Berkeley Grads' Identity Data Stolen 289
yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."
Secret (Score:5, Insightful)
Granted, this will not prevent all leaks as even the State Department [computerworld.com], CIA and FBI [crimelynx.com] have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.
Why do they need the SSNs? (Score:5, Insightful)
Why does a school need our SSNs? Why does anybody outside the government?
Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?
Re:Why do they need the SSNs? (Score:5, Insightful)
they don't NEED to but they CAN and so they do.
Privacy (Score:5, Insightful)
I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a resonsibility to your clients, customers, whatever.
Re:Why do they need the SSNs? (Score:3, Insightful)
Re:Why do they need the SSNs? (Score:2, Insightful)
Yeah, but what's the thief gonnado with it? (Score:2, Insightful)
It's a problem if he knows this and knows someone who knows what to do with the data, but at least with disclosure the victims know they are at risk.
My identity stolen? (Score:2, Insightful)
No, my identity may have been copied, but my identity certainly wasn't stolen.
Re:It's easy to encrypt in Windows (Score:2, Insightful)
I'd bet your paycheck that the password to login is on a post-it stuck to the laptop's keyboard!
"Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else."
HAHAHAHAA! A Windows user? I wouldn't count on it!
Why all on a latop? (Score:5, Insightful)
Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.
Re:Too much (Score:4, Insightful)
What a lot of "security officers" seem to neglect is that an important part of security is to make what one would want to steal physically difficult, even impossible, to do so. This would perhaps work as a last resort against other stupidities such as forgetting to encrypt or letting non-authorized persons in a restricted zone.
Incidentally, a laptop doesn't even need to be stolen. Call any train station or airline and ask them how many laptops are forgotten each day. Each week. Each month.
Nobody raises an eyebrow when they see someone carrying a laptop on a university campus. Someone trying to haul a big machine would draw more attention.
Re:It's easy to encrypt in Windows (Score:3, Insightful)
Windows, love it or hate it, makes it very easy to secure your data on a laptop
I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on a insecure PC not encrypt the data store?
Users will not do anything they do not have to. An encrypting/decrypting files leave copies of data un-encrypted on the disk. So blaming the user is not it either.
I would blame whomever aquired and authorized the use of the software (even if it is the user). This application was not designed for this type of use. And how did the data get on the laptop? Likely unencrypted ftp or perhaps a insecure CIFS share where the passwords are routinely cracked.
And how much spyware did the use load on the system?
Far too few are really too interested in security. For many it is lip service as they continue to practice careless computing.
get them SSN's (Score:2, Insightful)
Without an SSN you can't get financial aid. I was born on a commune near the Canadian border and didn't have either a birth certificate or SSN for many, many years.
Eventually I got the opportunity to go to Moscow. It took me almost 2 years to get a passport. Needless to say I missed the trip.
I then applied to college and got accepted. Since we are dirt poor I applied for financial aid. They promptly said, sorry you are not enlisted with the selective service. I said no shit. They said no money. I then went to enlist with the SS (selective service) and they said "who the fuck are you, what do mean you don't have an SSN, get one and come back." I finally got a SSN when I was 17 years old, enlisted Selective service, got financial aid, went to UCLA and now am your typical suburban programmer with a wife and family (my way of rebelling against being born in the fucking woods).
The moral, get your kids a SSN. Don't punish them because you hate the government.
Re:Why do they need the SSNs? (Score:2, Insightful)
More like
Score:+5 Scary!
Is it really irony? (Score:3, Insightful)
Unless there is going to be an unconditional format of the hard drive in question, either the thief or the fence (i.e. buyer) would have discovered the data eventually. Given that it's most likely an MS Access database, it shouldn't be too much of a problem extracting those numbers from the file.
In the event that difficulties are encountered, it's not too hard to find someone on the black market who will crack the information (e.g. brute forcing login passwords to gain access to whatever that follows.)
Any irony obtained by the law will only accelerate what would have occurred normally.
