Australian Government Loses DVD With Personal Info Of Everyone In Its 'Stay Smart Online' Program

from the stay-smart-online-by-not-giving-your-info-to-the-gov't dept

Slashdot points us to a bit of irony, in which it appears the Australian government ended up exposing the personal info of a bunch of citizens who had signed up for "stay smart online" alerts. Apparently, one way to stay smart online is to not sign up for "stay smart online" alerts from the Australian government. The issue was that a contractor who was running the program, AusCERT, had put all of the info -- including "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" -- onto a DVD and mailed it to another contractor who was taking over the program. And... it got lost in the mail. At least the passwords were hashed. But, you'd expect to be a bit safer than that when giving your information to the government for a "stay smart online" program...


Reader Comments

  1.  
    Torg (profile), Jul 9th, 2012 @ 3:22pm

    Who the hell uses DVDs to transmit information?

     

  2.  
    Alana (profile), Jul 9th, 2012 @ 3:24pm

    You're expecting the government to be smart about the internet.

    The government.

    To be smart. About the internet.

    :|

     

  3.  
    Anonymous Coward, Jul 9th, 2012 @ 3:28pm

    Did they salt the hash? Because if they didn't...

     

  4.  
    That Anonymous Coward (profile), Jul 9th, 2012 @ 3:38pm

    This is object lesson 1.
    If you want to be smart and safe online, don't trust the government.

     

  5.  
    Anonymous Coward, Jul 9th, 2012 @ 3:41pm

    Re:

    Ha! That's a joke, right?

     

  6.  
    Jikap (profile), Jul 9th, 2012 @ 3:45pm

    I guess they could use a 'Stay Smart Offline' program as well...

     

  7.  
    Josh in CharlotteNC (profile), Jul 9th, 2012 @ 3:49pm

    Re:

    Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. -Andrew Tanenbaum

    Though seriously, it was AusCERT. If it was some random for-profit government contractor, I'd expect this level of carelessness. These guys are supposed to be pros.

     

  8.  
    tyler d, Jul 9th, 2012 @ 3:56pm

    First rule of stay smart on line...

     

  9.  
    That One Guy (profile), Jul 9th, 2012 @ 4:00pm

    Working as intended

    Seems to me this program is working exactly as it should be, given the first rule of online safety:

    Don't give out personal information unless you absolutely have to, and even then do so as little as possible.

    A person who would provide anyone with "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" has already proven that they've failed Online Safety 101. The ones who passed were the people smart enough to not hand over the info.

     

  10.  
    Anonymous Coward, Jul 9th, 2012 @ 4:54pm

    From Their Website...

    "Encrypt sensitive information. If you keep personal or financial information on your computer, consider taking steps to encrypt and protect sensitive files and folders."

    They forgot to add "Because we won't".

     

  11.  
    Hephaestus (profile), Jul 9th, 2012 @ 5:06pm

    Re:

    Object Lesson 1
    If you want to stay safe anywhere, don't trust the government.

    FTFY

     

  12.  
    pyro, Jul 9th, 2012 @ 5:08pm

    Yep... Proud to be Australian... It's up there with good ol' Stephen Conroy: http://www.youtube.com/watch?v=1gl7X6peh-w

     

  13.  
    Anonymous Coward, Jul 9th, 2012 @ 5:22pm

    Re:

    Naw, it would conflict with their stay stupid offline program

     

  14.  
    Lozine, Jul 9th, 2012 @ 5:30pm

    HAHAHHA government and the internet? Gooood luck with that.

     

  15.  
    Mega1987 (profile), Jul 9th, 2012 @ 8:21pm

    And those guys say having everyone's info in their database is safe.

    Try consulting a professional before doing such things...

    And who in the world contains that data in a DVD? It's better to extract it from the net to its intended destination.

    Wait a moment... You guys hate cloud-networking since it's a good source for those piracy thingies... so you go old school on high capacity PHYSICAL storage medium.

    Now, you end up losing such valuable data that anyone who got them will have a field day hacking those accounts to hell...

    Nice job, and sorry for the term, c@\/3|\/|3|\|$...

     

  16.  
    VMax, Jul 9th, 2012 @ 9:14pm

    Re: Re:

    "If you want to stay safe anywhere, don't trust anyone"

    FTFY

     

  17.  
    Alan, Jul 9th, 2012 @ 10:48pm

    I'd bet they probably collected the data and then realised they had no clue how to protect it. Their solution being a DVD because it can't be hacked... which is kinda sad xD

     

  18.  
    PaulT (profile), Jul 10th, 2012 @ 12:31am

    Re: Working as intended

    "A person who would provide anyone with "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" has already proven that they've failed Online Safety 101."

    Erm, given that you have an account here, haven't you already handed that information to Techdirt? There's nothing to suggest that the details lost were for anything other than the agency's own service...

     

  19.  
    BentFranklin (profile), Jul 10th, 2012 @ 6:11am

    Wait, what? Security contractors never heard of ssh? That's kind of scary.

    Or is it that security contractors don't trust ssh? That would be hella scary.

     

  20.  
    That One Guy (profile), Jul 10th, 2012 @ 7:06am

    Re: Re: Working as intended

    Fair enough, though I'd argue that providing all of your email address to a site to sign up isn't exactly giving out much.

    As far as what was lost, the post doesn't go into details, so you could be right, and it could just be the info to go with that particular service, which would be kinda funny, as a service designed to show people proper online safety botches their own lesson, but not too bad overall.

     

  21.  
    PaulT (profile), Jul 10th, 2012 @ 7:33am

    Re: Re: Re: Working as intended

    There's one valuable lesson - no matter how trustworthy the government agency, data will always end up in the hands of the lowest bidder. No matter how secure the company's reputation, data will end up in the hands of the lowest paid employee, who isn't paid enough to care about your security.

    In terms of actual damage, there's probably not a lot of real risk unless the people involved have been using the same passwords for everything, use the same reminder questions for everything and answer any spam email they get as though it's real. Time to find out if they learned anything I suppose...

     
