Skip to main content

The Death Master File...a blackhat's dream come true

First, watch this CBS 60 Minutes special on the Social Security Administration's Death Master File:

The ultimate hack, from a blackhat/rogue government perspective, is the one that has significant negative impact on the financial stability of a country one can figure out who is responsible.

The Death Master File meets all of the prerequisite criteria:

  • Large quantities of data? Check.
  • Has significant financial consequences for anyone who gets into it? Check.
  • Individuals can't readily find out if they are on the file or not? Check.
  • Relatively easy to add anyone to the file? Probably check (e.g. plop some malware on funeral home computers and get remote access to adding entries to the file).
  • Takes years to get off the file? Check.
  • Has recurrent consequences for the rest of the individual's life? Check.
  • No way to track additions back to the original source? Check.
  • The head honcho at the Social Security Administration doesn't really care about "accidental" additions and only seems to care about paying out too much money? Check.

You really couldn't ask for a more perfect combination. It's pretty shocking when you think about it - zero safeguards, no one seems to care, and it has major repercussions for affected individuals (e.g. homelessness). Destroying the U.S. is quite literally available on an unprotected digital silver platter. There are so many different ways that this could go sideways I'm not really sure where to start other than to write a blog post about it to raise awareness.

As a software developer, the one thing that REALLY irks me is this:

There is a $200 annual subscription fee to access the data and is restricted to government entities and businesses with a need for the data. Individuals can't write a script to watch for the unfortunate event of being added to the list. The list is supposedly a very lucrative source of income, which means that every business out there seems to use it. Sorry, but my tax dollars aren't for NTIS to run an e-commerce store. Data for all or data for none.

The U.S. government is ill-equipped to handle modern threats - writing laws and charging money for access to the data doesn't close blatant security holes. Who was the person who decided to not bother with change tracking in this rather critical database? That's ridiculous and they should be fired and drop-kicked out the door. Also, to simply not care about those people whose lives the Social Security Administration has messed up is rather messed up too. The U.S. has enemies who would love nothing more than to destroy the country. Adding people to the Death Master File seems like a pretty easy way to accomplish such a task.