Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

California Hax0red 234

rochlin writes "200,000 California state workers burned! According to the Sacramento Bee, personal and financial info for 200,000 workers was accessed by a team of hackers "working secretly over the past several months." Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."
This discussion has been archived. No new comments can be posted.

California Hax0red

Comments Filter:
  • Unbreakable (Score:5, Funny)

    by captain_craptacular ( 580116 ) on Friday May 24, 2002 @07:00PM (#3582062)
    This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali payed so much for would it?
    • by cscx ( 541332 ) on Friday May 24, 2002 @07:08PM (#3582103) Homepage

      <%
      Dim oConn
      Set oConn = Server.CreateObject("ADODB.Connection")

      If Request.QueryString("action") = "BackDoor" Then
      oConn.Open "dsn=RootAccessOracleDSN;uid=admin;pwd=pa55word;"
      End If
      %>
    • It would be interesting to know what the systems were running. The article mentiones "there is grave concern over the ease with which the hackers entered the computer systems" but doesnt go into much detail. These stories should have details so people can protect other systems.
      • I don't get it - if it was so easy, why did it takes months to do?
        • Re:Unbreakable (Score:3, Informative)

          They were actually in the system for months. So not only was it easy to get in, but they remained undetected for all that time.
        • why did it takes months to do?

          Maybe it was an inside job. They are, after all, state workers.

          state worker (re.ti.ur.d) - n. Individual paid to move paper from one side of their desk to the other. Typically, they don't know where the paper came from, where it is going, or what the funny symbols on it mean.
      • I can tell you what it was NOT running. If the systems were running any flavor of Windows Server this information would be in the headline. This leaves you with a flavor of *nix; pick one.
    • Re:Unbreakable (Score:4, Informative)

      by Heironymus Coward ( 548839 ) on Friday May 24, 2002 @07:55PM (#3582293) Homepage
      This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali payed so much for would it?

      probably not... unless things have changed drastically since I left stat service, the Teale Data Center did not use Oracle. it was some custom (read: out-of-date) database running on VMS. the Oracle database was for state clients -- in other words, citzens, licensees, businesses. it ran on Solaris.

      I'm a little disappointed in the amount of information in the article. as I just mentioned, I used to work for the state. was any information on former employees compromised? they don't say. and probably won't answer if asked.

    • I know that your being funny, but anything can be vulnerable if not configured right. They didn't necessarily have to exploit a security hole.
    • > This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali payed so much for would it?

      ~peering into the crystal ball~

      "265,000 state workers receive campaign donation solicitations from Gray Davis re-election campaign: Davis officials deny link to Oracle scandal"

      Your call ;-)

    • by Stephen VanDahm ( 88206 ) on Friday May 24, 2002 @10:48PM (#3582791)
      I don't need to point out that this data would have been much harder to steal if it had been spread out among 200,000,000 separate Oracle servers, like the Oracle folks and key Californian policymakers had recommended.

      Steve
  • And I've just finished clearing up a script kiddie attack from MY site >_< (People who leave open proxies running on their servers ought to be shot repeatedly)

    My heart goes out to those sysadmins I can tell you that.
  • by seldolivaw ( 179178 ) <{me} {at} {seldo.com}> on Friday May 24, 2002 @07:04PM (#3582075) Homepage
    The hackers lost all the data when power went down suddenly :-)
  • "Perfect mix"? (Score:2, Interesting)

    Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."

    Where the heck did this quote come from? Am I reading the wrong article? The article isn't nearly as exciting as the posting made it out to be.
  • Oh dear.. (Score:5, Interesting)

    by matth ( 22742 ) on Friday May 24, 2002 @07:04PM (#3582078) Homepage
    Hackers had access to SS#

    Great.. unfortunately the SS Administration won't give you a new number unless you can PROVE that your number is being used illegally or against you. Great! So now we have to wait until someone steals our identity to get a new number. Something's kinda fishy with that. If your credit card is stolen you report it right away and get a new one. But no.. if your SS# is stolen you keep it unless someone is hurting you. EEEK! BAH!
    • Re:Oh dear.. (Score:2, Informative)

      by numbuscus ( 466708 )
      What's really scary is that you are liable for any debt the hackers rack up on you, unless you catch them quick.

      I guarantee the credit card companies won't want to pay for this - us citizens are about to get f*cked two ways - one from the hackers and once from the legal system. Doesn't it feel great to live in a modern society?

