nanog mailing list archives

Re: Stanford Hack Exposes 10,000


From: Daniel Golding <dgolding () burtongroup com>
Date: Thu, 26 May 2005 13:01:24 -0400



People are missing the point a bit. Most schools HAVE switched over to new
numbering systems. Most student IDs have school-specific ID numbers. The
problems are:

1) Older student records are indexed by SSN and they must be retained.
2) Some information is still indexed by SSN out of necessity - student
financial aid for example

That means you have a translation database somewhere, with all those SSNs
and the new student index numbers.

SSNs are already forbidden going forward at pretty much all schools. For
example, they can't be used to post grades. However, the need to retain them
for backwards compatibility remains. Education institutions need a clear set
of guidelines for handling sensitive data like that. A good start would be
that such data can only be stored in an encrypted format in a physically
secure facility. 

Yes, that seems obvious, but it doesn't happen. Considering the sort of
freewheeling environment prevalent in University networks, you would think they
would be a bastion of high security. Sadly, this isn't the case.

- Dan

On 5/26/05 6:10 AM, "Michael.Dillon () radianz com"
<Michael.Dillon () radianz com> wrote:


Around about whenever the US Federal Government gets the hint and
passes a bill which makes it illegal to use social security numbers
for any purpose other than the administration of social security.

Wrong answer. Federal laws do not stop people from doing stupid
things and they do not stop people from doing illegal things.

What we need is a Hollywood blockbuster in which some high school
hackers wreak havoc by acquiring SSNs from gradesheets and using
mother's maiden names to steal lots of money and identities.
Then, pointy-haired bosses will ask their sysadmins to make sure
that it can't happen in their department.

Hollywood movies change people's behavior. Federal laws do not.

--Michael Dillon


-- 
Daniel Golding
Network and Telecommunications Strategies
Burton Group


