UC Berkeley information disclosure gets press...

Great Techsploitation article by Annalee Newitz... look for it in the SF Bay Guardian and the Metro in Si Valley... some juicy parts:

Last week I received a letter about the possible theft of my personal information from a UC Berkeley computer. It was dated Oct. 15 and had taken three months to reach me. The letter helpfully informed me that "an unidentified individual" had hacked into one of UC Berkeley's "datasets" and that "some information" about me "was potentially available in these records." It concluded with some information about the dangers of identity theft and the number of a detective in the UC Police Department whom I could call.

I haven't been a student at UC Berkeley since 1998. But for some reason, my driver's license number and a very outdated address are still archived there. In fact, it was the outdated address that probably kept me from getting the letter in a timely fashion. Luckily, somebody I know is still in the flat where I lived in 1998. He passed the letter on to me.

[...]

These issues around disclosure go a lot deeper than you probably realize. One of the big debates among technical types in the security industry is how to report a vulnerability you find in a piece of software, or even whether to report it at all. Do you tell Sun Microsystems you've discovered a way to hack its server code if you know it's going to ignore you and let its users remain unprotected? Or do you tell other hackers about the vulnerability and let them fuck around with a bunch of Solaris boxes until Sun freaks out and releases a patch? Or, if you're a real mercenary, do you sell information about the vulnerability to the highest bidder and let the rest of the world be damned?

Geeks often say computer networks are a compromise between security and usability. The more you lock a system down, the harder it is to teach ordinary users to deal with it and the more difficult it is to administer. S.B. 1386, like many pieces of computer-related legislation, adds to this difficulty. The question is whether we can make the law usable.

Posted by joebeone at January 6, 2004 10:11 PM