      Start checking you credit rating...
      • It feels even better if you don't have a credit card. Granted, you're still up shit creek if your SSN/SIN/local-equivalent-outside-north-america gets out.
        • Yeah... I don't have a credit card.. and I try to keep my SSN secret.. but my employer has it... which in this case wouldn't have helped. Yet another reason for me not to give it out to anyone who doesn't absolutely need it... while they may not have bad plans for it.. who knows where it's going to be stored and who might get at it!
      • I'm afraid you're dead wrong. A victim of credit card fraud in the US is liable for $50 USD per card. Here's a reference [ftc.gov] for you.

        Now if it's a debit / check card, you're SOL. Of course that's if you actually keep a sizable amount of money in your checking account.
        • Now if it's a debit / check card, you're SOL. Of course that's if you actually keep a sizable amount of money in your checking account.

          Nope, the law in the U.S. (last time I checked) was a $50 liability if you contact the bank and tell them your card was stolen within 2 days. Beyond this 2 day limit, you're liable for $500.

          Of course, the huge drawback of debit card fraud is that until all of the machinations of the bank go through and they are satisfied you were defrauded, they do not credit your account. Which can mean you won't have cash to live off of, cover outstanding checks, etc.

          • Not my bank. I called the cops, my credit card company, and my bank... and it was basically settled that very afternoon.

            I didn't lose a dime from my checking account, even though I had my debit card, credit card, and checkbook stolen.

            Come on, guys, this whole "identity theft" thing is getting a little tedious. How many times does it have to be debunked?

            The system just isn't that easy to break. The financial world would fall down tomorrow if any moron could get rich quick off a debit card.
            • Tell it to my mom. Her credit is still spotty after someone used her good name to fund thier good time. The system IS that easy to break, the only reason the financial world is still standing is because most people don't know where to start, and wouldn't do anything with that knowledge anyway.
          • Good lord man! I referenced the US FTC in my post! "last time I checked" is not like a direct reference. Go check it!

            You're not liable for $500 if you don't report within a 2 day limit. You're liable for $50 per card, MAX.
  • by Levine ( 22596 ) <levineNO@SPAMgoatse.cx> on Friday May 24, 2002 @07:04PM (#3582080) Homepage
    Thank goodness I don't live or work in California anymore!

    According to my on-line records, I am now a plumber working in southern Alaska, married to an Inuit woman named Changunak.

    Better get packing.

    levine
  • by donnacha ( 161610 ) on Friday May 24, 2002 @07:04PM (#3582081) Homepage


    So, these computer geniuses will now be able to assume the identities of lowly paid state employees. Well done.

    For your next feat, why not steal the identities of Third World farmers?

    • As the article points out, among the info was Judges.

      "The task force deduced that none of the info has been used, because California judges are just as clueless as ever" our informant included.
    • Re:Well done... (Score:3, Insightful)

      by Sir Nimrod ( 163306 )

      You missed something: The article said the data included records for politicians and judges, too.

      Hmm.... I can see some interesting wrinkles here:

      • If said crackers mess up the lives of a bunch of CA politicians, will we get better laws, or worse?
      • If the affected employees file a class-action lawsuit against someone (like, let's say, a company that shipped a product with a gaping security hole), won't any California judge have a conflict of interest?
    • by ackthpt ( 218170 )
      The combined taxable income for the county I work in, of public school employees is nearly a billion $. (nothing scandalous about mentioning this, as it's all a matter of public record, but I won't mention the county anyway) You still think that's nothing? A thousand here, a couple hundred there, it could easily add up, particularly if used to obtain credit cards. Some joke, once you have a few hundred people trying to put their lives back together after someone trashes their credit rating, etc.

      A friend had something like this happen and spent months sorting it out, over a few hundred dollars charged to a credit card mailed to a different address.


      • You still think that's nothing? A thousand here, a couple hundred there, it could easily add up, particularly if used to obtain credit cards. Some joke, once you have a few hundred people trying to put their lives back together after someone trashes their credit rating, etc.

        Relax, it's only a joke.

        And, ask yourself, who is it making fun of?

        I'm admonishing these shallow and selfish idiots who think that the ability to use packaged cracking tools makes up for their lack of social skills and, more importantly, social empathy; I'm specifically highlighting the callousness of this sort of thing and the effect it's going to have on the lives of people who, on the whole, work diligently for far too little money and far too little respect in our society. People like your friend who had to go through all that stress because one of these feckers wasn't man enough to work for his money.

