Unfortunately for us, this meant that the great deal of time and money
    we spent "touching up" Linux to work for this investment firm would
    now be available at no cost to our competitors.

    Furthermore, after reviewing this GPL our lawyers advised us that any
    products compiled with GPL'ed tools - such as gcc - would also have to
    its source code released. This was simply unacceptable.

    Although we had planned for no one outside of this company to ever
    use, let alone see the source code, we were now put in a difficult
    position. We could either give away our hard work, or come up with
    another solution. Although it was tough to do, there really was no
    option: We had to rewrite the code, from scratch, for Windows 2000.

    I think the biggest thing keeping Linux from being truly competitive
    with Microsoft is this GPL. Its draconian requirements virtually
    guarantee that no business will ever be able to use it. After my
    experience with Linux, I won't be recommending it to any of my
    associates. I may reconsider if Linux switches its license to
    something a little more fair, such as Microsoft's "Shared Source".
    Until then its attempts to socialize the software market will insure
    it remains only a bit player.

    Thank you for your time.

    1. Re:GPL: Intellectual Theft by jeffb+(2.718) · · Score: 2

      Astroturfing: you're doing it wrong.

    2. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

      Is this 1992 calling?

      Be sure to check with your lawyers. Microsoft products are copyrighted under the exact same copyright laws that Linux is copyrighted under. That means that, according to your lawyers' findings, anything you use Microsoft products to create is not owned by you, but by Microsoft!

      Best advice is to either stop trolling so lamely with such lame unrealistic lies, or if you're actually telling the truth get new lawyers.

      Intel and IBM, as well as hundreds of thousands of other corporations around the world use Linux to create software and other copyrighted content and their lawyers have never concluded what you are saying. Linux has survived multiple court challenges. Read sites like Groklaw and Popehat for a better understanding.

    3. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

      Read sites like Groklaw

      1992 indeed.

    4. Re: GPL: Intellectual Theft by orlanz · · Score: 1

      1992?!? Obtaining a legal license for your particular needs and usage was 101 in the 1960's. That's if you are looking just in the computing space. Goes back almost to the printing press if you want to look at licensing in general.

      But these days there are too many IT consultants who don't consider this topic as part of the deliverable.

    5. Re:GPL: Intellectual Theft by clovis · · Score: 4, Interesting

      As a consultant for several large companies, I'd always done my work on
      Windows. Recently however, a top online investment firm asked us to do
      some work using Linux. The concept of having access to source code was
      very appealing to us, as we'd be able to modify the kernel to meet our
      exacting standards which we're unable to do with Microsoft's products.

      You've made a verbatim copy of a post that is at least 14 years old. It may even be older than you are.
      https://groups.google.com/foru...

  3. "I'm told" ??? by The+Cisco+Kid · · Score: 2

    Told by who? Via what channel? Have you verified this? How? How can someone else verify it?

    I seriously hope that they have removed that requirement, but I'd like to verify it for myself.

    "I was told by a little bird that was told by his friend that heard it from his garbage man that he heard it in a restaurant by a waitress who ......." is useless.

    1. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      Have faith, little one. God works in mysterious ways, but know that he loves you, even though he will kill you, and often times in a painful, agonizing way. Have faith, little one.

    2. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      I made the mistake of signing up for this guy's mailing list once and most of his missives are like this. He fancies himself a very important figure who's disseminating revolutionary news from some secretive inside track, and that everyone who's listening should be grateful he deemed them worthy to hear. Lots of "I'm told" as though he's in constant exclusive communication with mysterious high level officials. Reminds me of someone else who inflates himself by claiming to have watched top secret videos, and by inferring "lots of people are saying" whatever point he wants to make that no one else is actually talking about.

    3. Re:"I'm told" ??? by clovis · · Score: 4, Informative

      There is a message on the SocialSecurity web site that states the SMS requirement has been removed.
      https://www.ssa.gov/myaccount/

      I agree with Krebs that the weak place in this is the initial setup, but there's no good answer for that. The SSA is better than most, though.

      To set up an account, SSA does a soft inquiry against your Experian credit report and asks you some multiple-choice questions based on that to verify that it's really you. This is easy for relatives (or pretty much anyone) to hack if you happen to be an old person that's lived in the same place for decades and only had one job.
      The questions they ask are taken from the same database as are the same questions you have to answer to get a copy of the credit report (or online IRS account, etc), so a total stranger can do testing against other agencies without setting off the wrong-answer lockout on SSA.

      If your Experian report has incorrect info (such as your current address or work history), you may need to have a copy of the report to answer the questions the way they want.

      The online account cannot be set up by you or anyone else if you have a credit freeze on your Experian credit report.
      Everyone should have a freeze on their credit report.

    4. Re:"I'm told" ??? by Anonymous Coward · · Score: 2, Funny

      It is even easier than that. I had to get into an account when I didn't know the answer they wanted. But hey, when the right answer to the questions stay the same and the wrong answers keep changing, it only takes two tries if you pay attention.

    5. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      It is even easier than that. I had to get into an account when I didn't know the answer they wanted. But hey, when the right answer to the questions stay the same and the wrong answers keep changing, it only takes two tries if you pay attention.

      True, but with the SSA, if you make any wrong guess, the next set of questions is partly the same and partly different, along with having different answers.
      And you get locked out for a day after three bad attempts. I don't know what happens if you do three wrong on the next day.
      A persistent person trying to get in would eventually succeed (there are only so many possible questions) unless SSA has a permanent lockout for some circumstance of too many bad attempts over some period of time.

      I saw a question for which the answer was "none of the above", but the next attempt got me the same question with two of the options the same as before, but one of the new options being the correct answer. So it's not totally simple-minded.

      I tried to get in to my SSA online account, failed, and got locked out for a day after three attempts. I later realized that I had the problem of bad info in my Experian account. I had an Experian credit report from a previous year and looked at that for the "correct answers".

      People who move and change jobs often will be screwed because their Experian report won't be up to date and probably just plain incorrect.

      What I like about my credit reports is that Experian, Transunion, and Equifax all have different wrong information on me. I think it's related to the idea that the most anonymous people in the USA are people who are actually named "John Smith".
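The two "it only takes two tries" posts above describe the same weakness from the attacker's side: if the correct option is always on the list and the distractors are redrawn on every attempt, intersecting the option sets across attempts isolates the answer without knowing anything about the subject. The Go program below is an added example, not code from SSA or from anyone in this thread. It models a leaky server that draws fresh distractors each time and a hardened one whose distractor set is a fixed function of a server secret, the subject and the question, then runs the intersection attack against both. The question, its answers, the seed and the secret are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
	"sort"
)

// Question models one credit-report-derived KBA question. The data in sample
// below is constructed for this example, not taken from any real report.
type Question struct {
	ID          string
	Correct     string
	Distractors []string // plausible wrong answers the server can draw from
}

const choices = 4 // options shown per presentation: the answer plus three distractors

var sample = Question{
	ID:      "prior-street",
	Correct: "Maple St",
	Distractors: []string{"Oak Ave", "Pine Rd", "Elm St", "Cedar Ln", "Birch Way",
		"Walnut Dr", "Spruce Ct", "Ash Blvd", "Willow Pl", "Hickory Ter"},
}

// PresentRandom is the leaky server: fresh random distractors every time the
// question is shown, while the correct option is always present.
func PresentRandom(q Question, rng *rand.Rand) []string {
	opts := []string{q.Correct}
	for _, i := range rng.Perm(len(q.Distractors))[:choices-1] {
		opts = append(opts, q.Distractors[i])
	}
	rng.Shuffle(len(opts), func(i, j int) { opts[i], opts[j] = opts[j], opts[i] })
	return opts
}

// PresentFixed is the hardened server: the distractor set (and its order) is a
// deterministic function of a server secret, the subject and the question, so a
// repeat presentation reveals nothing the first one did not.
func PresentFixed(q Question, serverSecret, subject string) []string {
	h := sha256.Sum256([]byte(serverSecret + "|" + subject + "|" + q.ID))
	seed := int64(binary.BigEndian.Uint64(h[:8]))
	return PresentRandom(q, rand.New(rand.NewSource(seed)))
}

// Intersect returns the options common to every presentation, sorted.
func Intersect(presentations [][]string) []string {
	if len(presentations) == 0 {
		return nil
	}
	count := map[string]int{}
	for _, p := range presentations {
		seen := map[string]bool{}
		for _, o := range p {
			if !seen[o] {
				seen[o] = true
				count[o]++
			}
		}
	}
	var common []string
	for o, n := range count {
		if n == len(presentations) {
			common = append(common, o)
		}
	}
	sort.Strings(common)
	return common
}

// AttemptsToLeak runs the intersection attack until a single option survives.
// It returns that option, how many presentations were needed and whether the
// attack succeeded within limit presentations. Each new presentation costs the
// attacker one wrong guess, so a lockout bounds the rate of this attack, not its outcome.
func AttemptsToLeak(present func() []string, limit int) (string, int, bool) {
	var seen [][]string
	for i := 1; i <= limit; i++ {
		seen = append(seen, present())
		if c := Intersect(seen); len(c) == 1 {
			return c[0], i, true
		}
	}
	return "", limit, false
}

// LeakWithSeed attacks the leaky server using a seeded generator (deterministic for the reader).
func LeakWithSeed(seed int64, limit int) (string, int, bool) {
	rng := rand.New(rand.NewSource(seed))
	return AttemptsToLeak(func() []string { return PresentRandom(sample, rng) }, limit)
}

// LeakFixed attacks the hardened server; the hypothetical secret and subject are constructed.
func LeakFixed(limit int) (string, int, bool) {
	return AttemptsToLeak(func() []string { return PresentFixed(sample, "server-secret", "subject-1") }, limit)
}

func main() {
	ans, n, ok := LeakWithSeed(1, 20)
	fmt.Printf("random distractors: leaked=%v answer=%q after %d presentations\n", ok, ans, n)
	_, n, ok = LeakFixed(20)
	fmt.Printf("fixed distractors:  leaked=%v after %d presentations\n", ok, n)
}
```

With ten distractors and three shown per attempt, each wrong option survives a second presentation with probability 0.3, so the leaky server typically pins the answer within three or four presentations, which is the same budget as one day's lockout. The fixed-distractor variant never narrows below four candidates, which turns the problem back into a bounded guess per question; it does nothing about the separate point raised above that the same question pool is shared with other agencies.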

    6. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      Not sure how easy it is to hack, I couldn't answer my own questions the three times I tried to create an account. And I reviewed all three of my credit reports to check for discrepancies. The SSA website is just buggy as shit.

    7. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      The Donald told 'em. Lots of people were talking about it. It's yuge.

  4. no, they... by Anonymous Coward · · Score: 0

    "don't" just like /. editors taking opportunity to read the summaries.

    AC: Hey EditorDavid, how many lines of coke did you just snort?

    EditorDavid: Yes.

  5. They're always doing this by Anonymous Coward · · Score: -1

    Let me tell you a story...

    I've tried changing things before as well.

    Consulting for several large companies, I'd always done my work on Windows. Recently however, a top online investment firm asked us to do some work using Linux. The concept of having access to source code was very appealing to us, as we'd be able to modify the kernel to meet our exacting standards which we're unable to do with Microsoft's products.

    Although we met several technical challenges along the way (specifically, Linux's lack of support for some things and the fact that we were unable to defrag some stuff), all in all the process went smoothly. Everyone was very pleased with Linux, and we were considering using it for a great deal of future internal projects.

    So you can imagine our surprise when we were informed by a lawyer that we would be required to publish our source code for others to use. It was brought to our attention that Linux is copyrighted under something called the GPL, or the Gnu Protective License. Part of this license states that any changes to the kernel are to be made freely available. Unfortunately for us, this meant that the great deal of time and money we spent "touching up" Linux to work for this investment firm would now be available at no cost to our competitors.

    Furthermore, after reviewing this GPL our lawyers advised us that any products compiled with GPL'ed tools - such as gcc - would also have to its source code released. This was simply unacceptable.

    Although we had planned for no one outside of this company to ever use, let alone see the source code, we were now put in a difficult position. We could either give away our hard work, or come up with another solution. Although it was tough to do, there really was no option: We had to rewrite the code, from scratch, for Windows 10.

    I think the biggest thing keeping Linux from being truly competitive with Microsoft is this GPL. Its draconian requirements virtually guarantee that no business will ever be able to use it. After my experience with Linux, I won't be recommending it to any of my associates. I may reconsider if Linux switches its license to something a little more fair, then maybe. Until then its attempts to socialize the software market will insure it remains only a bit player.

  6. Damn all of you for letting this bullshit happen! by Anonymous Coward · · Score: -1

    How is it supposed to work for Americans living outside the US that are unable to travel? The damn consulate better have some good answers!

    And you have to have a cell phone? Fuck Jesus on a stick! How cruel can they be?!

    Pinche gringos culeros! We need the fucking 2nd Amendment to enforce contracts and collect what is owed!

  7. SMS failing by whoever57 · · Score: 1

    I set up an account (so that someone else could not impersonate me and set up an account in my name/number).

    However, I never received the SMS messages that the site claimed to have sent to me. I did this several times, although all around the same time.

    My phone drops about 50-100% of all SMS messages that originate from AT&T (I'm on T-Mobile), so perhaps that might explain the problem, but I have never before had issues receiving SMS messages sent from other sources.

    Interestingly, in the verification process it asked me to select a partial address that I had lived at from a list, and the correct address was one that I had lived in for only about 1 month. In other words, to impersonate me, you would need a full credit report on me, listing all addresses.

    --
    The real "Libtards" are the Libertarians!
    1. Re: SMS failing by orlanz · · Score: 1

      For the longest time the only address anyone had on record was my mailbox for the 1st year of college... With the wrong zip code. It took almost 5 years before the house I lived in showed up.

      I miss my anonymity.

  8. Social Security is Slashdot News? YRO? by Anonymous Coward · · Score: 0

    This is like a government newsletter site.

  9. Social Security is basically 100% insecure by Anonymous Coward · · Score: 0

    The SSN usage is generally SSN + date of birth: because there's not enough SS numbers to cover everybody, the date of birth is usually added in an attempt to uniquely identify individuals, and perhaps as a weak attempt to make it a little more difficult for identity thieves. Of course, it's not totally fail-proof for either purpose...

    Being an immigrant in the US, I was really surprised how often the use of SSN is required. In other countries, it's very confidential. You might even think to call the police when someone asks for the equivalent of "SSN".

    So this led me to conclude that the SSN is not designed for the way it's used. It's designed only for what it's named after. Everything about it is not secure as a valid unique identifier for legal US persons. So these latest security issues are in my opinion just one more drop. It just needs a new system from the ground up.

    1. Re:Social Security is basically 100% insecure by Anonymous Coward · · Score: 5, Interesting

      I wonder how many Slashdot users have dealt with user IDs. Either inheriting a crappy User ID system, or implementing their own User ID system. We've all done it probably dozens of times. Reserving enough address space and/or expanding a crappy field into a large enough field is basically second nature to us all.

      So why can't the government of the most wealthy country on Earth come up with a better User ID? We can't say it is because they have so much invested in the old system -- because there is no old system. The old system is crappy user id+birthday+random security questions -- and it still doesn't work.

      Seriously, how can this have gone on for half as long as it has?

  10. FBI - FBI - FBI by Anonymous Coward · · Score: -1

    Long-time Slashdot reader Lauren Weinstein writes:

    Right-Wing Internet Sites in Panic over FBI Smartphone App Solicitation (vortex.com)

    Submitted by Lauren Weinstein on Monday August 08, 2016 @01:41PM
    Lauren Weinstein writes:
    Right-wing sites are spinning this as “the government is going to turn all our smartphones into bugs!” That clearly is not the goal here.

    First, we know that there are already a large number apps available for these phones that provide many of the capabilities asked for in this solicitation. We can be sure that governments are already using these off-the-shelf apps for surveillance purposes.

    But the solicitation technical requirements reveal the government’s main “problems” in this regard: authentication and chain of custody.

  11. - FBI - FBI - FBI by Anonymous Coward · · Score: -1

    Slashdot is not even trying to hide it now.

    1. Re: - FBI - FBI - FBI by Anonymous Coward · · Score: -1

      Can I ask, are you a new Slashdot nuisance, or an old one repurposed? I'd like to know for my records.

  12. Why does nobody get second factor right? by markus · · Score: 2

    SMS and soft-tokens (such as the Google Authenticator cellphone app) are better than nothing. But they don't provide for particularly secure second factors, especially if the web site is a valuable target.

    I don't understand why so few sites (pretty much just Google and Github) use FIDO U2F hardware tokens. They are much more secure as the browser can cryptographically verify that there is no phishing attempt happening -- something that most users have trouble noticing. You only need a single token for an arbitrary number of sites. In many cases, you can leave the token permanently installed in your computer without compromising its security guarantees. The token is dead-simple to use. All you have to do is push a single button, when the site asks for the second factor. You can have multiple tokens, if you want a backup token for account recovery or if you own multiple computers. Any user can buy their own token from a vendor of their choice.

    And if a site (e.g. your financial institution or SSA) wants to provide tokens for its clients, cheap entry-level tokens cost less than $10. In fact, I suspect you could buy them for around $1 a piece, if you placed an order on the scale of what the SSA needs.

    FIDO U2F is of course not perfect. But that can be said about all security products. There is no such thing as perfect security. But these tokens are much more secure than pretty much all alternatives, they are super easy to use, and they are dirt cheap.
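The claim above that "the browser can cryptographically verify that there is no phishing attempt happening" comes down to origin binding: the browser, not the page, writes the origin it is actually showing into the client data the token signs, and the relying party rejects any assertion whose signed origin is not its own. The Go program below is an added example, not SSA code and not the U2F reference implementation; it keeps only the pieces that matter for that check (per-app-ID ECDSA P-256 key, browser-supplied client data, server-side origin and challenge verification), omits the counter and flags of the real U2F signature format, and uses hypothetical origins and challenge strings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is built by the browser, not the page: the browser fills in the
// origin of the page that actually asked for the signature.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Token models a U2F authenticator with one key pair per relying-party app ID.
// It never sees the page, only the client data the browser hands it.
type Token struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a key for appID and returns the public key the RP stores.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[appID] = k
	return &k.PublicKey, nil
}

// digest is what gets signed: sha256(sha256(appID) || sha256(clientDataJSON)).
// Real U2F also covers a counter and flags; omitted here to keep origin binding in focus.
func digest(appID string, clientDataJSON []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(app[:], cd[:]...))
	return d[:]
}

// Sign is the button press.
func (t *Token) Sign(appID string, clientDataJSON []byte) ([]byte, error) {
	k, ok := t.keys[appID]
	if !ok {
		return nil, fmt.Errorf("no key registered for app ID %q", appID)
	}
	return ecdsa.SignASN1(rand.Reader, k, digest(appID, clientDataJSON))
}

// BrowserSign stands in for the browser: the origin comes from the page being shown.
func BrowserSign(t *Token, pageOrigin, appID, challenge string) (clientDataJSON, sig []byte, err error) {
	clientDataJSON, err = json.Marshal(ClientData{Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, nil, err
	}
	sig, err = t.Sign(appID, clientDataJSON)
	return clientDataJSON, sig, err
}

// RelyingParty is the server: the registered key and the one origin it accepts.
type RelyingParty struct {
	AppID, Origin string
	Pub           *ecdsa.PublicKey
}

// Verify rejects the login unless origin, challenge and signature all check out.
func (rp *RelyingParty) Verify(challenge string, clientDataJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was signed for %q", cd.Origin)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch")
	}
	if !ecdsa.VerifyASN1(rp.Pub, digest(rp.AppID, clientDataJSON), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario registers a token with an RP, then reports whether a genuine login and
// a relayed (phished) login are accepted. Origins and challenges are hypothetical.
func Scenario() (genuineOK, phishedOK bool, err error) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{AppID: "https://login.example.gov", Origin: "https://login.example.gov"}
	if rp.Pub, err = tok.Register(rp.AppID); err != nil {
		return false, false, err
	}
	cd, sig, err := BrowserSign(tok, rp.Origin, rp.AppID, "challenge-1")
	if err != nil {
		return false, false, err
	}
	genuineOK = rp.Verify("challenge-1", cd, sig) == nil

	// Phishing: the attacker's page relays the RP's real challenge and the user
	// presses the button, but the browser records the attacker's origin.
	cd, sig, err = BrowserSign(tok, "https://login-example-gov.attacker.test", rp.AppID, "challenge-2")
	if err != nil {
		return false, false, err
	}
	phishedOK = rp.Verify("challenge-2", cd, sig) == nil
	return genuineOK, phishedOK, nil
}
```

The phisher cannot simply rewrite the origin field, because the signature covers the client data as a whole; and in a real browser the request would already fail one step earlier, since the browser refuses to use an app ID whose registered facets do not include the page's origin. The server-side origin check shown here is the second line of defence, and the one a relying party controls. The omitted signature counter is what lets a server notice a cloned token, so a production verifier should store and compare it as well.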

    1. Re:Why does nobody get second factor right? by 93+Escort+Wagon · · Score: 4, Interesting

      The main issue I've run into with all of this is the lack of interoperability - one bank I deal with actually used to offer hardware tokens, albeit from a company I didn't know; my web host supports Google Authenticator; a different bank supports a different soft token; etc. As two-factor authentication gains traction, the annoyance / confusion factor grows.

      So I can see why SMS "two-factor" has gained steam. Almost everyone has access to it, and it's intuitive.

      It would be great if a broad consortium of Internet companies (which would have to include Apple, Google, Microsoft, Amazon - plus perhaps the Apache Foundation - at a minimum) would get together and agree on a single standard, or perhaps one acceptable hard token and one acceptable soft token protocol which everyone would support.

      Normally I'd say this is exactly what the government should be driving; but very few of us here would trust them on this anymore... and if we don't trust their solution, it would be DOA.

      --
      #DeleteChrome
    2. Re:Why does nobody get second factor right? by clovis · · Score: 2

      As for hardware tokens, they would offer optimal security compared to SMS messaging. But people with SSA accounts set up will likely go for years, if not decades, without needing to log on until they're senior citizens.
      I cannot imagine hardware tokens being a good idea for a group of people of whom many may not even know where their teeth are.

  13. Cell = no way by markdavis · · Score: 3, Interesting

    Any "security" system that requires disclosing my cell/mobile phone number is an instant and total FAIL. And I am certainly not alone about protecting that which would become the single most annoying device ever (if/when compromised/harvested by marketers).

    I find it fascinating how many business and sites now seem to think they have an absolute right to know our cell/mobile phone numbers. Not home, not work, but specifically cell/mobile. I usually have to lie to them and either put in my work number or make up a number. Obviously that won't work if they are trying to use it for text verification.

  14. SSA needs to improve password policy by arobatino · · Score: 2

    There is an undocumented 20-character limit on password length. Any longer password meeting all stated requirements is rejected (repeating only the stated requirements, not the actual reason). Although since the password has to be changed every 180 days, that's probably not enough time to crack it, if all printable characters are used (one can use a strong random username to add security, though). I'd rather be allowed to use an arbitrarily long password and not have to change it at all.

    1. Re:SSA needs to improve password policy by arobatino · · Score: 2

      Oh, and you have to give strong random answers to the required "security" questions too, otherwise that's a workaround.

  15. Set up mom w/ Google Voice for SMS because of this. by frooddude · · Score: 2

    She'll be happy she didn't pay for a cell she doesn't need.

  16. I so want to care... by damn_registrars · · Score: 1

    I know that my parents will need social security. However I also know that I won't ever get to retire unless the economy makes a profound change; social security won't be anywhere near enough for me to retire before I die and the money I have been able to save for retirement isn't enough to retire in the next 70 years (and I don't expect to live another 70 years).

    When your retirement plan is summarized as "Die At Work", it is hard to justify placing a lot of concern in the state of social security.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.