HS Students Steal SSNs to Prove They Can 701
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
Re:ridiculous (Score:5, Informative)
Re:Well, is hacking... (Score:5, Informative)
In many cases (especially recently), SSNs are applied for semi-automatically through the hospital someone is born in, so in that case the hospital location would determine the prefix.
Personally, I didn't have a SSN until I was 23 (and only then because I couldn't avoid it anymore without causing myself hassles with otherwise-decent employers that I didn't feel like hassling with), so my prefix is the same as the office I applied through when I got mine at age 23, nothing to do with my birth location.
Re:Civil Disobediance has its price. (Score:3, Informative)
That would be "tyrants" and "patriots", not martyrs. (Though, I suppose a patriat who acts in a way that will result in his death for a noble effort, and recognotion thereof, is a martyr.)
Re:Well, is hacking... (Score:3, Informative)
I should have clarified myself. The SSN state code is based off of the location of the mail collection where you requested it. So, if you lived in the sticks near a border of a state, and went to the other states Post office, you'd get a SSN associated to that state you requested it from.
Usually, it is requested automatically when you're born these days. For example, my parents were living in Indiana when I was born, but I was born in Ohio (neaest hospital). As a resulty, the request was sent from an Ohio Post office. Hence, I have a Ohio SSN.
Re:Anonymous snail mail- really? (Score:1, Informative)
Plus there's the postmark info, fingerprints, the easily identified stocks of paper and ink you used... (hope you bought it w/cash) Not to mention the DNA on skin flakes you forgot to wipe off, and the saliva on the back of the stamp. And all the cameras that recorded you grinning as you bought the paper and then caught you later dropping in that public mailbox.
On the other hand, they never got the anthrax guy(s)...
Re:ridiculous (Score:1, Informative)
The students commited the act months ago!
What a dumbass. I bet that if you were on the jury for someone who killed their parents, and that person threw himself on the mercy of the court on account of his being an orphan, you'd be weeping your eyes out. "That poor soul lost his parents and is alone in the world!"
Take that messenger, indeed. More like: Take that punks! I hope you like community college.
Re:ridiculous (Score:5, Informative)
I would think that people would have learned from the example of Randall Schwartz. You especially don't want to do it with someone who would be publically embarrassed by it because you're at high risk that they will file charges.
Re:Well, is hacking... (Score:3, Informative)
There's even some 10 digit SSN's out there. It has to do with the 1950 military personnel or something (Im still unclear about this one) and their distinctions therof.
Most systems that have SSN coding do not account for this, nor do they account for a few 8 digit SSN's used during the thirties (when SS was enacted). Most of the 8 digit ones were renewed to the now 9 standard, but it was not a requirement to have the 9 vs the 8.
Hopefully, this site will help you understand.http://www.ssa.gov/foia/stateweb.html [ssa.gov]
Gross or willful negligence by school admin (Score:3, Informative)
Focusing on the kids is a load of bullshit anyway. What was the personal data doing on a server accessible from a home computer? It sounds to me like the school administration is trying to create a smoke screen for their gross or willful negligence.
If the personal data was on a Microsoft server AND it was connected to the Internet, then the school system is in for a world of hurt in the courts: Willful negligence.
Re:ridiculous (Score:3, Informative)
And the proper way to show this is with a teacher or network person next to you, after telling the school of the possible problem and your desire to show them how it may be exploited (in writing). I am not sure of what type of exploit this was however it may have very well been possible to show that one can take the SSNs without taking everyones (take your friends or whatever).
Re:Not the Real Problem (Score:3, Informative)
We don't need RealID or anything other stupid thing, we just need to enforce the existing laws. Just like almost everything else Congress passes new laws about.
An alternative approach... (Score:3, Informative)
A bit too far (Score:2, Informative)
Now your SSN is your life for the most part.
Yes, this is true--though only to a certain extent--but your following argument is quite overstated:
If somsone has your number, they dont even need to know anything else to screw you over. With the number they can do searches and find your name and current residance. With that info they can sign up for credit cards in your name and screw over your credit.
If this were true, nobody would ever bother to steal a "list of SSNs" from a database! They would just randomly choose any 9-digit number. The security (or lack thereof) is in the linkage between the SSN and a person.
They can basicly steal your identity just by knowing that one special number.
Again, this an oversimplification. They still need to know whom that SSN represents. A reverse-lookup, if it existed, would imply that lists of SSNs wouldn't need to be stolen in the first place. Of course the kids in TFA most likely obtained more than just a list of raw 9-digit numbers; they probably also got the linkages between the SSNs and their owners.
Re:Why does a High School have student SSNs? (Score:2, Informative)
Re:Why does a High School have student SSNs? (Score:3, Informative)
Our school system recently (this year) went from SSN as the student identifier to a 5 digit random ID number. These are used for things such as attendance records, academic records, etc. I think one reason we do have (and we do) students' SSN is for communicating with other school systems who may have their own ID number scheme. Or maybe hospitals. I'm not saying this justifies the school having all this info but that's probably one reason.