[somewhat OT] Re: [TriLUG] Linux Lab

Mike Johnson mike at enoch.org
Mon Nov 4 22:00:28 EST 2002


Tom 'spot' Callaway [tcallawa at redhat.com] wrote:

> Once, while I was a student at NCSU, a friend asked me to go to the 
> records office to pick up some sorority paperwork for her, since she 
> wasn't done with her project (due that day), so I did. They never carded 
> me, or asked me who I was. I simply asked for the paperwork for the 
> sorority (no specifics, just like that), and they handed me a lengthy 
> printout. It contained the names, addresses, phone numbers, and SSNs of 
> all the people who had signed up to rush for that sorority.
> 
> 100 freshmen SSNs may seem immaterial, but not if they are passwords.
> Makes for a nasty ddos.

Um, I gotta step in here.  You point out that one hundred social
security numbers, complete with names and addresses, are easy to come
by, and you're worried about access to some silly accounts that could be
used as a ddos?

Er, the account access is really the least of the worries, here.  That
is -all- the information needed to pose as that person for the purposes
of attaining credit.  From there, things just go downhill.

Social security numbers are -supposed- to be secure, they are supposed
to be -very- protected.  While some people don't treat them as
preciously as they should be, those people are wrong.  Now, that doesn't
mean they should be used as passwords.  Banks can mail out PIN numbers,
why couldn't a university mail out a password?

Frankly, I'm more concerned that an organization that has my personal
information (I graduated from NCSU) hands it out so freely than I am
about a piddly little ddos.
 
> IMHO, a far better method would be to assign random passwords to users, 
> then give the passwords to them in person. It is by no means a foolproof 
> system, but it is a far less obvious one.

See above.  Mail them out.  Or, hand them out with the student ID.

Mike
-- 
"Would you like to take advantage of wiretap Wednesdays?" 
     -- Fed on Sealab 2021

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
