Accellion FTA leak spreads
April 1, 2021 2:06 PM

Massive security breach reported at US universities

Security vulnerabilities in Accellion’s file transfer appliance used by a number of US schools and other customers gave hackers access to sensitive information, including Social Security numbers, which they are threatening to release unless affected institutions pay a cryptocurrency ransom.
posted by They sucked his brains out! (24 comments total) 8 users marked this as a favorite
More details from the University of Maryland.

So far, this looks to affect only 1 of the 16 institutions in the system
posted by ryanshepard at 2:23 PM on April 1, 2021


We need some sort of secure alternative to the social security number for identifying people. Maybe some sort of public/private key combination? At this point, is there anyone over the age of two that hasn't had their SSN compromised?
posted by scottatdrake at 2:31 PM on April 1, 2021 [10 favorites]


We need some sort of secure alternative to the social security number for identifying people.

B-word in 3... 2...

Or just hash the first 1000 base pairs of my DNA, that'll work too. Something locality-preserving; y'know, for the random gamma-ray-acquired mutations.
posted by supercres at 2:38 PM on April 1, 2021


Something locality-preserving

Plot twist: everyone related to each other gets the same nu-SSN.
posted by supercres at 2:43 PM on April 1, 2021 [2 favorites]


We need some sort of secure alternative to the social security number for identifying people. Maybe some sort of public/private key combination?

This particular wheel has already been pretty thoroughly invented.

Prolly want to live in an actual democracy before rolling it out though.
posted by flabdablet at 2:49 PM on April 1, 2021 [9 favorites]


I once had a job interview for a support position at Accellion. We could not come to an agreement on salary.

It's six or seven years later, I got out of tech and teach US History and World Geography at a nearby high school. Even with the massive pay cut, I still made the right choice. The people at Accellion were really nice, and it sounded (at the time) like an interesting product... but I do NOT envy them today.

Good luck, everyone!
posted by dfm500 at 2:55 PM on April 1, 2021 [4 favorites]


Anyone know if there's data from former students? Asking for, uh, basically every single person I know
posted by potrzebie at 3:16 PM on April 1, 2021 [5 favorites]


The “E-stonia Option” is a thing we could accomplish. But that would be a tool of government functioning well to accomplish government goals.

And the Republican party believes that’s an illegitimate outcome to seek, so they will prevent anything that approaches it.

A functioning government which does anything more than project military power and protect private capital/white supremacy is something the Republicans have shown themselves to be against.
posted by Pirate-Bartender-Zombie-Monkey at 3:20 PM on April 1, 2021 [5 favorites]


We need some sort of secure alternative to the social security number for identifying people.

For many years now, I have been putting down a fake SSN every time I am asked for it, with a few exceptions like banks and legally required services.
It has never once caused a problem, I am still able to be billed for services, be identified and generally participate in society.

A lot of places just ask for it because it is on the form, especially places like doctors offices, etc.

I used to just leave it blank, but explaining why I wouldn't give the dentist any more information than they actually need just got tedious, so fake number it is.

I am under no real illusion that it enhances my privacy in any meaningful way, but in general I find that providing the least amount of information possible to random entities is a good practice.

(For those wondering, I don't just make one up, I use one that the SSA will not issue.)
posted by madajb at 3:48 PM on April 1, 2021 [13 favorites]


The trail of Bitcoin addresses allegedly links all that money to online illegal drug sales tracked by FBI and Interpol. [science.org]

Is it possible to detect when a ransomed bitcoin is "cashed" or otherwise used - to determine that that bitcoin was the proceed of a ransom?

Like, marked bank notes - when the criminal tries to spend it, law enforcement can determine that it's tainted?
posted by porpoise at 4:02 PM on April 1, 2021


Like, marked bank notes - when the criminal tries to spend it, law enforcement can determine that it's tainted?


Kinda? The problem ends up being that 1 bitcoin can be subdivided into 100,000,000 pieces and recombined with others (and there are services whose entire purpose is doing this), so you end up with a question of "1 ransomed coin gets marked as tainted. It was then broken apart into 1 million people's wallets. Do you blacklist all 1 million wallets? Do something else? etc."

(this isn't to exonerate Bitcoin, designing a system such that it's an obstacle is no excuse, but for the purpose of answering the question)
posted by CrystalDave at 4:12 PM on April 1, 2021 [3 favorites]


These leaks seem to happen almost monthly. Does anything ever come of them? As in, are people’s bank accounts drained or tons of fake credit cards issued? Or has it mostly been the threat of real damages? I’m not trying to ask in a shitty way - I was just realizing I haven’t seen a major story like “Six million people declare bankruptcy after data leak at Starbucks”.
posted by double bubble at 4:16 PM on April 1, 2021 [3 favorites]


Or maybe the better question is, what are the real world consequences of these data leaks beyond threat of stolen identities?
posted by double bubble at 4:17 PM on April 1, 2021 [2 favorites]


Or maybe the better question is, what are the real world consequences of these data leaks beyond threat of stolen identities?


Depends on the data leak. When it's Home Depot or Starbucks or whatever, the credit card companies just quietly close all the credit cards affected and deal with fraudulent charges. I went through a year where I got my debit or credit card reissued every 2 or 3 months due to this nonsense.

When it's SSNs, I assume they're being sold and used for anyone who needs a fake SSN that's tied to a real name, i.e. one that will pass a basic first order check to see that it exists and the name/address/whatever matches

Other stuff? Who knows. Often passwords are obtained and those are usually tried a bajillion places to see if they work somewhere else and they probably get some hits out of that.


Re: marked bitcoin... as mentioned, it's not very hard to money launder bitcoin. Even without like splitting it up into a million pieces, you can also just turn it into cash and then back into bitcoin or something else, and how would anyone know those are the "same" bitcoin

But an interesting side effect of the fact that all bitcoin transactions are public is that if you can get ahold of the bitcoin wallet ransomers are using, then you can tabulate how often people pay and how much they pay. In the early days of ransomware there would usually just be a single address (I think the first wave of WannaCry was this way?) and so it was really easy to tell how much the attackers were making. You could also see that they were A/B testing different ransom amounts and stuff like that.

These days they tend to have many wallets, maybe even 1 wallet per target which makes it very difficult to effectively track. Still, though, researchers try to get as many of those wallets as they can and try to trace it back to upstream entities to see if they can find more wallets etc. Like most money-laundering-detection, it's something that you can do in aggregate but not individually. Like you can point to a flow of transactions and say "this correlates well with money laundering activity" but it can be harder to point at a single transaction and say "this is evidence of illicit activity"
posted by RustyBrooks at 5:23 PM on April 1, 2021 [6 favorites]
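An added example, not from anyone in this thread, of the two points CrystalDave and RustyBrooks make above: "marking" a ransomed coin is a proportional fraction that dilutes as soon as the coin is split and remixed, while payments into a known ransom address can still be tabulated from the public ledger. The transaction graph below (ids, addresses, amounts) is constructed for illustration and listed in topological order, as a chain walk would produce it; the "haircut" taint rule (each output inherits the tainted share of its transaction's total input value) is one of several rules real tracing tools use.

```python
"""Proportional ("haircut") taint propagation over a constructed UTXO graph."""
from collections import defaultdict

# Constructed sample chain: two coinbase outputs, a 2-coin ransom payment,
# then a "mixer" that combines the ransom output with clean coins and
# fans the result out to ten wallets of 1.2 coins each.
TXS = [
    {"txid": "cb1", "inputs": [], "outputs": [("victim", 10.0)]},
    {"txid": "cb2", "inputs": [], "outputs": [("bystander", 10.0)]},
    {"txid": "pay", "inputs": [("cb1", 0)],
     "outputs": [("ransom", 2.0), ("victim", 8.0)]},          # 8.0 is change
    {"txid": "mix", "inputs": [("pay", 0), ("cb2", 0)],
     "outputs": [("out%d" % i, 1.2) for i in range(10)]},      # 12.0 in, 12.0 out
]


def propagate_taint(txs, tainted_addresses):
    """Return {(txid, vout): fraction of that output's value traceable to taint}.

    An output paid directly to a tainted address is fully tainted (1.0);
    every other output inherits the tainted share of its tx's input value.
    """
    outputs = {}   # (txid, vout) -> (address, amount)
    taint = {}
    for tx in txs:
        total_in = sum(outputs[ref][1] for ref in tx["inputs"])
        tainted_in = sum(outputs[ref][1] * taint[ref] for ref in tx["inputs"])
        share = tainted_in / total_in if total_in else 0.0
        for vout, (addr, amount) in enumerate(tx["outputs"]):
            ref = (tx["txid"], vout)
            outputs[ref] = (addr, amount)
            taint[ref] = 1.0 if addr in tainted_addresses else share
    return taint


def tainted_unspent(txs, tainted_addresses):
    """Tainted coins currently held by each address (unspent outputs only)."""
    taint = propagate_taint(txs, tainted_addresses)
    spent = {ref for tx in txs for ref in tx["inputs"]}
    held = defaultdict(float)
    for tx in txs:
        for vout, (addr, amount) in enumerate(tx["outputs"]):
            ref = (tx["txid"], vout)
            if ref not in spent:
                held[addr] += amount * taint[ref]
    return dict(held)


def flag_addresses(held, threshold):
    """The blacklisting dilemma: addresses holding >= threshold tainted coins."""
    return sorted(addr for addr, value in held.items() if value >= threshold)


def payments_to(txs, address):
    """Every payment into one address: with a single ransom address this is
    the attackers' public ledger (how often people pay, and how much)."""
    return [(tx["txid"], amount)
            for tx in txs for addr, amount in tx["outputs"] if addr == address]


if __name__ == "__main__":
    held = tainted_unspent(TXS, {"ransom"})
    print("tainted coins per wallet:", held)
    print("flagged at 0.5 coin:", flag_addresses(held, 0.5))
    print("flagged at 0.1 coin:", flag_addresses(held, 0.1))
    print("payments into ransom address:", payments_to(TXS, "ransom"))
```

After the mixer, each of the ten wallets holds 0.2 tainted coins (2 of 12 input coins were ransom money, times 1.2 coins per output), and the two coins are conserved across all unspent outputs. Whether those wallets are "tainted" is entirely a threshold choice, which is the aggregate-not-individual problem RustyBrooks describes; the payment tabulation, by contrast, needs no threshold at all.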


(For those wondering, I don't just make one up, I use one that the SSN will not issue.)

Please tell me the number you use starts with 666
posted by Mr.Encyclopedia at 6:11 PM on April 1, 2021 [5 favorites]


Bitcoin delenda est.
posted by heatherlogan at 6:12 PM on April 1, 2021 [4 favorites]


The Risky Business podcast has been talking about this for some time, watching it get worse and worse.

Because it was sold as a transfer point for sensitive documents, it's like the worst possible system to abandon. :7(
posted by wenestvedt at 6:29 PM on April 1, 2021


We need some sort of secure alternative to the social security number for identifying people.
SSNs are perfectly serviceable for identifying people. What we need are strong penalties for anyone who misuses them to authenticate people. An SSN should be like your email address, safe to give to anyone who needs a unique identifier to tell you apart from everyone else with the same name.

Most of the problems would go away overnight if the regulatory framework was changed to require companies to authenticate people. The horror stories are usually along the lines of someone getting a credit card or similar because a bank negligently misused a SSN for authentication. If they had to eat the costs unless they could convince a court that they’d verified your identity (e.g. photo ID match), or if a credit reporting agency faced automatic financial penalties for false reports, the problem would evaporate.
posted by adamsc at 6:39 PM on April 1, 2021 [26 favorites]


Weaponizing the Web

Because cyberweapons are inexpensive in comparison with traditional ordnance and are available for anyone to discover, they have diminished the security advantage held by countries with outsize defense budgets. Shortly after the Stuxnet attack, for example, Iran mobilized what it claimed was the fourth-largest cyber army in the world, which then unleashed a sustained two-year assault on forty-six American banks and financial companies that shut people out of their accounts and cost those institutions millions of dollars. The hackers also breached the controls of an American dam. While it was the wrong one—the hackers apparently confused a small dam in Westchester County, New York, with a major dam in Oregon—it demonstrated the threat to essential, life-sustaining infrastructure posed by weaponized computer code.
posted by They sucked his brains out! at 8:47 PM on April 1, 2021 [2 favorites]


The follow-on thought about "weaponizing" is, e.g., this Google team called "Project Zero" ran a blog series on previously unknown security bugs* 'in the wild' where they shut down a bot network, only to have later indications that they were a Western nation's counter-terrorism bots.

*: security researchers will notify you on non-public channels with 30, 45 or 90 days to fix before they announce to the world, but with a bug already exploited to attack systems, you have zero days of notice to react.
posted by k3ninho at 1:50 AM on April 2, 2021 [1 favorite]


in general I find that providing the least amount of information possible to random entities is a good practice.

I like to amuse myself by supplying a different fake date of birth to every entity who wants mine for what I consider to be frivolous reasons. I keep track of these lies inside the same KeePass database file my passwords are in.

This way, if anyone should ever threaten me with exposure of a purported date of birth to demonstrate the success of their 1337 H4xx0r Skillz, I'll be able to look up the quoted birth date to find out who leaked it.

Everybody who demands an email address as an identifier also gets a unique variant for the same reason.
posted by flabdablet at 5:37 AM on April 2, 2021
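An added example, not flabdablet's own scheme, of the per-recipient canary idea above: each organisation that demands an e-mail address or date of birth gets a variant derived from a secret key with HMAC, so the values can be regenerated from the key alone, and a registry maps leaked values back to whoever was given them. The secret, recipients, mailbox and domain are all constructed; plus-addressing (`me+tag@domain`) assumes the mail provider delivers it.

```python
"""Per-recipient canary identifiers for leak attribution (constructed example)."""
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"constructed-demo-key-keep-in-password-manager"   # constructed
BASE_LOCAL, BASE_DOMAIN = "me", "example.com"                 # constructed mailbox


def _tag(secret, recipient, purpose):
    # Domain-separate the two derivations so an e-mail tag never equals a DOB tag.
    msg = ("%s:%s" % (purpose, recipient)).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def alias_email(secret, recipient):
    """Unique plus-address per recipient, e.g. me+1a2b3c4d@example.com."""
    return "%s+%s@%s" % (BASE_LOCAL, _tag(secret, recipient, "email")[:4].hex(), BASE_DOMAIN)


def fake_dob(secret, recipient):
    """Plausible-looking date in 1950-1999, derived (not random) so it is reproducible.
    With ~18k possible days two recipients can collide; the registry keeps the
    most recent owner, so check for collisions if attribution must be exact."""
    offset = int.from_bytes(_tag(secret, recipient, "dob")[:4], "big") % (365 * 50)
    return date(1950, 1, 1) + timedelta(days=offset)


class CanaryRegistry:
    """The 'KeePass database' half: remembers which value went to whom."""

    def __init__(self, secret):
        self.secret = secret
        self._owner = {}          # value (str) -> recipient

    def issue(self, recipient):
        email = alias_email(self.secret, recipient)
        dob = fake_dob(self.secret, recipient)
        self._owner[email] = recipient
        self._owner[dob.isoformat()] = recipient
        return email, dob

    def who_leaked(self, value):
        """Attribute a value seen in a dump or an extortion note; None if unknown.
        Note this names who you gave it to, not necessarily who lost it."""
        return self._owner.get(str(value))


if __name__ == "__main__":
    reg = CanaryRegistry(SECRET)
    for org in ("dentist", "gym", "loyalty-card"):
        print(org, reg.issue(org))
    leaked_email = alias_email(SECRET, "gym")
    print("leaked address belongs to:", reg.who_leaked(leaked_email))
```

Two caveats a practitioner would add: some recipients normalise plus-addresses away (so `me+tag@` collapses to `me@` and the canary is lost), and attribution only tells you which recipient the value was handed to, which may be a processor or backup vendor rather than the organisation itself.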


SSNs are perfectly serviceable for identifying people.

SSNs are not unique. This was a major point taught in 400-level DBMS classes in the 90's, as associate professors who did database work as their day jobs had to resolve the issue, and shared their war stories.

SSN Database Key Problems
Jon Finke, RPI, 1995
An even worse key to use is the SS number. RPI has a number of students who do not have an SS number when they enter. As a result, RPI issues them a fake number. Often these students later need to get an official SS number and RPI updates their records with the new number. From the standpoint of the student record system, this is no big deal. They update their file with the new number and go on their way. For Simon, this is trickier. A comparison is made for identical names with different SS numbers. If one is found, other checks are made to see if this is a case of duplicate names (and there are some), duplicate records (these happen too), or an actual SS number change. If it is a change, another program is run which updates the few Simon tables which actually have the SS number recorded. There are about 100 people per year who have their SS number changed.
posted by mikelieman at 7:13 AM on April 2, 2021 [2 favorites]


This is bad news for some universities already suffering from the past year.
posted by doctornemo at 7:41 AM on April 2, 2021


SSNs are perfectly serviceable for identifying people.
SSNs are not unique. This was a major point taught in 400-level DBMS classes in the 90's, as associate professors who did database work as their day jobs had to resolve the issue, and shared their war stories.
That’s not quite what the paper you cited says: there’s a separate problem that you need to have a way to handle people without SSNs and you need a change process but the thing which wasn’t unique appears to be the fake number RPI used because their system didn’t account for the first problem.

There’s a deeper misunderstanding, which is that we’re not talking about the same thing. That paper is about the wisdom of using SSNs as a database primary key, whereas I was talking about using it as an identifier. Note the example of an email address: people change those, too, and you can’t rely on it lasting for life but it’s far more unique than someone’s name, etc. A better design for this is something like a UUID database key and a related table of identifiers — that makes it easy to handle foreigners, changes, etc. because you don’t need to rewrite every record in your database and you can recognize that, say, student X arrived with Chilean ID Y but then got a green card and is now #Z to the U.S. government without having to pick only one identifier.
posted by adamsc at 7:13 AM on April 3, 2021 [2 favorites]
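An added example, not adamsc's or RPI's code, of the design described above (an opaque UUID as the primary key, external identifiers in a separate table) against the cases in the Finke note: a student who arrives with only a foreign ID and gets an SSN later, two students with the same name, and an SSN that has to be corrected. It also refuses SSNs the SSA never issues (area 000, 666 or 900-999, group 00, serial 0000, and the 987-65-4320 to 987-65-4329 advertising block), which is the kind of number madajb describes handing out. The schema, names and numbers are constructed; it uses only the standard library and an in-memory SQLite database.

```python
"""UUID-keyed person registry with a separate identifier table (constructed example)."""
import re
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE person (
    id   TEXT PRIMARY KEY,      -- UUID; never changes, never reused
    name TEXT NOT NULL          -- deliberately not unique: duplicate names are real
);
CREATE TABLE identifier (
    person_id TEXT NOT NULL REFERENCES person(id),
    scheme    TEXT NOT NULL,    -- 'ssn', 'cl_rut', 'student_no', ...
    value     TEXT NOT NULL,
    retired   INTEGER NOT NULL DEFAULT 0   -- 1 = superseded; row kept for history
);
-- One live owner per (scheme, value); retired rows never collide.
CREATE UNIQUE INDEX live_identifier ON identifier(scheme, value) WHERE retired = 0;
"""

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def is_issuable_ssn(s):
    """Structural check only: rejects numbers the SSA never assigns."""
    m = _SSN_RE.match(s)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return not (area == "987" and group == "65" and "4320" <= serial <= "4329")


def open_registry():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_person(conn, name):
    pid = str(uuid.uuid4())
    conn.execute("INSERT INTO person (id, name) VALUES (?, ?)", (pid, name))
    return pid


def add_identifier(conn, pid, scheme, value):
    """Attach an identifier; a live duplicate raises sqlite3.IntegrityError."""
    if scheme == "ssn" and not is_issuable_ssn(value):
        raise ValueError("not an issuable SSN: %s" % value)
    conn.execute("INSERT INTO identifier (person_id, scheme, value) VALUES (?, ?, ?)",
                 (pid, scheme, value))


def retire_identifier(conn, pid, scheme, value):
    conn.execute("UPDATE identifier SET retired = 1 "
                 "WHERE person_id = ? AND scheme = ? AND value = ? AND retired = 0",
                 (pid, scheme, value))


def find_person(conn, scheme, value):
    """Lookup by any live identifier. This identifies; it does not authenticate."""
    row = conn.execute("SELECT person_id FROM identifier "
                       "WHERE scheme = ? AND value = ? AND retired = 0",
                       (scheme, value)).fetchone()
    return row[0] if row else None


def identifiers_of(conn, pid):
    return [tuple(r) for r in conn.execute(
        "SELECT scheme, value FROM identifier WHERE person_id = ? AND retired = 0 "
        "ORDER BY scheme", (pid,))]


def demo():
    conn = open_registry()
    a = add_person(conn, "Alex Rivera")          # arrives with a Chilean ID, no SSN
    b = add_person(conn, "Alex Rivera")          # same name, different person
    add_identifier(conn, a, "student_no", "100001")
    add_identifier(conn, b, "student_no", "100002")
    add_identifier(conn, a, "cl_rut", "12.345.678-5")   # constructed value
    add_identifier(conn, b, "ssn", "312-78-4412")        # constructed, later found mistyped
    add_identifier(conn, a, "ssn", "541-23-8876")        # a's SSN arrives: one new row
    retire_identifier(conn, b, "ssn", "312-78-4412")     # correction keeps the old row
    add_identifier(conn, b, "ssn", "312-78-4421")
    try:                                                  # same live SSN on two people
        add_identifier(conn, a, "ssn", "312-78-4421")
        dup_rejected = False
    except sqlite3.IntegrityError:
        dup_rejected = True
    return {"a": a, "b": b, "dup_rejected": dup_rejected,
            "by_rut": find_person(conn, "cl_rut", "12.345.678-5"),
            "by_new_ssn": find_person(conn, "ssn", "541-23-8876"),
            "old_ssn": find_person(conn, "ssn", "312-78-4412"),
            "ids_of_a": identifiers_of(conn, a)}


if __name__ == "__main__":
    print(demo())
```

Because the person row is keyed by a UUID, adding or replacing an SSN touches one row in `identifier` and nothing else, which is exactly the "rewrite every record" problem Finke's Simon job had to work around; the unique partial index is what actually enforces "one live owner per SSN" without making the SSN the key.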

