UK Judge: Samsung Wins Over Apple In Patent... >>
<< NYPD Put Couple On 'Wanted' Poster For...
 tdicon 

(Mis)Uses of Technology

by Mike Masnick

Mon, Jul 9th 2012 3:11pm




Filed Under:
australia, password hash, security

Companies:
auscert


Australian Government Loses DVD With Personal Info Of Everyone In Its 'Stay Smart Online' Program

from the stay-smart-online-by-not-giving-your-info-to-the-gov't dept

Slashdot points us to a bit of irony, in which it appears the Australian government ended up exposing the personal info of a bunch of citizens who had signed up for "stay smart online" alerts. Apparently, one way to stay smart online is to not sign up for "stay smart online" alerts from the Australian government. The issue was that a contractor who was running the program, AusCERT, had put all of the info -- including "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" -- onto a DVD and mailed it to another contractor who was taking over the program. And... it got lost in the mail. At least the passwords were hashed. But, you'd expect to be a bit safer than that when giving your information to the government for a "stay smart online" program...

21 Comments | Leave a Comment

If you liked this post, you may also be interested in...

Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    Torg (profile), Jul 9th, 2012 @ 3:22pm

    Who the hell uses DVDs to transmit information?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Josh in CharlotteNC (profile), Jul 9th, 2012 @ 3:49pm

      Re:

      Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. -Andrew Tanenbaum

      Though seriously, it was AusCERT. If it was some random for profit government contractor, I'd expect this level of carelessness. These guys are supposed to be pros.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Alana (profile), Jul 9th, 2012 @ 3:24pm

    You're expecting the government to be smart about the internet.

    The government.

    To be smart. About the internet.

    :|

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 9th, 2012 @ 3:28pm

    Did the salt the hash? Because if they didn't...

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    That Anonymous Coward (profile), Jul 9th, 2012 @ 3:38pm

    This is object lesson 1.
    If you want to smart and safe online, don't trust the government.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Jikap (profile), Jul 9th, 2012 @ 3:45pm

    I guess they could use a 'Stay Smart Offline' program as well...

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    tyler d, Jul 9th, 2012 @ 3:56pm

    First rule of stay smart on line...

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    That One Guy (profile), Jul 9th, 2012 @ 4:00pm

    Working as intended

    Seems to me this program is working exactly as it should be, given the first rule of online safety:

    Don't give out personal information unless you absolutely have to, and even then do so as little as possible.

    A person who would provide anyone with "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" has already proven that they've failed Online Safety 101. The ones who passed were the people smart enough to not hand over the info.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      PaulT (profile), Jul 10th, 2012 @ 12:31am

      Re: Working as intended

      "A person who would provide anyone with "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" has already proven that they've failed Online Safety 101."

      Erm, given that you have an account here, haven't you already handed that information to Techdirt? There's nothing to suggest that the details lost were for anything other than the agency's own service...

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        That One Guy (profile), Jul 10th, 2012 @ 7:06am

        Re: Re: Working as intended

        Fair enough, though I'd argue that providing all of your email address to a site to sign up isn't exactly giving out much.

        As far as what was lost, the post doesn't go into details, so you could be right, and it could just be the info to go with that particular service, which would be kinda funny, as a service designed to show people proper online safety botches their own lesson, but not too bad overall.

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          PaulT (profile), Jul 10th, 2012 @ 7:33am

          Re: Re: Re: Working as intended

          There's one valuable lesson - no matter how trustworthy the government agency, data will always end up in the hands of the lowest bidder. No matter how secure the company's reputation, data will end up in the hands of the lowest paid employee, who isn't paid enough to care about your security.

          In terms of actual damage, there's probably not a lot of real risk unless the people involved have been using the same passwords for everything, use the same reminder questions for everything and answer any spam email they get as though it's real. Time to find out if they learned anything I suppose...

           

          reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 9th, 2012 @ 4:54pm

    From Their Website...

    "Encrypt sensitive information. If you keep personal or financial information on your computer, consider taking steps to encrypt and protect sensitive files and folders."

    They forgot to add "Because we won't".

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    pyro, Jul 9th, 2012 @ 5:08pm

    Yep... Proud to be Australian... It's up there with good ol' Stephen COnroy: http://www.youtube.com/watch?v=1gl7X6peh-w

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Lozine, Jul 9th, 2012 @ 5:30pm

    HAHAHHA government and the internet? Gooood luck with that.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Mega1987 (profile), Jul 9th, 2012 @ 8:21pm

    And those guys says having everyone's info in their database is safe.

    Try consulting a professional before doing such things...

    And Who in the world contain those data in a DVD? It's better to extract those from the net to it's intended destination.

    Wait a moment... You guys Hate cloud-networking since it's a good source for those piracy thingies... so you go old school on high capacity PHYSICAL storage medium.

    Now, you end up loosing such valuable data that anyone who got them will have a field day hacking those accounts to hell...

    Nice job, and sorry for the term, c@\/3|\/|3|\|$...

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Alan, Jul 9th, 2012 @ 10:48pm

    I'd bet they probably collected the data and then realised they had no clue how to protect it. Their solution being a dvd because it can't be hacked... which is kind's sad xD

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    BentFranklin (profile), Jul 10th, 2012 @ 6:11am

    Wait, what? Security contractors never heard of ssh? That's kind of scary.

    Or is it that security contractors don't trust ssh? That would be hella scary.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
UK Judge: Samsung Wins Over Apple In Patent... >>
<< NYPD Put Couple On 'Wanted' Poster For...
 tdicon 
Follow Techdirt
Flattr rss rss
A word from our Sponsors...
Sponsored Resource
Essential Reading
Techdirt Reading List
Techdirt Insider Chat

A word from our Sponsors...
Recent Stories

Wednesday

7:50am: First Hand Account Of Judicial Smackdown Of Prenda In Minnesota (5)
5:51am: Quack Professor Releases Dumbest Violent Video Game Theory Ever (27)
3:46am: How Low Can Drones Go? (35)

Tuesday

11:19pm: Prenda Gets Some Tiny Bit Of Good News, As It May Get Out Of Two Critical Cases (15)
8:16pm: Ridiculous Timing: Obama Administration Responds To Spying On AP By Pushing Journalist Shield Law That Wouldn't Matter (26)
5:00pm: DailyDirt: Weapons In The Sky (8)
4:02pm: Bad Day For Prenda Continues: Judge Rejects Stay, Adds $1k Per Day For Each Day They Don't Pay Up (51)
3:01pm: Angry Judge Tells Prenda To Stop Falsifying Alan Cooper's Signature; Calls It Fraud (51)
2:15pm: More Details Emerge On Key Legal Fight Over DMCA Abuse (25)
1:04pm: NYC Says Renting Out Your Place Via Airbnb Is Running An Illegal Hotel (35)
More arrow
A word from our Sponsors...

Close

Email This