Los Alamos (Score:4, Insightful)
Los alamos national lab, contrary to the implied conclusions of all its bad press and false accusations, has in fact shown that the removable disk method is an excellent means of both tracking secret data and minimizing copies of it.
And even better approach is to make it even easier for people to maintain their data in secure forms without inhibiting their use of it. A good example of this is the macintosh laptop. Every macintosh laptop can transparently AES128 encrypt the users home directory and decrypt it upon log in. Of course you can set that up on a linux or Windows machine, but that's not the point. The point is it's already there on every mac ready to go by chekcing a box. It's not something that one has to spec. If you have to trasnfer the data to another machine you dont have to worry about setting this up. Co-workers know your machine has it. It departments can even enforce its use without penalizing the user. Ubiquity and ease of use is the key to getting encryption part of peoples work habits.
I work in aplace where wireless internet connections are not allowed in the building. Yet when I go on travel I use it. Like everyone else I have to remember to turn off the wireless in the laptop before jacking into the building ethernet. So do you think people remember to do that. Well a lot of the time yes but many times no. but with a mac laptop its trivial to configure it so the wireless and ethernet adapters cant be on at the same time. it's impossible to forget. By the way my company spends money to pay people to walk the halls with wireless sniffers and has to discipline workers that forget. All of that is lost productivity as well as the security exposure.
So in conclusion, any company that is concerned about data security that does not use macintoshes is wasting its money. Sure you can make a windows system secure but its the little daily things that keep it secure.
Whoever lost the laptop should be liable (Score:3, Insightful)
Re:Secret (Score:3, Insightful)
That sounds fine and good, and what _should_ be done. But there first needs to be some desire or interest for the government to do such a thing, and there is no evidence of any interest whatsoever. I see government sponsored prime time TV ads reminding us to behave and not get high and to be good mommies and daddies by paying attention to our kids and their homework, but I have yet to of seen an ad about protecting my government initiated and issued social security number. Its still legal for just about anybody to ask for my government social security number with no laws protecting me if that person mishandles or misuses my SSN. Identity theft is practically legal, and there is little to no initiative to pursue or prosecute people that steal (or infringe for those people that are anal about the word "steal") people's identities.
So why doesn't the government actually care about this? Because people are adaptive, and will basically stay at their status quo after an identity theft. A poor person's identity theft will keep them poor, and being that they have little credit, not much theft is going on, and their credit is probably bad already, and they are already behind on their bills, etc. A middle class person will suffer a temporary setback (probably most vulnerable of the classes), but they aren't going to loose their job because someone opened up a bunch of credit accounts in their name. In other words the government will still get paid one way or another. Rich people will still be rich, regardless of an identity theft, and its likely they will take care of the pursuit of the thief themselves.
Basically, from the government's point of view, identity theft is a victimless crime. I know no one personally that has been affected by it, but I've read stories here and other places about it. It basically seems like a pain in the ass, kinda like being hassled by the law or a divorce, but life goes on, and I would only expect for it to escalate a little higher over the next couple of years and then taper off some.
So what is the answer? (Score:2, Insightful)
-An application requires that the user be able to process personal data about clients.
-The Social Security Number and other "sensitive" data is required by US government.
-The application must work across a wide geographical area. The application is on PCs that although locked up in buildings, could be stolen.
-Regardless of connectivity the data application must perform all functions, access all historical records of the client. So it must have some sort of local cache to enable work when connectivity is not available. (Yes, there are many places where reliable high speed network access is not available.)
-Data is reported periodically for aggregation by encrypted synchronization to a central repository.
Considering this, what does one do?
What local cache of the data could you possibly use and how would you secure it?
If someone steals the pc, how would they NOT be able to get into it? And how do I secure hundreds of pcs spread over hundreds of miles that are not connected to a single network?
If I encrypt individual fields in the local database, how do I know when I have done enough of them?
For that matter, what if someone steals the entire central database repository? How would it be possible to guarnatee they can't get it?
I'm dealing with shades of gray- when is the gray dark enough?
Re:Secret (Score:4, Insightful)
Convenience trumps all with security being a close second and privacy a distant third.