The following text is copyright 2002 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.


Can the DMCA hide Social Security Numbers?


By Scott Bradner


It was an interesting week to be in the Ivy League as long as you were not at Princeton or Yale, and it was a depressing week if you were remotely interested in Internet security.


For being the elite of American higher education, officials at Princeton and Yale sure showed how the technically and procedurally clueless do things.  Yale put up a web site to let prospective students find out if they had been admitted to the university.  That, in itself, was a good thing to do.  It sure beats waiting around for months to see if you get a fat or thin envelope in snail mail.  But in an almost perfect demonstration of poor security, Yale decided to control access by asking for readily available information.  All someone needed to know was a name, Social Security number and date of birth, and they could find out what Yale thought of an applicant.  Those three items are identifiers that many parties legitimately hold, not secrets known only to the applicant.  Sad to say, this is data that can be discovered quite easily by wandering around the Internet.  It is also data that applicants provide to other schools, for example, to Princeton.  So if the same person applied to both schools, Princeton officials would have all the information they needed to access the Yale web site, and, apparently, at least one Princeton official did just that.   Both players in this farce, the one that used such stupid "security" and the one that broke it, give higher education a bad name.
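To make the Yale lesson concrete, here is an added example that is not from the column and is not any university's actual code.  It contrasts a lookup gated on name, SSN and date of birth, which a rival school can satisfy straight out of its own application file, with a lookup gated on a random per-applicant secret that is mailed to the applicant alone and stored only as a salted hash.  The applicant records, names, SSNs and dates are constructed, and the function names (weak_lookup, rival_reads_decision, issue_credentials, strong_lookup) are hypothetical.

```python
# Added example (not part of the original column, not any university's code):
# why "name + SSN + date of birth" is not an authenticator, and what to issue
# instead.  All records below are constructed sample data.
import hashlib
import hmac
import secrets

# Constructed records as one admissions office might hold them.
APPLICANTS = {
    "A1001": {"name": "Pat Example", "ssn": "123-45-6789",
              "dob": "1984-03-07", "decision": "admitted"},
    "A1002": {"name": "Sam Sample", "ssn": "987-65-4321",
              "dob": "1984-11-21", "decision": "denied"},
}

# What a second school holds about the same applicant: the identical
# identifiers, because the applicant filled in the same form there.
RIVAL_SCHOOL_FILE = {"name": "Pat Example", "ssn": "123-45-6789",
                     "dob": "1984-03-07"}


def weak_lookup(name, ssn, dob):
    """The Yale-style check: anyone who knows three identifiers gets the answer.

    Names, SSNs and birth dates are identifiers, not secrets: other schools,
    employers, banks and data brokers hold the same values, so the check does
    not distinguish the applicant from any of them."""
    for record in APPLICANTS.values():
        if (record["name"], record["ssn"], record["dob"]) == (name, ssn, dob):
            return record["decision"]
    return None


def rival_reads_decision():
    """A rival admissions officer needs nothing beyond their own file."""
    f = RIVAL_SCHOOL_FILE
    return weak_lookup(f["name"], f["ssn"], f["dob"])


def _hash_token(token, salt):
    # Store a slow salted hash, never the token itself, so a leaked
    # admissions database does not hand out every applicant's credential.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 50_000)


def issue_credentials(applicants):
    """Generate a random token per applicant, to be sent to that applicant
    alone (for example in the acknowledgement letter).  Returns (tokens, stored):
    tokens go out to applicants, stored is what the web site keeps."""
    tokens, stored = {}, {}
    for app_id in applicants:
        token = secrets.token_urlsafe(12)      # 96 random bits: not guessable, not on file anywhere else
        salt = secrets.token_bytes(16)
        tokens[app_id] = token
        stored[app_id] = (salt, _hash_token(token, salt))
    return tokens, stored


def strong_lookup(app_id, token, stored, attempts, max_attempts=5):
    """Release the decision only to a caller holding the applicant's token.

    hmac.compare_digest avoids a timing side channel; the attempt counter
    (persisted per applicant in a real deployment) bounds online guessing."""
    attempts[app_id] = attempts.get(app_id, 0) + 1
    if attempts[app_id] > max_attempts:
        return None                              # locked out
    entry = stored.get(app_id)
    if entry is None:
        return None
    salt, expected = entry
    if not hmac.compare_digest(_hash_token(token, salt), expected):
        return None
    return APPLICANTS[app_id]["decision"]


if __name__ == "__main__":
    print("rival school via weak check :", rival_reads_decision())
    tokens, stored = issue_credentials(APPLICANTS)
    attempts = {}
    print("rival school via strong check:",
          strong_lookup("A1001", "guess", stored, attempts))
    print("applicant with own token     :",
          strong_lookup("A1001", tokens["A1001"], stored, attempts))
```

The point of the second design is not the hashing detail but where the secret comes from: the applicant receives it from Yale and from no one else, so possessing it actually says something about who is asking.  The weak design cannot be patched by adding more identifiers (mother's maiden name, home address), because those are held by the same third parties.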


Then, only a few days later, Hewlett Packard decided that hiding security flaws was more important than finding and fixing them, and looked around for the biggest stick it could find to drive the point home.


The story, as best I can figure out from published reports, is that a research group called SnoSoft found some security problems in HP's version of UNIX.  SnoSoft started talking with HP about some of these problems this past spring, but then a researcher affiliated with SnoSoft sent a note to a popular bug-reporting list that included a description of a problem and a link to a program to exploit it.  This freaked out HP, which proceeded to send a letter to SnoSoft threatening prosecution under the Digital Millennium Copyright Act (the infamous DMCA).  You know, the overly broad law that claims to be protecting copyrighted materials.   A big stick indeed: penalties of up to $500,000 and five years in jail.


Publishing information about security flaws is a controversial process but by its actions HP is telling me that it is not particularly interested in actual computer security.  Shooting messengers real dead is not a good way to find out about bugs that the bad guys know about but you do not.  HP's actions are indistinguishable from those of an organization that is consciously trying to weaken our defenses against hostile attacks.


But if the DMCA can be used in this way, maybe the US government can sue itself for making SSNs so easy to find out that Yale's tissue paper security could be broken.


disclaimer:  Harvard does know how to spell "security" but the above spelling lesson is my own.