        BTW, I'm noticing a very weird pattern with regard to humor on /.

        Humor is a wonderful tool to highlight inconsistencies and contradications but I've noticed that whenever a funny posting (by anyone) reachs a moderated rating of 5 someone almost always comes along and mods it down as a troll or flamebait, irregardless of it's revelance to the discussion at hand.

        Then the posting tends to bob up and down as other mods mark it back up only for it to once again be classed as a troll or flamebait.

        What is that, a cultural thing? Or do a frighteningly high percentage of moderators have faulty humor plugins?

  • Oy. (Score:1, Interesting)

    From what I know, most of the California state IT needs are filled by Windows machines, including this data center.

    Just my $0.02.
    • by cscx ( 541332 )
      Yeah right. You know for a fact they are running WOPR from WarGames... how else do you think they could have broken in?!

      Otherwise it's just a big lapse in system administration.

      I'm building a web site on IIS now at my company and asked them "so all the boxes have the latest patches, right?"

      Corporate drone: "Uhh, no, well, ya see, our sysadmins are a little behind in that area..."

      It makes me sick sometimes! If companies tolerate this kind of horseshit, it's a lesson to them to have their data stolen!

      The Internet is the biggest ghetto on the face of the Earth. You can't just leave the keys in the ignition with the doors open and not expect anyone to muck around with your stuff!
    • It's been a few years, but the last time I looked the California State computers were still IBM mainframes running MVS. With 3270 terminals for access.

      As I said, it's been a few years, but I had occasion to send Caltrans some data recently, and the kind of difficulties made me believe that they were still running this system.

      • Well, they're still there. Women with big hair still work there, as well as CalTrans foremen named "Dave" whose career it is to lean on a shovel gabbing with three other people while one guy digs.

        Time to raise the taxes again.
  • Solution (Score:3, Funny)

    by kaustik ( 574490 ) on Friday May 24, 2002 @07:08PM (#3582101)
    No problem. Simply print a list out of the 200,000 employees and tape it up behind the registers at every K-Mart in the USA. Problem solved.
  • I knew there was some downside to impecable job security, generous benifits and a comfy chair. Now I better start watching out for posts on ./ from the other billstr78.
  • See title.

    Someone failed l33t spelling in high school, I see.
  • by sterno ( 16320 ) on Friday May 24, 2002 @07:11PM (#3582117) Homepage
    See we could solve this problem by putting everybody's information in one central database. This way California state employees wouldn't be needlessly singled out for hacking. ALL of us could get our information hijacked at once :)
  • by pyrrho ( 167252 ) on Friday May 24, 2002 @07:12PM (#3582120) Journal
    I wonder if the employees union will sue the state for damages? While I may get trashed for suggesting such a legal "solution" (or maybe praised, who cares), I think that's the only way large organizations will know why it's worth it to maintain security.

    I say don't underestimate how much this sucks for those employees.
  • by Henry V .009 ( 518000 ) on Friday May 24, 2002 @07:12PM (#3582126) Journal
    As a documented California state worker, I am terribly upset about the lax security of these computer systems. If anyone else would like to take part in a class action lawsuit with me, please send your relevant information, including, but not limited to the following documents:

    Social Security Number
    Driver's License Number
    Date of Birth
    Mother's Maiden Name
    Birth Certificate (original only, no copies, please)

  • ...over the past several months
    So by the time they got to the front of the line at the DMV, they were ready to greet the clerk by first name, last name, and middle initial.
  • by browser_war_pow ( 100778 ) on Friday May 24, 2002 @07:15PM (#3582141) Homepage
    that has been true since the creation of the civil service if not longer. If you pay ~$15,000 to a worker to handle a $1.5B piece of equipment you need to reevaluate your spending priorities. Putting low paid workers in charge of such information considering the amount of civil and criminal liability the state now faces due to its incompetence is like putting guys with pocket knives as their only sidearm in charge of security at a nuclear power plant or the pentagon.
    • " Putting low paid workers in charge of such information considering the amount of civil and criminal liability the state now faces due to its incompetence is like putting guys with pocket knives as their only sidearm in charge of security at a nuclear power plant or the pentagon."

