Comments on Andy, ITGuy: Maybe he didn't really think this through.

The Trusted Toolkit, 2007-07-15:

Hey Andy,

Admittedly I have not read about this breach, but you make some good points in your comments IMO.

Your comments:

1. Absolutely! Employee ID numbers, student numbers, etc. are much better solutions. I worked on the Threat & Vulnerability team for a major US bank a few years ago and everyone's login to their intranet site was their SSN!

2. PKI is a nightmare if not designed effectively from the beginning. Poorly done PKI is worse than no PKI.

3. Absolutely NO reason for SSNs anywhere on a college campus with the possible exception of a financial aid office. Would be even better if the financial aid office would only use the SSN temporarily (and not store them).

4. RIGHT ON! Security is everyone's job. Funny thing is, Security is NOT an IT function at all. Portions of security require close interaction and support from IT, but IT is never responsible for securing data.

I don't really blame FDR. I don't think FDR could have foreseen what business has done with SSNs. Social Security Numbers were NEVER meant to be used as personal identifiers for any purpose other than to keep track of your Social Security account.

Keep up the good work Andy. Fightin' the good fight.