Trojan Compromises Oregon Taxpayers 250

Posted by samzenpus
from the but-the-internet-is-for-porn dept.
Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

  • Cliché (Score:2, Funny)

    by TheGatekeeper (309483)
    Cue trojan condom jokes, where's my +5 funny?
  • by jd (1658) <<moc.oohay> <ta> <kapimi>> on Wednesday June 14, 2006 @11:00PM (#15537603) Homepage Journal
    No wonder my taxes this year were so high. Hey, guys, I can't pay for Trimet on my own!
  • moron! (Score:5, Insightful)

    by eobanb (823187) on Wednesday June 14, 2006 @11:09PM (#15537643) Homepage
    Forgive my crudeness, but...what an idiot!

    Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.
    • Re:moron! (Score:3, Interesting)

      by megaditto (982598)
      Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software,[...] Actually, this is not surprising at all. Remember all the red tape involved!!!! To deploy 'web filtering software', a request has to be generated, a feasibility study needs to be performed, a 'validation' process has to be followed, SOPs have to be written, then the whole thing re-certified in its entirety (used to be, you would need to re-certify each component again after modifyin
    • Re:moron! (Score:5, Informative)

      by Anonymous Coward on Wednesday June 14, 2006 @11:41PM (#15537783)
      We should list the failures. Otherwise we don't learn anything. Since events like this are occurring all over the place, there is obviously an issue with government security controls. I'll start:

      1. Allowing private data to be stored on a workstation that has access to the Internet.
      2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
      3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
      4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).

      All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET [wikipedia.org], but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.

      Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.
      • Re:moron! (Score:3, Insightful)

        by Secrity (742221)
        Social Security numbers should never have had any value to anybody except to track an individual's Social Security (not IRS) taxes and benefits.

        There are only four entities that should have your Social Security number; Yourself, your spouse, your employer, and the US Social Security Administration. Nobody else should have your Social Security number; not the IRS, no state or local governments, and especially; not the banks, lenders or credit bureaus.

        When Social Security numbers were introduced, man
    • Re:moron! (Score:4, Informative)

      by Anonymous Coward on Thursday June 15, 2006 @12:01AM (#15537860)
      I work for a school district in California and as part of my duties I am responsible for the content filter (squid children+dansguardian+squid parent peers) and I parse the content to sarg logs with a few custom reports. One of those reports is between the hours of 3-5pm and on

      I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.

      Individuals who get caught have their internet disabled and *might* be written up. Being written up in government means you might be able to have it used against you if you: a) sexually harass someone, or b) come to work drunk/stoned. As far as penalties in government work, umm... there aren't really any. I do have to pay state income tax (with no other income source than the state) of course there are lots of other inefficiencies, rampant graft, overly complex bureaucratic hierarchies and completely complacent unions but such are the benefits of socialism.
      • Well if you're in charge of blocking websites then filter out the personal shopping ones. No one would get written up.
        Now, I'm not too sure how the hell 90% of the bandwidth during non-school hours could all be personal shopping and have no one get caught, perhaps I misunderstood your comment.
      • Re:moron! (Score:3, Insightful)

        by djupedal (584558)
        nearly 100% during Late Nov/all Dec) is personal shopping

        'Cake & eat it too' kind of Sheriff you are, eh?

        There is a reason you're only a filter nazi and the school admin is an admin...

          Most employers know that their employees shop online via their work computer - and most don't break a sweat over it, because it is either allow it or face having them absent an entire afternoon just to drop by Border's. Shopping online for 30 minutes can take the place of driving around, looking for parking, cruisin
        • Re:moron! (Score:2, Insightful)

          by Mr Z (6791)

          BINGO! And that time not spent driving around hells half acre to get some chores done leads to a less stressed, happier employee. And, in the case of teachers, more time at home to grade papers. :-) It's not like teachers do all their work on site between 8AM and 5PM.

          --Joe
        • And if the lazy fucking slackers are taking paid time off to go shopping then their sorry 'the-world-owes-me' asses should be fired and replaced with someone who'll, say, actually do the job. In the current economy, with so many looking for decent employment this should be an insanely easy thing to do.

          When I taught middle school I was also in charge of the network for the schools I was at. The hype was all about the 'improper access' that kids might have to the internet, but nearly all the violations were
    • Re:moron! (Score:5, Informative)

      by Anonymous Coward on Thursday June 15, 2006 @12:54AM (#15538010)
      Why do you assume there was no web filtering software?
      There was. Major player in the industry, updated every day.
      Virus software on the desktops set to update ever 2 hours.
      This was a zero day exploit from a non-obvious, not yet blocked web site.
      It reported back only via port 80.
      The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
      He might have been an idiot, but not a dumb one.
      As for rules on conduct, surprisingly, browsing porn is actually against the rules.
      You have to sign an Internet Use agreement before you can use the Internet.
      Windows? Well, we have no choice there.
      There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.
      • Hey! This is Slashdot, we don't like 'facts' around here. They have an obvious bias towards the truth.
      • "You have to sign an Internet Use agreement before you can use the Internet."

        Nuff said.

        MORON!
        DUMBASS!
        TOO STUPID TO LIVE!

        Get the idea?
    • I fully agree with you except for one point. I'm pretty sure looking at porn with government computers isn't allowed, so...... they did one thing right.
    • having web access on a box with access to confidential data was the mistake.

      • Yes. And that list the AC put together earlier was a damn good summary, though I could think of things to add.

        For what computers cost these days, if the guy really needed web access, they could have issued him two machines in a red/black environment. I like air gaps. They're almost as good as not storing the data in the first place.
    • You are right - there are multiple failures here, and they aren't good.

      Can you imagine how much worse this would be if the data compromised included the GPS information that the good state of Oregon seems to want to collect from your car usage patterns? Suddenly, this information on the usage and driving patterns of every single car in the state of Oregon would/could be used by black hats - the number of cars stolen might just drop your jaw.

      I'd push hard to preserve the gas tax! It not only preserves your p
    • I think you began in the right place.
    • It seems to come up every couple months in the media (at least). Stories about how people are browsing pron on their work computer. I mean, come on, how stupid can you be? How bad is your job? And these aren't low ranking secretaries (although i'm sure it happens). Most of the time when you hear about it on the local news, it's high ranking city officials. Not that pron is evil or anything, but it's not something that you should be looking at on office hours. Is it really that common for people to do
    • I think there should be a law that attaches liability to owners of such information. If holding that information and letting it out can result in you paying steep damages, then companies and governments will think twice about a having such a bad security policy like that place has... Or at least they will buy insurance and the victims don't get screwed like they do now.

    • How about this one: I misfiled my state taxes and had to send in an additional check to cover difference (phone entry system, transposed a number). The instructions indicated that I had to write my social security number ON THE CHECK!

      I wrote them a note stating how irresponsible this was... causing delays in its processing. For those out there who are too young, or haven't been educated on such matters: think about how many folks will get to see that check. Now think... they have your name, financial instit
      • What the hell are you complaining about? That a government employee will be seeing your SSN? Oh my god, the shock and horror! Guess what else they can see: your checking account and routing number. That's almost as big of a concern as your SSN since that's all it takes to drain your account. There will ALWAYS be confidential information on tax returns, that's why they're confidential. And employees hired to handle this information are properly screened. No, I'm not saying that the government never fails to
        • No, genius, it is not.
          First, the state gov't processes it. I am not sure how many handle, but I bet the majority of the folks in their check processing department otherwise would not know my SSN. Why do they need my SSN to process a check?

          The check does not stay in just their hands. It eventually gets handed to someone at a third party bank that I do NOT do business with. Jillian the cashier now gets to see my SSN and all my banking information. She hands that off to someone who does the reconciliation. It g
    • RTFA= they had web filtering software. What they didn't have is:

      a) an outgoing desktop firewall
      or
      b) limited functionality browsers on the desktop.

      I just don't see why the Department of Administrative Services insists that everybody needs IE 6.0, the most unsafe browser imaginable, on the desktop. That's just asking for this kind of abuse.
    • Now that PCs are so cheap there is no excuse to not build a system intentionally for the job at hand.
      If the job is to manage high value and sensitive data then why use a known flawed home OS?
      Just read down the "features" of XP-professional, how many people consider all that multimedia junk applicable to business uses?

      People should start to get fired for running Windows!
    • Yeah, there's something about Oregon government workers. I used to work there too!

      I heard about this manager who not only surfed pr0n at work, but printed it out on the full-color plotter as a poster to take home! Needless to say, he didn't stay very long after that.

      The IT staff was a hilariously incompetent bunch. I remember that they wanted to upgrade all the computers, so they bought a pallet full of 486 OverDrive chip upgrades. By the time the purchase order got in and their overpriced, sleazy vendor go
  • by mcpkaaos (449561) on Wednesday June 14, 2006 @11:10PM (#15537650)
    What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

    It is absolutely amazing to me that this event was even possible.
    • a trusted administrator with lotsa logging

      A competent admin is working elsewhere, where s/he is paid accordingly. The IT leftovers, not able to get hired by the private sector, get to work for the Govt... Generalization, of course, but more true than not.

      Remember, in 2006, nearly 5 years after 9/11, most FBI employees still do not have a work email access, or the ability to do multiple word searches (e.g. cannot search for "bin laden", have to enter just "bin", then scroll down, because of the space charact
      • Depends on a lot of things I should say.

        I work part time as sysadmin for the government, and I chose to do so because, well, things happen at a slower pace. When I'm not working here, I got my studies to tend to, so I love a job where I don't have to stress anything, and when I'm off work - I'm off, there's no calling me at 3 a.m. because something doesn't work. If it's broken people just send an email and expect me to deal with it when I find the time to do so.
    • The problem is that once the trojan is on the network it travels through the whole network.

      FTA:
      may have been compromised by an ex-employee's unauthorized use of a computer,

      It doesn't say that it was downloaded on the computer that held the information.
      • Trojans [webopedia.com] don't replicate. While its payload might, the trojan itself is just a delivery mechanism.

        From the article:

        The "trojan" program attached to the file may have sent taxpayer information back to the source when the computer was turned on again.

        That suggests to me that only the workstation was compromised, as does this:

        McLaughlin said the department determined on May 15 that the computer was being improperly used and on May 23 that some data may have been captured and sent out.

    • by Sentri (910293) *
      Most people just don't give a damn about computer security.

      This is the same old story over again, it shouldn't surprise you, why? Here's [wikipedia.org] some links [thinkgeek.com] to get [ubergoth.net] you started [dansdata.com]
    • My guess is they had the data locally in Excel spreadsheets, fiddling with things. Everyone's PC has Internet access these days - it's hard to function without it. Many people have secure information on their hard drives too.

      The alternative is thin-clients, which haven't ever taken off, mostly because they tend to be harder to use.
      • by mcpkaaos (449561) on Wednesday June 14, 2006 @11:56PM (#15537841)
        My guess is they had the data locally in Excel spreadsheets, fiddling with things.


        Dummy data. In all my years as a software engineer I have never worked with real or production data. There is never a reason for it, so just dummy something up and use that. Then situations like this are simply impossible.

        Many people have secure information on their hard drives too.


        Not in the Department of Revenue. At least, they shouldn't. That they obviously do should be a huge cause for concern and a process audit or three.
    • by KnowledgeFreak (528963) on Wednesday June 14, 2006 @11:53PM (#15537827)
      Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.

      What he's saying is that the data should only be on an oracle or whatever database where only reporting applications can run pre-written reporting programs on it. Those programs will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same time (and rarely that stuff at all).

      The reporting monkeys take *that* home. No one actually gets to see the data. This is exactly what part of sarbanes oxley is forcing the private sector to do with customer credit card data and other sensitive info.
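What "use dummy data, never production data" (mcpkaaos, above) and "reports that never return the SSN" (this post) look like in working code, as an added example that is not code from any poster or from the Department: a scan that finds plausible Social Security numbers sitting in a spreadsheet export on a workstation, and a report view that masks them down to the last four digits. The CSV layout, the column names and every value are constructed for the example; the plausibility rule uses the areas, groups and serials the Social Security Administration never issues (area 000, 666 and 900-999, group 00, serial 0000), which is what keeps the phone number in the sample from being flagged.

```python
"""
Find and mask SSNs in a spreadsheet export before it leaves the database.

Added example, not code from the Oregon Department of Revenue or from the
original posters. The CSV layout and all data below are constructed.
"""
import csv
import io
import re

# Loose match first (formatted or not), then validate against the values
# SSA never issues, so plausible SSNs are caught and junk is dropped.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return the plausible SSNs (digits only) found in a piece of text."""
    return [
        "".join(m.groups())
        for m in SSN_RE.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]


def mask_ssn(ssn_digits):
    """Keep only the last four digits, which is all a report normally needs."""
    return "***-**-" + ssn_digits[-4:]


def _mask_match(m):
    """re.sub callback: mask plausible SSNs, leave everything else untouched."""
    if is_plausible_ssn(*m.groups()):
        return mask_ssn("".join(m.groups()))
    return m.group(0)


def scan_csv(csv_text):
    """
    Return (row_number, column, ssn) for every plausible SSN in a CSV export.
    Row numbers are 1-based and exclude the header row. This is the check to
    run over a workstation's local files: any hit is production data that
    should not be there.
    """
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for rownum, row in enumerate(reader, start=1):
        for col, val in row.items():
            for ssn in find_ssns(val or ""):
                hits.append((rownum, col, ssn))
    return hits


def masked_report(csv_text):
    """Re-emit the CSV with every plausible SSN replaced by its masked form."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({col: SSN_RE.sub(_mask_match, val or "") for col, val in row.items()})
    return out.getvalue()


# Constructed sample export; every SSN-looking value is made-up test data.
# Row 3 carries an area-000 number, which is never issued and must not count.
SAMPLE_CSV = """\
name,address,ssn,notes
A. Taxpayer,"1 Main St, Salem OR",123-45-6789,refund pending
B. Taxpayer,"2 Oak Ave, Bend OR",224567890,called 503-555-0100
C. Taxpayer,"3 Elm Rd, Eugene OR",000-12-3456,test record
"""

if __name__ == "__main__":
    for rownum, col, ssn in scan_csv(SAMPLE_CSV):
        print("row %d column %s holds a production SSN ending %s" % (rownum, col, ssn[-4:]))
    print(masked_report(SAMPLE_CSV))
```

Running the scan again over the output of `masked_report` returns nothing, which is the property a report export should have before it is allowed onto a desktop: the masked form is enough to match a record back to the database, and nothing that leaks is enough to open a line of credit.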
      • Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.

        People (not you, necessarily) in this thread have immediately jumped on a public/private sector distinction. But I don't think that's so much the cause of variance. Instead, security, finally, varies by resource allocation. If a body, public or private, puts the right resources and personnel towards security, then things will be better. If they don't, things

      • What he's saying is that the data should only be on an oracle or whatever database where only reporting applications can run pre-written reporting programs on it. Those programs will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same time (and rarely that stuff at all).

        You seem to be forgetting about the developers who design these things and the reports that the idiot business people run. Only 2,200 records were compromised? Soun

      • I work with Data in the private sector and data like this cannot be on an unprotected machine.

        I don't know what companies you've been working for, but out there in the real world, people tend to run things by the seat of their pants. I've seen data, including credit card data, stored in a database on a windows 2000 server directly connected to the internet. I've had data worth millions of dollars emailed to me on the same machine I browsed Slashdot on during lunch. It was a windows 2000 machine too.

        That's just personal experience. I've heard stories of critical data sitting in USB shared drives, secured by nothing but friction to their sockets. Private company files transferred to the upstairs office via a hotmail account. Databases being backed up to iPods. The list goes on.

        These stories didn't come from government or other public organisations. No. These are stories straight from private industry, that magical market force that will save us all. If you think people actually follow the rules out there in the real world, you'd do better to think again.
      • I work with Data in the private sector

        You work with Data? I always thought he were just a fictionary Star Trek character ...
        SCNR :-)
    • ...then at least kept in encrypted files as per FIPS-180. (Yes, that's a Federal standard, but damnit, States should abide by SOME standards. Well, given the VA fiasco, it would be nice if the Federal Government did as well...)

      First off, you are right that direct access is Bad. Very Bad. In fact, internal systems should ideally be going through proxies and a firewall to prevent random applications (such as viruses) from setting up their own connections. For what is presumably a fairly low-bandwidth facility

      • internal systems should ideally be going through proxies and a firewall to prevent random applications (such as viruses) from setting up their own connections.

        The "security" provided by proxies is for the most part only perceived security - it's not exactly rocket science for malware to pull the proxy settings from other software such as your web browser and just connect that way.

        they could probably even use layer 7 filtering and block unauthorized applications even if they did have all the correct password
    • by TheViewFromTheGround (607422) on Thursday June 15, 2006 @12:13AM (#15537908) Homepage
      It is absolutely amazing to me that this event was even possible.

      Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.

      If you're throwing around passwords in the clear or unencrypted files or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.

      A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.

      Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit cards numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.

      Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.

      A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.
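What three points in this thread add up to in practice, as an added example that is not any poster's code and not anything from the Oregon Department of Revenue: the AC's failure number 4 (log at least the bytes sent from a secure computer), the department insider's note that the trojan reported back only via port 80, and the call in the post above for actual traffic analysis of the network rather than waiting for the desktop antivirus to catch up. The block below scans proxy logs for a workstation that posts request-body data to one host on a timer. The log line format, the addresses and the thresholds are constructed for the example; a real run would read the access log of the site's own proxy or egress firewall.

```python
"""
Spot a host that phones home over port 80 from constructed proxy logs.

Added example, not code from the Oregon Department of Revenue or the
original posters. The log format is an assumption loosely modelled on a
squid-style access log, one record per line:
    <epoch> <client_ip> <method> <url> <request_body_bytes> <status>
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.7 POSTs a few KB to one odd host every
# five minutes; 10.0.0.5 is an ordinary browsing session.
SAMPLE_LOG = """\
1150000000 10.0.0.5 GET http://www.example.org/DOR/ 0 200
1150000300 10.0.0.7 POST http://203.0.113.9/up.php 4096 200
1150000330 10.0.0.5 GET http://news.example.com/index.html 0 200
1150000600 10.0.0.7 POST http://203.0.113.9/up.php 4210 200
1150000700 10.0.0.5 POST http://mail.example.com/send 812 200
1150000900 10.0.0.7 POST http://203.0.113.9/up.php 3998 200
1150001200 10.0.0.7 POST http://203.0.113.9/up.php 4101 200
1150001350 10.0.0.5 GET http://shop.example.com/cart 0 200
1150001500 10.0.0.7 POST http://203.0.113.9/up.php 4055 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<req_bytes>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (ts, client, method, host, req_bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        host = urlsplit(m["url"]).hostname or ""
        yield int(m["ts"]), m["client"], m["method"], host, int(m["req_bytes"])


def find_beacons(text, min_hits=4, max_jitter=0.25, min_upload_bytes=8192):
    """
    Return (client, host, hits, uploaded_bytes, jitter) for every client/host
    pair that looks like a beacon: enough requests, regular spacing (low
    coefficient of variation of the gaps between them) and a meaningful
    amount of request-body data leaving the workstation. Thresholds are
    assumptions to be tuned per site.
    """
    by_pair = defaultdict(list)
    for ts, client, _method, host, req_bytes in parse_log(text):
        by_pair[(client, host)].append((ts, req_bytes))

    findings = []
    for (client, host), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # burst within one second: not a timer, handle elsewhere
        jitter = statistics.pstdev(gaps) / mean_gap
        uploaded = sum(b for _, b in events)
        if jitter <= max_jitter and uploaded >= min_upload_bytes:
            findings.append((client, host, len(events), uploaded, round(jitter, 3)))
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print("suspected beacon: client=%s host=%s hits=%d bytes_up=%d jitter=%.3f" % f)
```

The regularity test is the coefficient of variation of the gaps between requests; a person browsing rarely stays under 0.25 against one host, while a timer-driven implant does. The upload threshold is the part that needs the AC's "bytes sent" logging to exist at all: with only URL and status in the log there is nothing to sum, and a trojan that moved the equivalent of 7,000 pages of text would look like any other browsing.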

    • What was real data doing on a workstation with Internet access in the first place?
      Diebold automatic teller machines are also connected to the public internet. There are plenty of incompetent fools out there who will make those silly SF ideas of hacking into critical systems and causing havoc possible.
    • Um, I filed my taxes electronically this year. How's that gonna work if they don't have Internet access?

      (But this information definitely should not have been on a computer that was used for downloading porn, or rather, a computer with this information on it definitely should not have been used for downloading porn...)
    • I agree. I sometimes do work for a tax administration. Internet and email access is only possible
      through separate computers in the corridors, in plain sight, on a separate network. The only way
      to move private data to the Internet-enabled computer is by memorizing it. It is terribly
      inconvenient for IT staff, but it works.
  • Though on the bright side, porn site customers finally have a way to get screwed over the internet!
  • by pembo13 (770295) on Wednesday June 14, 2006 @11:25PM (#15537709) Homepage
    = Owned
  • by mojotooth (53330) <.moc.liamg. .ta. .htootojom.> on Wednesday June 14, 2006 @11:27PM (#15537717) Journal
    Only figures... Since most of the money I was supposed to pay my taxes with, I used to buy porn anyway.
    • "Only figures... Since most of the money I was supposed to pay my taxes with, I used to buy porn anyway."

      That's what you call cutting out the middle man. Only thing is, I can't remember if cutting out the middle man is considered Good or Bad in the pr0n world....

    • most of the money I was supposed to pay my taxes with, I used to buy porn anyway.
      Woah woah, you paid for porn? When did this start?
  • There is no reason anyone handling SS numbers should be given this sort of carte blanche access to their computers.
    • I like your idea. Part of the idea of not using windows in my house is so that I do not have to deal with a stolen ID (once somebody has your ID, then you move to hell). I make sure that the sites that I give my credit card to, do not run windows (nearly 100% of all CCs yet about 1/3 of the https space). But I have no control of gov sites. or the business desktops. And it is all the idiots that run windows that expose my life. If they are going to run windows, then should limit that risk for their customers. B
  • Wow... (Score:2, Funny)

    by zmilo (815667)
    I knew Oregon had a lot of wood, but this is ridiculous!
  • On the other hand (Score:4, Insightful)

    by Sentri (910293) * on Wednesday June 14, 2006 @11:37PM (#15537764) Homepage
    FTA:

    "Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."

    Lets read that again

    Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

    EX-EMPLOYEE!
    What the hell was an ex employee doing on site, surfing porn. Forget computational security, what about physical security.

    In the words of Napoleon Dynamite "Freakin Idiot!"
  • I just saw on CNN that some stupid government people in arizona and virginia opened up a public record accessible online. Maricopa county http://recorder.maricopa.gov/recdocdata/GetRecDataSelect.asp [maricopa.gov] And the one who complain Virginia Watchdog http://www.opcva.com/watchdog/ [opcva.com]
  • How come there were no filters in place ?
    I mean, it is the taxpayers money that are paying for that computer, internet link and his time.

    Yes, I know it is possible to circumvent those filters. But people who can circumvent filters are not likely to catch those trojans.
    • You'd be surprised how government offices are run...

      Employees who hook the -unused- built-in 56K modem into the phoneline to bypass filters to be able to read personal emails and what not, infecting the network without an admin being able to do much other than gluing the sockets shut to physically make it impossible to use that modem.

      Government employees aren't particularly the brightest or security-aware lot; I've heard quite shocking stories of consultants working for [Belgian] government instances.

  • by whitehatlurker (867714) on Wednesday June 14, 2006 @11:52PM (#15537824) Journal
    Here's a better version. [oregonlive.com] The site did hassle me about where I lived for a bit, until I said I was a foreigner.


    Quote from this one: "We maybe had a false sense of security," O'Meara said.


    Whoa, maybe. Y'think?


    The Trojan horse gathered the equivalent of 7,000 text pages of data.
      Somewhere a scammer is very, very busy.

    • 7000 pages? (Score:2, Interesting)

      by afaik_ianal (918433)

      More than 1,300 people face identity theft after a state employee let in data-stealing spyware.

      and

      The Trojan horse gathered the equivalent of 7,000 text pages of data. But O'Meara said his staff spent weeks poring over the data and found no tax files or financial information. He said it was limited to Social Security numbers, names and addresses.

      So that's ~5.3 "pages of text" per person they got only the SSN, name and address for. Either people in Oregon have really long names and addresses, or something e

  • by Tickle Cricket (845932) on Wednesday June 14, 2006 @11:55PM (#15537834)
    You get a Trojan!
    You die of dysentery lol
  • by Sparr0 (451780) <sparr0@gmail.com> on Wednesday June 14, 2006 @11:55PM (#15537835) Homepage Journal
    None of that information is secret. Your SSN, Address, and Name are all public information, the subject of numerous public records that anyone patient enough can pay $.10 per copy to get. Or just visit the appropriate county records website [broward.org].
  • So... (Score:2, Funny)

    by getwhipped (902948)
    Is that a link to the trojan or the porn site?
  • Is it just my perception or is this becoming routine now?

    I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

    The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc..

    Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

    Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.

    • We might be better off if there were statutory damages, say $1,000 per individual affected by the security lapse. That would put a value on the data, and encourage organizations to take measures to protect it.
      • say $1,000 per individual affected by the security lapse. That would put a value on the data
        $1,000 is a pittance compared to the potential financial loss, damage to one's credit & identity, and expenses incurred cleaning up someone else's mess.

        And those affected would never see that money anyway, it'd simply be revenue for the states and the lawyers.
        • Possibly, but the point is that it would create a real financial penalty for security lapses, which would be an improvement over the current situation, where, other than some bad p.r., the costs are borne by others.
          • "Possibly, but the point is that it would create a real financial penalty for security lapses, which would be an improvement over the current situation..."

            Maybe, trending towards probably not. There are fines for knowingly hiring illegal aliens. Wonder how that has worked out... :)

            The real problem is assigning some magical property (uniqueness, secrecy) to a number. It doesn't matter if that number is a SSN or some other number (or ID form). Because if it is widespread enough it will be used by everyone f
  • Ahh yes, cue the obligatory puns of "there are three players in this incident, the people screwing, the people doing the screwing, and We The People getting screwed"
  • by Alioth (221270) <no@spam> on Thursday June 15, 2006 @02:46AM (#15538278) Journal
    Well, at least the employee knows what the internet is for:
    The internet is for porn! http://video.google.com/videoplay?docid=5430343841227974645 [google.com]
  • by Zero__Kelvin (151819) on Thursday June 15, 2006 @03:32AM (#15538380) Homepage
    Did the "Information Technology Security Officer" happen to say why they were running an OS and application configuration that would let this happen in the first place?

    Noticeably missing from all of the articles I have seen is the name of the OS that was compromised. Is that because the news sites don't know there is more than one OS, because the reporters are incompetent, because Bill Gates will fire them if they mention it (think msnbc subsidiary), or because the reporters figure it is patently obvious that it was Windows since the compromise happened in the first place?
    • It also does not mention that the "Information Technology Security Officer" or his employees clearly are incompetent.
      Even with the unmentioned prevalent OS it is a snap to configure an office workstation in such a way that ordinary employees are not able to download, install and execute programs (including trojans) from the web.

      It starts by not giving the user an Administrator account.
      • From my initial post to which you replied:

        Did the "Information Technology Security Officer" happen to say why they were running an OS and application configuration that would let this happen in the first place?

        From your reply:

        It also does not mention that the "Information Technology Security Officer" or his employees clearly are incompetent. Even with the unmentioned prevalent OS it is a snap to configure an office workstation in such a way that ordinary employees are not able to download, install and e

  • 1) How (the fuck) is it possible to have the DOR private database on a computer that is connected to the internet ?
    2) What (the fuck) is a DOR employee doing on an internet porn site during working hours ?
    3) Where (the fuck) is this whole world coming to!? (err, is he a prudent republican?)
  • ...to pay taxes in Oregon!
  • The department updated the list of blocked sites every 24 hours, but like fast-multiplying germs, the Web sites overwhelmed its defenses.

    When are people going to learn? The rule in security is denied unless explicitly allowed.

    Simple math says there are an infinite number of sites to be blocked but only a handful of sites to be unblocked!

    I have no sympathy for:
    a) a company that allows the users to install software
    b) a company that allows everything and only blocks after the fact
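An added example (not code from the thread or from the Oregon DOR) contrasting the two policies the post describes: a blocklist that is "allow unless listed" versus a default-deny allowlist. Domain names and URLs are constructed placeholders; the point is that a site registered after yesterday's list update sails past the blocklist but is denied by the allowlist, and that matching must respect label boundaries and userinfo tricks.

```python
"""Default-deny vs. blocklist URL policy. Added example; domains are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample policies (hypothetical domains, not real lists).
ALLOWLIST = {"revenue.oregon.gov", "irs.gov"}
BLOCKLIST = {"known-bad.example"}  # yesterday's list; new sites are not on it


def hostname_of(url: str) -> Optional[str]:
    """Return a normalised host for the URL, or None if it cannot be parsed.
    urlsplit().hostname drops userinfo and port and lowercases, so
    'http://irs.gov@evil.example/' yields 'evil.example', not 'irs.gov'."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".")  # 'irs.gov.' (fully qualified) == 'irs.gov'


def domain_matches(host: str, entry: str) -> bool:
    """True if host is entry or a subdomain of it. The label-boundary check
    means 'notirs.gov' does not match 'irs.gov'."""
    return host == entry or host.endswith("." + entry)


def blocklist_allows(url: str) -> bool:
    """Default-allow: permitted unless some blocklist entry matches."""
    host = hostname_of(url)
    if host is None:
        return False
    return not any(domain_matches(host, e) for e in BLOCKLIST)


def allowlist_allows(url: str) -> bool:
    """Default-deny: permitted only if some allowlist entry matches."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(domain_matches(host, e) for e in ALLOWLIST)


if __name__ == "__main__":
    for u in ["https://www.irs.gov/forms", "http://brand-new-site.example/x",
              "http://irs.gov@evil.example/", "http://notirs.gov/"]:
        print(f"{u:36} blocklist={blocklist_allows(u)!s:5} allowlist={allowlist_allows(u)}")
```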
