Australian Government Loses DVD With Personal Info Of Everyone In Its 'Stay Smart Online' Program

from the stay-smart-online-by-not-giving-your-info-to-the-gov't dept

Slashdot points us to a bit of irony, in which it appears the Australian government ended up exposing the personal info of a bunch of citizens who had signed up for "stay smart online" alerts. Apparently, one way to stay smart online is to not sign up for "stay smart online" alerts from the Australian government. The issue was that a contractor who was running the program, AusCERT, had put all of the info -- including "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" -- onto a DVD and mailed it to another contractor who was taking over the program. And... it got lost in the mail. At least the passwords were hashed. But, you'd expect to be a bit safer than that when giving your information to the government for a "stay smart online" program...

Filed Under: australia, password hash, security
Companies: auscert


Reader Comments



  1. Torg (profile), 9 Jul 2012 @ 3:22pm

    Who the hell uses DVDs to transmit information?

  2. Alana (profile), 9 Jul 2012 @ 3:24pm

    You're expecting the government to be smart about the internet.

    The government.

    To be smart. About the internet.

    :|

  3. Anonymous Coward, 9 Jul 2012 @ 3:28pm

    Did they salt the hash? Because if they didn't...

  4. That Anonymous Coward (profile), 9 Jul 2012 @ 3:38pm

    This is object lesson 1.
    If you want to be smart and safe online, don't trust the government.

  5. Anonymous Coward, 9 Jul 2012 @ 3:41pm

    Re:

    Ha! That's a joke, right?

  6. Jikap (profile), 9 Jul 2012 @ 3:45pm

    I guess they could use a 'Stay Smart Offline' program as well...

  7. Josh in CharlotteNC (profile), 9 Jul 2012 @ 3:49pm

    Re:

    Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. -Andrew Tanenbaum

    Though seriously, it was AusCERT. If it was some random for-profit government contractor, I'd expect this level of carelessness. These guys are supposed to be pros.

  8. tyler d, 9 Jul 2012 @ 3:56pm

    First rule of stay smart on line...

  9. That One Guy (profile), 9 Jul 2012 @ 4:00pm

    Working as intended

    Seems to me this program is working exactly as it should be, given the first rule of online safety:

    Don't give out personal information unless you absolutely have to, and even then do so as little as possible.

    A person who would provide anyone with "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" has already proven that they've failed Online Safety 101. The ones who passed were the people smart enough to not hand over the info.

  10. Anonymous Coward, 9 Jul 2012 @ 4:54pm

    From Their Website...

    "Encrypt sensitive information. If you keep personal or financial information on your computer, consider taking steps to encrypt and protect sensitive files and folders."

    They forgot to add "Because we won't".

  11. Hephaestus (profile), 9 Jul 2012 @ 5:06pm

    Re:

    Object Lesson 1
    If you want to stay safe anywhere, don't trust the government.

    FTFY

  12. pyro, 9 Jul 2012 @ 5:08pm

    Yep... Proud to be Australian... It's up there with good ol' Stephen Conroy: http://www.youtube.com/watch?v=1gl7X6peh-w

  13. Anonymous Coward, 9 Jul 2012 @ 5:22pm

    Re:

    Naw, it would conflict with their stay stupid offline program

  14. Lozine, 9 Jul 2012 @ 5:30pm

    HAHAHHA government and the internet? Gooood luck with that.

  15. Mega1987 (profile), 9 Jul 2012 @ 8:21pm

    And those guys say having everyone's info in their database is safe.

    Try consulting a professional before doing such things...

    And who in the world puts that data on a DVD? It's better to send it over the net to its intended destination.

    Wait a moment... You guys hate cloud networking since it's a good source for those piracy thingies... so you go old school on a high capacity PHYSICAL storage medium.

    Now you end up losing such valuable data that anyone who got it will have a field day hacking those accounts to hell...

    Nice job, and sorry for the term, c@\/3|\/|3|\|$...

  16. VMax, 9 Jul 2012 @ 9:14pm

    Re: Re:

    "If you want to stay safe anywhere, don't trust anyone"

    FTFY

  17. Alan, 9 Jul 2012 @ 10:48pm

    I'd bet they probably collected the data and then realised they had no clue how to protect it. Their solution being a DVD because it can't be hacked... which is kinda sad xD

  18. PaulT (profile), 10 Jul 2012 @ 12:31am

    Re: Working as intended

    "A person who would provide anyone with "usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords" has already proven that they've failed Online Safety 101."

    Erm, given that you have an account here, haven't you already handed that information to Techdirt? There's nothing to suggest that the details lost were for anything other than the agency's own service...

  19. BentFranklin (profile), 10 Jul 2012 @ 6:11am

    Wait, what? Security contractors never heard of ssh? That's kind of scary.

    Or is it that security contractors don't trust ssh? That would be hella scary.

  20. That One Guy (profile), 10 Jul 2012 @ 7:06am

    Re: Re: Working as intended

    Fair enough, though I'd argue that providing your email address to a site to sign up isn't exactly giving out much.

    As far as what was lost, the post doesn't go into details, so you could be right, and it could just be the info to go with that particular service, which would be kinda funny, as a service designed to show people proper online safety botches their own lesson, but not too bad overall.

  21. PaulT (profile), 10 Jul 2012 @ 7:33am

    Re: Re: Re: Working as intended

    There's one valuable lesson - no matter how trustworthy the government agency, data will always end up in the hands of the lowest bidder. No matter how secure the company's reputation, data will end up in the hands of the lowest paid employee, who isn't paid enough to care about your security.

    In terms of actual damage, there's probably not a lot of real risk unless the people involved have been using the same passwords for everything, use the same reminder questions for everything and answer any spam email they get as though it's real. Time to find out if they learned anything I suppose...
