
How Cornell Plans To Purge Campus Computers of Personal Data

and so forth writes "Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer at the University for the following items: social security numbers; credit card numbers; driver's license numbers; bank account numbers; and protected health information, as defined by HIPAA. The main tools are Identityfinder (commercial software for Windows and Mac), spider (Cornell software for Windows from 2008) and Find_SSN (python script from Virginia Tech). The effort raises both technical questions (false positives, anyone?) and practical issues (should I trust closed source software to do this?). Have other Universities succeeded at removing confidential data? Success, here, should probably be gauged in terms of diminished legal liability after the attempted clean up has been completed." Note: this program affects the computers of university employees and offices, rather than students' personal machines.
This discussion has been archived. No new comments can be posted.

  • by Entropius ( 188861 ) on Friday October 15, 2010 @07:41PM (#33914228)

    Does this include professors?

    I know a lot of scientists who would be quite annoyed if the people from the IT department (who are clueless policy-obsessed wankers at my institution) came in and wanted to search through a bunch of simulation results and LaTeX files looking for SSNs.

  • by topham ( 32406 ) on Friday October 15, 2010 @07:46PM (#33914254) Homepage

    a) too fucking bad.
    b) Sign this waiver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.

    I don't get the premise of the article. Scanning for credit card data and SSN is quite easy and simple. It's no more intrusive than a virus scan. Being open or closed source doesn't make any bloody difference either.

    Intrusion detection systems should also be running and scanning for data that conforms with SSN or credit card formats.

  • by fluffy99 ( 870997 ) on Friday October 15, 2010 @08:50PM (#33914618)

    And a) is the reason my department does not trust IT cowboys with any of our data. This is data that cost actual money to generate, not some shit we downloaded off BitTorrent for fun. I hope you get fired.

    Well are you an arrogant and self-important little bugger. The fact is that improperly retaining and losing privacy act data costs money and reputation too (just ask the Veterans Administration). Potentially a lot more than some professor's grading data where he stupidly tracks students by their full soc number. Or the sociology researcher keeping a huge database of personal info on their test subjects. The mandate for this action did not originate with the IT folks, but they were tasked to implement the policy. Stop being a little prick and try to understand the bigger picture.

    Besides, the article didn't say it was going to delete the data. It said "cleanup" which could be anything from a script that pops up when it detects questionable data, or even maybe it just moves it off of theft-prone laptops and desktops onto a central file server.

    Many institutions are going the route of encryption. Hard drives are encrypted, and anything stored onto removable media gets encrypted. A pain in the ass to be sure, but it does allow management to claim that no data was compromised if a laptop disappears.

  • by avxo ( 861854 ) on Friday October 15, 2010 @09:51PM (#33914872)
    The OP says that a practical issue is whether one should trust closed source software to do this? Because, of course, being closed source should implicitly invoke gloomy music, dark clouds and cause people to break out in a cold sweat? Seriously, enough with this bullc*** already... There's nothing inherently wrong with running closed source software, nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software. There are legitimate arguments to be made that open-source has advantages. That open-source is, somehow, more trustworthy, isn't one such argument. And it's high time we stopped peddling it as one, or accepting it as one.
  • by thegarbz ( 1787294 ) on Friday October 15, 2010 @10:51PM (#33915092)
    Should you trust closed source software to do this scan?
    Should you trust the bank managing your transactions?
    Should you trust closed source software in medical equipment?
    Should you trust SAP to manage your financial transactions?
    Should you trust a Windows computer for anything more important than your gmail password?
    Should you trust Google Chrome when logging into your netbanking?

    You know what? I think on the grand scheme of things trusting a piece of closed source software specifically designed to search for information made by a company which would literally be sued into oblivion if they did what the article was hinting at, ranks pretty damn low on the list of things I worry about.
  • by Anonymous Coward on Friday October 15, 2010 @10:57PM (#33915124)
    You say that until someone who has a laptop gets it stolen.

    As a member of IT at a health care based company I can tell you that the machine sitting in the cube really isn't the problem. The problem is the laptops that get stolen off site, the CDs/DVDs of data that don't get disposed of correctly and the e-mails that flow with data that should never be seen outside of the company. This is to say nothing of those who try to take the data out on purpose.

    While whole disk encryption, disabled USB ports and mail filters have taken care of the lion's share of things there are still false positives that do strip otherwise harmless data from e-mail.
  • by colinrichardday ( 768814 ) <colin.day.6@hotmail.com> on Friday October 15, 2010 @11:00PM (#33915138)

    nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software.

    No, but it's easier to analyze source code than binaries.

  • by gnapster ( 1401889 ) on Saturday October 16, 2010 @08:27AM (#33916778)

    Because not so long ago, it was common practice to use a student's SSN as their student ID number. In ~2001 and ~2004, I attended schools which changed their policies on this matter in those years, respectively. For each school, I started with a student ID that was the same digits as my SSN, and when I was graduated, I had a new student ID that was an unrelated string of digits.

    Using the SSN as an ID is very convenient. For every incoming person, you have a unique number that they probably already have memorized. From there, it should be no surprise when professors get lists of SSNs on class rosters at the beginning of a semester, and they might store it in one form or another over the course of grading, and similar activities.
