cross-posted from: https://lemmy.ca/post/60478981

Borges alleges that a little-known federal tech team called the Department of Government Efficiency, or DOGE, copied the government’s master Social Security database into a cloud system that lacked normal oversight.

If his account is correct, the mishandling of this information could expose hundreds of millions of people to fraud and abuse for the rest of their lives.

  • sp3ctr4l@lemmy.dbzer0.com
    10 upvotes · 16 hours ago

    Yep.

    That’s Elon’s tech expertise right there.

    Quite literally doxxed the entire country and more than likely compromised the security of basically everything he touched.

    In a sane world, he’d be in some kind of fucking hyper prison, for directing and overseeing the largest data breach essentially in all of history.

    If somebody hacked in remotely and did this… they would be in hyper prison, serving like thousands of life sentences.

    • CubitOom@infosec.pub (OP)
      1 upvote · 12 hours ago

      That won’t stop people from opening accounts in your name or filing your taxes wrong so that they get your refund.

  • GaMEChld@lemmy.world
    2 upvotes · 13 hours ago

    Reminder, everyone should have frozen their credit at all three bureaus after the Equifax breach anyway. Everyone’s identity has been compromised for a while.

  • BeardededSquidward@lemmy.blahaj.zone
    8 upvotes · 18 hours ago

    Remember, freeze on all your credit accounts. In fact this should be an opt out situation at this point, you should have to request NOT to have a freeze on your accounts at all anymore.

  • melsaskca@lemmy.ca
    14 upvotes · 23 hours ago

    I think most sane, thinking people assumed data theft was going on all along. It was the main purpose of DOGE, who were placed in our institutions by a corrupt president and pretended to be there to save the government money.

    • friend_of_satan@lemmy.world
      2 upvotes · 15 hours ago

      Srsly. The way they were shoving their way into every sensitive system, it would’ve been a miracle if this had not happened.

  • mech@feddit.org
    138 upvotes · 2 days ago

    Spoiler: They won’t change them.
    The entire concept of a single number that you share with every employer and can be used to impersonate you and steal your identity is already mind-bogglingly stupid.

    • ByteJunk@lemmy.world
      14 upvotes · 1 day ago

      National ID cards are not a way to impersonate someone, because they ARE NOT authentication. By themselves, they’re almost public information, and just because you know someone’s ID number does not mean you’re them, like nobody thinks you’re someone else just because you know their phone number.

      Many countries are rolling out ID cards that do include authentication - they have integrated chips, like bank cards, and you can use your secret pin to prove you’re who you say you are, but that’s totally different.

      The US system is what’s mind bogglingly stupid. There’s this magic number that you’re supposed to keep secret because nobody has any other way of checking if someone is who they say they are?

      • ManixT@lemmy.world
        4 upvotes · 23 hours ago

        The Estonian system with these cards is absolutely amazing and should be a role model for the world.

    • halcyoncmdr@piefed.social
      47 upvotes · 1 day ago

      The system was never designed to be used for anything beyond Social Security, and from the beginning using it as an identifier has been discouraged. That doesn’t stop companies from using it like that though.

      • Logi@lemmy.world
        9 upvotes · 1 day ago

        Using it as an identifier isn’t really a problem. Using it as credentials, being somehow able to impersonate someone just by reciting a not very secret identifier, that is mind-bogglingly stupid.

  • apftwb@lemmy.world
    34 upvotes, 2 downvotes · 1 day ago

    Just make social security numbers public information at this point. Who cares. Don’t develop your security model around a user’s SS number being secret.

  • Zephorah@discuss.online
    47 upvotes · 2 days ago

    This number is required sharing so often by the time you hit middle age, there are good odds it’s in the wind already.

    • HubertManne@piefed.social
      2 upvotes · 14 hours ago

      Before 2011 the first three digits were the locale when you requested one, which is usually when you were born, at the hospital’s location, and the next two are about when. When they ask for the last 4 they are asking for the 4 digits that can’t be sussed out, for security.

      • [deleted]@piefed.world
        2 upvotes · 18 hours ago

        At university in the 90s they publicly posted grades by ssn instead of name.

        My driver’s license ID number was my ssn. Then they changed it to a different number, but I got a state ID as a backup with a pic in case the license was lost and that type of ID had my ssn. No idea what the state ID uses any more, but probably not that since apparently the very insecure and public nine digit number magically became super secret because credit companies wanted it to be.

        • tiredofsametab@fedia.io
          2 upvotes · 14 hours ago

          I started in the late '90s as well. I can’t remember for sure if the exams/grades were posted by SSN. I have some memory of that, but I also have seen it in videos and I’m not sure if I’m conflating the two.

  • bitteroldcoot@piefed.social
    55 upvotes · 2 days ago

    At this point my ss number has been stolen by so many people I’m not sure this matters.

    I still want Elon nailed to a pole by his genitalia and set on fire for what he and big balls did.

    But I used to work for the DOD and the Chinese kept breaking into OPM’s computers and stealing everything about me. So I’m pretty sure my clone is out there somewhere enjoying my high credit score.

      • tomiant@piefed.social
        5 upvotes · 18 hours ago

        Maybe they just wanted to live a good, honest life and needed a good Citizen Consumer Score to be allowed to.

      • coolfission@lemmy.world
        1 upvote · 19 hours ago

        That’s why you freeze your credit to prevent fraud applications. It’s super easy to do but most people don’t know that you can freeze/unfreeze it anytime by creating an account with the big 3 bureaus.

  • sylver_dragon@lemmy.world
    24 upvotes · 1 day ago

    The whole idea that we have some permanent “secret” number which is used to uniquely identify us is just really, really dumb in this day and age. There are better solutions, but they are hard, cost money and will probably face an insane level of political resistance. So, we continue to lurch on with the dead corpse of a bad idea that is social security numbers. But hey, at least it’s cheap, right?

    • CubitOom@infosec.pub (OP)
      7 upvotes · 1 day ago

      What if social security was instead a gpg key pair?

      Although it will probably become a blue checkmarked profile on X.com

        • jabberwock@lemmy.dbzer0.com
          7 upvotes · 1 day ago

          Could set up a key escrow with the issuing agency so there is a recovery mechanism if they can prove their identity through other means. That’s at least as secure as the current model in terms of issuance.

          Ideally we would move towards self-sovereign identities, but that’s a whole other effort.

      • sylver_dragon@lemmy.world
        1 upvote, 1 downvote · 23 hours ago

        That’s really my thinking on it. Though, I would do the same thing the US Government does for ID cards now: smartcards.
        So, we already have the Real ID Act, which started the standardization of ID in the US, let’s take it one step further. The US Government stands up a PKI infrastructure, which then issues subordinate issuer certificates to the States. The States are then in charge of issuing each person a smartcard with a personal digital certificate. These cards would be tied to driver’s licenses or state ID cards, much as Real IDs are today. There would need to be a Federal standard on what types of card technologies would need to be used. And we’d probably want both contact chip and NFC communications.

        When you want to access Government services or specific areas which actually need that level of identity confirmation, you would go through a similar process to any digital certificate login. You tap/dip the card, enter a pin and the systems exchange an encrypted nonce to verify the private key. I’d also want to see some regulation around when you can be asked to use it. With GDPR style fines (e.g. 5% of global revenue, per incident) behind those regulations.

        To throw a bone at the “think of the children” crowd, to get them on-board politically, it would also be interesting to investigate the possibility of using the system for age verification, without providing identification to anyone. E.g. using something akin to a zero-knowledge proof, or just a bit which can be set when signing a nonce which shows that the ID is valid for whatever age is required for something. But maybe that’s just my not-quite-awake brain coughing up silly ideas.
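
The tap, PIN and nonce exchange described in the comment above, as an added Go example that is not part of the thread or of any real ID system: a toy two-level chain (federal root, state issuer, card) in which the verifier checks the chain and then a signature over its own fresh nonce. It signs the nonce with Ed25519 rather than encrypting it, uses bare signed keys instead of X.509, and `Cert`, `Card`, `NewDemo`, `Verify` and the PIN are constructed names and values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a toy certificate (not X.509): a public key signed by its issuer.
type Cert struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// Card stands in for the smartcard; the private key and PIN never leave it.
type Card struct {
	State, Person Cert
	priv          ed25519.PrivateKey
	pin           string
}

// NewDemo builds a constructed federal root, one state issuer and one card.
func NewDemo(pin string) (ed25519.PublicKey, *Card) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	statePub, statePriv, _ := ed25519.GenerateKey(rand.Reader)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return rootPub, &Card{Cert{statePub, ed25519.Sign(rootPriv, statePub)},
		Cert{pub, ed25519.Sign(statePriv, pub)}, priv, pin}
}

func (c *Card) Sign(pin string, nonce []byte) []byte {
	if pin != c.pin {
		return nil // wrong PIN: the card refuses to sign the challenge
	}
	return ed25519.Sign(c.priv, nonce)
}

// Verify walks root -> state -> person, then checks the signature over the nonce.
func Verify(root ed25519.PublicKey, state, person Cert, nonce, sig []byte) bool {
	chainOK := ed25519.Verify(root, state.Pub, state.Sig) && ed25519.Verify(state.Pub, person.Pub, person.Sig)
	return chainOK && ed25519.Verify(person.Pub, nonce, sig)
}

func main() {
	root, card := NewDemo("4821") // constructed PIN
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge chosen by the verifier
	fmt.Println(Verify(root, card.State, card.Person, nonce, card.Sign("4821", nonce)))
}
```

Presenting only the certificates, the analogue of reciting an ID number, yields no valid signature, and a signature captured for one nonce fails against the next one.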

  • spongebue@lemmy.world
    32 upvotes · 2 days ago

    a little-known federal tech team called the Department of Government Efficiency, or DOGE

    Little-known? Really?