CIPP Guide » Hacking

Information privacy Way Back when?

jbrook — Wed, 14 May 2008 04:20:24 +0000

Have you ever visited archive.org or used their Way Back machine? It’s a catalog of the Internet, and in my opinion one of the most ambitious projects undertaken. The sheer volumes of data astounds me. They don’t measure in Gigabytes, Terrabytes, or even Petabytes. They’re into the Exabytes, and pushing beyond. Cloud computing (and Jeff Bezos) don’t look quite so foolish now.

The site’s mission is to preserve the historical aspect of the net. Granted, some of my earliest ‘net memories aren’t quite the same without the VGA resolution monitor, Netscape, Windows 95, or modem chirps, but the pages are accurate.

The same issues surrounding public records (see the recent interview w/ Barbra Symonds) exist with the Net’s archival. Storing that much information at anyone’s fingertips can be dangerous, especially without any controls. I’m not a proponent of regulations; more so of education. So here goes:

If you’ve played around with Google Hacking or Search Engine Optimization, you probably know a page taken down remains in a search engine like Google’s cache indefinitely – more or less. If it’s instead updated, it’s reindexed and the cache changes.

That same page remains on the Way Back machine – not reindexed, just indefinitely. No updates, no cache changes, just another revision for another month/week/day. Elliott Spitzer’s call girls – indexed. Paris Hilton - logged. The Virginia Watchdog’s privacy work – stored.

Even if a judge orders a cease and desist in the latest scandal, and the site is taken down, most judges are not tech savvy enough to understand the ramifications of the web and the proliferation of digital data. The people who wanted the info already have the Virginia congressman’s social security info, or the former Florida Governor’s Social Security Number on a house purchase. The judge simply can’t erase every person’s hard drive, and nothing’s preventing any one of those individuals from reposting it.

The privacy implications are obvious; the web’s persistence is unyielding. The laws and regulations studied as a Certified Information Privacy Professional (CIPP) exist, but legislation lags the world of technology, most times significantly so.

Let’s face it. Your personal information won’t change any time soon. Your mother will still have the same maiden name, your Date Of Birth (except for women) will remain constant, and without serious appeals, your Social Security Number isn’t going anywhere. Once it’s out there, it’s out for good. And site’s like the Way Back machine will perpetuate any disclosures. Again, it’s not a good thing, or a bad thing, but an education lesson.

Those typos I made 7 years ago in a conference submission – even without the Net’s archive they’re still there, with a relatively high page score. Almost wish I’d spell checked one more time.

Hacking attack targets epileptics

jbrook — Sun, 20 Apr 2008 19:05:21 +0000

I find ‘America’s Funniest Videos’ entertaining. I get ‘Jackass’… They scare people, gross them out, or generally bewilder. But they don’t intentionally go out and drop toilet bowls on people’s heads or put others lives in danger.

What I don’t get is the recent hack of the Epilepsy Foundation forums, changing posts so that they displayed flashing strobes and trippy patterns. I find this behavior reprehensible. To sully a non-profit’s reputation, and attack unsuspecting seizure disorder suffers, many of whom may be incapcitated by the strobes or patterns. Thankfully most of them probably don’t know what happened, essentially blacking out, except for an awful headache or coffee covered keyboard. The Epilepsy Foundation responded quickly, impresive for a Sunday, holiday, and a non-profit.

Seizures consist of multiple neurons in the brain firing out of sequence. The random firings may be localized and cause an absence episode, or generalized Tonic Clonic events (previously known as Grand Mal) where the afflicted lose muscle control and physically convulse.

After the main event, there are typically aftershocks. Just as after an earthquake the ground may move a little more easily, so too is the case for epileptics. People may be epsiode free for a year or more by successful diagnosis, drug therapy, or even brain surgery. They may have just resumed a normal lifestyle of heading to the grocery store or walking to the park, and now have to worry about something they would have been resistant to a week earlier. Imagine a fear of seizing in a crosswalk, or while chopping celery.

For a demonstration, do something honorable or with meaning. I find it one thing to engage in protests: ruin a fur with red paint, DoS or defile a website, or even common financial thievery. The Epilepsy Foundation attack is the digital equivalent to randomly finding a guy on the street and beating them up. Lawless anarchy must not be tolerated from a bunch of little hooligans.

Hacking "Linked-In": Working around the social part of social networking

jbrook — Wed, 14 Jun 2006 22:50:00 +0000

Original Post on 14-Jun-06 4:50pm
I use “Linked-In” for a social networking, and online contact management tool. It’s quite convenient, nearly a true peer-to-peer instantiation of a friend of a friend tool (at least in the free version) and pretty indicative of most of these sites. In order to connect with someone, you either must have their email address and send them an invitation, or ask someone you’re already connected with for an introduction, all brokered by Linked-In. I say nearly a true peer-to-peer social networking tool, as there are a couple of ways to bypass their system. Take a look at the following “Linked-In” profile:

Computer & Network Security Professional
Greater Los Angeles Area | Computer & Network Security
Experience:
Sales
Northrop Grumman
Computer & Network Security Industry
1985 – Present (21 years)
Business Development Manager
Lockheed
Computer & Network Security Industry
1995 – 2006 (11 years)
Business Development Manager
Boeing
Computer & Network Security Industry
1995 – 2006 (11 years)
Business Development Manager
Northrop
Computer & Network Security Industry
1985 – 2006 (21 years)
Business Development Manager
Blue Lance
Computer & Network Security Industry
1995 – 2006 (11 years)
Sales
Decision One
Computer & Network Security Industry
1995 – 2005 (10 years)
Business Development Manager
Pacific Bell
Computer & Network Security Industry
1995 – 2005 (10 years)
Business Development Manager
DecisionOne
Computer & Network Security Industry
1995 – 2005 (10 years)
Business Development Manager
SBC
Computer & Network Security Industry
1995 – 2005 (10 years)

I received this yesterday as a “Colleague” connect request. If your years at a specific company or school overlap with someone else, a feature within the site allows a bypass mechanism. Your message is automatically sent without any outside broker (introducer/friend) or previous knowledge (an email address). It appears that this gentleman was a very rich, and very busy boy. In fact, since 1985, he “worked” at 7 major companies simultaneously. The only people I know afforded that sort of leeway are consultants, and they aren’t business development managers (the SEC frowns on this, something about overlapping strategies and oligopolies). All of his employers are in the Computer & Network Security Industry, and security’s a hot market, so my guess is, he’s a head hunter, or maybe a mass marketer selling niche email lists. Or maybe, he’s a corporate spy. Probably not, but that’s the security guy in me.

I bring this up for user education. I personally found several University classmates I hadn’t talked to in over 10 years through this same feature. And there is a temptation for networking with this guy; it appears over 177 people accepted his invitation. The only question really is how many of them he actually knows. Thankfully, you still have to choose to link with your contacts. Linked-In gives you the option of reporting the user for agreement violation. Just think before you click. If it doesn’t look right, it probably isn’t. What’s a social network if there’s no value in who you’re connected with?