
The Doxing Trend - CapitalistCartr
https://www.schneier.com/blog/archives/2015/10/the_doxing_tren.html
======
ksenzee
In spite of the headline, this article is not so much about doxing. It's about
the fact that doxing is way too easy, because companies are ridiculously lax
about keeping people's private information safe.

Schneier is arguing for government regulation, and letting people sue for
damages after an information breach, and I think he's right. We have enough
data at this point to show that very few companies are going to take good care
in this area unless a regulator or their insurance company forces them to.
It's too hard, it's too expensive, and it's too easy to brush off the
consequences when the inevitable breach happens.

~~~
Nadya
_> It's about the fact that doxing is way too easy, because companies are
ridiculously lax about keeping people's private information safe._

Even more that _people_ are terrible at keeping their own information safe. A
collection of one-off facts over the past 8 years of a person's internet life
can paint a rather vivid picture. You can tell how many relationships they
have been in, if they have a new job, what country they live in, what _town_
they might live in, what their pet's name is, who their friends are, and more.

With enough metadata it becomes trivial to find their social profile (where
they often speak about bits of information contained in the metadata) and then
you have their full name, family, friends, etc. At that point it becomes
trivial to find more information on them.

Informing people is rarely enough to get people to understand. On the contrary -
they'll blast all the info you need to know on their Facebook or Twitter.
They'll take pictures of local parts of town and post them on Instagram, etc.

It's extremely hard to be doxed unless the _user_ shares information with the
public. It's extremely rare to be publicly doxed due to leaked credit card
information or a company being hacked and a database being released.

~~~
ksenzee
Schneier really isn't using "doxing" the way you and I would. He's using it to
refer to what happened to Mat Honan[0], when someone managed to social
engineer Amazon customer service and Apple tech support to take over Honan's
accounts. Honan didn't do anything wrong, or release too much data to the
public. He simply made the "mistake" of owning @mat on Twitter. Someone wanted
the username, so they tricked Apple tech support (using data they got by
calling Amazon) into thinking they were Honan, hacked into his account and
took what they wanted.

The point of the article is that in a case like this, Apple and Amazon are
both at fault, and should be held legally responsible.

[0] [http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/](http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/)

~~~
Nadya
So after all the years of misusing and redefining "hack" they are now jumping
ship to "doxing" to misuse that when their redefined version of "hack" is
acceptable? Gah!

Thanks for the explanation. I do agree companies should be held responsible
when they are too lax on identifying people as who they claim to be.

OTOH, I can see customer complaints about slow service and constantly having
to prove identity w/ 4 last of SSN and such. It's an area where idealism and
reality don't meet very well.