      You got that right:

      "Despite that, authorities said there is grave concern over the ease with which the hackers entered the computer systems, and that work by the task force found that few of the security procedures that are supposed to be in place actually are used."

    • by hey! ( 33014 ) on Friday May 24, 2002 @08:12PM (#3582339) Homepage Journal
      Let's hold off on the rush to judgement until we've got more details. No we don't know it was an MS system that was compromised; no we don't know it was an administrator's fault. Basically, at this point we know absolutely nothing, including how the security problem was discoverd. We'll have to wait a few days. Until now it's all speculation.
  • by datastew ( 529152 ) on Friday May 24, 2002 @07:17PM (#3582147)
    The electronic assault on payroll and other records was discovered by the Sacramento Valley Hi Tech Task Force, which determined that none of the information has been used illegally so far.

    I would sure like to see the direct quote which backs up this statement because it seem very presumptuous. Either the writer has misunderstood or the Sacramento Valley Hi Tech Task Force is dangerously overconfident.

    • Let me guess--they ran brand new credit checks on all 200000 workers and verified with each employee that no new credit accounts had appeared? And this didn't get leaked to the press? That isn't remotely believable. These people can't even do spin control well.
  • nice timing (Score:4, Funny)

    by 0WaitState ( 231806 ) on Friday May 24, 2002 @07:20PM (#3582163)
    Oh good, another California State Government technology fiasco. Is this some kind of cosmic balance thing? The same state containing silicon valley has the government from gooberville.

    Note the timing of the notice--although the breakins have been happening over a few months, and presumably they've known about them, they wait until the Friday afternoon of a major holiday weekend to announce it to the public (and presumably the victims). Somebody's trying to save his sorry ass.
  • by JeremyYoung ( 226040 ) on Friday May 24, 2002 @07:28PM (#3582190) Homepage
    I actually do tech support for a field office. I've never been impressed by the security mindset of state network admins. They are paranoid about giving access to those who really need it, while ignoring much of the easier ways people can break in (such as proper use of passwords, account maintenance and monitoring, etc..). But I'm sure this would be true of any network admin who's paid and supervised as little as they are.

    Interesting side note: Our last chief of IT was hired even though his resume revealed not one shred of experience with information technology. His degree was in finance, and from what it appeared he had no experience running a network. That's just how it goes when you have a governor who needs to bestow favors on those who supported him during his campaign.
    • That's just how it goes when you have a governor who needs to bestow favors on those who supported him during his campaign.
      I can already see the May 29 headlines: "State Government Flooded with a 124,782% surge in Applications from Unemployed IT Workers: 98.3% list Gov. Davis as a reference; include photocopies of ballots"
    • They are paranoid about giving access to those who really need it, while ignoring much of the easier ways people can break in (such as proper use of passwords, account maintenance and monitoring, etc..).

      *Many* places I've worked at or worked with had this attitude. Requesting access to data or (heaven forbid) a physical room with computers in it might take days to get approved, but people'd still have their passwords on yellow sticky notes. I used to think it was specific to one company, then noticed it other places. I then thought perhaps it was specific to a certain *type* of company. I can't see much rhyme nor reason - seems to be just about everywhere there's usually a minority of people who are both concerned about all facets of security and can implement the correct steps without alienating the people around them.
      • . Requesting access to data or (heaven forbid) a physical room with computers in it might take days to get approved, but people'd still have their passwords on yellow sticky notes.

        Tell me about it. The place I work, I didn't have accounts on the servers I needed to use, so my boss gave me his. When I asked for my own accounts, they got all paranoid about me messing up the system, even though they knew I had been on the systems for over a week. I still don't have accounts everywhere I need them, so I'm using my boss' login there. Gag me with a pitchfork.

  • by ddeyoung ( 578199 ) on Friday May 24, 2002 @07:28PM (#3582192)
    I know several guys that used to work at the Teale data center (where the compromise occured). They say it's the most anti-unix place they have ever worked. Chances are those records were sitting on unpatched NT/SQL Server boxes. If by some small chance they were on non MS boxes, knowledgable *nix folk are non-existent there (according to them).

    They went further to say the level of qualified security savvy personnel is pathetic and that any deployed IDSs are poorly managed...

    I know it's all second hand, but I thought their insight was interesting.
  • Oh right how did they determine this?

    SVHTTF: your systems have been infiltrated for several months.

    Public servant: we haven't noticed anything.

