Use whatever's convenient for you, as in whatever works. I have an XP laptop for work with customers, a FreeBSD file & print server at home, a M0n0wall firewall, a second playing-around drive for my laptop with Debian Woody, a couple of live filesystem CDs with Auditor and other similar security-relevant distros as well as a Knoppix CD for recovery, and I'm buying a Powerbook soon to get real work done (network security analysis type stuff, PITA under Windows.)
OS evangelism is stupid, and you have some good points about usability.
As for your printing woes, please do have a look at CUPS--it's the mutt's nutts for UNIX printing as far as I'm concerned.
Agreed. I think that a lot of the hysteria surrounding cell phones (for example, the ability to turn gas stations into firebombs) is bogus. Likewise, a large reason behind aircraft cell phone bans seems to be that they cause problems for providers when attempting to peer with every single mast over the tri-state area at the same time.
But as you state, you simply don't know what radio waves interfere with which electronics under what variations of a given condition. As for bluetooth, various implementations of it are specced to 2m, 10m, 30m, 100m & up. But as to how far the traffic can actually carry...
That said, I still think the best reason to ban cell phones on planes was laid out by a letter to the editor in a recent economist: because they're (really fucking) annoying. Do you want to spend 8 hours surrounded by "HI, I'M ON A PLANE"?
Well, I think you're right--all of a sudden you'd have millions of pissed off gamers taking a quick glance at their PC, then looking again, and thinking, "hmm, maybe America's Army isn't such a bad bet after all."
All the army guys would have to do then is promise the XBOX Live outage victims that they could play with something like this, or this, or these or even better, one of these
Conveniently leave out the part about pushups and getting yelled/shot at and you'd have hordes of HALO fanatics breaking down your doors to come join up. So hey, Al Qaeda, if you're reading this, better leave XBOX Live alone!
That makes sense--I'm coming from a Swiss IP (but going to google.com, not .ch) -- accessing from a .uk IP via nph-proxy on a box there, I get download.com (legit) and freedownload.com (not legit.)
Didn't realize that Google targeted its ads based on source IP, but it does make sense.
Shitty trick. But that said, googling for Firefox gives me a ton of legitimate links, including to mozilla.org, some Firefox evangelism pages, and loads of other "real" sites.
The only sponsored link I get is to the download.com Firefox download page. Did someone bitch Google out? Do they respond to this sort of thing?
I am currently consulting for a large drug company; I was asked to help evaluate and deploy a small firewall device to protect networked diagnostics equipment at customer sites. The device had to be
-small
-cheap (less than ca. $250)
-robust
and a whole slew of other qualities, including having to work in an environment where ca. 3,000 boxes could be easily managed individually, by non-technical field service staff (as there's no chance of central management access to customer nets.)
We settled on M0n0wall running on a PCEngines WRAP board, after evaluating a pretty extensive number of commercial and a few open source products or packages.
I was really impressed by the openness that this (mainly Microsoft) shop showed towards this sort of thing--I encountered none of the "but if it's proprietary it's more secure" or "if it's proprietary, we have someone to sue" garbage you often get from management. There are good reasons to pick commercial, non-open software products, but these are entirely dependent on the companies that sell them.
In addition, what I really appreciated about this client was their willingness to put the developer on retainer while he finishes his studies, and to kick him some cash for time spent making changes, 3rd level support, etc. The guy who wrote M0n0 is a really superb and bright individual, and it's great to see a large company sponsor such people (plus it's costing them absolute peanuts.)
Depends on where you show ID. If it's to prove your age, whatnot, that's one thing. However, unlike many countries, I don't believe the US has any legal requirement to make you carry an ID.
That's not to say that a lot of people wouldn't like to change that, but I'm very wary of even having ID on me in the US.
Well, we're actually still working on whether they're a member of homo sapiens at all. Our experts will have a close look at the "American" thing soon after that.
:-)
Actually, I've liked most Canadians I've met, but about 90% of them have tended to get reeeeallly self-righteous and huffily defensive about the whole nationality thing. If you want to see a Canadian turn bright red, ask him which part of the US he's from, hee hee.
Given that an hour of your time spent watching ads costs about $1
A lot more than that, actually, hence below:
Disagree? Don't watch TV!
Funny thing; I realized a little while ago that I actually _don't_. The only times I turn on the TV is when grabbing a quick breakfast, while getting dressed, or on mute while playing games online. And it just occurred to me this morning that (a) it's always CNN or cartoon network, and (b) given the drivel on those, I might as well get a couple of lava lamps :-)
You're correct, but this doesn't (or does, but only marginally) apply to, say cable--you are paying a premium exactly to get the kind of content that's advertised (new shows, in order, no commercials.)
Apparently PVRs and off-the-air recording is illegal in .au (according to other posters; I dunno, I'm not Australian) but personally in the case of cable TV, it seems to me almost analogous to owning a CD and then downloading the contents of the same...
Web bugs = easily foiled by reading mails as text. Not to mention by rule-based interception on mail malicious code & scripting scanners, if you're a company. We've mainly used them to track (stupid) scammers and email frauds, which is what they're mainly good for.
As for the scripts, be very aware that, depending on your legal environment, introducing undocumented or unauthorized (assuming you don't clearly state their existence in an EULA or acknowledged contract) means to subvert, say, company network security protection mechanisms may open you up to legal action. Kind of a catch-22: either you make the "phone-home" part of a doc/file very transparent and obvious (so the nasties would know where to look for it) or you hide its existence, in which case you're "hacking". Good luck :-)
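The "rule-based interception" mentioned above, as an added example that is not part of the original thread: a small scanner that a mail gateway could run over an HTML body to flag remote-image web bugs before a client renders them. The sample message, the hostnames and the two heuristics (invisible image size, per-recipient query string) are constructed for this illustration.

```python
"""Added example: flag remote-image 'web bugs' in an HTML mail body.

Heuristics (assumptions, not a standard): an <img> whose src is fetched over
http(s) and which is either 0/1 pixel in a dimension or carries a query string
is reported as a probable tracking beacon. Inline (cid:) images are ignored.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class WebBugScanner(HTMLParser):
    """Collects <img> tags that look like tracking beacons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, not fetched from a tracker
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        tagged = bool(url.query)  # e.g. ?rid=<recipient id> ties the fetch to one reader
        if tiny or tagged:
            self.findings.append(
                {"host": url.hostname, "tiny": tiny, "tagged": tagged}
            )


def scan_html(body: str):
    """Return the list of suspected web bugs found in an HTML mail body."""
    scanner = WebBugScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample message: one beacon, one inline logo, one ordinary banner.
SAMPLE_MAIL = """<html><body><p>Hello,</p>
<img src="https://track.example.invalid/pix.gif?rid=12345" width="1" height="1">
<img src="cid:logo@example">
<img src="https://img.example.invalid/banner.png" width="400" height="60">
</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_MAIL):
        print("web bug:", hit)
```

A plain-text mail client never fetches any of these images, which is the cheaper defence the post recommends; the scanner is for the case where HTML rendering is allowed and the gateway wants to strip or log the beacon.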
Without going into too much detail, it's because a lot of IT people don't know how to "sell" themselves, don't know how to do good powerpoint presentations, don't know how to present concepts and the "so what?" behind them without detail clutter, don't understand where "the business" is coming from, and very often don't want to or don't care.
This is a vicious generalization, I realize. But in my experience, it has often held true.
A senior management offsite for $2k/day? Whoa, let me know where you found that, I have some clients whose management would LOVE to save 95% of their offsite costs. :-)
Seriously though, I think he's referring to the 'CPA mentality' more than using them as a literal example. Part of the general tendency of techs to see anything non-tech as "the business". And I can attest to the problem of bean counters' tending to curb innovation and open culture in favor of excessive process orientation and cost awareness.
He's got a few terms and concepts mixed up (shareholder value et al) but his point's kinda valid.
If that were true there would be way more fraud then there actually is.
It happens, it happens quite a bit, and just because it doesn't happen more than it does is more a testament to the fact that there are easier ways of scamming money from people. If it happens to an individual, it's quite a hassle for them, with potentially tragic consequences, wouldn't you agree?
You're not even living in the US
Nice ad-hominem. I am a US citizen, I've lived in the US for most of my life. Yours is about as stupid a statement as "all Americans are fat and never travel abroad." "No clue?" Bite me. I've probably been dealing with identity-related issues for quite a bit longer than you. I shouldn't even dignify that with a response.
Your examples are reasons why SSNs shouldn't be used as a password, not as identification.
No, I'm saying that SSNs should not be used as either. They should be used as designed, which is as an attribute of an identity, which is fundamentally different. I suggest you do some reading up on identity management. If you're really interested in the topic, I'll be glad to recommend a few good books.
Experian doesn't know anything about your pension.
No, they don't. However, they could. In fact, anyone with their scope of knowledge of my identity and its aforementioned attributes, could. And that's what I don't want.
No one forces anyone to use experian...
I don't. I also don't patronize, knowingly, any company which utilizes their services.
But you know what? When I attended UC Berkeley, a publicly funded institution, as a California resident, I had no choice but to give them my SSN and a whole lot of other information. And don't give me any crap about "you could have chosen not to attend." All public universities require this. Partially for the legitimate reason of identifying me to Social Security, but to a large degree because they're too lazy to come up with a better mechanism, and too ignorant of proper ways of dealing with this information to implement proper safeguards against theft. And gee, what do you know? A laptop the stuff was stored on was stolen.
No, the data probably won't be used against anyone, as it's likely some crack-addict who'll sell it for a quick fix. That's not the point though, as it could have been. And that's what you don't seem to comprehend.
Well, it _is_ your money; one thing a lot of people seem to forget is that it's not a question of owing the government some inherent debt of gratitude (and cash), but rather of holding your elected representatives and their minions accountable for what they do with your dough.
Sort of analogous to the point that's often brought up in these discussions--the government does not grant liberties, it is supposed to safeguard them.
Without another lengthy reply, as I really need sleep, one point:
How are SSNs "insecure"? You seem to be confusing identifiers with passwords.
An identity transaction has three parts: assertion, identification, authentication. While the order depends on the system and context, my name is my assertion as to who I am. Theoretically the "system" should then identify me, and I authenticate, i.e. prove the veracity of who I am, by some means.
How many companies have you dealt with which asked you for your SSN as proof that you are indeed Anthony di Pierro, or in my case, John Salomon? I've encountered way too many to count, including banks, credit card companies, govt. agencies not dealing with SS, etc.
Just how can you use someone's SSN to cause serious financial liability..
See above, and my other post. You're right, it is NOT a password. Repeat it again with me. A social security number is not a password. But a whole lot of organizations use it as an equivalent. Maybe you should ask them to repeat it again with you, instead of me.
Interestingly enough, I've never been asked for the equivalent of an SSN (AHV here in Switzerland) for stuff here that isn't related to my pension or my taxes (which are directly related to my pension.) If I must identify myself, I have a machine-readable photo ID, such as a passport or a driver's license, or for those who want one, a national ID card (note: voluntary, always has been.)
No fingerprints, no mess. How do I get that? A birth certificate, for example. Unfortunately, communities here require you to register when you move, which is a problem, but at least there are strong and proven (although not infallible) data protection frameworks in place to make sure nasty little eyes don't see that information.
As to why SSNs should not be used for identification with your example of credit reporting agencies: (a) unless someone like Equifax has foolproof mechanisms to prevent this, which they don't, there is nothing to stop someone with knowledge of my personal details from obtaining more information than they should about my background. (b) You may be comfortable living in a glass box, I am not. My pension information is, as far as I'm concerned, my business, not Experian's. (c) Someone with access to such an 'aggregate' identifier (remember above? Not a password, but often used as one?) can, for lack of a better word, fuck me for all I'm worth. And a few other reasons which I'm too tired to type.
I realize the need for identification, even though I have issues with the idea of credit rating agencies (although I won't argue that they serve a purpose.) However, I maintain that the SSN is a messy way of doing it, contrary to its purpose.
Anyway, I understand your point, I simply disagree with it, and am now going to bed. Thank you for a good discussion.
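The assertion/identification/authentication split described in the post above, as an added example that is not the poster's code: a toy directory keyed by an SSN-like attribute, with the "knowing the number is proof" check the post criticises placed beside a check that authenticates with a separate secret. The names, numbers and password are constructed; the directory and PBKDF2 parameters are assumptions for the illustration.

```python
"""Added example: identifier (attribute) versus authenticator (secret).

The SSN-like field is only a lookup key. An impostor who has learned it passes
weak_verify(), which is the failure the thread describes; strong_verify()
additionally requires a secret that only the subject holds.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IdentityRecord:
    name: str        # the assertion the subject makes ("I am ...")
    ssn: str         # an attribute of the identity, not a secret
    salt: bytes
    pw_hash: bytes   # authenticator derived from a secret the subject holds


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(name: str, ssn: str, password: str) -> IdentityRecord:
    salt = secrets.token_bytes(16)
    return IdentityRecord(name, ssn, salt, _derive(password, salt))


def identify(directory: dict, ssn: str):
    """Identification step: map the asserted identity to a stored record."""
    return directory.get(ssn)


def weak_verify(directory: dict, asserted_name: str, ssn: str) -> bool:
    """The pattern under criticism: possession of the number is taken as proof."""
    rec = identify(directory, ssn)
    return rec is not None and rec.name == asserted_name


def strong_verify(directory: dict, asserted_name: str, ssn: str, password: str) -> bool:
    """Identify by the attribute, then authenticate with the separate secret."""
    rec = identify(directory, ssn)
    if rec is None or rec.name != asserted_name:
        return False
    return hmac.compare_digest(_derive(password, rec.salt), rec.pw_hash)


def demo():
    """Constructed scenario: an impostor who learned Alice's number."""
    directory = {}
    alice = make_record("Alice Example", "000-00-0001", "correct horse battery")
    directory[alice.ssn] = alice
    leaked_ssn = "000-00-0001"  # what a stolen laptop would give away
    return (
        weak_verify(directory, "Alice Example", leaked_ssn),                       # True
        strong_verify(directory, "Alice Example", leaked_ssn, "guessed"),          # False
        strong_verify(directory, "Alice Example", leaked_ssn, "correct horse battery"),  # True
    )


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the post makes: a stored attribute that many parties legitimately know (and that the subject cannot rotate easily) can key the lookup, but it cannot stand in for the authentication step.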
Someone who has this information on their laptop loses it
Why was it on a _laptop_ in the first place? Regardless of who hangs in the end for the financial liability, damage is caused. The problem with your argument is the assumption of a "victimless crime"--assuming someone got hold of 100,000 SSNs, as well as associated data allowing you to assume the identity of an existing person, there's a good chance your $1,000 example would be multiplied quite a bit. Even _if_ the person whose persona was thieved were proven innocent, the result would be harm to everyone in the form of tougher loan criteria, higher fees, etc.
Think of it this way: a fair amount of what Visa charges you in interest & fees goes towards insuring them against credit card fraud. After the ChoicePoint exploit, one African gentleman was caught only after submitting loan applications under at least 40 assumed personas, and having received approval for quite a few of them.
The loss of the SSN is not the cause per se; it is the piss-poor awareness of data protection best practices that led the data to being on a _laptop_ in the first place, and the piss-poor system that led to a perceived requirement to collect that information in a manner not necessarily directly related to social security-relevant purposes.
Pardon me if I'm being thick here, but I am really having trouble understanding how I am not explaining myself. I believe the system is broken, for reasons I tried to state very clearly, and I think the behavior (or lack thereof) that led to the theft of this information in such a manner being possible is equally broken.
Regarding your example, we're not just talking about loans here--here are a few random links on the topic of identity theft, with plenty of information on potential consequences.
Your argument is perfectly legit, not a strawman at all, except for the part about stealing money from Bill--of course not. But Bill's not Sam T. Gradstudent, so fallacy of equation there.
to "opt out" of the federal databases, if only by not applying for or accepting federal student aid.
Interesting point. Essentially it's analogous to not forcing you to give your SSN to any businesses, but also not prohibiting business from requiring it in exchange for goods or services. As in "it's our money, we can decide what we want in exchange for it."
There are several problems here:
1. It's not private money, it's government, i.e. public money. The government is not a private for-profit enterprise.
2. Educational institutions would not differentiate between financial aid recipients and those who do not get any dough. So if I'm paying for college at an institution which admits financial aid recipients, I cannot choose to not have the school submit my information. Which sort of leads us to point 3.
3. Should there be a differentiation between public institutions (public as in "belongs to the people") and private? A private university can operate for profit, but like the government, a public school is not meant to operate for profit.
So my same philosophical point applies--they should not be allowed to say "unless you give x, you don't give y", unless of course that's money/fees or something similar directly relevant for the service they provide.
Now if you pass a law saying "well they just have to require this information from everyone regardless", that's a different story, and just a stupid law to boot.
I just had this discussion. As you say, the "not to be used for identification" part refers to the card itself, as I could not find it in the SSA. However, I believe there is a speech by FDR introducing FICA in which he specifically stated that it would not be used for "big brother"-ish purposes.
Anyway, I stand by my argument that use of SSN for identification is stupid, and cross-purpose use of this sort of number is a Bad Thing (tm).
I wonder whether, once India completely loses competitive price advantage to China, NY state will also have to pay outsourced unemployment benefits?:-)
Because that's what the credit reporting agencies use as a key into their database.
...which is part of my point. It's wrong. You do not use a number designed to allocate, as its name states, social security benefits, as an identifier for non-SS-related financial info.
Most schools have an SSN on your transcript. It's pretty much the most permanent thing about you. Changing your SSN is hard, and you need a pretty good reason to do it.
Fair enough, but you _can_ do it, and you can get a new one. So there's not much point in using it as an identifier. Any identification mechanism which _can_ be changed without the knowledge of the system using it is not useful as an identification mechanism. And no, I don't have a better idea--I refuse to bring up something like personal ID cards or biometrics or other "solutions" that open up a pandora's box of issues.
No, it doesn't.
My mistake, the SSA does not explicitly say so. Older cards (including mine) say "not to be used for identification" which, for some reason, no longer seems to appear. Good catch. As I stated, there are no laws preventing business from using it as an identifier, although I stand by my assertion that it was never intended for use as an ID number; if you dig a bit, you may be able to find the relevant FDR speech introducing FICA. If memory serves, the "will never be used for identification", at least for 30 years after 1935, is a direct quote.
I don't see how.
Then we're talking past each other. I'm a security consultant and am confronted with the catastrophic results of laziness and choosing the 'easy' path (or at least what is perceived as such) on a near daily basis at my clients'. Refusal to use basic crypto & authentication mechanisms because it requires procedural rethinking or retraining is such an example.
Most examples of identity theft are not the result of caffeine-fueled Russian mafia h@x0r breakins, but rather exploits of some fairly basic mistakes--viz. the tourist who lets the Hong Kong shop clerk out of his sight with a credit card, the refusal of most major US banks to even consider decent two-factor authentication for cost reasons, etc.
I don't see how that's a problem.
You may not have an issue with using an insecure mechanism that's subject to compromise and misuse this easily to identify yourself, but I do.
The only remotely "positive" thing about using SSNs as identifiers is that they are understood to be insecure, as opposed to biometrics, which are (mistakenly) widely believed to be safe, so if I am affected I can, such as happened to many individuals in the ChoicePoint breakin, have recourse.
By your definition, perhaps, but you've failed to back it up with any real evidence.
Are you just being contrarian? Confidential student data which could be used to cause serious financial liability to individuals was stored on a laptop in a poorly secured facility (I graduated from Berkeley; stealing laptops is not black magic at a university that size.) There was obviously some fundamental failure of awareness, information security management processes and basic user responsibility here.
Once again, maybe you simply do not care--I assume this attitude partially results from never having this sort of thing happen to you. Many others have, and do. Frankly, I find the idea that "it works, leave it, I don't care if it's fundamentally broken and vulnerable to compromise" pretty obtuse.
Hey, it's a perfectly legit way of making some cash on the side--everyone's doing it, look at Michael Jackson :-)
IANAL, just a poor hassled consultant.
None...
Good. Now you're catching on.
Now back to reality...
Without another lengthy reply, as I really need sleep, one pont:
How are SSNs "insecure"? You seem to be cocnfusing identifiers with passwords.
An identity transaction has three parts: assertion, identification, authentication. While the order depends on the system and context, my name is my assertion as to who I am. Theoretically the "system" should then identify me, and I authenticate, i.e. prove the veracity of who I am, by some means.
How many companies have you dealt with which asked you for your SSN as proof that you are indeed Anthony di Pierro, or in my case, John Salomon? I've encountered way too many to count, including banks, credit card companies, govt. agencies not dealing with SS, etc.
Just how can you use someone's SSN to cause serious financial liability...
See above, and my other post. You're right, it is NOT a password. Repeat it again with me. A social security number is not a password. But a whole lot of organizations use it as an equivalent. Maybe you should ask them to repeat it again with you, instead of me.
Interestingly enough, I've never been asked for the equivalent of an SSN (AHV here in Switzerland) for stuff here that isn't related to my pension or my taxes (which are directly related to my pension.) If I must identify myself, I have a machine-readable photo ID, such as a passport or a driver's license, or for those who want one, a national ID card (note: voluntary, always has been.)
No fingerprints, no mess. How do I get that? A birth certificate, for example. Unfortunately, communities here require you to register when you move, which is a problem, but at least there are strong and proven (although not infallible) data protection frameworks in place to make sure nasty little eyes don't see that information.
As to why SSNs should not be used for identification with your example of credit reporting agencies: (a) Unless someone like Equifax has foolproof mechanisms, which they don't, to prevent someone with knowledge of my personal details from obtaining more information than they should about my background. (b) You may be comfortable living in a glass box, I am not. My pension information is, as far as I'm concerned, my business, not Experian's. (c) Someone with access to such an 'aggregate' identifier (remember above? Not a password, but often used as one?) can, for lack of a better word, fuck me for all I'm worth. And a few other reasons which I'm too tired to type.
I realize the need for identification, even though I have issues with the idea of credit rating agencies (although I won't argue that they serve a purpose.) However, I maintain that the SSN is a messy way of doing it, contrary to its purpose.
Anyway, I understand your point, I simply disagree with it, and am now going to bed. Thank you for a good discussion.
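The assertion/identification/authentication split described in the post above, worked through as an added example (not code from the thread or from any of the posters). It models a directory keyed by SSN, as the credit agencies are said to do, and contrasts a "weak" path that accepts a name/SSN pair as proof of identity with one that keeps the SSN as a mere lookup key and authenticates with a separate secret. Every record, name, SSN and passphrase below is constructed for illustration.

```python
# Added example (not from the thread): the three-part identity transaction the
# post describes (assertion, identification, authentication), with an SSN used
# only as a lookup key. The "weak" path shows the anti-pattern the post objects
# to: treating knowledge of the SSN as proof of identity. All records are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    customer_id: str   # stable internal key, never a secret
    name: str          # what the customer asserts
    ssn: str           # identifier: appears on forms and transcripts, so assume it leaks
    salt: bytes
    verifier: bytes    # derived from a secret only the customer knows


def derive_verifier(passphrase: str, salt: bytes) -> bytes:
    """Slow password hash; the stored verifier is useless without the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def enroll(directory: dict, customer_id: str, name: str, ssn: str, passphrase: str) -> Account:
    salt = secrets.token_bytes(16)
    acct = Account(customer_id, name, ssn, salt, derive_verifier(passphrase, salt))
    directory[ssn] = acct   # identification step: SSN -> record
    return acct


def weak_login(directory: dict, asserted_name: str, ssn: str) -> bool:
    """Anti-pattern: the SSN is both identifier and 'password'.
    Anyone holding a leaked (name, SSN) pair is accepted."""
    acct = directory.get(ssn)
    return acct is not None and acct.name == asserted_name


def strong_login(directory: dict, asserted_name: str, ssn: str, passphrase: str) -> bool:
    """Assertion (name), identification (SSN lookup), then authentication (secret check)."""
    acct = directory.get(ssn)
    if acct is None or acct.name != asserted_name:
        return False
    candidate = derive_verifier(passphrase, acct.salt)
    return hmac.compare_digest(candidate, acct.verifier)   # constant-time compare


# Constructed sample data: one student record and a "leaked" copy of the same
# name/SSN pair, as would sit in a stolen spreadsheet. The SSN is a placeholder.
DIRECTORY: dict = {}
enroll(DIRECTORY, "cust-0001", "Sam T. Gradstudent", "000-00-0001", "correct horse battery staple")
LEAKED_NAME, LEAKED_SSN = "Sam T. Gradstudent", "000-00-0001"


def demo() -> dict:
    """Outcome of each login path when only the leaked name/SSN pair is known."""
    return {
        "weak_accepts_leaked_pair": weak_login(DIRECTORY, LEAKED_NAME, LEAKED_SSN),
        "strong_rejects_without_secret": not strong_login(DIRECTORY, LEAKED_NAME, LEAKED_SSN, "guess"),
        "strong_accepts_with_secret": strong_login(DIRECTORY, LEAKED_NAME, LEAKED_SSN, "correct horse battery staple"),
        "strong_rejects_wrong_name": not strong_login(DIRECTORY, "Someone Else", LEAKED_SSN, "correct horse battery staple"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the two paths is that the SSN keeps doing its legitimate job (finding the right record) in both; what changes is whether knowing it is enough to get in. Once a stolen laptop or transcript has disclosed the name/SSN pair, `weak_login` is compromised for good, while `strong_login` is not, because the authenticator is a separate secret that can be reset.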
Someone who has this information on their laptop loses it
Why was it on a _laptop_ in the first place? Regardless of who hangs in the end for the financial liability, damage is caused. The problem with your argument is the assumption of a "victimless crime"--assuming someone got hold of 100,000 SSNs, as well as associated data allowing you to assume the identity of an existing person, there's a good chance your $1,000 example would be multiplied quite a bit. Even _if_ the person whose persona was thieved were proven innocent, the result would be harm to everyone in the form of tougher loan criteria, higher fees, etc.
Think of it this way: a fair amount of what Visa charges you in interest & fees goes towards insuring them against credit card fraud. After the ChoicePoint exploit, one African gentleman was caught only after submitting loan applications under at least 40 assumed personas, and having received approval for quite a few of them.
The loss of the SSN is not the cause per se; it is the piss-poor awareness of data protection best practices that led the data to being on a _laptop_ in the first place, and the piss-poor system that led to a perceived requirement to collect that information in a manner not necessarily directly related to social security-relevant purposes.
Pardon me if I'm being thick here, but I am really having trouble understanding how I am not explaining myself. I believe the system is broken, for reasons I tried to state very clearly, and I think the behavior (or lack thereof) that led to the theft of this information in such a manner being possible is equally broken.
Regarding your example, we're not just talking about loans here--here are a few random links on the topic of identity theft, with plenty of information on potential consequences.
Your argument is perfectly legit, not a strawman at all, except for the part about stealing money from Bill--of course not. But Bill's not Sam T. Gradstudent, so fallacy of equation there.
I'm glad the Welsh are finally getting into the whole chemical thing.
Well, it sounds like some village in Wales...
to "opt out" of the federal databases, if only by not applying for or accepting federal student aid.
...stop rambling...
Interesting point. Essentially it's analogous to not forcing you to give your SSN to any businesses, but also not prohibiting business from requiring it in exchange for goods or services. As in "it's our money, we can decide what we want in exchange for it."
There are several problems here:
1. It's not private money, it's government, i.e. public money. The government is not a private for-profit enterprise.
2. Educational institutions would not differentiate between financial aid recipients and those who do not get any dough. So if I'm paying for college at an institution which admits financial aid recipients, I cannot choose to not have the school submit my information. Which sort of leads us to point
3. Should there be a differentiation between public institutions (public as in "belongs to the people") and private? A private university can operate for profit, but like the government, a public school is not meant to operate for profit.
So my same philosophical point applies--they should not be allowed to say "unless you give x, you don't give y", unless of course that's money/fees or something similar directly relevant for the service they provide.
Now if you pass a law saying "well they just have to require this information from everyone regardless", that's a different story, and just a stupid law to boot.
Hey,
I just had this discussion. As you say, the "not to be used for identification" part refers to the card itself, as I could not find it in the SSA. However, I believe there is a speech by FDR introducing FICA in which he specifically stated that it would not be used for "big brother"-ish purposes.
Anyway, I stand by my argument that use of SSN for identification is stupid, and cross-purpose use of this sort of number is a Bad Thing (tm).
Remember, ROT13 _twice_ for extra security!
I wonder whether, once India completely loses competitive price advantage to China, NY state will also have to pay outsourced unemployment benefits? :-)
They'll probably store it on a laptop.
Because that's what the credit reporting agencies use as a key into their database.
Most schools have an SSN on your transcript. It's pretty much the most permanent thing about you. Changing your SSN is hard, and you need a pretty good reason to do it.
Fair enough, but you _can_ do it, and you can get a new one. So there's not much point in using it as an identifier. Any identification mechanism which _can_ be changed without the knowledge of the system using it is not useful as an identification mechanism. And no, I don't have a better idea--I refuse to bring up something like personal ID cards or biometrics or other "solutions" that open up a pandora's box of issues.
No, it doesn't.
My mistake, the SSA does not explicitly say so. Older cards (including mine) say "not to be used for identification" which, for some reason, no longer seems to appear. Good catch. As I stated, there are no laws preventing business from using it as an identifier, although I stand by my assertion that it was never intended for use as an ID number; if you dig a bit, you may be able to find the relevant FDR speech introducing FICA. If memory serves, the "will never be used for identification", at least for 30 years after 1935, is a direct quote.
I don't see how.
Then we're talking past each other. I'm a security consultant and am confronted with the catastrophic results of laziness and choosing the 'easy' path (or at least what is perceived as such) on a near daily basis at my clients'. Refusal to use basic crypto & authentication mechanisms because it requires procedural rethinking or retraining is such an example.
Most examples of identity theft are not the result of caffeine-fueled Russian mafia h@x0r breakins, but rather exploits of some fairly basic mistakes--viz. the tourist who lets the Hong Kong shop clerk out of his sight with a credit card, the refusal of most major US banks to even consider decent two-factor authentication for cost reasons, etc.
I don't see how that's a problem.
You may not have an issue with using an insecure mechanism that's subject to compromise and misuse this easily to identify yourself, but I do.
The only remotely "positive" thing about using SSNs as identifiers is that they are understood to be insecure, as opposed to biometrics, which are (mistakenly) widely believed to be safe, so if I am affected I can, such as happened to many individuals in the ChoicePoint breakin, have recourse.
By your definition, perhaps, but you've failed to back it up with any real evidence.
Are you just being contrarian? Confidential student data which could be used to cause serious financial liability to individuals was stored on a laptop in a poorly secured facility (I graduated from Berkeley; stealing laptops is not black magic at a university that size.) There was obviously some fundamental failure of awareness, information security management processes and basic user responsibility here.
Once again, maybe you simply do not care--I assume this attitude partially results from never having this sort of thing happen to you. Many others have, and do. Frankly, I find the idea that "it works, leave it, I don't care if it's fundamentally broken and vulnerable to compromise" pretty obtuse.