
Slashdot: News for Nerds


How Cornell Plans To Purge Campus Computers of Personal Data

timothy posted more than 3 years ago | from the very-very-carefully dept.

Education 164

and so forth writes "Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer at the University for the following items: social security numbers; credit card numbers; driver's license numbers; bank account numbers; and protected health information, as defined by HIPAA. The main tools are Identityfinder (commercial software for Windows and Mac), spider (Cornell software for Windows from 2008) and Find_SSN (python script from Virginia Tech). The effort raises both technical questions (false positives, anyone?) and practical issues (should I trust closed source software to do this?). Have other Universities succeeded at removing confidential data? Success, here, should probably be gauged in terms of diminished legal liability after the attempted clean up has been completed." Note: this program affects the computers of university employees and offices, rather than students' personal machines.


164 comments

Good Idea (1)

RegTooLate (1135209) | more than 3 years ago | (#33914186)

Get that data out of there! If it isn't your system and the data shouldn't be there, no problem scanning for the bad stuff.

This is easy (3, Interesting)

Hatta (162192) | more than 3 years ago | (#33914192)

After logging off, revert to the last backup. If there's no data on the computer, there's no personal data on the computer. Anything you need saved goes on removable storage.

Re:This is easy (1)

garcia (6573) | more than 3 years ago | (#33914244)

Well, there are two possibilities in this scenario:

1. The process takes entirely too long and if the person doesn't wait and walks away or just turns it off, the thief could still get the data. They used rdist when I was in college for campus kiosk computers. It was fucking miserable to wait for one of these bastards to boot or shutdown in the case of there being a problem which required a reboot (at the time a frequent necessity).

2. The computer isn't permitted to store any data and thus becomes pretty useless.

Actually, storing no data can be a good thing (3, Interesting)

davidwr (791652) | more than 3 years ago | (#33914348)

In an age of always-connected, treating computers as "smart terminals" with no long-term local storage save an encrypted self-destructing-on-wrong-password cache can be very useful.

Re:This is easy (1)

omni123 (1622083) | more than 3 years ago | (#33914894)

And then the staff store the data on the removable storage and it makes it even easier to walk away with. Now instead of a desktop security breach, someone drops their usb drive on the train...

Re:This is easy (2, Informative)

dissy (172727) | more than 3 years ago | (#33914896)

"1. The process takes entirely too long and if the person doesn't wait and walks away or just turns it off, the thief could still get the data. They used rdist when I was in college for campus kiosk computers. It was fucking miserable to wait for one of these bastards to boot or shutdown in the case of there being a problem which required a reboot (at the time a frequent necessity)."

Eww, yea that's not the best way to do it at all (Having to wait on anything that is.)

For Windows XP I use a program called Windows SteadyState [wikipedia.org], which unfortunately Microsoft seems to be discontinuing as so far as not supporting any OS past XP 32bit.

There is also a commercial solution known as Deep Freeze [faronics.com] that does the same task but for a lot more operating systems.

Basically all your root drive / C drive changes are held in memory in a separate copy-on-write partition that appears merged with the real data.
None of the FAT entries are maintained for that outside of RAM however, so even yanking the plug will do the same thing as a normal shutdown, and there is no waiting beyond what you wait now to reboot. All changes to the drive just instantly disappear and the drive space is reclaimed.

you too might be a sociopath (-1, Troll)

gumbi west (610122) | more than 3 years ago | (#33914346)

trying to get around rules like this where the end result is self reward and might hurt others is very anti-social.

Re:This is easy (1)

icebike (68054) | more than 3 years ago | (#33914672)

After logging off, revert to the last backup. If there's no data on the computer, there's no personal data on the computer. Anything you need saved goes on removable storage.

The article pertains to staff computers.

Are you saying a prof can't use his university supplied staff computer to work up a lesson plan, unless he puts that plan on some other storage?

You pretty much remove a major portion of the utility of the PC when you start insisting they be reverted on every reboot.

Re:This is easy (1)

Surt (22457) | more than 3 years ago | (#33915046)

Yes, everyone is moving this direction now. They don't use local storage for their lesson plans, they use a NAS. Now instead of the data being stuck on your desktop when you forget it, it's on an everywhere accessible network location.

Re:This is easy (1)

LurkerXXX (667952) | more than 3 years ago | (#33914704)

That's pretty dumb. Removable storage just means some bad guy can walk away with the data on the external drive.

What Identityfinder does (our university mandated putting it on all faculty and staff computers at the beginning of the year) is force you to decide to either remove the data from the machine, or *encrypt it*.

Re:This is easy (1)

OnePumpChump (1560417) | more than 3 years ago | (#33914784)

This is how the library at which I work does it, except it doesn't delete EVERYTHING, just all browser settings and temporary files...you have to restart the computer to start completely fresh.

Re:This is easy (1)

Surt (22457) | more than 3 years ago | (#33915032)

Surely you mean anything you need saved goes to the university cloud storage, so they can keep it physically secured. Your usb flash drive is a bit easy to snatch.

Good luck to that. Like ANY hard disk (0)

Anonymous Coward | more than 3 years ago | (#33914194)

Like any hard disk, it soon fills to near capacity. Sort of like the only elevator in a 4-story housing project when the plumbing is out.

What does "computers of university employees" mean (3, Insightful)

Entropius (188861) | more than 3 years ago | (#33914228)

Does this include professors?

I know a lot of scientists who would be quite annoyed if the people from the IT department (who are clueless policy-obsessed wankers at my institution) came in and wanted to search through a bunch of simulation results and LaTeX files looking for SSN's.

Re:What does "computers of university employees" m (4, Insightful)

topham (32406) | more than 3 years ago | (#33914254)

a) too fucking bad.
b) Sign this waiver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.

I don't get the premise of the article. Scanning for credit card data and SSN is quite easy and simple. It's no more intrusive than a virus scan. Being opened, or closed source doesn't make any bloody difference either.

Intrusion detection systems should also be running and scanning for data that conforms with SSN or credit card formats.

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33914292)

SSN numbers are not strictly structured like credit card numbers. This results in false positives. There are things you can do to narrow this down, such as no all 0 values for any of the three sets, and the first set goes up to something like 760 as its highest ... but that's it. They could have spaces, dashes, nothing.

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33915160)

772 at its highest for now. Starting in June of 2011 the SSA will issue "random" numbers up through 899 for the first three digits.
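The filtering rules from the two comments above, put into a runnable sketch (an added example, not code from any poster or from Identity Finder, Spider or Find_SSN). The sample text is constructed, `MAX_AREA` uses the 772 figure quoted above, and the Luhn check for card numbers is added to show the contrast the first comment draws.

```python
import re

# Nine digits in 3-2-4 groups; the separator may be a space, a dash or nothing,
# but must be the same in both positions. Lookarounds skip longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([ -]?)(\d{2})\2(\d{4})(?!\d)")
# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")

MAX_AREA = 772  # highest first group per the comment above (assumption of this sketch)


def ssn_plausible(area, group, serial, max_area=MAX_AREA):
    """Structural rules from the thread: no all-zero group, first group in range."""
    if area == "000" or group == "00" or serial == "0000":
        return False
    return int(area) <= max_area


def luhn_ok(number):
    """Luhn checksum over the digits of a card-number candidate."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return (line number, kind, matched text) for every surviving candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(m.group(1), m.group(3), m.group(4)):
                findings.append((line_no, "ssn", m.group(0)))
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group(0)):
                findings.append((line_no, "card", m.group(0)))
    return findings


# Constructed sample input: no value here belongs to a real person or account.
SAMPLE = """\
student id 123-45-6789 on roster
placeholder 000-12-3456 in template
legacy field 900-12-3456 unused
record 123-00-4567 malformed
total energy 512340987 after run
card 4111 1111 1111 1111 on file
card 4111 1111 1111 1112 mistyped
"""

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE):
        print(f"line {line_no}: possible {kind}: {value}")
```

The bare nine-digit value on line 5 passes every structural rule, which is the false-positive problem the thread describes; the mistyped card number on line 7 is rejected because card numbers carry a checksum.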

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33914436)

And a) is the reason my department does not trust IT cowboys with any of our data. This is data that cost actual money to generate, not some shit we downloaded off BitTorrent for fun. I hope you get fired.

Re:What does "computers of university employees" m (2, Insightful)

fluffy99 (870997) | more than 3 years ago | (#33914618)

And a) is the reason my department does not trust IT cowboys with any of our data. This is data that cost actual money to generate, not some shit we downloaded off BitTorrent for fun. I hope you get fired.

Well are you an arrogant and self-important little bugger. The fact is that improperly retaining and losing privacy act data costs money and reputation too (just ask the Veterans Administration). Potentially a lot more than some professor's grading data where he stupidly tracks students by their full soc number. Or the sociology researcher keeping a huge database of personal info on their test subjects. The mandate for this action did not originate with the IT folks, but they were tasked to implement the policy. Stop being a little prick and try to understand the bigger picture.

Besides the article didn't say it was going to delete the data. It said "cleanup" which could be anything from a script that pops up when it detects questionable data, or even maybe it just moves it off of theft-prone laptops and desktops onto a central file server.

Many institutions are going the route of encryption. Hard drives are encrypted, and anything stored onto removable media gets encrypted. A pain in the ass to be sure, but it does allow management to claim that no data was compromised if a laptop disappears.

Re:What does "computers of university employees" m (1)

Entropius (188861) | more than 3 years ago | (#33915154)

As someone who works rather intimately with the department-level IT guys at a university, this would be a disaster. They don't have time to install automatic encryption software on everyone's disk, and *we* don't have time to wait on the computer to run crypto on it. Yes, disk encryption software is pretty fast -- but it's slower than the RAID we're pulling the data from, and the CPU is busy doing other things.

If you can't trust your professors to follow *reasonable* instructions about the protection of personal data without the nonsense of installing software on everyone's boxes, then you shouldn't trust them to work for you.

Re:What does "computers of university employees" m (1)

bigstrat2003 (1058574) | more than 3 years ago | (#33914710)

And that "I know better" attitude is precisely why the university is going to be putting this program in place. To say nothing of the reputation damage, HIPAA violations ain't cheap. So your "this data cost money" argument falls completely flat when doing nothing can cost money as well.

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33914780)

Are you a PHD?

Re:What does "computers of university employees" m (1)

topham (32406) | more than 3 years ago | (#33914874)

I have 20 years of IT experience, including bringing companies into PCI compliance after a breach.

Scanning data, identifying what it contains and locking it down are not difficult tasks. 99% of the data scanned is unlikely to trip false positives and is a complete non-issue. The remaining data can be quickly categorized as likely, or unlikely to be relevant with an appropriate perusal. The remaining data, actual non-compliant data, will consume the most time in dealing with properly.

The first step is to identify who has data that actually meets the qualifications and which has to be dealt with. If you simply ask you -WILL- be lied to.

Re:What does "computers of university employees" m (1)

Lehk228 (705449) | more than 3 years ago | (#33914914)

so what you are saying is that i need to be storing socials as integers rather than strings, so they don't look like socials?

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33915066)

I just facepalmed at this, and then again when I realized it is probably happening. Hurray for obscurity.

Re:What does "computers of university employees" m (2, Informative)

fluffy99 (870997) | more than 3 years ago | (#33915274)

so what you are saying is that i need to be storing socials as integers rather than strings, so they don't look like socials?

No it means you need to be storing the data in an encrypted file/folder. Believe it or not, doing it right is sometimes easier than trying to hide what is arguably illegal activity.

Re:What does "computers of university employees" m (1)

Entropius (188861) | more than 3 years ago | (#33915714)

Why does anyone ever need to store the SSN's of students, anyway?

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33915076)

I used one of these tools once that found some false positives in its own source when I ran it. Not kidding.

Re:What does "computers of university employees" m (2, Interesting)

interkin3tic (1469267) | more than 3 years ago | (#33914890)

b) Sign this waiver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.

Unless he then shoves the waiver up the manager of the IT department's nose, that waiver won't do anything, the IT department will refer him to a secretary who will refer him to some policy and the committee for something or other who will meet once a year and won't discuss it with him. Universities are usually more bureaucratic and inflexible than your local DMV.

Which is why Cornell will try to scan every computer on campus, not just those ones which are likely to have student or employee information on them. Got an Apple IIe running a very old but still functional instrument? It may be more convenient to just lie to the IT department. Some are understanding, whereas others would insist you get a new computer. If you would have to spend $10k to replace the equipment, that's not really their department.

Re:What does "computers of university employees" m (1)

Surt (22457) | more than 3 years ago | (#33915056)

Well, a closed source solution could intermittently save a convenient credit card, and send it over the network to the author.

I think not (1)

Quadraginta (902985) | more than 3 years ago | (#33915450)

The only difficulty with this attitude is that it's only going to work for the Russian and Dance Departments. If you try it in Physics or Chemistry or Engineering, where a generic professor can be responsible for $1 to $2 million a year in no strings attached research overhead that goes straight into the university's hungry coffers, you will be quickly educated in the different levels of deference applied to cost centers (like IT) and profit centers (like research departments).

I might add that it's possible a place as prestigious in these fields as Cornell might be able to get away with it, because they think, not unreasonably, that for any professor pissed enough to start looking at moving they can find 10 eager replacements, but few universities further down the academic pecking order will be able to do the same.

Re:I think not (1)

topham (32406) | more than 3 years ago | (#33915488)

When you are the legal entity responsible for the data you get to draw up the rules.
And, while these types of people like to think they are above and beyond rules and regulations the equipment they use is not their personal property. Property purchased, supplied, or on the premises of such an organization is subject to the rules and regulations.

This stuff isn't a game. It's not about building pyramids, pleasing egos, or otherwise.

By the way, being responsible for a couple million dollars / year is jack-squat when you risk significant fines per record per incident; never mind revocation of said grants because of violations.

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33915786)

Being opened, or closed source doesn't make any bloody difference either.

You're obviously new here. Closed source software written by trained professionals at trusted security corporations under government scrutiny is evil, and considered insecure.

Bloated open source software, written by 52 basement dwellers who flunked out of college, and 2 Iranian intelligence officers posing as basement dwellers who flunked out of college, is considered secure.

Re:What does "computers of university employees" m (1)

BitterOak (537666) | more than 3 years ago | (#33914286)

Does this include professors?

I know a lot of scientists who would be quite annoyed if the people from the IT department (who are clueless policy-obsessed wankers at my institution) came in and wanted to search through a bunch of simulation results and LaTeX files looking for SSN's.

As someone who has worked in an academic research group, I can attest to that. If such a program were instituted at my university, myself and others in our group would probably be less than forthcoming about the number and location of computers in our group. We certainly wouldn't relish the idea of giving folks from the IT department root access to all our Unix/Linux boxes which they would probably need to perform the kind of scan they're trying to perform.

I'm guessing, however, that this measure applies to administrative computers and not academic/research. That would only make sense.

Re:What does "computers of university employees" m (1, Informative)

Anonymous Coward | more than 3 years ago | (#33914514)

I work at a university, I generally agree with your assessment. The vast majority of academic types get uncomfortable with any kind of monitoring. They do seem to accept that IT has admin rights on most things. What's great is that they refuse to accept any kind of content filtering on the campus network connection. I've also heard of professors having their connections shut down for excessive bandwidth use who raised hell because it interfered with their academic freedom. I remember one story about a professor who got shut down while streaming a video to his class, apparently that is a very good way to piss the entire academic division of the college off.

Re:What does "computers of university employees" m (1)

Entropius (188861) | more than 3 years ago | (#33915168)

Luckily the physics department I work for has our own IT guy, who knows the students and faculty and can cut through the bullshit.

Re:What does "computers of university employees" m (1)

LurkerXXX (667952) | more than 3 years ago | (#33914836)

Yes it does include professors. As a Ph.D. doing medically related research at a university, I've got some PHI data I need to include in some studies. It's encrypted and stored on secured servers. That's the way it's supposed to be. All the scanning software does is make sure you have it encrypted and not just lying around. THAT'S A GOOD THING.

Other reasons professors who aren't working with medical research need to do it: Some of our departments used to use student SSNs for a lot of things. Data tends to just accumulate over the years and most of them didn't think a thing of it. Then some desktops/laptops with that data on it got stolen. Suddenly the University found it had to send out letters to LOTS of alumni (you know, those folks they rely on for donations) telling them that their SSNs and other personal data was stolen, and they were now at risk for identity theft. Lots of those alum then said they would never donate to the university again till it was ensured that couldn't happen to them or anyone else so easily again. Hence the big push this year to secure data that should have been secured years ago.

If you worked at our university and decided to 'be less than forthcoming about the number and location of computers in your group', you would soon find yourself looking for another university to employ you.

Re:What does "computers of university employees" m (1)

Entropius (188861) | more than 3 years ago | (#33915186)

Then the correct policy is "Don't haphazardly store personal data on machines without considering what you are doing". There is no reason to barge into Dr. Smith's office, who's madly creating his slides for the conference next week while trying to babysit a supercomputer at Berkeley while fending off emails from his students, and insist in a very bureaucratic tone that you have to scan his workstation, the RAID, his other computer, his student's computer, and the two computers used to monitor various instruments (which the other students are taking data on) for SSN's.

Re:What does "computers of university employees" m (4, Interesting)

fluffy99 (870997) | more than 3 years ago | (#33915308)

Then the correct policy is "Don't haphazardly store personal data on machines without considering what you are doing". There is no reason to barge into Dr. Smith's office, who's madly creating his slides for the conference next week while trying to babysit a supercomputer at Berkeley while fending off emails from his students, and insist in a very bureaucratic tone that you have to scan his workstation, the RAID, his other computer, his student's computer, and the two computers used to monitor various instruments (which the other students are taking data on) for SSN's.

Unfortunately, Dr Smith is taking his laptop to the conference. He's much too busy to go on travel without taking all of his data with him on the laptop, such as his students' grading info (SSNs) or info on the other proprietary projects he's working on. He's too important to worry about such trivialities such as data protection policies issued by those idiots on the Board of Directors. After all drive encryption slows things down too much he hears, but in truth he doesn't know how to set it up. Of course his laptop gets stolen and now the University has to report that data was compromised. Suddenly Dr Smith is no longer an asset to the university but rather a liability.

Sorry, but anyone who has worked in IT or even law enforcement knows damn well that users will ignore written policies unless there is some level of monitoring and enforcement. Just scroll up a bit and you'll see examples of those guys posting stuff like "just store the ssn as an integer so the scripts don't find it".

Re:What does "computers of university employees" m (1)

Obfuscant (592200) | more than 3 years ago | (#33914334)

Does this include professors?

Are they employees? Do they conduct "university business"?

All employees must acknowledge their custodial responsibility for the university information on the computer(s) and associated storage they use in the conduct of university business, whether university property or personally owned. This includes:

  • The internal drives of their workstations, both laptops and desktops;
  • External drives;
  • Mobile devices such as smart phones and PDAs;
  • Portable media, such as USB flash drives, used to store or transport university data;
  • Email messages and associated attachments, including copies stored on an email server;
  • Network file spaces assigned for individual use, such as roaming profiles and personal folders on file servers.

I have, in the past, used my desktop system to order things from suppliers. That is clearly "doing university business". Sometimes I save mail messages on my file servers. I sometimes plug a USB stick into one of them. I have about two dozen USB sticks.

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33914458)

What's bad is when a university exposes one's SSN when simply logging into one's e-mail. I mean, the way e-mail is accessed, you can see one's entire SSN on one of the webpages. So, if someone somehow gets your university's e-mail address password, they have your SSN too.

Re:What does "computers of university employees" m (3, Interesting)

TimHunter (174406) | more than 3 years ago | (#33914600)

A prominent cancer researcher at UNC-Chapel Hill is fighting the demotion and pay cut she received after a computer server she oversees was hacked, exposing about 180,000 patient files.

http://www.newsobserver.com/2010/10/14/739551/unc-cancer-scientist-appeals-her.html [newsobserver.com]

What researchers need to understand (1)

Sycraft-fu (314770) | more than 3 years ago | (#33915536)

Is that while they can have sensitive data, they need to protect it. That does often mean working with the "mean 'ole IT department." I highly doubt Cornell will say "Nobody can have any private data, at all, ever." Not only would it be dumb to preclude them from getting some grants, it wouldn't work since their student records, payroll, etc will have said info. What they are probably doing is making sure that if you do have it, you secure it.

This is a real problem with some researchers. They just wanna do their own thing, they can't be bothered with things like patching their computers, having good passwords, and encryption. That all works fine... Until it doesn't, until something like this happens.

We have that problem all the time in our department. Not patient files getting exposed but researchers that don't want to play ball. They want all their grad students to have administrative access to all systems. They don't want to run a virus scanner because it is "slow." They don't want to patch their system because they can't have them "rebooting all the time." More or less they are just being lazy and arrogant and thus refusing to take any security precautions. This does, of course, lead to systems getting virused. Now given our line of work (engineering) this has thus far not been a major issue. However if there was personal data on a system, it would be.

So that is the kind of thing that schools are getting proactive about. They are saying "If you have sensitive data on your system you WILL meet some standards, you can't just do whatever you want."

This kind of shit has to happen. While an academic environment demands freedoms that a corporate environment doesn't have, that doesn't mean it can be the wild west, not anymore. The Internet is a dangerous place, so you have to take precautions with computers connected to it. Not a ton, nothing real arduous, you just have to be careful. When it comes to sensitive data, additional precautions need to be taken.

Re:What does "computers of university employees" m (1)

hoytak (1148181) | more than 3 years ago | (#33914788)

"Why the $#%$ is the 834,734,123,233rd digit of pi wrong in my code?"

Then 6 weeks of debugging by a grad student...

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33915330)

Don't be an idiot. They'll scan and report. You'd get an email listing files that contain numbers that look like SSNs, credit card info etc. As someone who recently ran such a scan (using Spider) on corporate file servers I can confirm that the effort of following up on the false positives would have killed me. So I discussed the process with the users first - and agreed that they'll investigate the scan results. That way they manage their own data.

Re:What does "computers of university employees" m (0)

Anonymous Coward | more than 3 years ago | (#33915564)

I really doubt they would bother the professors with this. I am a student at Cornell and I really doubt anyone in the physics group I work for would want to take the time to run a scan. The article didn't mention that faculty here don't have access to much personal data, my major advisor can not even access my grades, so there isn't much to worry about from them. The thing I worry about is other staff members downloading the data to their personal computer on an unencrypted drive then losing it. All of our data is stored on a server and managed through PeopleSoft (yuck) so there is no reason for any of them to have a local copy of anything. The only users that use the data that heavily have extremely fast connections to the servers so having to do everything remotely doesn't really add that much latency.

Our IT department is actually pretty good which has always made me wonder why it's taken so long to implement something like this. Scanning every university computer across campus is a large task but they have had the infrastructure for doing that for a long time. They do stuff like this regularly to several thousand university computers when deploying updates across several different platforms (win7, XP, OSX, and Ubuntu mainly).

Re:What does "computers of university employees" m (1)

Entropius (188861) | more than 3 years ago | (#33915694)

re: PeopleSoft:

I'm at University of Arizona. We switched to PeopleSoft this summer, at the cost of $60 million or so (which we can't afford at all -- maybe you have read about our crazy governor?).

Semester starts, grad students don't get paid (sometimes) for a month, grad students get bills for tuition we're not supposed to and get charged late fees, secretaries can't do their jobs helping students ... TOTAL NIGHTMARE, and everyone blames it on this PeopleSoft thing.

Re:What does "computers of university employees" m (1)

pthreadunixman (1370403) | more than 3 years ago | (#33915836)

That's nothing. California spent $650 million switching the CSU system over to PeopleSoft.

We'll get right on that. (2, Funny)

blair1q (305137) | more than 3 years ago | (#33914238)

We'll get on that, just as soon as our Y2K-bug vulnerability scan is done running.

Government, Corporate, and Institutional scanning. (0, Troll)

upuv (1201447) | more than 3 years ago | (#33914242)

I'm 100% for this. Personal computers account for very little in data losses. It's these "work" machines that account for the majority of the major information losses around the world.

As long as people are dumb / lazy enough to keep documents in the clear on their machines there will be losses.

I would also go as far as to make certain quantities of types of information on a machine illegal as well. For example: 1,000 SSN's, stored on a portable data device un-encrypted is a fine of $10,000. 100,000 SSN's stored on a portable data device un-encrypted is jail time.

The other half... (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#33914262)

It sounds like they are looking to catch accidental leaks.
I would like to know if they have examined their policies to reduce over-collection of unnecessary data.
If they never collect it in the first place, then they never have to worry about losing control of it later on.

Re:The other half... (1)

fluffy99 (870997) | more than 3 years ago | (#33914658)

It sounds like they are looking to catch accidental leaks.
I would like to know if they have examined their policies to reduce over-collection of unnecessary data.
If they never collect it in the first place, then they never have to worry about losing control of it later on.

Most leaks aren't accidental. It's laptops which never should have had the data saved locally getting stolen, or systems getting hacked into. First step is understanding where the data is, the second step is removing it from where it shouldn't be, and third providing adequate protection for the areas it must remain (ie encryption).

You have an excellent point about it being overcollected in the first place. Technically the way most institutions use SSNs isn't legal anyway. In the US it's only legal to use it for taxation purposes, so businesses claim they need it to file some tax paperwork. Of course then using it as your primary ID is retarded.

Re:The other half... (0)

Anonymous Coward | more than 3 years ago | (#33915692)

They have (at least somewhat). A few years ago we had scans run on all our Cornell-owned computers to make sure that we didn't have SSNs etc. lying around and we get regular notices about this stuff. The problem is the necessary data, but fortunately most of that admin stuff (payroll, expenses, etc.) is server-based. And most schools, including Cornell, stopped using SSNs as IDs long ago.

Cautionary Tale: Rat Penis Data (3, Funny)

seebs (15766) | more than 3 years ago | (#33914314)

http://www.langston.com/Fun_People/1994/1994AXP.html [langston.com]

Excerpt:

And the war continued, with progressively more redundant copies using
progressively more of the disk farm, and the encryption methods evolving
under the selection pressure of the system administrators' decryption
efforts.

DBAN (0, Offtopic)

tverbeek (457094) | more than 3 years ago | (#33914316)

Have they tried DBAN [dban.org] ?

Re:DBAN (0)

Anonymous Coward | more than 3 years ago | (#33914670)

They aren't talking about wiping data off end of life machines. They are talking about desktops and laptops that people are actively using and could have identifiable information on them.

I have looked into this myself at my university. (Actually I have been to a few nercomp events that Cornell has spoken at). The last time I did work related to finding SSNs and CC numbers I found way too many false positives. There was also disagreement on who would actually be responsible for searching for this sensitive data.

DBAN is a great tool for wiping drives, but it's not good for this situation.

Re:DBAN (1, Funny)

Anonymous Coward | more than 3 years ago | (#33914724)

That being said DBAN is the right tool for the job all the time. I need to remove a folder.. I'll just dban the whole disk. The folder is now gone... Problem solved.

Re:DBAN (0)

Anonymous Coward | more than 3 years ago | (#33915190)

methinks he was joking

I hear fdisk works well (1)

davidwr (791652) | more than 3 years ago | (#33914326)

DD is open source though, and it's hard to beat erasure-by-thermite for entertainment value.

Re:I hear fdisk works well (1)

Lehk228 (705449) | more than 3 years ago | (#33914918)

dban is easier and faster

That sounds much easier than (0)

Anonymous Coward | more than 3 years ago | (#33914332)

encrypting the hard drive!

Please FWD: (1)

dasdrewid (653176) | more than 3 years ago | (#33914368)

To Rice U.: http://www.media.rice.edu/media/NewsBot.asp?MODE=VIEW&ID=14734 [rice.edu]

Seriously. Has no one ever heard of encryption? Or just not allowing people to copy personal data onto computers/media not behind at least 1 locked door?

Re:Please FWD: (1)

Lord Ender (156273) | more than 3 years ago | (#33915114)

Disk encryption has some serious usability and productivity issues. Specifically: to have even 128 bits of encryption, you must have a twenty-character completely random password. And performance will be hurt with it--ALL data must travel through the CPU. There's no DMA with encryption.

Re:Please FWD: (1)

michaelok (1892648) | more than 3 years ago | (#33915282)

Sure, of course that's a disadvantage and you would only want to encrypt when you need to. Although there are solutions, I believe IBM has a hardware solution for DB2 on the mainframe called "Crypto Express", so they are able to offload the number crunching.

Encrypt active machines, secure wipe disposals. (1)

Zaphod-AVA (471116) | more than 3 years ago | (#33914386)

Constantly scanning every machine for sensitive data is too difficult to be effective.

Simply encrypt active machines, and use secure erase/destruction policies for retired hard drives.

Re:Encrypt active machines, secure wipe disposals. (1)

bpsbr_ernie (1121681) | more than 3 years ago | (#33914556)

It's a university, they need to over engineer it, someone's thesis probably depends on it. :)

Re:Encrypt active machines, secure wipe disposals. (1)

cbhacking (979169) | more than 3 years ago | (#33914570)

Seriously. There are a couple of full-volume encryption options available right now, Windows (Vista and up) even has a built-in one. Lacking that, encrypt individual files (all versions of Windows since 2000) or use an encrypted folder or volume image created using any number of third-party options.

At some businesses, especially ones handling sensitive data, having unsecured sensitive data (present in clear text on a removable device, including a laptop) is grounds for termination. I don't think a university needs to go quite that far, but there's no excuse for not having *some* serious data protection requirement.

Re:Encrypt active machines, secure wipe disposals. (0)

Anonymous Coward | more than 3 years ago | (#33914674)

Lacking that, encrypt individual files (all versions of Windows since 2000) or use an encrypted folder or volume image created using any number of third-party options.

As far as I know only the "Professional" versions of Windows XP, Vista and Windows 7 have built in file and file system encryption. So if you're using the "Home" versions of these Windows OS's third party encryption is your only option.

TrueCrypt (0)

Anonymous Coward | more than 3 years ago | (#33914398)

Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer

Are they going to at least FUCKING ENCRYPT the laptops now?

Then again, the more SSNs leak, the more likely people are to get pissed off enough to convince the Govt/Banks/etc not to use the SSN as both a username AND password.

Ohio State University (5, Informative)

Anonymous Coward | more than 3 years ago | (#33914482)

Ohio State relies on their institutional data policy [osu.edu] and Disclosure or Exposure of Personal Information policy [osu.edu] . Essentially, any protected information has to be kept on encrypted devices. That worked fairly well, except once they had all their computers encrypted they quit paying the license fees to PGP. They didn't know the software, which they thought was only pre-boot authentication, phoned home and had a DRM time-bomb in it to automatically drop everything Windows was doing, and spend a couple hours decrypting the whole drive after a certain date if the subscription wasn't renewed. I'd be pretty wary of trusting that kind of task to proprietary software, especially if it requires a subscription like ours did. Posted AC for obvious reasons. If it's closed source, you never know what kind of trick the vendor might be able to pull on you.

Re:Ohio State University (0)

Anonymous Coward | more than 3 years ago | (#33915354)

If it's closed source, you never know what kind of trick the vendor might be able to pull on you.

As much as I think the open source GPG would have been better, in this case, I think the problem happened in three steps.

1) You rented software
2) You stopped paying the rent
3) You were surprised that the software had a way to deal with unlicensed users

What else did you think PGP was going to do, lock you out of your data until you paid up? If the license fees were high enough that the "savings" of not paying them was significant for you, then the loss of income from PGP's perspective was too high to just ignore.

Re:Ohio State University (-1)

Anonymous Coward | more than 3 years ago | (#33915544)

I agree, but the point I was trying to make is that in security software there is no back door. The drives were already encrypted. If PGP can remotely shut us down for non-payment, then they can shut us down for any other reason they feel like, and (legal issues aside) we'd be at their mercy. Imagine if your firewall vendor had the arbitrary ability to remotely open you up to the net; once they decide they don't like your political agenda, they get a government request, their company's network was compromised, or someone else discovers a way to exploit this backdoor. We had (falsely) assumed that PGP, being a reputable security company, wouldn't put anything like that in their software. The way I understand it, is we figured on the premise this wasn't snake-oil, we didn't have any reason to keep paying PGP; if a program were truly secure then even the vendor wouldn't be able to crack it open, and I'm not defending OSU, but we felt like if we quit paying their subscription they couldn't do anything about it; they already performed their service. Was it a case of DRM doing its job exactly as intended? Sure. While the outcome here is kind of a case of karma biting OSU in the butt, I believe installing that kind of backdoor in any security product, not just computer software, is shady. If the software is open source, that kind of trick won't fly.

Nuke them from orbit (0)

Anonymous Coward | more than 3 years ago | (#33914490)

Whole disk encryption.

"Nuke them from orbit, it's the only way to be sure"

Not that bad (1, Informative)

Anonymous Coward | more than 3 years ago | (#33914566)

We did this where I work recently, small-ish private university, lots of science, a hospital, etc. All the faculty and staff had to run IDF. The tech guys came in and installed it and showed everyone how to run it but weren't allowed to see it being run. The person was required to run it and sort through the results themselves. All of my department ran it fine, no problems, no complaints, other than spending time sorting results. It really wasn't that big a deal.

So... (2, Informative)

Datamonstar (845886) | more than 3 years ago | (#33914610)

All I have to do now is infect the (probably windows-based) servers that host the scanning software and scan the memory for patterns resembling SSN#'s, etc. and make off with potentially an entire university's personal information? I say memory, 'cause I know no one would be dumb enough to search for that sort of sensitive information and then actually just log it into a centralized location for no reason. Right? Right?

Re:So... (1)

michaelok (1892648) | more than 3 years ago | (#33915264)

Good thinking. Indeed that is an issue, so of course one needs to have equally good controls around scanning software, and logs, etc. Check out the ISO standard [wikipedia.org] , or similar, for more details.

Why not do it right? (0)

Anonymous Coward | more than 3 years ago | (#33914632)

As a consultant in the data warehousing & financial services industry, I have to deal with data security on a daily basis and scanning is not the solution. You'll never catch everything 100% of the time. Nor do scanners typically scan in real time and typically can't as the data needs to reside on the local disk till it's processed. What should be happening is that certain data sets should be classified at defined security levels. Depending on the security level, users who require access should be provided with the appropriate "Controls" to secure the data from unforeseen events. "Controls" mostly meaning encryption which usually equates to some type of whole disk encryption. There's plenty of software packages out there that provide anything from single laptop installations to controlling enterprise wide deployments with very acceptable price points (including free). I've worked with several of these and they hardly add any more complexity to the end user's experience or performance loss. For those environments that are sensitive to performance and can't have a layer of software encryption, "Controls" are usually physically constructed which requires secured data centers and such and one should ask why it would need to be on a laptop in the first place.

TrueCrypt is your friend! (2, Informative)

ad454 (325846) | more than 3 years ago | (#33914642)

Although it is good to make sure that any computer does not have any unnecessary personal/private data, and also good to have searching software that might help locate some or most of it, it is unrealistic to expect to be able to ensure that such data will be kept off all computers, especially when there might be some situations where there is a legitimate need to have access to such data offline.

The best solution is to use whole disk encryption with the free open-source TrueCrypt software.

Although it is a shame that TrueCrypt does not support whole disk encryption on the Mac yet. At least there are some less trustworthy closed options like PGP Whole Disk Encryption, which would be better than nothing.

Silly issue here... (0)

Anonymous Coward | more than 3 years ago | (#33914686)

(should I trust closed source software to do this?)

Cornell is a large enough entity to request an audit of the software used, including a source audit. If they want to say as a condition of using the contract, that they get to do so, it would be an acceptable term.

Whether or not they are qualified to conduct such an audit, well, that's another story.

But if they want to do it, they can...or they'll take their money elsewhere, and well, nobody's going to want that.

I do think they should conduct such an audit though, just like they should if the software were open source.

Might I suggest (0)

Anonymous Coward | more than 3 years ago | (#33914854)

...an alternate solution?

1) encrypt the drive
2) don't lose the damn machine

For the people who blast me on #2 ... that's what #1 is for.

Trusting closed-source software (2, Insightful)

avxo (861854) | more than 3 years ago | (#33914872)

The OP says that a practical issue is whether one should trust closed source software to do this? Because, of course, being closed source should implicitly invoke gloomy music, dark clouds and cause people to break out in a cold sweat? Seriously, enough with this bullc*** already... There's nothing inherently wrong with running closed source software, nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software. There's legitimate arguments to be made that open-source has advantages. That open-source is, somehow, more trustworthy, isn't one such argument. And it's high time we stopped peddling it as one, or accepting it as one.

Re:Trusting closed-source software (0)

Anonymous Coward | more than 3 years ago | (#33914902)

As I said, Cornell is a big enough customer they can negotiate for access to the source code if they wish to conduct an audit.

They might even be competent enough to do it properly.

Re:Trusting closed-source software (2, Insightful)

colinrichardday (768814) | more than 3 years ago | (#33915138)

nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software.

No, but it's easier to analyze source code than binaries.

I went to Cornell (0)

Anonymous Coward | more than 3 years ago | (#33914888)

Graduated in four years, never studied once, and was drunk all the time!

Just thought I'd mention that...

Re:I went to Cornell (1)

Count_Froggy (781541) | more than 3 years ago | (#33914952)

Spent all your time in Statler, huh?

Re:I went to Cornell (1)

rcb1974 (654474) | more than 3 years ago | (#33915040)

What the heck did you major in? Do you have a good job now?

Re:I went to Cornell (0)

Anonymous Coward | more than 3 years ago | (#33915112)

It's a quote from The Office. Pop Culture reference fail.

If they are really sincere about it... (0)

Anonymous Coward | more than 3 years ago | (#33914984)

why wouldn't they just wipe and rebuild everything?

Maybe I'm being dense.

wipe the hard drives anyone? (0, Flamebait)

savvysteve (1915898) | more than 3 years ago | (#33915000)

If they are so worried about it then just wipe the drives. You can purchase for a reasonable amount of money a utility that will wipe a drive to DOD spec and it couldn't possibly take any longer to do that than to run 3 or 4 different scans from various companies.

Re:wipe the hard drives anyone? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33915124)

You say that until someone who has a laptop gets it stolen.

As a member of IT at a health care based company I can tell you that the machine sitting in the cube really isn't the problem. The problem is the laptops that get stolen off site, the CDs/DVDs of data that don't get disposed of correctly and the e-mails that flow with data that should never be seen outside of the company. This is to say nothing of those who try to take the data out on purpose.

While whole disk encryption, disabled USB ports and mail filters have taken care of the lion's share of things there are still false positives that do strip otherwise harmless data from e-mail.

Largely this is infeasible. (0)

Anonymous Coward | more than 3 years ago | (#33915030)

You cannot tell SSN from any number (pretty much; there are 2 or 3 prefixes (e.g. 666) that are not used) from 001000000 to about 778000000 since there is not so much as a parity bit in there. Even if you look for nnn-nn-nnnn, you get some false positives. I have seen scripts that attempt this, but they wind up flooding you with other strings (zip+4 strings being common cases). If you find labels like "SSN" near the patterns you do somewhat better but looking for that may miss lots of cases.
Credit/debit card numbers and bank routing numbers have construction rules that allow one to tell they follow the rules, but it works a LOT better if you limit yourself to actual BIN numbers (1st 6 digits) that some bank uses. Many are unused and unassigned.
You can look for, say, the most common first and last names and state abbreviations near zip codes and get some likelihood that there is a name or address there, but these things give candidates. Nobody should be punished for that. Besides, that kind of thing is present in much innocent correspondence. (Same goes for real cc numbers if in ones or twos. Correspondence about problems with an account typically contains the account number, sometimes has to for legal reasons. (Affidavits.))
Finding bank account numbers will in practice have to look for routing numbers (1st 9 digits) rather than the last, since the last part varies widely and does not have fixed format.

The biggest problem is that there are formats (.ppt for example) that contain lots of long numeric strings. If they are scanned it is very easy to find "interesting" patterns in plenty in them, even though you can see looking at the actual data that this is just chance matching. Many "cc" strings will happen to get the Luhn check digit right.
If you are willing to contact the Social Security Admin to see if a 9 digit string is a real SSN, that gets slow and costly, and the number space STILL overlaps zip+4 and many other pieces of strings. SSN is hopeless (and should never be an authenticator anyway; at best it might be treated as an identifier only). Card numbers, if recognized only by being numeric and having check digit, will still give many false positives.
Also anything trying to parse MS Office formats may well miss data that is hidden in the file but that doesn't show up from the utility. Word and Excel are notorious about not really expunging information that was "deleted", yet the data can still be there big as life when you examine the file as a byte string. Other Office formats have similar behavior at times.

Thus while scans for this kind of thing can be used to ask questions, they should not be taken as definitive that something "contraband" is actually present.
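The false positives described in the comment above can be reproduced with a small scanner. This is an added example, not part of the original comment and not the code of Find_SSN, Spider or Identity Finder; the sample lines are constructed, the structural SSN rules used (area 000, 666 and 9xx, group 00 and serial 0000 are never issued) are an assumption added here, and BIN filtering is left out because no BIN list appears on the page.

```python
import re

# Patterns of the kind the comment describes: dashed nnn-nn-nnnn, a bare
# 9-digit run, and a 13-19 digit run (spaces/dashes allowed) for card numbers.
SSN_DASHED = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
SSN_BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
CARD = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_LABEL = re.compile(r"\b(?:ssn|social security)\b", re.IGNORECASE)

# Constructed sample input (no real records).
SAMPLE = "\n".join([
    "Payroll export: SSN 123-45-6789",    # labelled, real-looking hit
    "Ship to: Ithaca NY 148530001",       # ZIP+4 written without the hyphen
    "Part no. 219-09-9999 rev B",         # part number shaped like an SSN
    "Invoice ref 666-12-3456",            # area 666 is never issued
    "Card on file 4111 1111 1111 1111",   # widely used test card number
    "slide object id 2010101400033916",   # arbitrary id that passes Luhn
])


def ssn_plausible(area, group, serial):
    """Structural check only: SSNs carry no check digit at all."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def passing_check_digits(prefix):
    """Final digits that make prefix + digit pass Luhn (always exactly one)."""
    return [d for d in range(10) if luhn_ok(prefix + str(d))]


def scan(text):
    """Return (line_no, kind, value, note) candidates, never verdicts."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        labelled = "labelled" if SSN_LABEL.search(line) else "unlabelled"
        for kind, rx in (("ssn-dashed", SSN_DASHED), ("ssn-bare", SSN_BARE)):
            for m in rx.finditer(line):
                if ssn_plausible(*m.groups()):
                    hits.append((no, kind, m.group(0), labelled))
        for m in CARD.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((no, "card", digits, "luhn-only"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Only the first line is a labelled hit; the ZIP+4, the part number and the object id all survive the structural and Luhn filters, and any 15-digit prefix has exactly one final digit that passes Luhn, so roughly one in ten arbitrary 16-digit runs looks like a card number.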

Re:Largely this is infeasible. (1)

colinrichardday (768814) | more than 3 years ago | (#33915150)

The biggest problem is that there are formats (.ppt for example) that contain lots of long numeric strings. If they are scanned it is very easy to find "interesting" patterns in plenty in them,

So such scanning might discourage people from using PowerPoint? Would Edward Tufte consider this a problem?

Should you trust closed source software? (3, Insightful)

thegarbz (1787294) | more than 3 years ago | (#33915092)

Should you trust closed source software to do this scan?
Should you trust the bank managing your transactions?
Should you trust closed source software in medical equipment?
Should you trust SAP to manage your financial transactions?
Should you trust a Windows computer for anything more important than your gmail password?
Should you trust Google Chrome when logging into your netbanking?

You know what? I think on the grand scheme of things trusting a piece of closed source software specifically designed to search for information made by a company which would literally be sued into oblivion if they did what the article was hinting at, ranks pretty damn low on the list of things I worry about.

open source is less secure (1)

ldcroberts (747178) | more than 3 years ago | (#33915220)

too easy for someone to get the source and "tweak" it before compiling. Most problems happen on the "inside" - a rogue sys-admin could do anything with open source - no-one is going to be able to prove the binary doesn't match the source or who changed it

They could have just used a crawler... (0)

MrCrassic (994046) | more than 3 years ago | (#33915236)

Something like a Google Search Appliance would have probably taken care of this with much more of a guarantee, though I'm sure the boys at Cornell looked into that.

Re:They could have just used a crawler... (1)

brusk (135896) | more than 3 years ago | (#33915702)

Huh? How could you crawl thousands of laptops and desktops that are not exposed as servers? That's the main thing they're worried about.

Waste of Time (0)

Anonymous Coward | more than 3 years ago | (#33915242)

Why bother? First of all, if a laptop is lost, how would you scan it for anything? Regardless, the best and just about only way to be certain that there isn't a problem is to remove the hard drive and sand it down.

Why is this news? (0)

Anonymous Coward | more than 3 years ago | (#33915294)

My employer (you'll see who in a minute, which is why this is anonymous...) has this exact same policy, informally in 2008 and formalized in 2009.

from http://rules-saps.tamu.edu/PDFs/29.01.99.M1.29.pdf [tamu.edu] :
"4.3 Where feasible, all data files are to be scanned on an annual basis to determine if those files contain SSNs. If SSNs are found or known to be present in a file, they are to be removed or appropriate risk mitigation measures applied (e.g., encryption) if their continued presence is required. The results of the file scanning and risk mitigation measures taken shall be reported during the annual ISAAC process. All SSNs that are to be retained and stored are to be reported to and approved by the Vice President and Associate Provost for Information Technology. The reporting and approval process will be in the manner indicated in the ISAAC process. Specialized information systems that cannot be scanned and are not capable of storing SSNs shall also be documented accordingly as part of the ISAAC process."

We use Identity Finder and Spider to scan. I can honestly say I'm impressed with the accuracy of Identity Finder, and it's really easy to roll out via Group Policy in an Active Directory environment. It's also pretty easy for users to scan their own personal drive space (both local profile and network shares), and for the admin to see everything in a unified console. Spider, on the other hand, for *nix and Mac systems is a pain in the rear, requiring customized regexes to prevent false positives.

As far as those people saying they'll just lie about it? If you have a computer on the network here, there is a record of it. Each device with an IP is assigned an owner and that owner, or their supervisor depending on the department, is responsible for complying with all university policies regarding IT services and data security. There is an annual IT security audit that is required for every system on the network (Texas Administrative Code section 202 plays a large part in that), and the person responsible for filling it out *and* their supervisor are required to sign it verifying that they comply with all the policies and procedures in effect. In other words, it's state law. There is no "academic freedoms" being violated in requiring a scan for confidential or privileged information which the user is not supposed to have stored on their computer in the first place.

There's a pretty easy solution for people who lie about systems or try to hide things. There is much less security risk if the computers in question no longer have network connectivity.

campus IT (0)

Anonymous Coward | more than 3 years ago | (#33915388)

main campus IT can burn in hell. Bunch of incompetent power hungry monkeys. Always instituting some stupid rule. Ugh I loathe any new restrictions. Now departmental IT. Those guys are cool.

Tenured Faculty are a waste!!! (1)

Anonymous Coward | more than 3 years ago | (#33915696)

Look, coming from Penn State University. They are already 5 years behind. Faculty do not care who is working as IT, I have had to force people like Dr Bader from PSU Hazleton to abide by computer policy for SSN. Did he care? NO!!!. Faculty ignore it until the DOD claims it at a customs inspection and the only thing people hear is "woops, faculty member lost laptop buy new one now". Too many family and students put too much power into faculty since staff cannot control anyone with tenure. Tenure track still rules at a University so I wouldn't also be surprised if staff and faculty that are not tenured seem to be the biggest offenders and the dumbest about it. Why is it parents trust tenured faculty and do not question their ability to understand confidential information? O wait their "ANY" University does not tell them these exceptions that tenured faculty have.