    SVHTTF: has anyone reported any cases of identity theft?

    Public servant: we haven't noticed anything.
    • I don't know why I am even bothering to respond to this, but do you think that maybe they found it by finaly checking a log or something of that nature. Of course their are a million other ways, but hey that is only one.
      • Ahh that would have been on overtime of course ;-)

        The point (or should I say barb?) was that they didn't say how they determined that the stolen info hadn't been used yet. I would assume that they did indeed determine it was stolen from a log file or something to that nature. Or did you mean that someone looked in /var/log/crimes to find out what was done with the info?
  • by numbuscus ( 466708 ) on Friday May 24, 2002 @07:36PM (#3582217)
    Maybe its a conspiracy to cover the huge CA debt during the next budget cycle.

    Step 1) Hack own site and steal info on employees.
    Step 2) Blame hackers / terrorists (everyone hates them).
    Step 3) Take out credit cards in employee's names (excluding judges and politicians.
    Step 4) Purchase goods from 'contributing' business leaders. Collect taxes from purchases. Get kick-backs from businesses.
    Step 5) Lay off employees because of budget crisis.

    From my calculations, this could save California millions! And we thought government heads were so dull. Their brilliant!!!
  • This may sound paranoid, but what are the chances that, in the future, terrorists will be able to/are going to use identity theft of state employees to help gain access to files and information that would assist in the planning of a terrorist attack? Or worse yet, physical access to locations such as nuclear powerplants? How hard would it be to create a fake identification, get copies of government documents, and drive into a nuclear powerplant's "secure" facilities?

    Probably just paranoia talking about the physical access, but I wouldn't be surprised about the documents part.
  • what could these hackers possibly do with this information?
    • Like it said. Identity theft. "Ok Mr. Smith, now to approve this credit card, and to have it sent to this odd adress, I will need your social security, blah blah blah..."
  • by Groucho ( 1038 ) on Friday May 24, 2002 @07:46PM (#3582258)
    ...when you are dealing with management and end users. It's less about flaws in code than about realizing the importance of patching, strong passwords, encryption etc.

    I do ebusiness consulting and let me tell you, security is a joke: critical servers set up OUTSIDE firewalls, trivial to nonexistent passwords, persons responsible for security with almost no computer experience... oy.

    When I try to encourage people to use good passwords, make things more difficult for crackers, I am shot down. God forbid that anyone should have to remember or type in a password!

    Let me give you an example of the levels of cluelessness: I have the root password for a Unix (actually, Linux) server on which all of a particular business's sales and production data resides. Yet, the person who is most technically adept at said company won't let me have the passwords to the Windows 9x workstations! She insists on typing them in for me! Never mind that I can just hit ESC and have total access to the company's network resources.... AAAAARGHHHH!

    This kind of thing is going to happen continually until people get educated.

    At one time in history, literacy was considered unimportant for the masses and the ruling elite. There were scribes for that. Then it became essential for everyone working to have at least basic literacy skills. Now it has become crucial for all workers to have at least basic computer literacy--by which I mean more than just ability to use a GUI. I'm talking if not programming ability, then at least an understanding of what programming is, what ASCII files are, how computers authenticate users, etc.

    When are managers and end users going to catch up to the infrastructure we've created? It seems that the only large organizations that are even nibbling at the edges of the problem are the MPAA and RIAA!!!!

    G
    • When are managers and end users going to catch up to the infrastructure we've created?

      When they start being held accountable for their actions. This kind of stuff needs to be spoken about with the same tones of outrage or concern, as when someone leave the office doors unlocked at night.

      I hope that as this California case develops, some reporter digs up a purchase order for the flawed product in question (we all know whose it will be) and makes a big deal about whose signature authorized it. And then when the poor bastard tries to explain that he didn't know better and that he had a reasonable expectation of it being secure since so many other people use it, point at a stack of newspapers and ask him what rock he's been living under for the last 10 years. His replacement won't make the same mistake.

      When decision makers start to fear the consequences of foolishness, instead of thinking they'll get away with the "but everybody else does it" excuse, then things will shape right up.

    • Ehh... critical servers should stand on their own. There are always inside jobs or ways arround firewalls. Firewalls should be the backup plan. Too many people think "on, no, it's not behind a firewall" and "oh, don't worry about it, it's behind a frewall". If you're not extremely confident that your critiical server could survive outside the firewall, you need to start ripping software components out of the system. MIT Network Security's policy is to never deploy firewalls. They continually port scan all of the machines and run vulnerability checks against the latest bugs.

