Programmer Humor @programming.dev suy @programming.dev 5mo ago

The government doesn't use SQL

See the post on BlueSky: https://bsky.app/profile/provisionalidea.bsky.social/post/3lhujtm2qkc2i

According to many comments, the US government DOES use SQL, and Musk is not understanding much what's going on.

366

You're viewing a single thread.

366 comments

I'm sure folks on here know this, but you know, there's also that 10K a day that don't so...

What makes this especially funny, to me, is that SSN is the literal text book example (when I was in school anyway) of a "natural" key that you absolutely should never use as a primary key. It is often the representative example of the kinds of data that seems like it'd make a good key but will absolutely fuck you over if you do.

SSN is not unique to a person. ~~They get reused after death, and a person can have more than one in their lifetime (if your id is stolen and you arduously go about getting a new one).~~ Edit: (See responses) It seems I'm misinformed about SSNs, apologies. I have heard from numerous sources that they are not unique to a person, but the specifics of how it happens are unknown to me.

And they're protected information due to all the financials that rely on them, so you don't really want to store them at all (unless you're the SSA, who would have guessed that'd ever come up though!?)

It's so stupid that it would be hilarious if people weren't dying.
- Small correction to an otherwise great explanation: SSNs are not recycled after death.
  
  **Q20: *Are Social Security numbers reused after a person dies?*****A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 453 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.
  
  https://www.ssa.gov/history/hfaq.html
  
  "Several generations" well that is fucking garbage
  
  Nah. It’s worked for 50 years and if we get another 30 then it’s done its job well. Government is supposed to review and adjust things as time goes on and Social Security Numbers weren’t intended to uniquely identify citizens. They probably expected an overhaul to be done by 2020.
  
  They fact that we haven’t reworked portions of it and rely on SSNs to identify citizens shows that we haven’t had a forward-thinking Congress in the last 20 years at minimum.
  
  The entire number is garbage. Change the last digit and you have randomly guessed a perfectly valid SSN.
  
  Less secure than a gift card
  
  Well, it's an identifier, your problem if that you have been using it as some kind of access key
  
  You can guess a phone number as well by changing the last number, but that information has 0 value unless it is coupled with other informations.
  
  well tbf, the standard coming from computing is doubling the bits until it stops being a problem, or with ipv6 practically having more IPs than there are atoms in the entire planet of earth (i think i did the calculation a while ago, and it was like, most of the atoms in earth, so like, not quite, but for all intents and purposes, might as well be)
  
  According to XKCD about 40% of the earth
  
  https://xkcd.com/865/
  
  yeah that sounds about right, someone should make an XKCD search engine i think.
  
  So they’ve issued almost half the possible numbers, current US population is actively using 1/3rd of them. I think unless there is a major drop in birth rates “several generations” is two. Either my great grandkids will be reusing dead people SSNs or there will be 10 digit numbers which is going to be a problem for any systems that coded it as char(9).
  
  Ongoing trends would indicate a significant drop in birth rate is extremely likely. Major cities will most likely be facing population shrinkage by the end of the century
- It's supposed to be unique and might actually be now, but there are def duplicate ssns out there. Craziest identity situation I was told by a project manager of government system that is all about identities. Same First, Same last,same Date of Birth, same SSN; different people.
  
  Weird story, and I have to assume this is data entry error, identity theft, or something else: I couldn't sign up for a hospital billing platform because my name and full birthdate (including year) conflicted with someone else in the system. I called the hospital billing department and they were very confused about the whole situation. It didn't really get resolved, and I basically had to let it go to collections so that I could pay because of the shitty system. I don't have a very common name, and never have had this problem before.
- I don't know all the ways but my identity was stolen and I never knew until my attorney was looking at something else for me in conjunction with the social security commission where I lived, and it popped up under a different name. They then accessed my records using other information, and it was the same number. It took a long time to get it sorted. A few years.
  
  It's happened twice to me, I'm now 41. I was able to get it resolved both times but it was not easy and in the first case seriously hurt my credit score for seven years.
  
  It's not fun.
- SSNs are not reissued after death and never have been. I've been seeing a lot of people comment this, but I'm not sure where they're getting it from. (They're not unique for other reasons, however.)
- Just curious, but if SSNs were not recycled after death, would there be any reason not to use them as a primary key?
  
  They're sequential, so the values above and below yours are valid SSNs of people born in the same hospital around the same time.
  
  This would make it trivially easy to get access to records you shouldn't
  
  Isn't that assuming you have access to doing arbitrary SQL queries on the database? Then you'd by definition have access to records you shouldn't.
  
  No. You can have control over specific parameters of an SQL query though. Look up insecure direct object reference vulnerabilities.
  
  Consider a website that uses the following URL to access the customer account page, by retrieving information from the back-end database: https://insecure-website.com/customer_account?customer_number=132355 Here, the customer number is used directly as a record index in queries that are performed on the back-end database. If no other controls are in place, an attacker can simply modify the customer_number value, bypassing access controls to view the records of other customers.
  
  As the user posted, one human can have more than one SSN in their lifetime. Many humans will never have an SSN. Some of those humans may have a TIN. Some humans may have at least one TIN and one SSN at some point.
  
  What are the situations where you can have more than one SSN?
  
  I'm referencing this, but I'm not actually sure: https://www.ssa.gov/OP_Home/handbook/handbook.14/handbook-1401.html
  
  right I did hear the lifelock guy had to get a new SSN, and also Hilda Schrader Whitcher who's SSN was 078-05-1120 and needed to be reissued after her SSN was used as a placeholder in wallets. These seemed to be very uncommon though, and not something I'd expect most systems to be able to handle.
- (if your id is stolen and you arduously go about getting a new one)
  
  I thought I had lost mine once and got a new SSN card, they don't give you a new number, it's the same number
  
  OP is talking about identity theft, not physically losing your card.

366 comments