Hmm, I did some research into this, and apparently it was just a rumor. Instead I found:
United States v. Brown, 600 F.2d 248, 252 (10th Cir. 1979) - noting that the Supreme Court had established "that the self-incrimination privilege can be employed to protect the taxpayer from revealing the information as to an illegal source of income, but does not protect him from disclosing the amount of his income," the court said Brown made "an illegal effort to stretch the Fifth Amendment to include a taxpayer who wishes to avoid filing a return."
Illegal income, such as money from dealing illegal drugs, must be included in your income on Form 1040, line 21, or on Schedule C or Schedule C-EZ (Form 1040) if from your self-employment activity.
Bill Gates SSN is 539-60-5125. That is public knowledge and has been for years (his address is too). Now do you think he's lost his house or has any trouble using credit cards?
How would you lose your house due to bad credit anyway? Once you've been approved and bought the house, as long as you make payments, you're not going to get your house taken away no matter how bad your credit becomes.
That said, the fact that anyone would store SSNs on something such as a laptop just shows that they need to get smacked around a little bit.
I wish more people would do it. In fact, I wish every SSN in the country was suddenly released to the public. The problem isn't using an SSN as an identifier. As you've explained, it makes a pretty good one. The problem is treating SSNs as secret information. As was said by another poster, and I agree, if they just published everyone's SSN in the phone book it'd solve the whole problem.
Now: what about the whole "credit check" thing? Let's ask a more fundamental question--why is the SSN required for this sort of thing at all?
Because that's what the credit reporting agencies use as a key into their database.
Or for transcript verification?
Most schools have an SSN on your transcript. It's pretty much the most permanent thing about you. Changing your SSN is hard, and you need a pretty good reason to do it.
Funny thing that, doesn't the Social Security Act specify that the SSN is not meant to be used as identification except for Social Security purposes?
No, it doesn't.
You hit the nail on the head with the word "easy". It's easy. "Easy" is not always good, and in this case, it is shit. "Easy" is what made some plank store this sort of crap on a laptop, probably in Excel, probably unencrypted. "Easy" in this case is bad.
I don't see how.
As this link mentions, one of the problems is that there is no law _preventing_ business (including schools) from requiring this supposedly private piece of information as a precondition for delivering services, without making allowance for an alternative.
I don't see how that's a problem.
So I think in this case we can replace "easy" with "unprofessional", "lazy", "unethical" even.
By your definition, perhaps, but you've failed to back it up with any real evidence.
It's basically an SSN (same format and everything), but I think it's called something different, since the people aren't entitled to social security.
That said, not everyone in the country has an SSN. I've been debating whether or not I should give one to my children (if I ever have any children), or if I should let them choose for themselves whether or not to get one. At least one disadvantage is if they don't have an SSN, you can't claim them on your taxes for stuff like the child tax credit.
But you're assuming it's a bad thing in the first place. If someone wants to give someone a loan without first checking that they actually are who they say they are, why should I care just because they say they're me? Sure, up to a year later I'll notice a false statement on my credit report, and I'll have to make a phone call or 2 to get it removed, but ultimately the person who really gets screwed over is the person who made the loan in the first place.
There's enough disincentive against banks in just blindly giving away this information. The only part that's really going to hurt you is if your bank is willing to give out your other sensitive data (like your balances or your last checks paid) to someone who just gives your SSN. Yeah, that might suck if you're hiding that information for some reason, but not all banks are that lax with their information. If your bank is, maybe it's time to have a chat with them, and/or get a better bank.
They're not unique forever, because the government recycles them after a few years.
Insightful? This is patently false. There are some instances of multiple people having the same SSN, but these were accidental, and not intentional, and the government will issue a new SSN for people who are in this situation.
why can't they just generate an artificial ID number for all their students?
Read my reply to the parent. The school definitely needs your SSN. It probably shouldn't be used as a primary key, since there's a (very slim) chance it's not going to be unique, and not all students will have an SSN. But don't the vast majority of foreign students have a government issued ID number already (just not to be used for employment purposes)?
Why does a school need our SSNs?
They definitely need it so they can file a 1098-T at the end of the year. They probably also need it so they can do a credit check on you, both to determine if they're going to admit you, as well as to determine whether or not you qualify for whatever tuition plans they offer (unless you're prepaying in cash, the school is giving you a loan). If you're a transfer student, they need it so they can verify your transcript; this could perhaps be done in another way, using your name, addresses, birth date, etc., but it's a lot easier to just see the SSN on the transcript and match it to the SSN in your profile.
Why does anybody outside the government?
The same basic reasons. Either they need it to report something to the government, to check your credit, or to match up files.
The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.
Schools maybe, but what bank or credit bureau does such a thing?
It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent.
I am too chicken to go first, though.
The problem is, you'd probably be negligent for listing yourself in such a database.
If you really want to make it harder to get a loan, just call up the three credit bureaus and tell them that your identity was stolen. They'll put a note on your credit report and you basically won't be able to do anything by phone any more.
I fail to see how this is a good thing, though.
No, my identity may have been copied, but my identity certainly wasn't stolen.
I guess that makes sense.
If the IRS had a policy of not sharing information related to that part of their dealings with any other government agency, even under subpoena, perhaps they could get around the 5th Amendment issue.
Actually, they do, for precisely that reason.
Isn't there an open source program out there that can create files in Word format? Or has Microsoft successfully made the Word format itself part illegal to use in OSS?
People just cannot memorize enough randomness to defeat that kind of attack.
It doesn't need to be completely random, though, just random enough, and if you need more than basic security you need to have more than just password protection anyway. For instance, in addition to encryption, you might want to use some steganography. It's possible to encrypt something so that different passwords give you different files. If what you're encrypting doesn't have an easily recognizable signature you can thwart all but the most sophisticated of dictionary attacks. If what you're doing is that top-secret, maybe you don't even want to store it on disk in the first place. Keep it in RAM, and add in self-destruct code if there are too many bad password attempts. Now you're going to make it really difficult for someone to get a copy of the data. I guess it's theoretically possible for someone to take apart the computer while it's still running and make a copy of the RAM somehow, but I think now we're talking about a science fiction novel.
I think that about the best you can go in practice is use a nice little program that stores your passwords and keep all of them random and different.
For web passwords I just use an MD5 hash of the website DNS name and my "master password". This probably wouldn't be enough to stop the government from brute forcing my master password, and in fact anyone who had even just two of my hashed passwords could do a brute force attack offline, but this isn't exactly top secret information in the first place.
I've even got a little javascript bookmark to put in my password. It pops up a dialog box asking for my master password, takes the domain name of the page from the URL, combines them in some way (I'll leave a little bit of obscurity here), MD5s the result, converts the MD5 into an ASCII string, and enters it into any field on the page which is type=password. I've got a copy of the javascript itself (without the master password) stored in multiple locations online, along with a list of domain names and usernames that I use (in case the domain name changes, which sometimes actually does happen).
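The scheme described in the comment above, next to a slower variant, as an added example (this is not the poster's bookmarklet, whose combining step is deliberately undisclosed). The ":" separator, the hex and base64 encodings, the salt label, the function names siteKey, md5Password, scryptPassword and costPerDerivationMicros, and all sample values are assumptions made for illustration.

```javascript
// Added example: per-site passwords derived from a master password.
// Runs under Node.js; nothing here is taken from the original bookmarklet.
const crypto = require('node:crypto');

// Reduce a page URL to the string that gets mixed into the password:
// hostname only, lower-cased, without a trailing dot or a leading "www.".
// Because the hostname is part of the input, a look-alike domain yields a
// different password. Mapping subdomains to a registrable domain would need
// the Public Suffix List and is out of scope here.
function siteKey(pageUrl) {
  const host = new URL(pageUrl).hostname.toLowerCase().replace(/\.$/, '');
  return host.startsWith('www.') ? host.slice(4) : host;
}

// The scheme as described in the post: a single MD5 over domain + master
// password, rendered as hex. The ":" separator is an assumption.
function md5Password(master, pageUrl) {
  return crypto.createHash('md5')
    .update(`${siteKey(pageUrl)}:${master}`, 'utf8')
    .digest('hex');
}

// Same idea with a memory-hard KDF (scrypt). The site key acts as the salt,
// so every site still gets its own password, but each derivation now costs
// milliseconds and about 16 MiB of memory instead of one MD5 call.
function scryptPassword(master, pageUrl, length = 20) {
  const salt = Buffer.from(`site-password-v1:${siteKey(pageUrl)}`, 'utf8');
  const key = crypto.scryptSync(master.normalize('NFKC'), salt, 32,
    { N: 16384, r: 8, p: 1 });
  // URL-safe base64, truncated; 20 characters carry about 120 bits.
  return key.toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .slice(0, length);
}

// Average wall-clock cost of one derivation in microseconds. Anyone who
// obtains one derived password can test master-password guesses offline at
// exactly this cost per guess, which is why the speed of the hash matters.
function costPerDerivationMicros(derive, rounds) {
  const start = process.hrtime.bigint();
  for (let i = 0; i < rounds; i++) {
    derive(`guess-${i}`, 'https://example.com/');
  }
  return Number(process.hrtime.bigint() - start) / 1000 / rounds;
}

// Constructed sample input.
const MASTER = 'correct horse battery staple (constructed)';
const REAL = 'https://www.example.com/login';
const LOOKALIKE = 'https://www.examp1e.com/login';

console.log('site key      :', siteKey(REAL));
console.log('md5 scheme    :', md5Password(MASTER, REAL));
console.log('scrypt scheme :', scryptPassword(MASTER, REAL));
console.log('look-alike    :', scryptPassword(MASTER, LOOKALIKE));
console.log('us per guess, md5   :',
  costPerDerivationMicros(md5Password, 1000).toFixed(1));
console.log('us per guess, scrypt:',
  costPerDerivationMicros(scryptPassword, 5).toFixed(1));
```

The slower KDF raises the per-guess cost but does not change the underlying trade-off the comment acknowledges: every derived password still depends on the one master password.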
Unless it's from a self-employment activity!
http://www.irs.gov/publications/p17/ch13.html
I've lost data to assert() checks in other people's software, over trivial things that could have been safely ignored.
That's one reason you shouldn't be using debug mode if you're not debugging the program. Assert() is a tool for debugging.
Code like checking that a pointer isn't NULL can't be turned into a useful error message for a user.
Assertions aren't for things that can happen. You don't use an assert to check user input, for example. That said, unless you're in some really performance critical code, it's often best to include an assertion and standard error checking. So if you're coding up malloc(), and you get a null pointer somewhere that you're never supposed to get it, if you're in debug mode, you panic, but if you're not in debug mode, maybe you return NULL instead.
Once at the lowest level you've determined that something is wrong, very often the only sensible option is a fatal abort.
Depends how highly available your program needs to be. If it's just an instance of GIMP, maybe it's OK to dump core and exit (even then I'm skeptical, though, it's probably better to give the user the choice whether to abort, retry, or fail).
Another consideration is security, though. If you can't confine the error to a single part of the program and reboot that part, and the program deals with anything security-sensitive, it's probably best to just shut down. Depending just how security-sensitive the program is, you might not even want to come back up until there's manual intervention.
A double standard is not the same thing as hypocrisy.
Offering access to download the source code is not the same as including the source code with the binary.
The GPL says "If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code."
I suggest you read the GPL a few times before making pronouncements about what it says.
I wasn't making a pronouncement, I was making a direct quote. That's why I used those quotation marks.
Fine, maybe it was 1988 :).... So you're old enough to know that not everyone works for a company which has increased 16-fold since they started working.
In the software development industry, which I thought was clear from the context of my original post.
No, it wasn't, not at all. What exactly was supposed to make that clear, the fact that the job you were bragging about was with a company which hires a lot of high-tech people?
Seriously, man, you're living in a dream world. You probably graduated from college some time around 1999/2000 and got a job making way too much money with no effort whatsoever. That's great man, hold on to it, but just know that out in the real world people generally have to work hard to make $50K/year.
And next time you refer to high-tech jobs, don't refer to them as "the real world". That's what was so confusing.
It reflects that statements like "To someone who has been out in the real world for more than a couple of years, $50K represents maybe 9 months salary" and "Unless you're a dirt-poor college student or someone who just graduated a few months ago, $50K really isn't that much when compared to your salary" are extremely ignorant. I didn't realize he was only talking about people in "high-tech jobs".
Really? I guess I've just never noticed it. For instance, where's the written offer that comes with Firefox? I figured most people were using the fact that "offering equivalent access to copy the source code from the same place counts as distribution of the source code".
I've always felt that using a computer without virus protection was like having unprotected sex without a condom with multiple partners.
Usually it was one of those Amiga demo programs that people downloaded from BBSes to show off the Amiga's graphics and sound. Someone would infect it with a virus and pass it around.
Software distribution has really changed since those days. I can't even think of a recent example of a major company distributing software with a virus in it, on Windows or on Mac. Nowadays the worry is from worms and trojans. And if you have a firewall, don't open email attachments, and only download from reputable companies, you're pretty much safe from those.
Unless you're a dirt-poor college student or someone who just graduated a few months ago, $50K really isn't that much when compared to your salary.
To someone who has been out in the real world for more than a couple of years, $50K represents maybe 9 months salary--which is hardly worth getting fired from your job for.
Wow, man, you need a good dose of the real world. For your sake I hope you don't get it, though. (The average salary in the US is $37,000. Hundreds of millions of us would strongly disagree with your assertion that "$50K really isn't that much".) In your case, maybe your stock options are worth more than $50K, but judging from your description of how stock options work I doubt it.