Comments on a geocentric view: Let's Play Good Idea, Bad Idea
Blog author: mollishka
Feed updated: 2023-10-28T11:34:33.746-04:00
6 comments

Anonymous, 2007-09-16T13:45:00-04:00

I just happen to be one of those 3,500 chemistry students whose SSN and DOB were on Prof. Coleman's laptop. In case anyone was wondering if someone was in fact using the information to try and fraudulently obtain credit cards... they are.

Anonymous, 2007-05-15T16:00:00-04:00

"What would you suggest as an alternative to authentication?"

What I'm suggesting is that SSNs are fine for identification, that is, as a number used to identify people. In this sense, it's like a name except that it doesn't vary (e.g., on marriage), doesn't have lots of different forms (middle name present/absent, just middle initial, short vs long form, etc) and is different for each person.

However, using it for authentication, like a password, is clearly broken. The odd thing is that the US seems to think that this is necessary. There's no equivalent in the UK, for example, and as far as I know in the rest of Europe either. While there's plenty of "identity theft" here, I believe it's somewhat less of a problem than in the US, so clearly the use of SSNs isn't helping to prevent it.

If some sort of general password is to be used for access to government facilities then it should be separate from a person's identification number and there should be a mechanism to allow it to be changed.

mollishka, 2007-05-08T23:58:00-04:00

Ed: What would you suggest as an alternative to authentication?

Jacob: but wasn't this a leftover problem from Back When? They certainly didn't use SSNs as IDs when I went through ... the two independent problems seem to be (a) the mostly extinct problem of using SSNs as student IDs and people who shouldn't have had access to this information to begin with being sent it—sometimes unknowingly, and (b) poor (or a total lack of) encryption/people not realizing what is on their computers. The first problem can essentially be fixed at the flip of a few switches, but the second is clearly more difficult since it involves more people, and it's the one that, since people can have really old information on their computers, causes problems when laptops disappear.

Quark, 2007-05-08T15:56:00-04:00

While MIT switched away from using SSN as ID number to using newly assigned ID numbers during my time there, the problem of faculty/staff having private info on their laptops (what the heck for?) and then said laptops being stolen is not special to Ohio. It has happened repeatedly (repeatedly?!) at MIT in recent years. There was a Boston Globe article (and probably also some in The Tech) not many months ago about this common occurrence at universities in the Boston area.

See, for example:
http://mathhut.blogspot.com/2006/05/mit-and-my-ss.html

And I know that there are more recent articles than these from spring 2005:
http://www.boston.com/news/education/higher/articles/2005/04/12/tufts_warns_alumni_on_breach/
http://www.boston.com/news/education/higher/articles/2005/03/18/colleges_on_their_guard_against_id_security_threats/

Stephen, 2007-05-08T11:39:00-04:00

There's always encryption.

As early as 1995, you could get an encrypting file system for Linux. Once set up, it just worked. If you left the laptop on, when the screensaver kicked in, you needed a password to unlock it. If you powered it down, you needed the password to mount the data file system. Setting it up was non-trivial, though. Really stupid export laws, etc. What a pain.

This Linux filesystem should be portable to OS/X Macs now. I think there's a Windows solution too.

Anonymous, 2007-05-08T07:53:00-04:00

When is the US going to get past this stupid notion that it is sensible to allocate a person a password at birth in a semi-guessable systematic manner, not allow that person to change the password and insist that it be used for authentication to a large number of disparate entities?

SSNs are not secret. They should not be treated as secret. They definitely should never be used for authentication, as opposed to identification. Anybody who uses them for authentication is acting entirely irresponsibly.

Yours sincerely,

Ed, from the UK where he is seriously worried that we might well wind up making the same sort of stupid mistakes over the next few years as the national identity register is introduced.