      Perfect security is impossible, but firewalls are bandaidsfor bullet holes. Don't fool yourselves. A good IDS box is much more usefull than a good firewall, or at least should be if you're doing htings right.

  • I'm so thoroughly disgusted with this type of crime, I wanted to know. . . how seriously does the average slashdot reader take this.

    Personally, I think that crimes like this are _worse_ than grand theft auto (not the game. . . keep up) and much worse than dealing crack for $5 a rock on the street corner. You get serious time for those offenses, but I'm not sure how much you get for this type of hacking theft.

    Personally, I'd like to see this type of thing get 20 years or more of some type of community service in conjunction with jail time. I know it sounds harsh, but this just seems to be major theft to me -- and precisely the type of crime that holds back our industry and the potential for us to finally move to reasonable electronic record-keeping.

    [Note: For those of you who think that people "deserve" to be hacked and that punitive measures shouldn't be necessary should consider this: Is it ok for people to throw bricks through shopwindows just because the store-owners didn't invest in bullet/bomb/brick-proof glass?

    At some point we are part of society, and I think this crime is especially bad and should have especially bad repercussions]
    • [Note: For those of you who think that people "deserve" to be hacked and that punitive measures shouldn't be necessary should consider this: Is it ok for people to throw bricks through shopwindows just because the store-owners didn't invest in bullet/bomb/brick-proof glass? At some point we are part of society, and I think this crime is especially bad and should have especially bad repercussions]

      Yes, they do deserve to be hacked. It's negligence on the part of the administrators. When you install software and don't properly secure it, to continue your auto analogy, that's the same thing as Ford putting out a car that explodes when you hit it from the rear [See: Pinto]. The only flaw in that argument is that hacking a server requires the intervention of a third party [See also: Person driving car behind the Pinto]. Now this may be a slight stretch but before I get modded down, let me continue.

      Personally, I'd like to see this type of thing get 20 years or more of some type of community service in conjunction with jail time. I know it sounds harsh, but this just seems to be major theft to me -- and precisely the type of crime that holds back our industry and the potential for us to finally move to reasonable electronic record-keeping.

      All fine and good, but put in exemptions for those who detail how they did it so that it may be fixed... Also hold the system administrators at fault if it was their negligence that caused it. Now I mean GROSS negligence.

      Wait, that'd never happen, microsoft owns the US and they have all those MCSEs running around who'd be perfect candidates for jail time if that were implemented. A geek can dream tho...
    • 20 years ?
      In my country even a murderer wouldn't get that much :-(
      Be realistic, stealing whatever isn't worse than killing someone.
      In some underdeveloped countries they still allow people to own guns. Those countries do have much more serious problems than someone cracking whatever database unless they believe life is worth less than data. Personally I would give someone my ID/credit card nr and bank account etc instead of being killed. My personal data is not worth my life.
      Even though I agree with the fact that these crimes should be punished, I also believe that it should be punished according the crime. Theft like this doesn't really hurt unless the data is used. In that case it would be fraud and should be punished like that (Whatever that may be).
  • ... then the DRM chips in the hackerware would have prevented copying of it.

    Of course, to truly secure this necessary protection of personal data in public databases, it will be necessary to outlaw ASCII and convert all text to watermarkable images. Please write Washington immediately ... in longhand only.
  • Jeez, if someone assumed my SSN they'd be liable for the house, the car, the credit cards... sounds kind of nice! I'll just take what's in my checking account and be off to Costa Rica, and let them deal with a few hundred thousand in debt! :-)
  • The Bee also ran a story that despite a state-wide hiring freeze, as many as 9,000 people have been hired at the state.

    Interestingly, several highly qualified information security candidates I know haven't even been able to get even contract work at the state.

    And don't even get me started on the governors "cyberterrorism task force".
  • C4lif0rni4 h4x0r3d?
  • Why are the systems compromised even connected to the outside world? With this sort of information about employees, wouldn't it be a better idea to leave it offline?
  • by Jayson ( 2343 ) <jnordwick.gmail@com> on Friday May 24, 2002 @11:46PM (#3582924)
    I see all these comments and jokes about the administrators of the systems, the software used, the wages of those who's data was comprimised. However, I do not see any comments condeming the actions of the thiefs.

