Schneier on Security
A blog covering security and security technology.
December 21, 2009
Santa's Naughty–Nice Database Hacked
This is very serious.
EDITED TO ADD (12/11): Form letters from Santa, informing children of the breach. Jack Bauer (of 24) interrogates Santa.
Posted on December 21, 2009 at 12:58 PM
• 16 Comments
That is EPIC! I love it. What a great analogy using one of the oldest stories I can think of.
I am just depressed I never thought of this.
On a serious note, it really does show a lot of what is wrong with data mining today. No matter what the reason, it should never happen, for reasons mentioned in this story, 1 name or age wrong and someone's life can be negatively affected.
Fine, no present for you this year, Eddie.
Poor St. Nick. Always maligned by the Hollywood elite and the MSM at Christmas. Now even the bloggers are taking pot shots. I never even had a chance with that one.
Lucky for me, MY list says I'll get plenty of you in your afterlife.
The following letter will be courier-delivered by reindeer on December 25th to billions world-wide:
December 25 2009
[Child Name Redacted]
I'm writing to inform you of a recent crime committed against North Pole Industries that MAY have resulted in your name, address, Social Security number, and Virtue/Turpitude Ratio (VTR), being viewed by businesses that are not allowed access to such information. We have reason to believe your personal information may have been obtained by unauthorized third parties, and we deeply regret any inconvenience this event may cause you.
Although we have been informed that disclosing too many details of the crime may hurt on-going criminal investigations, we wanted to provide you with some information related to this incident that may help you protect yourself against identity theft. First and foremost, we are actively working with the appropriate police agencies on this matter.
We believe that several individuals, posing as legitimate supernatural toy-delivery agents, recently committed fraud. These individuals bypassed our stringent database security by claiming in writing to have a lawful purpose for accessing information about individuals, when in fact, they did not. When the fraud was discovered, access to information was discontinued and the authorities were notified.
Our business customers use our database to verify the suitability of children to receive gifts from supernatural agents, often as part of a graduated reward system (e.g. pony, socks, or coal). We rely on information, including public records, that are available to any citizen with supernatural surveillance powers, or to any local council member in the UK. This includes information about school detention, truancy, cruelty to small animals, nose-picking, and sister taunting. We also use public information, such as nicknames.
There are some actions that only you can take to protect yourself from misuse of information about you obtained illegally from our database. Industry experts recommend that you place a Fraud Alert on your Virtue Report by calling the toll-free number of any of the three Virtue Bureaus listed on the attached sheet. [Attached: Contact Info for various for-pay shit lists]. Your Virtue Report will be sent to you free of charge.
When you receive your Virtue Reports, please review them carefully. Look for inquiries from religious holidays that you do not celebrate, and unexplained gifts inappropriate for your age group. If there are items that you did not authorize, immediately notify the virtue bureau by telephone and in writing (which means like by e-mail or twitter, except printed out on a sheet of paper and sent by postal service, with a stamp. Ask your parents to help you).
We have set up a toll free number to accept calls with questions, and to provide any additional advice and support we can, in a helpful recording. To speak to someone about the information in this letter, please call +00-1-877-[number redacted] between the hours of 6 a.m. and 6:10 a.m. Western Pacific time, Thursday through Friday. We hope this information is helpful to you and regret any inconvenience this may cause you.
CEO, North Pole Industries
I call fake. Santa still does things the old fashioned way - with paper and pen.
I have GOT to meet this Jane Doe
Dear Parent (of Child)
St. Claus takes his responsibilities to comply with national, state and local laws very seriously. In accordance with California Civil Code 1798.29, it is my duty to inform you that your child's unencrypted personal information is reasonably believed to have been acquired by unauthorized persons and supernatural entities.
In order to track which children have been naughty or nice, as well as where to deliver gifts, Claus Industries must maintain aggregated records of Naughtiness (TM) and Nicety (TM) as well as the physical addresses at which children are expected to be on Christmas Day, in combination with the full and complete names ("True Name") of your children.
In 2009 for reasons of economy Claus Industries made the decision to switch from HAL to Diviner as our database provider of choice. Name notwithstanding, we did not realize that Diviner is under the majority ownership of an entity whom a devout Christian would refer to as the Adversary. Due to ongoing law enforcement operations and celestial-infernal disputes, we are unable to fully disclose the exact nature of the breach at this time.
It is your responsibility to guard your personal identity information from compromise or misuse. A True Name can be used to access information, blackmail, compel obedience, possess and in rare cases destroy the soul of any entity, possibly including your child(ren).
Because of the disclosure of your True Name, you may wish to contact NameGuard or other magikal name protection services. Christian subscribers are reminded that invoking the name of your Savior provides absolute protection; however, this safety message is not intended to discriminate against believers in other faiths. Renaming your child may also be an option that you may wish to consider at this time.
Atheists are advised that no action is necessary or advised in response to this message.
If any gift received on or around Christmas Day smells of fire, brimstone or other noxious substances, please immediately discard according to your jurisdiction's guidelines for the handling of household hazardous waste.
As our age database has been corrupted, please hand this letter to your minor child if and only if they are over fifteen (15) years of age. It is necessary to remind you that we are a mandatory reporter of Naughtiness (TM) and Nicety (TM) to a number of supernatural reporting bureaus and reputation tracking activities.
This message has also been posted on various Web sites including NORAD and santa.com
We appreciate the opportunity to gift your child(ren) with toys during each yearly holiday season and appreciate your patience as we resolve this matter.
E. Scrooge, Esq.
(for Clause Industries)
I thought Santa would have Bruce as a consultant. With such an important operation, you want the best around. I think Santa needs a copy of "Schneier On Security"
Just Great... I'm finally good all year and now all I'm gonna get for Christmas is a year of credit monitoring...
Excellent, now combining data from Google earth's "Santa tracking" and estimating his sweep of the nice kids to be optimal, we can pinpoint Santa with a high accuracy, assault him and profit!
"Lucky for me, MY list says I'll get plenty of you in your afterlife."
It is my duty to inform you that after an energy audit it has been found you are not subject to carbon trading and thus you will have to put out your highly inefficient inferno.
Due to this, audits in other areas have shown that your practices are manually intensive and thus inefficient.
After an appropriate consideration it has been decided that your techniques are so antiquated they are now actually looked upon by humans as being preferable to the other option (Harping on about cloud hopping) as it nearly approximates their current existence.
Thus you are having your franchise removed and it is being reassigned to an appropriate corporate entity.
Hence forward your duties will be carried out by B-Helz-a-snub Inc on a PPI PFI contract.
We at Celestial Management hope that you will find happiness in your future endeavors.
Dante of Moderner
Senior Procurement Manager.
I love it.
Happy Christmas to you and yours, Bruce.
[quote = "Nicholas Claus"]
Our business customers use our database to verify the suitability of children to receive gifts from supernatural agents, often as part of a graduated reward system (e.g. pony, socks, or coal).
FYI, Nicholas Claus:
The hackers were looking for the names and addresses of the girls on the naughty list.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.