posted by FatPhil on Monday October 18 2021, @08:42AM
from the don't-even-think-about-editing-the-URL dept.

Confused governor says looking at webpage's HTML is criminal hacking:

Gov. Mike Parson is sick and tired of all these sophisticated, no-good hackers and he's not going to take it any more. It's too bad the Missouri Republican has no idea what he's talking about.

During a Thursday press conference, the confused elected official lashed out at a journalist who reported a vulnerability in an official Department of Elementary and Secondary Education website. The reporter, notably, waited until officials fixed the error before publishing the story. The flaw? The website apparently included teachers' Social Security numbers in the HTML.

"Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved," reported the St. Louis Post Dispatch.

Parson, who apparently has never heard of "view source," obliquely threatened the Post reporter with prosecution.

"The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires," wrote Parson.

[... - plenty snipped - ...] Parson, in other words, has no idea what he's talking about.

canopic jug augments that with the following other sources:

Governor Mike Parson wishes that ctrl-u or f12 will become illegal. This was actually a breach of personal information, including SSANs, for over 100,000 people.

https://text.npr.org/1046124278
https://www.salon.com/2021/10/14/missouri-governor-threatens-criminal-prosecution-of-reporter-found-security-flaw-in-state-site_partner/
https://itwire.com/security/missouri-goes-after-man-who-looked-at-source-code-on-state-site.html
https://www.rollingstone.com/politics/politics-news/missouri-governor-teacher-data-hacking-1242493/
https://coldstreams.com/2021/10/14/no-it-isnt-missouri-governor-says-viewing-html-source-code-containing-private-data-the-state-published-on-every-page-is-a-crime/
https://abc17news.com/news/missouri/2021/10/14/gov-parson-threatens-legal-action-against-reporter-who-exposed-flaw-on-state-education-departments-website/
https://heavy.com/news/gov-mike-parson-html-source-code-decoded-ssn/


Original Submission
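The story's point is that "not visible on the page" and "not sent to the browser" are different things: anything in an HTML comment, a hidden input, an inline script or a display:none element is part of the source and shows up under view-source. The check below is an added example (not code from the story, the Post-Dispatch or the Missouri site) in Python's standard library: it walks every place a browser receives text and flags SSN-shaped values, so a template test or CI step can refuse to publish a page that would ship them. The function names, the regex and the sample page are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# Coarse SSN-shaped pattern: AAA-GG-SSSS, skipping area numbers the SSA never
# issues (000, 666, 900-999), group 00 and serial 0000. It is a format check
# only, so expect some false positives; for a publish gate that is fine.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


class SsnFinder(HTMLParser):
    """Scans everything the browser receives: attribute values, text nodes,
    HTML comments, and raw <script>/<style> bodies (html.parser hands those
    to handle_data too)."""

    def __init__(self):
        super().__init__()
        self.hits = []            # (where it sat, matched value)
        self._current = "document"

    def handle_starttag(self, tag, attrs):
        self._current = tag
        for name, value in attrs:
            if value:
                self._scan(value, f"attribute {name} of <{tag}>")

    def handle_data(self, data):
        self._scan(data, f"text inside <{self._current}>")

    def handle_comment(self, data):
        self._scan(data, "HTML comment")

    def _scan(self, text, where):
        for match in SSN_RE.finditer(text):
            self.hits.append((where, match.group()))


def find_ssn_like(html: str):
    """Return every SSN-shaped value in the page source with its location."""
    finder = SsnFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def safe_to_publish(html: str) -> bool:
    """False if anything SSN-shaped would reach the client, whether or not
    it renders on screen."""
    return not find_ssn_like(html)


# Constructed sample page (not the Missouri site). On screen only the name and
# phone number render, yet four SSN-shaped values ship in the source, which is
# exactly the situation the story describes.
SAMPLE_HTML = """<html><body>
<h1>Teacher lookup</h1>
<p>Name: Jane Example</p>
<!-- record 42, ssn 123-45-6789 -->
<input type="hidden" name="ssn" value="287-65-4321">
<script>var record = {"name": "Jane Example", "ssn": "111-22-3333"};</script>
<span style="display:none">555-66-7777</span>
<p>Phone: 314-555-0123</p>
</body></html>"""

if __name__ == "__main__":
    for where, value in find_ssn_like(SAMPLE_HTML):
        print(f"{where}: {value}")
    print("safe to publish:", safe_to_publish(SAMPLE_HTML))
```

Run against the sample it reports all four values (comment, hidden input, script body, hidden span) and returns safe_to_publish False; the phone number does not match because the pattern needs the 3-2-4 grouping.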

  • (Score: 2, Informative) by Anonymous Coward on Monday October 18 2021, @11:06AM (13 children)

    by Anonymous Coward on Monday October 18 2021, @11:06AM (#1187949)

SoylentNews Number is leaked for every user in every comment on this site.

Isn't the real problem that SSNs are used as an ID in themselves in the USA, i.e. as a pwd rather than the uid it really is?

  • (Score: 3, Interesting) by Anonymous Coward on Monday October 18 2021, @11:27AM (6 children)

    by Anonymous Coward on Monday October 18 2021, @11:27AM (#1187952)

Yes, SSN in the US is used as a personal identifier. Even though the Social Security Administration themselves do not guarantee a unique number per person. Yes, the SSA has issued the same number to different people -- they don't mean to do it, but they sometimes do, and they deal with it by weaseling with the "not guaranteed unique" disclaimer. Sadly this is usually discovered after the affected people have grown up and try to get a job, and then the collision is discovered. Trying to get the SSA to fix a mistake from 20 years ago is a challenge.

    As a database designer in my former life, I can't remember how many programmers I had to almost beat down when they wanted to use SSN as the key identifier for a person. Especially in a case that had a rare but well-known exception that required putting a non-American into the system (no, they didn't even have a Fed Tax ID either).

    • (Score: 3, Informative) by linuxrocks123 on Monday October 18 2021, @09:10PM (5 children)

      by linuxrocks123 (2557) on Monday October 18 2021, @09:10PM (#1188182) Journal

      This is complete and utter bullshit. It is not the case that a valid SSN should ever map to more than one person. The reverse is not true: it is quite possible that one person could have two SSNs. That's not a great thing to have happen, but sometimes it does, and the SSA can deal with it by adding the earnings under one to the earnings under the other. However, it is the case that no SSN will ever map to more than one person, unless one of them is lying and using someone else's SSN (i.e. illegal immigrants). Think about it: how would the SSA figure out what your benefit should be if it can't tell how much money you paid in Social Security tax? And how can the SSA figure out what you paid in tax if all your earnings are commingled with someone else's earnings?

      If the SSA messed up and gave the same SSN to two people, they would probably cancel it and assign new numbers to each of the two people affected. If they'd both worked under the messed-up SSN, they'd have to manually go through the work history and copy the appropriate parts of the work history to the newly assigned replacement numbers.

      SSNs don't work for what they are designed to do unless each one uniquely identifies a person. So, yes, they do that. That fact is orthogonal to whether they should be used as a key in a database, but don't lie and spread BS to get your way on that argument.

      • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @12:28AM (2 children)

        by Anonymous Coward on Tuesday October 19 2021, @12:28AM (#1188231)

When a person is deceased. The pools of available SSNs are not actually sufficient to cover every person in America past, present, or future. That said, normally they are issued out in blocks, geographically and then regionally, so nowadays there should not be many duplicates happening. However, back in the day, thanks to clerical errors it was possible that SSN ranges got reused before one party died, or got double-used by two people in adjacent areas (or rarely different states).

        So yeah while the SSN was MEANT to be a unique identifier for tax purposes, it has in effect never been a definitively unique identifier.

        • (Score: 4, Informative) by linuxrocks123 on Tuesday October 19 2021, @01:04AM (1 child)

          by linuxrocks123 (2557) on Tuesday October 19 2021, @01:04AM (#1188243) Journal

          BULL. SHIT.

          Q20: Are Social Security numbers reused after a person dies?

          A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 453 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

          https://www.ssa.gov/history/hfaq.html [ssa.gov]

          • (Score: 2) by Immerman on Tuesday October 19 2021, @03:25AM

            by Immerman (3985) on Tuesday October 19 2021, @03:25AM (#1188291)

I'm not so sure about "generations to come". 9 digits means exactly 1 billion possible SS Numbers (including the invalid ones), meaning Americans alive *today* are using roughly 1/3 of all possible numbers, while everyone who got a SS number since 1936 and subsequently died has removed numbers from the pool. We've probably got fewer never-used SS numbers available than there are currently-active numbers, and will need to revise the system within a few decades. Aka 1 to 2 generations.

      • (Score: 2) by Immerman on Tuesday October 19 2021, @03:31AM

        by Immerman (3985) on Tuesday October 19 2021, @03:31AM (#1188294)

        Last I heard, 000-00-0000 is still by far the most popular SSN in the country, "belonging" to a huge number of lawfully admitted non-citizens.

        Any time you have a required field for a non-required value, you *will* have duplicates. If you're very, very lucky there will only be one, easily identified placeholder value.

        It's practically become the CS101 example of why you should *never* assume any user-supplied value is actually unique. Precisely because so many legacy programmers DID make that assumption, much to the occasional aggravation of everyone using their software for ever after.

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday October 19 2021, @03:20PM

        by Anonymous Coward on Tuesday October 19 2021, @03:20PM (#1188430)

        You're a fucking idiot. There, we've exchanged insults.

        Sure, you're describing the way the whole SS system is supposed to work. Unfortunately reality is a trifle bit different.

        First, the SSA doesn't knowingly issue the same number to more than one person. And yeah, once that mistake is discovered, they'll fix it by giving new numbers. But it takes a looooong fucking time. Until that long fucking time, any system that uses the numbers still has to fucking deal with the fucking problem.

        Second, the reason the SSA does not guarantee unique numbers is partly to dodge any legal liability associated with such mixups, and to avoid having to deal with multiple people paying into the system under the same number, which happens all the fucking time due to illegal aliens stealing other people's SSNs.

        Look, I worked in a very large state at one of their very large pension systems. We had different people claiming the same SSN all the fucking time. Sometimes it was typos on the forms their employers sent us when signing up. Rarely it was the SSA assigning the same number to different people. Usually it was identity theft. When we detected duplication, all we could do was ask the two (or more) employer agencies to double-check the SSN with the employee. If they both came back claiming that the number was correct, we weren't allowed to do anything sane like report it to the SSA, or call the fucking police, or even notify the poor employees that someone was probably stealing their identity. We tried reporting it to the SSA once, and they told us not to bother them with it. They just want the money flowing in, and they're content to wait until someone actually goes to draw on their Social Security to figure out who gets which payments. After all, if one or both of them die or get deported, then they won't have to fix it, will they?

        So, yeah, sure, SSNs should only be one per person. Out in the actual world, they aren't, and real computer systems that actually do real work have to be able to deal with that shit.
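Immerman's comment above (a required field for a non-required value guarantees duplicates and placeholder values) and the pension-system comment just above (duplicate SSNs arrive through typos, SSA errors and identity theft, and the system has to cope) describe the same design rule: give the person a surrogate key, store the SSN as an attribute, and detect collisions instead of assuming them away. The following is an added example in Python with the standard-library sqlite3 module; it is not code from any commenter or from a real pension system, and the table layout, function names and sample records are all constructed for the example.

```python
import sqlite3

# Values that mean "no real SSN". 000-00-0000 is the one the thread mentions;
# a real deployment would add whatever placeholders its own intake forms use.
PLACEHOLDERS = ("000-00-0000",)

# Constructed sample records (not real people): two employees reporting the
# same SSN (typo or identity theft, as the pension-system comment describes),
# two non-citizens filed under the placeholder, one person with no SSN at all,
# and one ordinary record.
SAMPLE_PEOPLE = [
    ("Alice Example", "123-45-6789"),
    ("Bob Example", "123-45-6789"),
    ("Carol Example", "000-00-0000"),
    ("Dan Example", "000-00-0000"),
    ("Eve Example", None),
    ("Frank Example", "234-56-7890"),
]


def load_people(people, unique_ssn=False):
    """Build an in-memory table and load the records one by one.

    With unique_ssn=False (the design the thread argues for) the row id is
    the key and ssn is an indexed attribute, so every record is accepted.
    With unique_ssn=True the legacy assumption is enforced and the database
    refuses real people. Returns (conn, names_of_rejected_rows).
    """
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_ssn else ""
    conn.execute(
        f"CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT NOT NULL, ssn TEXT {constraint})"
    )
    if not unique_ssn:
        # Non-unique index: fast lookup by SSN without a uniqueness assumption.
        conn.execute("CREATE INDEX person_ssn ON person (ssn)")
    rejected = []
    for name, ssn in people:
        try:
            conn.execute("INSERT INTO person (name, ssn) VALUES (?, ?)", (name, ssn))
        except sqlite3.IntegrityError:
            rejected.append(name)
    conn.commit()
    return conn, rejected


def find_ssn_collisions(conn):
    """SSNs shared by more than one person, placeholders and NULLs excluded.

    This is the detection step the pension-system comment describes: flag
    the collision for follow-up rather than pretend it cannot happen.
    Returns {ssn: sorted list of names}.
    """
    marks = ",".join("?" for _ in PLACEHOLDERS)
    rows = conn.execute(
        f"SELECT ssn, name FROM person "
        f"WHERE ssn IS NOT NULL AND ssn NOT IN ({marks}) ORDER BY ssn, name",
        PLACEHOLDERS,
    )
    by_ssn = {}
    for ssn, name in rows:
        by_ssn.setdefault(ssn, []).append(name)
    return {ssn: names for ssn, names in by_ssn.items() if len(names) > 1}


def without_real_ssn(conn):
    """People whose SSN field carries no identifying value at all."""
    marks = ",".join("?" for _ in PLACEHOLDERS)
    rows = conn.execute(
        f"SELECT name FROM person WHERE ssn IS NULL OR ssn IN ({marks}) ORDER BY name",
        PLACEHOLDERS,
    )
    return [name for (name,) in rows]


def lookup_by_ssn(conn, ssn):
    """Lookup returns candidates, never one record: the caller still has to
    confirm which person it is by other means."""
    rows = conn.execute("SELECT id, name FROM person WHERE ssn = ? ORDER BY id", (ssn,))
    return [(pid, name) for pid, name in rows]


if __name__ == "__main__":
    conn, rejected = load_people(SAMPLE_PEOPLE)
    print("rejected with surrogate key:", rejected)
    print("collisions:", find_ssn_collisions(conn))
    print("no real SSN:", without_real_ssn(conn))
    print("lookup 123-45-6789:", lookup_by_ssn(conn, "123-45-6789"))
    _, rejected = load_people(SAMPLE_PEOPLE, unique_ssn=True)
    print("rejected with UNIQUE ssn:", rejected)
```

With the surrogate key every record loads and the collision on 123-45-6789 is reported for follow-up; with UNIQUE on the ssn column, Bob and Dan are silently dropped, which is the legacy failure both comments describe.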

  • (Score: 4, Interesting) by isostatic on Monday October 18 2021, @11:28AM (5 children)

    by isostatic (365) on Monday October 18 2021, @11:28AM (#1187953) Journal

Correct, it's no more secure than your name. Its benefit is to disambiguate people, so "Joe Bloggs" and "Joe Bloggs" aren't mixed up (even then I believe there are edge cases where SSNs have been dual-assigned, some people have more than one SSN, etc).

    Passport numbers and credit card numbers are also public information -- stay in any hotel in the world and they are taken. Which is fine if it's your username.

To identify yourself in the US you present your SSN (fine, as you allude to, mine is "isostatic"), and then you convince the person you are who you say you are.

    The standard for confirming that the username is yours on this website is a password. Not great, but for the low importance of this site it's adequate.

    To log into my bank I need my userid, password, and a 2fa approval, which is better, although the trust is just one-way.

    A secure fashion would be to have the SSN and a public key being listed on the blockchain, and you would use your private key to authenticate yourself. The person you're authenticating with could be confirmed by you by checking the public key.

If your key were revoked on the blockchain you'd know about it; if you did that because you lost control of your private key, that's fine. If someone else revokes it you'd know.

    Doesn't solve the "my private key was lost without my knowledge" issue, nor the "I lost my private key" issue, but unlike SSN your private key should not even be able to leave the device you're using to authenticate so the first is far less of a problem than the SSN.

    • (Score: 2) by PiMuNu on Monday October 18 2021, @01:04PM (1 child)

      by PiMuNu (3823) on Monday October 18 2021, @01:04PM (#1187967)

      One can generate a private key as a QR code or similar; thus possible to have a paper back up (which is roughly as secure/insecure as a passport).

      Nb: I note in Europe all of the covid vaccination certificates hold a QR code that maps to a unique ID in a database somewhere. It functions more like a username than a password, but thought it might be of interest.

      • (Score: 2) by isostatic on Tuesday October 19 2021, @09:40AM

        by isostatic (365) on Tuesday October 19 2021, @09:40AM (#1188358) Journal

I had to have a covid passport to get into an event for work in the UK; it was a time-limited QR code, which is reasonable for that specific use (you can't use that QR code to pretend to be me so security isn't critical, and it's time-limited so damage is limited if it leaks).

It does rely on a central database though, which I guess realistically would be the case with any government ID -- people will lose their private key (either file, printed or on a YubiKey), and require a new one, which will require certain levels of protection from the government -- I guess like getting a replacement passport. And as it's people, there will be all sorts of scams where your private key is acquired and copied, through social engineering or just plain theft, possibly without you even knowing. If every transaction was stored on a blockchain you could at least get instant notification when your ID was used (and anyone like a bank using your ID without should be treated as if they haven't seen the ID).

        But I'm getting dangerously close to discussing "identity theft" -- https://www.theguardian.com/commentisfree/2018/nov/25/identity-theft-is-daylight-robbery-banks [theguardian.com]

    • (Score: 3, Insightful) by owl on Monday October 18 2021, @04:53PM (1 child)

      by owl (15206) Subscriber Badge on Monday October 18 2021, @04:53PM (#1188085)

To identify yourself in the US you present your SSN (fine, as you allude to, mine is "isostatic"), and then you convince the person you are who you say you are.

      The problem in the US is that the SSN has been used as both user-identifier and as password (where knowledge of the SSN authenticated that "you are who you say you are"). And the worst of the lot are the businesses that use it as both user-identifier and password simultaneously. Which has led to the current state of affairs where "release" of the SSN is a "breach".

      It was always only ever meant to be a user-identifier, and should never have become a password. Sadly it did become a password, leading to the current mess.

      • (Score: 2) by isostatic on Tuesday October 19 2021, @09:26AM

        by isostatic (365) on Tuesday October 19 2021, @09:26AM (#1188355) Journal

Technically it shouldn't even be used as a username (or ID -- mine is 365 on this site), as it's not guaranteed to be unique.

    • (Score: 0, Offtopic) by mcgrew on Monday October 18 2021, @06:27PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Monday October 18 2021, @06:27PM (#1188114) Homepage Journal

      Correct, it's no more secure than your name.

      I see you've never worked with large databases, or if you did you were ineptly incompetent. Your name alone is the absolutely WORST identifier. Remember when Senator Paul Simon was on SNL with the singer Paul Simon? Unless you live in a tiny state there are a dozen people with the same name as you living in your state. I know from handling databases working for Illinois (retired now).

      --
      Carbon, The only element in the known universe to ever gain sentience