
You are what you leak (2018) - wallflower
https://caseysoftware.com/blog/you-are-what-you-leak
======
CommieBobDole
Two thoughts on this:

1. This seems like a bizarrely disproportionate and unpleasant response to
being accidentally included on an email thread. It's one of those stories
somebody tells you thinking it makes them look cool but only serves to let you
know that you should avoid this person at all costs.

2. It also sounds like a revenge fantasy written by a fourteen year old; the
only thing it's missing is "and then they all stood up and applauded me".

------
jp_sc
So he found out a kid whose girlfriend was very close to his family,
immediately assumed the dad was a pedophile, without any proof, and proceeded
to accuse the dad to the other parents so they can apply mob justice and
destroy the family.

Very classy. A real hero. /s

~~~
glloydell
He didn't make an accusation, he pointed out a set of data everyone else on
the list had access to.

The people actually involved (and with more information to assess the reality
of the situation) can make the judgement call.

See something, say something?

~~~
duxup
> I found one father who was interacting with his son’s girlfriend a lot. Not
> just “I hope you enjoyed the game!” but Liking many pictures, commenting on
> numerous posts, etc.

Do you feel like that's a problem?

~~~
glloydell
I'd say that an adult over engaged with a child on social media is a
potentially concerning data point.

Side note, are you down voting my comments because you feel like they don't
add any value to the conversation or because you disagree with my viewpoint?

~~~
duxup
I'm not voting.

I find what is described as typical socialization observed by someone who
knows nothing of these people as something to be concerned about to be fairly
absurd.

~~~
glloydell
The author spent a non-trivial amount of time researching the social media
profiles and interactions in this group, and noted a pattern of interaction
that was atypical between an adult and a minor.

If it was typical socialization within that community, then I find it unlikely
he would have only found a single instance.

*edit to fix autocorrect typos

~~~
duxup
I think it is just sexual paranoia.

I mean here we are and someone somewhere happened upon a mailing list they
didn't want to be on... looked folks up on Facebook. Wrote a couple sentences
on a blog and we're at "see something say something" and "The author spent a
non-trivial amount of time researching the social media profiles and
interactions in this group".

That all seems like a huge stretch that could create a situation where all
sorts of normal behavior is scrutinized / fingers pointed, etc.

------
duxup
So poor choices and poor behavior by the author aside.

I'm not really sure how much of the information gathered would surprise that
many people. The suggestions seem like something that some local TV "security
expert" would give along with the always useless "don't download apps you
don't trust" kind of advice.

------
krick
Can this asshole be sued? I mean the author of the blogpost, obviously.

------
hinkley
I remember a ways back there was a spate of burglaries timed to social media
information stating that the owners would be out of the
house/town/state/country at a particular time.

Seems like we haven't been inoculated in a while. If there's no new incident,
or they don't hear about it, people become complacent.

~~~
taneq
When I was a kid we were raised to not talk too publicly about when you were
going to be away from home, for this exact reason. You'd ask a trusted
neighbour to collect your mail so your mailbox wasn't suspiciously full. You
could even buy power point timers that would let you schedule lights / TV /
whatever to turn on and off at preset times, plus some random jitter to make
it not obviously scheduled, so it looked like you were home.

It seems bizarre that in the face of all our perceptions of how cynical we've
become, we've forgotten so much basic common-sense security.

(Of course you can still buy the timers and they still even have the jitter
feature, but they're marketed as power-saving devices, not as security
devices.)

------
jerome-jh
Agreeing with the general tone below. The post gives the impression people
should conceal even innocuous interactions. The basis is, of course, to have
several email addresses and give the impersonal one, which receives most of
the spam, to forum/club mailing lists.

------
glloydell
I'm a bit surprised by the general tone of the comments on this.

Not using BCC on group threads like the one mentioned is essentially a PII
breach. The fact that this was an organization responsible for the care of
minors, which refused to remove someone who was erroneously given access to
that data, definitely warrants concern.

If the author had found a security vulnerability in a school website,
responsibly disclosed it, and deleted all information gathered, I doubt they
would be getting the same level of side eye.

~~~
nwallin
> responsibly disclosed it,

That's the problem here. The disclosure as represented by the author themself
is decidedly not responsible.

~~~
glloydell
Sharing the dataset with the full email list instead of individually sharing
his results with each person on the list definitely toes the boundary, but
given that the parents are going to be the drivers of change in this situation
I'd say it's reasonable.

If you were in the same position as the author, how would you handle
disclosure?

~~~
nwallin
> given that the parents are going to be the drivers of change in this
> situation I'd say it's reasonable.

(Note: I shortened your quote, and the shortened bit does not give your
intent. But it's the part I want to respond to. Other readers should read OP's
full text.) The drivers of change with regards to the Equifax leak were the
voting populace of the United States. I imagine if the Equifax hacker had sent
the credit reports of everyone compromised by the leak to everyone compromised
by the leak and claimed to be an honest security researcher, it wouldn't have
gone well.

> If you were in the same position as the author, how would you handle
> disclosure?

The author mentioned having the contact information of the legal counsel of
the school. Send an email to them saying that email addresses are PII and they
shouldn't be widely distributed. Escalate from there. If they ignore it, send
a spreadsheet of names, email addresses, and Facebook accounts to the lawyer.
If they ignore that, start digging, send more. Anyway, the point is, start at
DEFCON 4 and work your way up, don't immediately step to DEFCON 2. In this
case, where the solution is to paste into the BCC box instead of the TO or CC
box, a 30-day window ought to be sufficient, but a zero-day window is
completely unacceptable.
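
The mechanism glloydell and nwallin are arguing about (To/CC exposes the whole roster to every recipient, BCC does not) in runnable form. This is an added example, not code from the linked post or from any commenter; the roster, addresses and the sample received thread are constructed, and the function names are mine. It builds the same group mailing both ways, then audits a message for the addresses any recipient can read out of its headers, which is the same check you can run on a thread you were accidentally added to.

```python
"""Added example, not from the linked post or any commenter: build one group
mailing two ways and audit which recipient addresses each copy exposes.
All names, addresses and the sample received thread are constructed."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed roster of a hypothetical team mailing list.
ROSTER = ["parent.one@example.com", "parent.two@example.com",
          "Wrong Person <bystander@example.net>"]
SENDER = "coach@example.org"


def build_leaky(sender, roster, subject, body):
    """The pattern the post describes: the whole roster pasted into To."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = ", ".join(roster)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc(sender, roster, subject, body):
    """Same message with the roster in Bcc; To carries only the sender."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = sender
    # smtplib.send_message() removes Bcc before handing the message to the
    # server, so recipients never see this header.
    msg["Bcc"] = ", ".join(roster)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg):
    """Lower-cased addresses any recipient can read from the headers.
    Bcc is excluded on purpose: the submission path strips it."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(raw) if addr})


def leaked_addresses(msg, sender):
    """Everything visible in To/Cc other than the sender itself."""
    return [a for a in exposed_recipients(msg) if a != sender.lower()]


def audit_raw(raw_message, sender):
    """Run the same check on a message as received, for example a thread
    you were wrongly added to, and return the leaked address list."""
    msg = message_from_string(raw_message, policy=policy.default)
    return leaked_addresses(msg, sender)


# Constructed copy of the kind of thread the post describes.
RAW_THREAD = """\
From: coach@example.org
To: parent.one@example.com, parent.two@example.com
Cc: Wrong Person <bystander@example.net>
Subject: Saturday game

Bus leaves at 8.
"""

if __name__ == "__main__":
    leaky = build_leaky(SENDER, ROSTER, "Saturday game", "Bus leaves at 8.")
    safe = build_bcc(SENDER, ROSTER, "Saturday game", "Bus leaves at 8.")
    print("To/Cc version leaks:  ", leaked_addresses(leaky, SENDER))
    print("Bcc version leaks:    ", leaked_addresses(safe, SENDER))
    print("Received thread leaks:", audit_raw(RAW_THREAD, SENDER))
```

The audit only looks at To and Cc because that is all a recipient's mail client ever shows them; whether the list was "meant" to be private is irrelevant once it sits in those headers. Note that the BCC variant still puts the sender in To, so replies go back to the organizer rather than reply-all'ing to a list nobody can see.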

