
Cornell Computer Theft Puts 45,000 At Risk of Identity Theft

timothy posted more than 4 years ago | from the into-the-gorges-with-the-thief dept.


PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."

91 comments

Steal my willy (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28459763)

Imagine your willy being smacked until it bleeds!

Willy on Wheels!

Keeping User Data in a University.... (4, Insightful)

introspekt.i (1233118) | more than 4 years ago | (#28459829)

Is like trying to hold water in a sifter. It's only a matter of time before some doofus puts an .xls file with everybody's info into a web share and then says "hackers compromised the [publicly available] private student data". Not like I haven't had any experience with this....or anything.

Re:Keeping User Data in a University.... (5, Interesting)

LaskoVortex (1153471) | more than 4 years ago | (#28459913)

I was once emailed a Word file with about 300 students' names, birthdates, social security numbers, and yes, user passwords for their university accounts. It was not encrypted and it was unsolicited--she needed help "opening" it. I promptly encrypted the file, deleted the original from my pop account, and then went to her computer and changed the name to have a ".doc" suffix. She was magically able to open it after that.

These are the people we entrust with our sensitive information.

Re:Keeping User Data in a University.... (1)

bertoelcon (1557907) | more than 4 years ago | (#28460221)

These are the people we entrust with our sensitive information.

You are only as strong as the weakest link, and they should really have some really basic security training for every person in an office setting.

TrueCrypt should be required on all such computers (1)

Futurepower(R) (558542) | more than 3 years ago | (#28467979)

All computers with sensitive information should have partitions entirely encrypted with TrueCrypt [truecrypt.org] . Then a stolen computer would yield no information.

TrueCrypt can encrypt even the OS partition.

From Cornell's weak excuses, June 2009 Data Theft - Frequently Asked Questions [cornell.edu] , a quote: "In June, 2009, a Cornell-owned computer that contained a large amount of administrative data was stolen. Our review of a current backup of the files on the system revealed that confidential personal data for about 45,000 current and former staff and students, and some dependents, had been present."

TrueCrypt is so fast that there is no noticeable change in speed of the computer.

TrueCrypt is completely free and open source. (1)

Futurepower(R) (558542) | more than 3 years ago | (#28468005)

I forgot to mention that TrueCrypt is completely free and open source. TrueCrypt has a history of being very reliable.

Re:TrueCrypt should be required on all such comput (1)

bertoelcon (1557907) | more than 3 years ago | (#28468835)

No offense, but you seem to be bordering on TrueCrypt advertising or even fanboying when you triple post like that. Not that TrueCrypt isn't good, but unencrypted emails are still a present weak point, along with the ignorant people that send them.

Sorry, I wasn't passionate enough. --grin-- (1)

Futurepower(R) (558542) | more than 3 years ago | (#28470069)

"... you seem to be bordering on TrueCrypt advertising..."

I didn't mean to be "bordering on advertising". I meant to be extremely intensely advertising.

I don't have any connection with the people who make TrueCrypt. I am only a very, very happy user. I've been using TrueCrypt for more than 3 years, through many versions, with no problems.

TrueCrypt is an excellent resolution of a huge problem.

Well, that's gotta' be mod abuse. (0, Offtopic)

Gazzonyx (982402) | more than 4 years ago | (#28460247)

I have no idea why this is modded funny. The correct moderation for this is +1 "We feel your pain, please revoke the user's privs. Immediately"

Re:Well, that's gotta' be mod abuse. (0)

Anonymous Coward | more than 4 years ago | (#28462741)

If you'll notice, on the list of mods funny is just below informative. It was likely an errant click. I've only been a mod four or five times and I've already accidentally modded a post as interesting when I meant informative.

Re:Well, that's gotta' be mod abuse. (1)

quadrox (1174915) | more than 3 years ago | (#28464523)

While we are being completely OT, I have a question about your sig - how is that supposed to work?

If I mod something up it is because I believe in what is being said in that post. If I did not personally believe what is being said (e.g. because I have counter arguments, my experience has been different etc.) I have absolutely no reason to mod someone up. The same is true vice versa for downmods.

I would appreciate help on how I should prevent my own beliefs/knowledge/opinions from interfering with my moderation. I just don't see how it is possible.

Re:Well, that's gotta' be mod abuse. (1)

cbiltcliffe (186293) | more than 3 years ago | (#28465603)

You're not supposed to moderate so much on the topic, as the amount of information and presentation of said info.
If they bring forward a point you don't agree with, but fully support it with evidence, logical arguments, etc, then you mod it up, or at least, don't mod it down.

If they just say "Lunix/Winblows/CrackOS sucks cuz my homie knows a guy who's friend got a virus on it!" well...then you troll mod into oblivion.

Comments of "I agree" don't add anything useful to the conversation, and only serve to fill up the database tables of /. servers, so these sometimes get downmodded.

Comments that state a point and try to back it up with random web links that don't even support their view, posted in the hope of readers thinking "He's got references. Must be right." without even reading said links, should also be modded down.

You're right, though, it can be difficult to properly mod, due to your own preconceptions interfering. But you've kind of got to put yourself outside the discussion, and see it from that point of view.
That's very likely why you can't comment and mod the same story. If you get involved in the conversation, the preconceptions become even more solid and difficult to put aside when moderating. That, and people (read: jerks) will mod down anybody who responds to their postings and disagrees with them....

Of course, if somebody puts forth a radically stupid idea, no matter how well supported with anecdotal evidence (I read about a guy who got trapped in a sinking car because he couldn't get his seatbelt undone, so nobody should have to wear seatbelts because they obviously kill people!) then you still have a right to mod down. Although there should be a "-1 Moron" mod for that....

Re:Well, that's gotta' be mod abuse. (1)

quadrox (1174915) | more than 3 years ago | (#28466217)

Thanks for your reply. What I really needed was gnapster's introduction though: "The point of the moderation system is not to make sure that only "true" things get posted," - that really helped get the point across :)

Re:Well, that's gotta' be mod abuse. (0)

Anonymous Coward | more than 3 years ago | (#28470777)

off topic

Re:Well, that's gotta' be mod abuse. (1)

gnapster (1401889) | more than 3 years ago | (#28465655)

The point of the moderation system is not to make sure that only "true" things get posted, or that we only see what we agree with. It is to help sift through the comments for anything which is a worthwhile contribution to the discussion. From the FAQ [slashdot.org] : "The moderation system is designed to sort the gems and the crap from the steady stream of information that flows through the pipe." When all the comments are in and the moderators have finished their work, you should be able to read the thread at +3 (or so) and see exactly those comments that are worth reading. This may include points of view which are apparently wrong, but are still well constructed and represent the thought of a significant portion of a population.

We are here to have engaging discussions. The moderation system is not about rewarding or penalizing writers, but helping readers. My rule of thumb is: if I'm glad I read it, I mod up. If it was a royal waste of my time, I mod down.

Re:Well, that's gotta' be mod abuse. (1)

quadrox (1174915) | more than 3 years ago | (#28466183)

Ok thanks, although I have read most of the FAQ I somehow missed that point. If that is the intention of the moderation system I will try to stick with it in the future. My only problem has been that it is very difficult to mod something "insightful" if it is clear to me that the poster is obviously wrong - even if he supplies plenty of arguments. But if the moderation system is mostly about the, shall we say "form" of the post instead of the actual content I see the point.

Re:Well, that's gotta' be mod abuse. (1)

gnapster (1401889) | more than 3 years ago | (#28466497)

Do take my advice with a grain of salt. The truth is that I have not been moderating for very long. But my understanding of the spirit of the thing has been that, at the end of the day, we want to see a discussion thread filled with interesting and enjoyable comments, and nothing else.

Re:Keeping User Data in a University.... (2, Insightful)

tnk1 (899206) | more than 4 years ago | (#28460307)

Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice. At the time I was the mail administrator, and it was a gigantic pain in the ass. I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.

Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.

Of course, the major question is, between my experience and this one.... why the fuck do people compile these things, load them into attachments or laptops and then do the stupidest things imaginable with them? Why do you need a list of everyone's salary or 45,000 people's social security numbers??? For what conceivable purpose would you take that out of the office or email it in bulk somewhere?

It just goes to show. No one cares about security until it's too late to care about it. If its not too late to care about it, they'll continue to ignore it, even after an incident until they have finally given away anything that could possibly be of value. At my business, I probably moved too fast to delete the file, so they had to screw up again to ensure their failure. At Cornell, losing 2500 accounts was too puny, so they needed to upgrade. Of course, given that there are like 17,000 undergrads at Cornell, they will probably need to screw up a few more times to make sure they have well and truly screwed over everyone who has attended there for the past decade or two.

I'm not bitter.

Re:Keeping User Data in a University.... (1)

commodoresloat (172735) | more than 4 years ago | (#28462349)

Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice.

Try working for the state. I was sent such a spreadsheet twice myself in my current employment -- published in the campus newspaper. Salary information isn't always private; it depends who's footing the bill.

Re:Keeping User Data in a University.... (2, Insightful)

stephanruby (542433) | more than 4 years ago | (#28463987)

Why do you need a list of everyone's salary or 45,000 people's social security numbers???

Those lists become handy when you need to fire someone. You start with the highest salaried people, and then you slowly work yourself down the list until you recognize someone you dislike, or until you simply don't recognize a name.

Re:Keeping User Data in a University.... (1)

cbiltcliffe (186293) | more than 3 years ago | (#28465707)

I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.

Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.

Why wasn't your first thought to turn off the POP3 server and any webmail or other access people might have had?
Sure, it's a pain, and you'll get helpdesk calls asking "Why can't I get email?" Just say, "There's a problem with the server, we're working on it." If you have an internal technical website (and you should, which should also be policy that it's the first place for people to check when they have a problem with something other than their own computer not turning on), post a quick message on it stating that there's a problem with the email system - and you're not lying - and it will be resolved as soon as possible.

Then, take an hour or so to write your script, don't answer the phone, start it running, and go to lunch.
When you get back, check a random sampling of mailboxes to make sure it's gone, fire up POP3 again, and send a message to the HR moron, stating that it was determined that the attachment they sent was flagged by your security filters as being a potential breach, which is what shut down the email system, and not to ever do anything that stupid again.
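The purge step described in this thread (identify the mis-sent message, remove it from every inbox, and get the count the mail admin above never had time to take), as an added example rather than any poster's own script. It assumes a classic one-mbox-file-per-user spool directory and identifies the message by its Message-ID; the three sample mailboxes are constructed inline.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage
from typing import Dict, Tuple


def purge_message(spool_dir: str, message_id: str) -> Dict[str, int]:
    """Remove every copy of the message with the given Message-ID from each
    mbox file in spool_dir (one file per user, as in a traditional /var/mail).

    Returns {username: copies_removed} for every mailbox that held a copy, so
    the incident report can state exactly who received it (users without a
    copy are not listed).  Each mailbox is locked while it is rewritten so a
    concurrent delivery cannot corrupt it.
    """
    affected: Dict[str, int] = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path):
            continue
        box = mailbox.mbox(path)
        box.lock()
        try:
            # Collect keys first; mutating while iterating an mbox is unsafe.
            doomed = [key for key, msg in box.iteritems()
                      if (msg.get("Message-ID") or "").strip() == message_id]
            for key in doomed:
                box.remove(key)
            if doomed:
                box.flush()          # rewrite the file without the message
                affected[name] = len(doomed)
        finally:
            box.unlock()
            box.close()
    return affected


def mailbox_size(spool_dir: str, user: str) -> int:
    """Number of messages currently in a user's mbox (used to verify the purge)."""
    box = mailbox.mbox(os.path.join(spool_dir, user))
    try:
        return len(box)
    finally:
        box.close()


def build_demo_spool() -> Tuple[str, str]:
    """Constructed sample data, not real mail: three users' mboxes in a temp dir.
    alice and carol received the mis-sent spreadsheet, bob did not.
    Returns (spool_dir, message_id of the leaked mail)."""
    spool = tempfile.mkdtemp(prefix="spool-")
    leak_id = "<salary-sheet-0001@hr.example.edu>"   # constructed identifier

    def deliver(user: str, subject: str, msg_id: str, attach: bool = False) -> None:
        msg = EmailMessage()
        msg["From"] = "hr@example.edu"
        msg["To"] = f"{user}@example.edu"
        msg["Subject"] = subject
        msg["Message-ID"] = msg_id
        msg.set_content("see attached")
        if attach:
            msg.add_attachment(b"fake,xls,bytes", maintype="application",
                               subtype="vnd.ms-excel", filename="salaries.xls")
        box = mailbox.mbox(os.path.join(spool, user))
        box.add(msg)                 # mailbox.mbox accepts email.message.Message
        box.close()

    deliver("alice", "Weekly notes", "<notes-1@example.edu>")
    deliver("alice", "ALLSTAFF: salaries", leak_id, attach=True)
    deliver("bob", "Weekly notes", "<notes-2@example.edu>")
    deliver("carol", "ALLSTAFF: salaries", leak_id, attach=True)
    return spool, leak_id


if __name__ == "__main__":
    spool_dir, leaked = build_demo_spool()
    print("removed from:", purge_message(spool_dir, leaked))
```

Run it against a real spool only after POP3/IMAP/webmail access has been stopped, as the comment suggests; otherwise the returned count understates who already fetched a copy.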

Re:Keeping User Data in a University.... (1)

Hadlock (143607) | more than 4 years ago | (#28460655)

I'm curious why universities need social security numbers at all. Last time I checked (never), the SS administration wasn't the one writing student aid checks. There's no federal database of who has what degrees (except perhaps MD degrees). Until 2004 or so the University of Texas Arlington used your initials and the last 4 digits of your SSN in your email address (which is the facebook login for most anyone who joined facebook at UTA prior to 2004, for you identity thieves).
 
UT Arlington (UTA) specializes in Engineering, Computer Science, and Social Services. Go figure.

It couldn't have happened when I went there (1)

billstewart (78916) | more than 4 years ago | (#28460867)

That kind of theft couldn't have happened back when I was a student at Cornell, in the mid-late 70s. First of all, there was only one computer used for most campus activities, a mainframe that lived in a data center out by the airport, so nobody could have stolen it :-) (There were some PDP-11s and such in a few engineering departments (though not CS - it was mostly the physics people and maybe a random department in the business or ag school), and the card readers that we used to talk to the mainframe really were DG Novas with 4KB of memory. But none of them would have had payroll or anything like that - that lived on the mainframe.)

But more importantly, we didn't use Social Security Numbers, except for payroll processing for employees. We used Student ID Numbers, which were a 6-digit number that wasn't particularly linked to anything. I don't remember if I had to give my SSN when applying, but probably not.

Re:It couldn't have happened when I went there (1)

Hadlock (143607) | more than 4 years ago | (#28461015)

Yeah, but back in MY day, we had to walk uphill BOTH ways, from the Dorm to the Library (where the mainframe terminals were), uphill to the cafeteria (where the food was), BACK uphill to the library, and finally uphill to the cafeteria again, and even further uphill to the dorm. Why the Dorm, Library and Cafeteria were on opposite ends of the campus, on top of steep hills, I'll never know.
 
And it snowed. Every day. In Texas. In August. All four years.
 
AND we didn't have the internet to plagiarize from or Wikipedia to research from.

Re:It couldn't have happened when I went there (0)

Anonymous Coward | more than 4 years ago | (#28461581)

Should we get off your lawn now, grandpa?

Re:It couldn't have happened when I went there (1, Informative)

Anonymous Coward | more than 4 years ago | (#28461787)

Cornell still uses the Cornell student ID (printed on your ID card) for everything internal. If someone knows that, they can -- with a little social engineering -- pretty much impersonate you for any in-person campus service like manually changing your schedule or getting meals in your name (if you have a meal plan).

I assume they need SSNs for any students they employ. Also, every college I applied to required it on the application as a unique identifier because they do not want to deal with names (your SSN is on every single page of the common app [wikipedia.org] ).

Re:Keeping User Data in a University.... (1)

mlts (1038732) | more than 4 years ago | (#28462469)

Sometimes I wonder if universities should just use some cryptographic hash of that material. If they had the SSN and user info, they can generate the ID, if a computer system didn't, the ID would still be useful for a primary or secondary key for that student, staff, or faculty.

A simple mechanism would be concatenating the information that doesn't change in a predetermined way (the first first and last name registered with the school and the SSN), perhaps adding a random password that is a shared secret among the trusted university computers, SHA-512-ing the string, and mod that output with the length of how long you want the university ID (6-8 numbers should be workable.) Finally, add some form of date for the month and year with the university (this cuts down on the chance of a collision), and voila, a workable student ID that can be generated from the user's data on the secure systems, but finding any secret info from the student ID number is virtually impossible, other than the date they started with the university.
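The scheme sketched above, worked through as an added example (not the poster's code). Two assumptions: the "shared secret" is used as an HMAC-SHA-512 key rather than appended to the string, and the numeric core is 7 digits; a birthday-bound function is added to check the "6-8 numbers should be workable" claim for a realistic cohort.

```python
import hashlib
import hmac
import math

ID_DIGITS = 7  # the comment suggests 6-8 digits; 7 is an assumption for the demo


def student_id(first: str, last: str, ssn: str, start_ym: str, key: bytes) -> str:
    """Derive a student ID from data that does not change (name + SSN), keyed
    with the university's shared secret, reduced mod 10**ID_DIGITS and prefixed
    with the start year/month (YYYYMM) as the comment describes.

    The key is the whole defence: the SSN space is only 10**9, so an UNKEYED
    hash could be inverted offline by anyone holding the ID.  HMAC is used
    here instead of plain concatenation-with-secret (an assumption, not the
    poster's construction).  Names are normalised so the same person always
    maps to the same ID regardless of case or spacing on the source record.
    """
    def norm(s: str) -> str:
        return " ".join(s.split()).lower()

    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    msg = "|".join([norm(first), norm(last), digits]).encode()
    digest = hmac.new(key, msg, hashlib.sha512).digest()
    # "mod that output with the length of how long you want the university ID"
    core = int.from_bytes(digest, "big") % (10 ** ID_DIGITS)
    # "add some form of date for the month and year": partitions the ID space
    # per cohort, so collisions only need to be avoided within one start month.
    return f"{start_ym}{core:0{ID_DIGITS}d}"


def collision_probability(cohort_size: int, digits: int = ID_DIGITS) -> float:
    """Birthday bound: probability that at least two people sharing one date
    prefix also share the same numeric core.  Computed exactly as
    1 - prod_{i<k}(1 - i/n) in log space to avoid underflow."""
    n = 10 ** digits
    log_no_collision = sum(math.log1p(-i / n) for i in range(cohort_size))
    return 1.0 - math.exp(log_no_collision)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    print(student_id("Ada", "Lovelace", "123-45-6789", "200908", demo_key))
    for k, d in [(3500, 7), (3500, 8), (45000, 7)]:
        print(f"cohort {k:>5} with {d} digits: P(collision) = {collision_probability(k, d):.3f}")
```

The collision numbers are the practitioner's check on the proposal: a 45,000-person population in a 7-digit space collides with near certainty, a single 3,500-person cohort still collides almost half the time at 7 digits and about 6% of the time at 8, so the scheme needs a collision check at issue time rather than trusting the hash alone.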

Re:Keeping User Data in a University.... (1)

cbiltcliffe (186293) | more than 3 years ago | (#28465823)

voila, a workable student ID that can be generated from the user's data on the secure systems, but finding any secret info from the student ID number is virtually impossible, other than the date they started with the university.

Until some dumbass admin who thinks "I know what I'm doing. It'll be fine." starts downloading trojanned cracks from infected-keygens.biz on the secure server....

Re:Keeping User Data in a University.... (1)

mpe (36238) | more than 3 years ago | (#28469283)

I'm curious why universities need social security numbers at all.

Except for their current employees. Though by the sounds of things they don't bother to remove this information from the records of past employees...

Re:Keeping User Data in a University.... (0)

Anonymous Coward | more than 4 years ago | (#28461265)

My first question: what the hell were passwords doing in a .doc?

I used to be the sysadmin for a high school, and I actually found two semi-legitimate reasons to have a password list:

[1] The F/OSS Basmati retrieve-your-grades-over-the-Web system assigns each student a random 6-character password, like ABC12D. Of course, teachers would blab them over the phone to any caller claiming to be a parent, no matter how many times I told them not to.

[2] The school cafeteria managers fell under the umbrella of the district food services office. The sysadmin there said that he maintained a file listing all the cafeteria manager's passwords. Before I could give him the usual lecture, he pointed out that, to get cafeteria managers at what our school district pays them, they REALLY have to scrape the bottom of the barrel, and they wind up with people incapable of memorizing passwords. He was telling cafeteria managers their own passwords on a weekly basis.

Re:Keeping User Data in a University.... (1)

LaskoVortex (1153471) | more than 4 years ago | (#28462239)

My first question: what the hell were passwords doing in a .doc?

In the old days (c. 2000), students applied for an account and then the authentication info was mailed to them in hard-copy through the department. I don't know the exact route, but at some point, a secretary was required to create a "merge mail" with the info for the new batch of students each year. You can see how the merge mail database might be a handy document to send another (clueless) secretary if said secretary needed some trivial amount of information that might be in that database.

I'm sure this kind of stuff still goes on.

Re:Keeping User Data in a University.... (1)

mlts (1038732) | more than 4 years ago | (#28462287)

I'm going to actually state this is a case where selective DRM (more specifically Microsoft's IRM in pre-2008, and RMS currently) would be a good thing.

Say this .doc file was protected with Microsoft's IRM and it got outside the company. Users who were authorized from the RM server would be able to view it, but to those who didn't have access, it would be encrypted and useless without the key. Yes, an authorized user likely could make a copy of it without the rights management encumbrance, but IRM systems are more to protect against a document escaping a company as opposed to limiting use against authorized users.

Re:Keeping User Data in a University.... (1)

cbiltcliffe (186293) | more than 3 years ago | (#28465913)

Yes, but IRM and DRM are two completely different things.

IRM allows a company to control who gets to see their own documents.

DRM allows a company to control what consumers have to repurchase.

The difference being, that the company using IRM is in control of their own use of their own internal documents, while the company using DRM is attempting to control the entire public's use of files that are meant to be used by the public.

Having said that, IRM can still be a pain for whistleblowers attempting to alert the public to something illegal their company is doing.

Re:Keeping User Data in a University.... (1)

kelnos (564113) | more than 3 years ago | (#28470881)

I absolutely hate to say -- or even think -- this, but... this sounds like a great argument for TPM/DRM/TCPA/whatever it's called.

Let's face it: you can't educate users about security. Many people will understand, but many will not. And it just takes a few people who don't get it to cause a problem.

In the instance of your example, it would be useful if the person who created that original .doc file could have placed restrictions on the file such that at least 1) it can't be sent anywhere unencrypted, 2) it can't be stored on an unencrypted medium, 3) data cannot be copied out of the document and into an unsecured location.

Sure, you can always use the analog hole (manually retype the information into a new document), but one would *hope* that the restrictions placed on the file would make someone think twice about doing that, and possibly realise that the restrictions are there for a reason. Or perhaps I'm just giving people too much credit and am foolishly thinking you can solve a social problem with a technical solution.

But seriously... it's astounding how blatantly careless and idiotic some people are when dealing with sensitive information.

(Cornell alum here who fortunately has *not* so far been notified that his data was among that leaked.)

Re:Keeping User Data in a University.... (3, Interesting)

hairyfeet (841228) | more than 4 years ago | (#28463055)

It isn't just universities. One Sunday I'm relaxing with a smoke after having to come into class to help those behind when I get a call "Where yo at?" I'm at class, just got done. Why? "You ain't gonna believe this shit. I'm about 10 blocks north of you. You got your truck?" yep, what else would I drive? "Good. Get over here NOW"

So I get over there to where Chuck works at and the Teleco next door has put out a ton of 1.5-3Ghz boxes out on the curb. Being a nice Sunday and I don't mind a little exercise for some free parts I helped Chuck load them up, in return for picking a couple of the nicer ones for me of course. We get them to his place, unload them and I say "let's fire them up to see if any has an OS or if they have been stripped." Now not only do these boxes still have the nice little XP Pro OEM stickers on them, but the OS is STILL installed and they didn't bother deleting squat. Accounts, CC numbers, the whole nine yards was just sitting there unencrypted on the drives. Most didn't even need a username to log on. Lucky for them we just wanted the PCs and not the data or we could have had ourselves an ID theft field day.

So it isn't just the schools. Over the years you'd be surprised how many "throw aways" I've ended up with that had major data on them. CC numbers, bank accounts, just stupid the amount of data they leave. I'm frankly shocked that MORE data theft hasn't occurred than what we have seen. I guess a lot of the guys are like me and just want a free PC and wipe the suckers.

Re:Keeping User Data in a University.... (0)

Anonymous Coward | more than 3 years ago | (#28465325)

Especially at an idiotic university like one of the Ivies. Can we please just firebomb them and be done with it?

Social security numbers are worthless (4, Interesting)

Jimmy_B (129296) | more than 4 years ago | (#28459837)

At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book, so no one will be able to pretend they mean anything. If a scammer wants to use someone else's identity to defraud a bank, then the black market will sell them cheap and in bulk. The real problem is that creditors are allowed to issue debts without attempting to contact the person whose name they're using, and then try to collect those debts when the scammer runs off with the money.

Re:Social security numbers are worthless (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28460079)

Goatse has had an anus transplant!

Groundbreaking [goatse.fr] new surgical technique.

Re:Social security numbers are worthless (1)

sexconker (1179573) | more than 4 years ago | (#28460179)

Did some work for an electrical union (the office managing people's pensions and such) a couple of summers during high school.

We'd have people's names, SSNs, partial addresses, etc.

We needed to get mailings out to them.

Just hop on this website, click the "yes I'm authorized to look at this information" button, and then type in a name, phone number, partial address, or ssn.

You get a neat list of all people with that name/number/address/ssn (often multiple people with the same ssn LOL). You even get a cool little family tree graphed out for you.

Your SSN is out there , just waiting to be plucked by some unscrupulous intern.

Creditor's problem (1)

cockpitcomp (1575439) | more than 4 years ago | (#28460383)

Identifying clients should be the creditor's problem, not mine. I have little control over my own SSN, but I am supposed to now buy ID theft insurance? Seems like Trans Union, TRW, Visa and the like should be able to figure something out.

Re:Creditor's problem (1)

techno-vampire (666512) | more than 4 years ago | (#28460479)

You need to buy ID theft insurance because TRW, Visa and so on can't figure out to keep your personal data secure. It's exactly the same as the way you have to buy, install and use a third-party anti-virus because Microsoft can't figure out how to keep its OS secure.

Re:Creditor's problem (0)

Anonymous Coward | more than 4 years ago | (#28461077)

Question: How do you stop someone from randomly downloading an executable virus and running it, putting any kind of os block on it will not work (see UAC). The only option is to monitor what they are doing and stop it once its detected. Hence Antivirus and similar solutions. You have to prevent the user from themselves. They own their computer and should be able to do whatever they want, but you also have to keep them from harming themselves as well.

Re:Creditor's problem (0)

Anonymous Coward | more than 4 years ago | (#28461909)

Except with Windows I can just not use it. With credit there's no alternative. (Even if I don't use credit, my SSN still exists and someone else could get credit with it if they know it.)

Re:Social security numbers are worthless (1)

zizinya (1584487) | more than 4 years ago | (#28460559)

There's not much that can actually be done with an SSN and nothing more. A potential id thief needs a lot more to work with in order to actually do some real damage.

Re:Social security numbers are worthless (1)

schmaustech (766915) | more than 4 years ago | (#28460791)

There's not much that can actually be done with an SSN and nothing more. A potential id thief needs a lot more to work with in order to actually do some real damage.

You forget that with a little Google action, one can probably gain that additional information to make the Social Security number worth something. Having the name and SS is a start and it would take only a little sleuthing to get the rest.

Re:Social security numbers are worthless (0)

Anonymous Coward | more than 4 years ago | (#28461755)

I think in some states, people can do a credit freeze for free, or for a fee. Like, I think in Washington state, it's like $10 to freeze, $10 to unfreeze, which should prevent people from opening up bank accounts, credit cards, etc., I think.

Re:Social security numbers are worthless (1)

mpe (36238) | more than 3 years ago | (#28470261)

At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book,

The point is they are "identifiers" rather than "authenticators".

so no one will be able to pretend they mean anything.

You underestimate the abilities of fools. Nothing is likely to stop them believing that a collection of identifiers equates to an authenticator.

from Ivy League to Bush League (1)

Anonymous Coward | more than 4 years ago | (#28459867)

Wow.. social security numbers.. on PERSONAL COMPUTERS!!!! Outrageous. What that data is doing on anything but computers locked behind doors in a data center is beyond comprehension.

Cornell has dropped out of the Ivy league and entered the bush league.

hosers.

Re:from Ivy League to Bush League (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28459927)

I assure you it is news to no one involved with Cornell that the IT department (CIT) is utterly incompetent. If anyone had any doubts, the recent rollout of PeopleSoft silenced them when they could not hand out financial aid for a semester because they could not get the system to work and course pre-enrollment (which a lot of people want to start right on time to get into popular classes) failed with random COBOL errors, was taken down, and reinstated a day or so later.

Re:from Ivy League to Bush League (0)

Anonymous Coward | more than 4 years ago | (#28460421)

I thought they were rolling out PeopleSoft like a decade ago or something when I was a student. And yes, I also worked at CIT as a student, so I know what you mean. There are some good people there, and then there were a load of complete fuckups. Ithaca is hardly the IT mecca of the Northeast... or anywhere, so you're not dealing with the deepest talent pool for employees.

In their defense, I will say that Cornell has always had trouble due to the decentralized nature of the IT, between the various colleges and the departments all having their own servers and staff and the problems that creates. That mostly affected me working in support, however. I don't know if that played a role in the PeopleSoft migration.

Are they still using CORNELLC? Fond memories those.

Re:from Ivy League to Bush League (0)

Anonymous Coward | more than 3 years ago | (#28465761)

CIT is much better than it used to be. But, it is still a bureaucracy, and hampered as such. Over the past year, CIT has also had a lot of resources dedicated to replacing the entire email/calendaring infrastructure - all for one person, our new University President (we're moving to MS Exchange).

De-centralized IT is quite necessary. There is no way a centralized organization can meet the many diverse needs of individual departments (so providing a one size fits all solution is very hard... and CIT has a history of not listening to the needs of its customers... it is turning that around). That said, some things that make sense to centralize are centralized. More problems arise from needing to upgrade a piece of IT infrastructure the whole campus uses, but CIT doesn't "own", so is only a contractor when the owner decides what to do.

CornellC still exists.

The PeopleSoft rollout continues. It's the never-ending project.

Re:from Ivy League to Bush League (0)

Anonymous Coward | more than 4 years ago | (#28463683)

Serves the antisemitic bastards right!

Go Columbia!!!

I was one of the 45K (5, Insightful)

Anonymous Coward | more than 4 years ago | (#28459971)

It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.

I wonder (2, Interesting)

Anonymous Coward | more than 4 years ago | (#28460013)

how many times identity theft isn't reported. The high school I went to had a case reported that some kids had stolen the SS numbers from the school's network. I know because I was called in and questioned about it. I didn't do it, and I don't know if they ever found out; I don't think they did, as no one was expelled. The IT Department was totally fucked though, as a network with a vulnerability like that was... well, you get the idea.

I was on the network and saw some teachers' files however, so I wonder if some other kids got further than I did. I knew not to let my "young curiosity" go any further. College applications, let alone scholarships, were at stake and fooling around the network like that was not worth not going to college.

My point being, this was reported, and the results were inconclusive. What if they questioned the person who actually got the SSNs, and he got away with it? I wonder if a few credit cards in my name will be opened up in Asia in a few years, or already.

Troubleshooting? (1)

iamhigh (1252742) | more than 4 years ago | (#28460065)

WTF do you need the actual data for? You don't know that a SSN is 9 numbers and possibly 2 dashes? Why do you need actual data on a computer that can be stolen?

Re:Troubleshooting? (0)

Anonymous Coward | more than 4 years ago | (#28460321)

Because the system must be tested with multiple combinations of 0-9 at every digit. And no, not some randomly generated permutations either... I'm talking real data testing here.
Otherwise our use cases will be useless and the testing incomplete. ... lazy freaking programmers.

- Your friendly Requirements Analyst

Re:Troubleshooting? (1)

ctmurray (1475885) | more than 4 years ago | (#28461799)

My wife was in IT at a large company. For testing purposes they had a set of data for fake employees that contained enough data to provide good testing.

Re:Troubleshooting? (1)

mpe (36238) | more than 3 years ago | (#28470389)

WTF do you need the actual data for? You don't know that a SSN is 9 numbers and possibly 2 dashes? Why do you need actual data on a computer that can be stolen?

It appears to quite often be the case with such "breaches" that there wasn't an especially good reason to be storing said data at all. However without data protection laws which are strongly enforced there is little incentive to store and process only data which is actually needed.

How much is your personal information worth? (1)

MrMista_B (891430) | more than 4 years ago | (#28460119)

Sue them for that amount, x45,000.

Then maybe they'll take this seriously.

Re:How much is your personal information worth? (1)

Leafheart (1120885) | more than 3 years ago | (#28466941)

Answering your question, as long as they are concerned: $0.00.

So, 0 * 45,000 = $0.00

CIT is completely incompetent (2, Insightful)

Anonymous Coward | more than 4 years ago | (#28460131)

This is the same IT department that recently switched over its management software to peoplesoft. A wonderful web app that randomly throws COBOL errors and refuses to function.

Surprise, surprise.

I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.

No Big Deal (0)

Anonymous Coward | more than 4 years ago | (#28460133)

Everything was encrypted, right?

Cornell - Ever heard of it? (0)

Anonymous Coward | more than 4 years ago | (#28460163)

Andy Bernard is going to be upset.

Cross Cornell off the list (1)

Khyber (864651) | more than 4 years ago | (#28460331)

I had considered Cornell for obtaining my Bachelor's - not any longer with this.

Even I have better security practices and I run windows machines without firewalls or AV software.

Over four years without infection! Common fucking sense FTW.

Re:Cross Cornell off the list (2, Funny)

phantomcircuit (938963) | more than 4 years ago | (#28460455)

That is how you're choosing schools? Don't worry I don't think Cornell was even an option.

Re:Cross Cornell off the list (0)

Anonymous Coward | more than 4 years ago | (#28460685)

Believe it or not, the "top 20" colleges or so are basically equivalent (Harvard, MIT, and a few others are (slight) exceptions). Only a few minor differences exist in the strength of the curriculum and the opportunities available. So, no, I would not consider it unreasonable for him to cross Cornell off the list if they can't guarantee that his information will be secure. Save the $60 application fee and go elsewhere--Duke, Northwestern, etc etc (assuming the grades of course).

Re:Cross Cornell off the list (0)

Anonymous Coward | more than 4 years ago | (#28461729)

Unless you want a career in politics. Then you kind of need a Yale or Harvard pigskin. Or a D after your name. But even then...

How many congresscritters have an MIT or Caltech degree? Not many, I'll wager.

-----

He shouldn't cross Cornell off the list just because of a single security breach, though. Just because the other universities haven't been caught with their pants down yet doesn't mean that their belts are properly secured.

Re:Cross Cornell off the list (0)

Anonymous Coward | more than 4 years ago | (#28462565)

Or law. From what I've been told (IANAL, of course), the first thing HR looks at after someone passes the bar and looks for employment is where did they get their law degree from. Pretty much Yale or Harvard is a key to employment, then on down the list.

It's unfair because I am sure that some of the less well known law schools graduate better attorneys than some of the larger ones, but that's life.

Re:Cross Cornell off the list (0)

Anonymous Coward | more than 4 years ago | (#28461863)

Firstly, I don't think the top 20 schools are basically equivalent; the applied engineering and physics (AEP) major at Cornell is widely acknowledged as the most comprehensive and difficult major in existence. The architecture school is unparalleled, the Hotel school (despite its ... shall we say... lack of rigor) is world renowned: simply, strengths reside in every college.

If the original poster makes their decision to avoid Cornell based on the present security snafu, he or she is a bit shortsighted: one foolish employee can drag down any institution with any amount of prestige. Don't be surprised if your chosen institution fails similarly.

Secondly, as a recent alum, I was on this list. They have taken the requisite measures to pay Kroll, Inc. to provide credit monitoring and identity theft restoration services to ALL 45,000. I am not concerned.

Similarly, I am attending UC Berkeley for graduate training in Neuroscience next year and they have ALSO allowed sensitive information to fall into the wrong hands. A breach was detected in their University Health Services in May.

Am I second guessing my attendance at Cornell OR Berkeley? hmmmmm.... ;-). nope.

Gosh, where are my priorities?

CONCLUSION:
Kid, if you need some minutia to tip the scale I hope it's something that actually impacts your education.

Re:Cross Cornell off the list (0)

Anonymous Coward | more than 4 years ago | (#28462523)

I agree with the above; AEP is known to be ridiculous, and architecture and hotel programs are also very well known.

One can definitely find differences between the top 20 schools - quality of instruction, leading areas of research, intelligence of one's peers, etc. Not to mention the factors other than curriculum. You should have a life as an undergrad, after all.

someone forgot to run Spider (1, Informative)

Anonymous Coward | more than 4 years ago | (#28460779)

You'd think the university that created the Cornell Spider -- http://www2.cit.cornell.edu/security/tools/ -- would be more diligent about pushing that out on all their machines. But I work in the *real* world and know all about theory and practice.

Third time's the charm (1)

brusk (135896) | more than 4 years ago | (#28460869)

I just got the email about this yesterday. It's the third time a university I've been associated with has had a major data leak (UCLA, Stanford, Cornell). The upside is that I've had free credit monitoring for the past few years!

Security (1)

kbsoftware (1000159) | more than 4 years ago | (#28461075)

So the moral of the story is, if you are looking to educate yourself on security and common sense, then Cornell is not where you want to go, among other places. It always amazes me that it seems to take a few hundred breaches before common sense sinks in and simple things like encryption and basic security measures are used.

Absolute Liability? (1)

jmcharry (608079) | more than 4 years ago | (#28461517)

Maybe the solution to this is absolute liability for anyone who keeps personal information on anyone else.

Wow this is bad, did you read this (0)

Anonymous Coward | more than 4 years ago | (#28461741)

http://security.cuinfo.cornell.edu/

As a former student... (1)

singularity (2031) | more than 4 years ago | (#28462289)

I have no idea how far back the stolen data goes, but I was a student at Cornell in the mid-90's. I can assure you that Cornell does not have my current email address (my university address expired after I left), and they do not have my current mailing address, either - I never receive mailed solicitations for money.

On their FAQ page, they assure everyone that they contacted everyone who had their data stolen via email or USPS. I am not saying that I was necessarily one of the victims here, but I am sure that there are other people in the 45,000 for whom that is true.

Full Disk Encryption is just too easy! (1, Informative)

Anonymous Coward | more than 4 years ago | (#28462357)

Fedora has full disk encryption, any newbie can activate it.

What is wrong with these people?

Re:Full Disk Encryption is just too easy! (1)

mlts (1038732) | more than 4 years ago | (#28462627)

In reality, what is needed is FDE systems architected similar to Microsoft's BitLocker that use a TPM chip that is used to validate the boot process, then pass the encryption key to the OS. This will allow servers to boot unattended (although one can have the TPM request a PIN), but still protect the machines from unauthorized access via a live CD.

One can add additional mechanisms to this, for example, a GPS that the TPM can use to validate that a machine is still within the same physical area, or a hardware sensor that detects if the machine is moved from a rack and asks for a PIN before allowing it to boot. Similar with a case intrusion sensor. Yes, a thief can reset the CMOS, but then its hash would change, and the TPM would detect that.

This isn't to say that other FDE systems are bad. However, for servers where having an additional boot passphrase at boot may become more of a liability than an asset, a TPM based boot process would go a long way in ensuring that data on the machine isn't accessed or tampered with, in the case the machine is physically compromised or stolen.
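The measured-boot argument above (each boot stage extends a TPM PCR, and the disk key is only released if the chain matches what it was sealed to) as an added Python simulation; this is not code from the comment or from BitLocker or any TPM stack. The PCR, the "TPM secret", the sealing construction (HMAC-derived wrapping key instead of a real storage root key) and the boot measurements are all constructed stand-ins.

```python
import hashlib
import hmac

# Simulated PCR: a 32-byte SHA-256 digest that starts at zero after reset.
PCR_RESET = bytes(32)


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component)).

    The chain is one-way and order-dependent, so software running later in
    the boot cannot rewrite an earlier measurement; it can only extend."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure every boot stage in order, as firmware/bootloader would."""
    pcr = PCR_RESET
    for c in components:
        pcr = extend_pcr(pcr, c)
    return pcr


def seal(key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> dict:
    """Simulated sealing: wrap a 32-byte key under a KEK derived from the
    chip-resident secret and the PCR value the key is bound to.
    (Constructed stand-in for real TPM sealing; tpm_secret never leaves
    a real chip.)"""
    kek = hmac.new(tpm_secret, b"seal" + expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(key, kek))
    tag = hmac.new(kek, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: dict, current_pcr: bytes, tpm_secret: bytes):
    """Return the key only if the current PCR equals the sealed-to value.

    A different PCR yields a different KEK, the integrity tag fails, and
    nothing is released: the OS never sees the disk key."""
    kek = hmac.new(tpm_secret, b"seal" + current_pcr, hashlib.sha256).digest()
    tag = hmac.new(kek, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


# Constructed boot chains standing in for real firmware/loader images.
GOOD_CHAIN = [b"firmware-v1", b"cmos-config:secure", b"bootloader-v2", b"kernel-v3"]
CMOS_RESET_CHAIN = [b"firmware-v1", b"cmos-config:defaults", b"bootloader-v2", b"kernel-v3"]
LIVE_CD_CHAIN = [b"firmware-v1", b"cmos-config:secure", b"livecd-loader", b"livecd-kernel"]


def demo(tpm_secret: bytes = b"constructed-tpm-secret", disk_key: bytes = bytes(range(32))) -> dict:
    """Seal the disk key to the known-good chain, then try three boots."""
    sealed = seal(disk_key, measure_boot(GOOD_CHAIN), tpm_secret)
    return {
        "normal": unseal(sealed, measure_boot(GOOD_CHAIN), tpm_secret) == disk_key,
        "cmos_reset": unseal(sealed, measure_boot(CMOS_RESET_CHAIN), tpm_secret),
        "live_cd": unseal(sealed, measure_boot(LIVE_CD_CHAIN), tpm_secret),
    }


if __name__ == "__main__":
    print(demo())  # normal boot unseals; CMOS reset and live CD both get None
```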

Re:Full Disk Encryption is just too easy! (0)

Anonymous Coward | more than 4 years ago | (#28463771)

That cure is worse than the disease. With a TPM, you get remote attestation and sealed storage which, in concert, would lead to format lock-in of unprecedented proportions.
No thanks, I'll stick to passworded disk encryption, TYVM.

Re:Full Disk Encryption is just too easy! (0)

Anonymous Coward | more than 3 years ago | (#28464267)

TPMs have been widespread on most business level workstation and server equipment since 2006. Remote attestation has been limited to being able to deploy boxes such as read-only domain controllers to branch sites to people who don't have admin rights. Sealed storage has been pretty much limited to BitLocker keys.

This isn't to say that this can't be used to enforce OS lock-in and a DRM stack starting from hardware on up, similar to how consoles are protected. However, for businesses, the good outweighs the bad. Since the functionality is on most servers (but shipped disabled), it's definitely worth using.

Same as DRM. DRM can keep a stolen document from resulting in a multi-million dollar ID theft, or it can be used to take away people's fair use rights.

I am one of the unfortunate 45,000 (1, Informative)

Anonymous Coward | more than 4 years ago | (#28462589)

I've been reading about similar stuff happening at other places but I didn't think it would occur at Cornell. They are generally pretty good about IT/Security stuff. In any case, the email they sent out links to this FAQ:
http://faq-june2009.cuinfo.cornell.edu

Turns out that it wasn't so much the university's fault as it was the fault of some idiot IT person. An excerpt from the FAQ:

5. Why was this information on a computer?

A member of the Cornell technical staff, who is responsible for supporting our central administrative systems, was using these files to correct transmission errors found in the processing of the files. The data was being used for troubleshooting. Cornell's information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location. This employee's actions, although unintentional, violated our policy and practices.

At least they are being nice and providing us with a service that will let us monitor our credit history. Great stuff... one more thing to worry about while trying to finish with my dissertation!

Re:I am one of the unfortunate 45,000 (1)

kelnos (564113) | more than 3 years ago | (#28471061)

Turns out that it wasn't so much the university's fault as it was the fault of some idiot IT person.

If the university hired that idiot IT person, then it's the university's fault. Full stop.

alum here (0)

Anonymous Coward | more than 4 years ago | (#28462733)

Cornell alum here. They actually disclosed this breach to us yesterday the 23rd. On the bright side, they'll be paying for 'credit monitoring and identity theft restoration services.' Whatever that means...

SSN = identity? (1)

BraulioBezerra (1321253) | more than 3 years ago | (#28464803)

Let me understand...

There is a government site that returns your signature, photo, complete name, DNA, fingerprint, all passwords, a 3D model of you, your sex tapes, etc., in the case you've lost them... Just put your SSN and you get back your lost identity. Is this the problem with SSNs?

Maybe credit companies just accept that you are someone else just because you know his/her SSN and last name...

At least they admit it.... (2, Insightful)

Bob_Who (926234) | more than 3 years ago | (#28464881)

Everyone else that stores and shares your personal data is too inept to notice their blunders, or won't dare admit it unless they absolutely must. It's best to assume there is no such thing as secure information once you share it with others.

Isnt cornell.... (1)

hesaigo999ca (786966) | more than 3 years ago | (#28466131)

Isn't Cornell....supposed to be one of the biggest and brightest Universities to be out there...they can't afford a good admin with stronger group policies on the network?

Re:Isnt cornell.... (0)

Anonymous Coward | more than 3 years ago | (#28468435)

Correct. CIT (the Cornell centralized IT department) is a mess and they are incompetent. (Last year we got an e-mail warning about a virus on their computers spread by USB autorun. Seriously, what Windows admin doesn't even disable autorun?) In contrast, the one student-run computer lab [cornell.edu] is well-organized and actually has sane security policies.

CIT sucks, not Cornell (0, Offtopic)

tangentreality (1296105) | more than 3 years ago | (#28466515)

I was one of the 45,000. And although I agree that CIT is one of the most incompetent IT staffs I have ever come into contact with, keep in mind that CIT's actions do not necessarily reflect the knowledge of the general student body. I know plenty of freshmen who know more about computers than the CIT staff. It's frustrating when you call the IT department and then YOU have to explain to THEM how to fix the problem you're having with your internet connection.

So for all of you bashing Cornell: going to Cornell won't mean that you learn less about computers and security because of the IT staff being dumb. Knowledge of IT staff does not equal quality of classes when the selection process for hiring those staff members is as bad as it is. On top of that, most of the people who should be IT staff don't want to be. And at any school you'll have problems with the administration or the staff being incompetent in some way, that's just how it works.