Low tech information disclosure in Boulder

Here’s a data-breach-in-progress story from right here in Colorado, in the People’s Republic of Boulder to be exact. I can say that – I live here. Anyway, the Boulder Daily Camera reports it like this.

BOULDER, Colo. — Police have chained up 10 recycling bins outside Boulder’s now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership’s former customers.

All of the folders contained Social Security numbers, driver’s license information, photos, phone numbers and financial information for Kia customers.

Come on, guys. Ever hear of a paper shredder? You might at least have attempted to sell the info or use it yourselves for nefarious purposes. Then we’d know you were crooks rather than just morons.

Law School network FAIL

So the other day my future daughter-in-law had this bizarre incident with her email account at the University of Maryland at Baltimore (Go Terps!) School of Law. Seems that she got one of those “time to change your password” messages, so like any tech-savvy person who has been indoctrinated (and browbeaten) by me, she chose a good strong password. The system seemed to take it okay, but several days later, when she wasn’t getting any email, it was obvious that something was wrong. So she called the IT support guys, who determined that the root of the problem was that their email system didn’t like her new password. Apparently this antique system allows only 8-character passwords with only alphanumeric characters, so clearly her 14-character password of alphanumeric and special characters wouldn’t work. Specifically, the system really can’t deal with the semicolon character she used. Say what??!! Whoa dudes – party like it’s 1990! It gets better.

After recovering from the initial shock, she asked them to reset the password so she could try to come up with a new one using the standards in place when she was a toddler. Sorry, said the IT support guy, but this will require “code changes,” and since this is the weekend, that guy won’t be in until Monday. Eventually they decided to call the mystery email coder in to make the changes that would fix the problem. So four hours later she had a brand spanking new classic, eminently hackable password for her main law school account.

So where do I even start with a debacle of this magnitude? How about with a disclaimer. My son, who as you might guess also goes to UMB law school, tells me that UMB’s network is completely separate from and vastly superior to the law school’s network. So with that out of the way, where in the world did they find a POP server that lame? Coding? Give me a break; I’ll chalk that up to untrained and marginally functional tech support. Given the environment, I’d imagine a student work-study (read: slave labor) gig. As for the 4-hour fix, I’m guessing 3 hours and 45 minutes to get onsite, 5 minutes to reset the password and 10 minutes to write the notification. All in all, not a stellar performance.

But herein lies the real problem. Given that this is a law school, all of those pissed-off students who will be compromised when their data is lost in the coming breach will be lawyers. I’m thinking that’s a pretty big risk of litigation. Also, one can only assume that the overall network, including the law school WiFi net, is as secure and well managed as the email server. Actually, I have it on good authority that this is in fact the case. Holy pending lawsuit, Batman!

So let me end this with a plea to the security group that meets at the Barnes and Noble in Inner Harbor to make an attempt to save these jokers from themselves. Unless of course you are sniping that free WiFi. And reading juicy emails from law students.