University of Chicago, 24,000+ SSNs, Unsecured File server

The action is motivated by the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site. He had pointed this out last November, at which time all of the several dozen files were believed to have been moved to more secure networks. Last week, however, the same web developer found that several of the files were found to be still on the server.

“These files have now all been moved to secure locations, and we also feel confident that the information in these files was not misused,” said Bob Bartlett, Director of Network Based Services for Networking Services and Information Technologies.

From University of Chicago, via Slashdot.
[Update: Thanks to DM for a pointer to the Chicago Maroon story, “Private records discovered on server,” which says it affects all alumni from 1990-2002, and all students enrolled in autumn quarter, 2002. DM also says there are roughly 1,000 students admitted each year, and 8,000 grad students at a given time, for a roughly estimated total of 24,000 or more.]

Those Who Forget History

Some folks calling themselves “American Rhetoric” have put up a page entitled “Top 100 Speeches.” On further examination of the site, it’s

the 100 most significant American political speeches of the 20th century, according to a list compiled by Professors Stephen E. Lucas and Martin J. Medhurst. Dr. Lucas is Evjue-Bascom Professor in the Humanities and Professor of Communication Arts at the University of Wisconsin at Madison. Dr. Medhurst is Distinguished Professor of Rhetoric and Communication at Baylor University (Texas). 137 leading scholars of American public address were asked to recommend speeches on the basis of social and political impact, and rhetorical artistry.

But the headline on the page says “Top 100,” which is certainly misleading. It’s an interesting list. (Via Todd Zywicki at Volokh, who also refers to it as a top 100, rather than a top 100 of the 20th century.)


Over at “Statistical Modelling,” Sam discusses “Sabermetricians vs. Gut-metricians:”

There’s a little debate going on in baseball right now about whether decisions should be made using statistics (a sabermetrician is a person who studies baseball statistics) or instincts. Two books are widely considered illustrative of the two sides of the debate. Moneyball, by Michael Lewis, is about the Oakland A’s and their general manager Billy Beane. Beane, with the second-lowest payroll in baseball in 2002, set out to put together an affordable team of undervalued players, using a lot of scouting and statistics. Three nights in August, by Buzz Bissinger, is about St. Louis Cardinals’ manager Tony La Russa, and is seen by some as a counter to Moneyball, with La Russa relying much more on guts when making decisions.

There are two problems with this. One is that the distinction just isn’t that sharp: Billy Beane also makes some gut-based decisions, and Tony La Russa looks at statistics.

At this point, it’s not clear to me if Sam has read the book (which I enjoyed thoroughly.) One of Lewis’ main points in Moneyball is that baseball statistics measure a set of things which were of interest when they started recording stats. They measured things that were “obviously” important, like how many times a player hit the ball, and how many times they made mistakes.

There is great danger in measuring things because they’re easy to measure, and not validating that they are either causative or correlated with what you want to measure.

Sabermetrics is an attempt to find things which correlate with teams winning games, and to measure those things.

For example, “saves” by pitchers are highly overrated. Beane noticed this, and used it to improve the sale value of pitchers he didn’t want. Batting average is overrated, because there are two ways to get on base: To get a hit, and to walk. A player who walks often is worth more than one who walks back to the dugout. Errors are a completely subjective measure of “Did that player make a play that I think he could have made?” And they don’t correlate with wins or losses.

Another important point is that, in contrast to Sam’s assertion, there is time to regress baseball games. You can’t do it in real time, but there are very, very few unique situations in baseball. You can run all the stats you want on a compute farm, and then see if the numbers change over the course of a season. “Go for the steal?” Well, no. Steals produce too many outs, and not enough runs. It may be exciting, but it won’t win you the game.

(Thanks to Nat Gertler for reverse engineering Amazon’s image engine, and sharing his knowledge in “Abusing Amazon Images.”)

Small Bits of Chaos: Continuity, Texas, Stealth Bomber

  • Todd Seavey has a well-written and entertaining long article on continuity in long series. I’ll leave the continuity error as an exercise for readers.

    In fact, so many necessary plot details of Episode III are already known that the ticket-selling site already has a lengthy summary of the film on its site, as if it had already come out and we all knew with encyclopedic certainty what it would contain. And indeed, barring a final, complete mental breakdown on Lucas’s part, we are reasonably assured that the film will not simply be a tangential, three-hour-long musical about Chewbacca (perversely, one can’t help thinking that it would still make hundreds of millions of dollars even if it were)

  • A new law in Texas (SB 99, signed May 20th) forbids denial of credit to ID theft victims. It’s not clear if you can be charged an excessively high rate; I suspect the bankers will have a field day evading this one.

    And to play devil’s advocate, once your ID has been stolen, are you more likely to have it stolen again? Do you even want people extending credit that you’re going to have to clean up? The current credit system is broken; we need a serious re-think.

  • In the darn, they’re good, category, Google Maps maps a stealth bomber. (Isn’t that impossible?) Via Outer-Court

Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

  • Hal Stern has a blog! Hi, Hal!
  • Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There’s some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up.
  • The BBC has an article on British reactions to ID cards:

    A German diplomat told me: “Nobody thinks about it, nobody questions it… if you’re in trouble, you just show it… we don’t mind giving information if it’s necessary.”

    the independent Information Commissioner, Richard Thomas…said the phenomenon had “a strong continental European flavour”, citing the example of communist east Europe and fascist Spain in the 20th century.

    What is clear, though, is that for Tony Blair the introduction of identity cards is a key part of establishing his political legacy before he steps down as prime minister. Cynics might say that is the real business requirement.

  • The Counterterrorism Blog has a fascinating post on “BOLTON AND THE ART OF COOKING INTELLIGENCE:”

    No one really appreciates what Bolton tried to do to the NIO for Latin America (NIO/LA). I have been privileged to know the NIO/LA for almost 19 years. He was my predecessor as the Honduran analyst and helped me learn the ropes and set the standard for doing good analysis. He is one of the best and brightest within the analytical community. Yet he has been vilified by some. I never cease to be amazed that a man like the NIO/LA, who started off in Washington working for Republican Congressman can be vilified by Republicans as some sort of liberal, Democratic activist.

Valdosta State University (Georgia), 40,000 SSNs, hacker

The Associated Press reports “Identity theft risk widens at Valdosta State:”

VALDOSTA — A computer identity breach at Valdosta State University has widened, with authorities now saying up to 40,000 people could have had their Social Security numbers accessed by a computer hacker last week.

The breach was larger than originally thought, said school spokesman Joe Newton.

The computer server contained information on VSU 1Cards, which are combination identification and debit cards that could be used to buy food or books on campus or check out library materials.

Those at risk are all students since 1997, current employees and those who left from 1997 to 1999, Newton said.

The University has a press release, and a “fraud concern” page, which links to a lookup page:

Use this form to determine whether or not your identification number was potentially exposed during the incident of unauthorized access to 1Card Services which occurred on May 17, 2005. When you enter your VSU ID number or Social Security number the form will lookup your number and respond to inform you whether or not your identification number was potentially exposed.

Will they never learn? Could they not do lookup by name?

(Via the new Identity Theft Blog.)

676,000 Victims

I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio Lembo, Jr and his associates. (So far; I see no reason to expect that more won’t come out. In fact, if this grows like Lexis-Nexis did, it would seem reasonable to assume that sufficient personal information to commit identity theft fraud-by-impersonation against most of the population of New Jersey is in the hands of a crime ring.)

If it grows like that or not, the trickle of breach announcements that started with Choicepoint has grown to a stream. Soon, it will be a deluge, and it will change many things.

First, it will change the way credit is granted. Today, with a name and social security number, I may be able to get credit. If I add to that an address, phone number, or date of birth, I’m set. Some enterprising lawyer is going to look at the number of news articles around the fraud, the number of people whose personal information has leaked, and find a court that will agree that using only data that’s been leaked like that is careless, and that the costs need to be shifted from the consumer onto the bank.

What will replace it will likely be a scoring based system, based on odds that you are you. Some people will suggest that a national ID card would help here, but they’re wrong. Any single factor that is used to loan money will be attacked, because that’s where the money is.

Secondly, such a change will put the banks between the liability rock and the money-laundering hard place. Banks are required by a raft of laws to spy on know their customers and gossip about them to the feds with a set of reports that are already burdensome:

“Under the Bank Secrecy Act, banks fill out more than 13 million cash transaction reports annually,” said Rock. “In my area, many of these reports are filed for small businesses like delis, gas stations and flower shops, which have nothing to do with potentially criminal activity. The 35-year-old rules related to cash transaction reports have lost their usefulness due to several developments, including more extensive suspicious activity reporting.”

I would expect that the banks will push to not be liable. This would be a mistake. Far better would be to stop spying on customers.

I expect that Congress will step in, but choosing a set of actions will be hard. Adjusting the availability and cost of credit is bad. Having a set of complex rules like the Financial Services Modernization Act is bad. Letting identity theft run unchecked is worse than either.

The best course of action is probably imposing liability on anyone who holds government-authenticated data on their customers; shrinking the set of organizations who need to (ideally to none); and providing a safe harbor for any organization that provides “best of class” help to victims of a breach of data that they held.

Congress being who they are, we’ll get the identity theft mitigation act of 2005, holding banks and credit agencies immune for their “well intentioned” mistakes, a federal department of repairing your credit, and longer sentences for identity thefts committed within 500 yards of a school.

[Update: I was behind on Bruce Schneier’s blog. He covers this in “Massive Data Theft,” and points out the manual nature of the process. (I’ll add, how long it must have gone on.) But more interesting (to me) is a commenter’s question: “why is it that we never hear about this sort of problem in Europe?” The answer is California’s SB 1386, requiring disclosures of such breaches. After Choicepoint flubbed their announcement of a breach in February, a new standard for disclosure has emerged.]

Stanford, 9,900 SSNs, Insecure Career Center computer

The San Jose Mercury News reports that “Computer system hacked at Stanford:”

The FBI and Stanford University are investigating how someone hacked into a computer system containing information about people looking for work through the university’s Career Development Center.

University spokesman Jack Hubbard said there was no evidence that any data had actually been acquired by the hacker, but that the university is sending letters to about 9,600 clients of the career center and about 300 company recruiters to notify them about the security breach.

The database contains clients’ names, resumes, letters of recommendation and Social Security number, but no financial, credit card, driver’s license or other governmental identification information, Stanford said. Some of the recruiter records contained a credit card number, but no other confidential information.

Stanford has an FAQ, and a statement claiming that they’re preparing to be sued
exercising an “abundance of caution [in] providing written notice.”

No word on if the database designer who decided to insist on SSNs at the career center is now arguing with the unemployment people about their demand for an SSN…

Don’t Be So Proud Of This Technological Terror You’ve Created

The New York Times reports on the “Customs-Trade Partnership Against Terrorism” in “U.S. Effort to Secure Foreign Ports Is Faulted:”

The Department of Homeland Security’s effort to extend its antiterrorism campaign overseas by enlisting help from importers and foreign ports has been so flawed that the program may have made it easier at times to smuggle unconventional weapons into the United States, Congressional officials say.

Until last month, importers enrolled in the Customs incentives program – known as the Customs-Trade Partnership Against Terrorism – were automatically designated as a lower risk. Containers shipped by them are inspected once every 306 times, instead of once every 47 times, Customs officials said, permitting faster movement of goods to warehouses owned by Wal-Mart, Home Depot, Lowe’s and other companies.

About 9,000 applications from importers have been submitted so far. But of the 5,000 that have been accepted, Customs officials have only verified that 597 companies were taking the required measures. Those include such steps as putting up fencing around manufacturing plants and watching over loaded containers as they move from the factory to the ship, Mr. Owen said.

We have long had a government culture in which confidence is valued over evidence. (Can you say “It’s a slam-dunk?”) But when you combine this with security, a perceived need for secrecy around security measures, and a lack of respect for those who question or doubt (“Not a team player”), we end up with the United States being less secure than we could or should be.

When you then add in shiny bits of technology that are designed to solve our problems, people abdicate their responsibility to that technology. (“The computer says you haven’t paid your bill.” “The scanner didn’t find anything.”)

This is a crisis of leadership. The people who have managed these programs, who have made these decisions, and who have failed to learn the lessons of history about how these programs fail, must be held accountable.

Meanwhile, Congress is holding hearings on…steroid abuse.

Global Internet Freedom Act in House


It is the sense of Congress that the United States should…

(3) deploy, at the earliest practicable date, technologies aimed at defeating state-sponsored and state-directed Internet jamming by repressive foreign governments and the intimidation and persecution by such governments of their citizens who use the Internet.

Rebecca MacKinnon has the text and references. I have nostalgia (above, right), and hope for the future.

I Could Kill You With These Nose Hair Clippers!

Like I said, I do like rules, rules that make sense. But this is a form of institutional insanity, and someone needs to do an intervention. When a soldier in full uniform, in the company of nothing but other soldiers, is allowed to retain the bayonet for his M-16 and his M-16, yet has to give up his nose hair clippers, we’ve moved into the realm of scenarios that even the writers of Saturday Night Live would reject as way too lame.

Says the Daily Whim in “Drop Those Nose Hair Clippers, Soldier!,” quoting the Atlanta Journal Constitution, via Halfcat.

A note for the Daily Whim’s commentators: TSA employees routinely violate their own rules, and I’ve had them say to me, “If you want to speak to a supervisor, you’re going to miss your flight.”

Two On Secure Software

There’s a placeholder page at NIST for their SAMATE project (“Software Assurance Metrics and Tool Evaluation”). Interesting stuff if you wonder why it’s so hard to release secure software.

Also, Lauri@Schedler writes, in “Making correct code look good”:

Reading the article I was wondering what is the point of leaving information about safe and unsafe strings to the person reading / reviewing the written code? I mean, isn’t this kind of automatic processing exactly what computers were originally invented for? In a large software system there would be hundreds or even thousands of statements that must be manually validated for safe/unsafe compliance. Reviewing them is a lot of work. And in a large group someone is bound to forget one letter ‘u’ from their variable names, violating the entire scheme until the mistake is noticed in a review (or not).

Why leave something this important to manual inspection? After all, this kind of situation is exactly what type systems were introduced into programming languages.

Sounds good to me. Maybe the typing system could include a taint analysis, too.
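
A sketch of what that could look like, as an added example that is not from the quoted post or the article it responds to: the safe/unsafe distinction moves out of variable-name prefixes and into types, so a forgotten encoding step is a compile error rather than a review finding, and taint is tracked statically. The names `Tainted`, `Html` and `render_greeting` are hypothetical, and the sample input is constructed.

```rust
/// Raw external input. The field is private, so code outside this module
/// cannot read the string without going through `encode`.
pub struct Tainted(String);

/// Text that is safe to write into an HTML body.
pub struct Html(String);

impl Tainted {
    /// Every piece of request data enters the program through here.
    pub fn from_request(raw: &str) -> Self {
        Tainted(raw.to_string())
    }

    /// The single sanctioned conversion: entity-encode, then retype as Html.
    pub fn encode(&self) -> Html {
        let mut out = String::with_capacity(self.0.len());
        for c in self.0.chars() {
            match c {
                '&' => out.push_str("&amp;"),
                '<' => out.push_str("&lt;"),
                '>' => out.push_str("&gt;"),
                '"' => out.push_str("&quot;"),
                '\'' => out.push_str("&#39;"),
                _ => out.push(c),
            }
        }
        Html(out)
    }
}

impl Html {
    /// Only 'static strings (in practice, literals in the source) may be
    /// declared safe without encoding.
    pub fn literal(s: &'static str) -> Self {
        Html(s.to_string())
    }

    /// Safe + safe stays safe. There is no overload that accepts Tainted.
    pub fn append(mut self, other: Html) -> Html {
        self.0.push_str(&other.0);
        self
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Builds output from untrusted input; the return type forces encoding.
pub fn render_greeting(name: Tainted) -> Html {
    // Html::literal("<p>Hello, ").append(name) is rejected by the compiler:
    // expected `Html`, found `Tainted`.
    Html::literal("<p>Hello, ").append(name.encode()).append(Html::literal("</p>"))
}

fn main() {
    // Constructed sample input standing in for a request parameter.
    let page = render_greeting(Tainted::from_request("<script>alert(1)</script>"));
    println!("{}", page.as_str());
}
```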