Australian Government Loses DVD With Personal Info Of Everyone In Its 'Stay Smart Online' Program
from the stay-smart-online-by-not-giving-your-info-to-the-gov't dept
Slashdot points us to a bit of irony, in which it appears the Australian government ended up exposing the personal info of a bunch of citizens who had signed up for “stay smart online” alerts. Apparently, one way to stay smart online is to not sign up for “stay smart online” alerts from the Australian government. The issue was that a contractor who was running the program, AusCERT, had put all of the info — including “usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords” — onto a DVD and mailed it to another contractor who was taking over the program. And… it got lost in the mail. At least the passwords were hashed. But, you’d expect to be a bit safer than that when giving your information to the government for a “stay smart online” program…
Filed Under: australia, password hash, security
Comments on “Australian Government Loses DVD With Personal Info Of Everyone In Its 'Stay Smart Online' Program”
Who the hell uses DVDs to transmit information?
Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. -Andrew Tanenbaum
Though seriously, it was AusCERT. If it was some random for profit government contractor, I’d expect this level of carelessness. These guys are supposed to be pros.
You’re expecting the government to be smart about the internet.
To be smart. About the internet.
Did they salt the hash? Because if they didn’t…
Ha! That’s a joke, right?
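To make the salting question concrete, here is an added Python example; it is not part of the article or any comment, and it says nothing about how AusCERT actually stored its hashes. The subscriber names and passwords are constructed sample data, and the `linkable_users` check is a hypothetical helper. It contrasts a bare SHA-256 of the password with PBKDF2-HMAC-SHA256 using a random per-user salt, and shows the defender's reason for salting: in an unsalted table, every subscriber who chose the same password has an identical stored value, so whoever finds the disc can group them without guessing anything; with per-user salts the stored values are all different.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the page): subscriber name -> chosen password.
# Three subscribers happen to have picked the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "Passw0rd!",
    "carol": "Passw0rd!",
    "dave": "Passw0rd!",
    "erin": "tr0ub4dor&3",
}


def unsalted_hash(password):
    """A bare SHA-256 of the password: the weak scheme the comment above worries about."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.

    The result is a self-describing string (algorithm, iteration count, salt, digest)
    so that verification needs nothing but the stored value itself.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_salted(password, stored):
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def build_table(users, hash_fn):
    """Build a stored-credential table the way a subscriber database would hold it."""
    return {name: hash_fn(pw) for name, pw in users.items()}


def linkable_users(table):
    """Hypothetical audit helper: count users whose stored value equals at least one
    other user's. In an unsalted table this reveals shared passwords with zero effort."""
    counts = {}
    for stored in table.values():
        counts[stored] = counts.get(stored, 0) + 1
    return sum(1 for stored in table.values() if counts[stored] > 1)


if __name__ == "__main__":
    weak = build_table(SAMPLE_USERS, unsalted_hash)
    strong = build_table(SAMPLE_USERS, salted_hash)
    print("unsalted: linkable users =", linkable_users(weak))    # 3
    print("salted:   linkable users =", linkable_users(strong))  # 0
    print("verify bob:", verify_salted("Passw0rd!", strong["bob"]))  # True
```

Note that salting fixes only the linkability problem; a lost disc still exposes every record to offline guessing, which is why the iteration count (the work factor) matters, and why the plaintext "memorable phrases" on the same disc are the more serious leak: a password reminder cannot be hashed, so the only safe policy is not to collect it at all, and to encrypt any export before it leaves the building.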
This is object lesson 1.
If you want to be smart and safe online, don’t trust the government.
Object Lesson 1
If you want to stay safe anywhere, don’t trust the government.
Re: Re: Re:
“If you want to stay safe anywhere, don’t trust anyone”
I guess they could use a ‘Stay Smart Offline’ program as well…
Naw, it would conflict with their stay stupid offline program
First rule of stay smart on line…
Working as intended
Seems to me this program is working exactly as it should be, given the first rule of online safety:
Don’t give out personal information unless you absolutely have to, and even then do so as little as possible.
A person who would provide anyone with “usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords” has already proven that they’ve failed Online Safety 101. The ones who passed were the people smart enough to not hand over the info.
Re: Working as intended
“A person who would provide anyone with “usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords” has already proven that they’ve failed Online Safety 101.”
Erm, given that you have an account here, haven’t you already handed that information to Techdirt? There’s nothing to suggest that the details lost were for anything other than the agency’s own service…
Re: Re: Working as intended
Fair enough, though I’d argue that providing all of your email address to a site to sign up isn’t exactly giving out much.
As far as what was lost, the post doesn’t go into details, so you could be right, and it could just be the info to go with that particular service, which would be kinda funny, as a service designed to show people proper online safety botches their own lesson, but not too bad overall.
Re: Re: Re: Working as intended
There’s one valuable lesson – no matter how trustworthy the government agency, data will always end up in the hands of the lowest bidder. No matter how secure the company’s reputation, data will end up in the hands of the lowest paid employee, who isn’t paid enough to care about your security.
In terms of actual damage, there’s probably not a lot of real risk unless the people involved have been using the same passwords for everything, use the same reminder questions for everything and answer any spam email they get as though it’s real. Time to find out if they learned anything I suppose…
From Their Website...
“Encrypt sensitive information. If you keep personal or financial information on your computer, consider taking steps to encrypt and protect sensitive files and folders.”
They forgot to add “Because we won’t”.
Yep… Proud to be Australian… It’s up there with good ol’ Stephen Conroy: http://www.youtube.com/watch?v=1gl7X6peh-w
HAHAHHA government and the internet? Gooood luck with that.
And those guys say having everyone’s info in their database is safe.
Try consulting a professional before doing such things…
And who in the world puts that data on a DVD? It’s better to send it over the net to its intended destination.
Wait a moment… You guys Hate cloud-networking since it’s a good source for those piracy thingies… so you go old school on high capacity PHYSICAL storage medium.
Now, you end up losing such valuable data that anyone who gets it will have a field day hacking those accounts to hell…
Nice job, and sorry for the term, c@/3|/|3||$…
I’d bet they probably collected the data and then realised they had no clue how to protect it. Their solution being a DVD because it can’t be hacked… which is kinda sad xD
Wait, what? Security contractors never heard of ssh? That’s kind of scary.
Or is it that security contractors don’t trust ssh? That would be hella scary.