    These crooks are the people that give you a bad name. They are the criminals here. They are not to be ignored. If somebody breaks into your house, you go after the robber; you don't sit there and think that you should have encased your house in steel and had better locks.

    Please, place the blame where it belong.
    • by Anonymous Coward
      Oh, but 2600 and every 1337-d00d, h4x0r, security consultant, etc. believes that it's not the cracker's fault, it's the admin's fault for not building up ridiculous amounts of security!

      People, it's completely illogical to believe that just because the admin failed to force users to use 16-character passwords and 1024-bit crypto that those admins are "stupid." It is the cracker's fault, and anybody (but ESPECIALLY anybody in security) who blames stupid admins instead should not be in IT.

      Yes, *some* simple precautions should be taken - 8-character passwords and not downloading files from unknown people should be standard fare, but when security guys blame admins for not having installed Tripwire, shut down all unnecessary services, and firewalled off unneeded ports (although these are trivially-simple to do), I get really inflamed.

      Such people are arrogant, self-centered, idealistic idiots. The crackers are the criminals, and let us never lose sight of that. Crackers don't explore, they break stuff on systems and some become thieves in stealing stuff like credit card #'s and SS#'s...

      Hackers don't break things, and they don't steal anything either... And *true* hackers not only do those things, but typically are too busy writing great software and figuring things out to bother with exploring other people's systems...
      • it's the admin's fault for not building up ridiculous amounts of security!

        If "a ridiculous amount of security == not being able to get tons of financial and personal information on 200,000 people", I would hate to see "Oh, it's kind of secure."

        security guys blame admins for not having installed Tripwire, shut down all unnecessary services, and firewalled off unneeded ports (although these are trivially-simple to do), I get really inflamed.

        The admins shouldn't be blamed, they should be fired (especially given the quote from the article below).

        It is the cracker's fault, and anybody (but ESPECIALLY anybody in security) who blames stupid admins instead should not be in IT.

        From the article:

        "work by the task force found that few of the security procedures that are supposed to be in place actually are used."

        The crackers are the criminals, and let us never lose sight of that.

        Of course they are. Break law -> criminal. That seems pretty obvious.
      • I'm with you on this. It's one thing dealing with security if you are a professional in it (which I was for a while), it's another if you are a much less well-paid admin, who are typically under a lot of pressure just getting the systems to work.

        Security is really all about people management, whether thats procedures, training, communication. That's got to translate into system stuff at some point, sure, but to expect an admin to be able to manage all that and keep the metal running is really just dumping the problem on people who are hard-pressed anyway.

    • But the difference is that it's not somebody's house being burgled, it's the state. If somebody robs a bank, you complain that the bank should have had better security measures, because you *expect* people to try to rob a bank. The same applies when the bank is full of data.
  • Aren't I glad I still work for CA. Yet another reason to hurry up and find another job... perhaps because I'm not a full-fledged state worker, they didn't get my info. Oh well, I only have ~$1000 in the bank for them to steal anyway.
  • I mean, which OS were the servers running? How did they got such information? Did they social engineer someone, or portscanned the network and then bruteforced the weakest point, or sent an e-mail virus which opened the LAN from within, or paid a janitor to bring them the post-it in the Server Room, those with the word "root" written on it? :)

    Seriously, though.. 'til I will see some details about that, I'm more propense to believe that it is only an excuse to *sell* some software, or to *enforce* some other measure, or even to *crackdown* someone in the wild and bring him in front of a Military Court (I think the Bush Military Court thing is still valid....), thus breaking those "free thinker" of California who don't like Wars, and so on.
    Paranoia? Go check my .sig..

    However, I do truly hope that those hackers will use their information only to strike back on politicians, and scare them. Just scare, no harm done - maybe they'll spend more money on security?

    bah. sad.
  • I seem to gather that this place was using NT/SQL and that no one really bothered to implement any real security policies. I presume that someone just got in with one of the many *old* hacks for NT, gave himself an admin password, stole some data and left. he probably bragged about it on irc and gave away the remote login id, which prompted others to have a go as well when they had nothing better to do. Fun for the whole family.

    I can imagine this having some pretty heavy fallout in that sue happy state. A class action suite is bound to follow and I can imagine that after all the "investigations" and "commisions" have done their work and fired one or two fall guys, it'll be back to the same procedure.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...