
Grabbing random DHL package signatures - smcl
http://blog.mclemon.cz/grabbing-dhl-signatures
======
sneak
On Sunday, weev will spend his 28th birthday in federal prison for doing this
exact same thing.

The CFAA declines to define "unauthorized access", meaning that the site
operator can simply label anything that wasn't what they envisioned as
"unauthorized" and suddenly you're a felon.

You are obviously not aware of the times in which we live.

~~~
smcl
I am, I just reckon this is not quite the same. Some shitty pixellated
signatures are not a particularly big deal

~~~
aroch
The shitty, pixellated signatures could be used to fraudulently sign
electronic documents...

~~~
smcl
I'll submit that it was not smart to collate them into a tarball and bung them
into my dropbox

------
blackdogie
This is probably something you should have reported to DHL before you shared
this.

As for analysis of signatures, it would be interesting to see if you could
compare male / female writing, and see if there was anything you could learn,
to predict if the writing was by a man or woman. There is a list that you can
download from the Library of Congress
[http://www.census.gov/genealogy/www/data/1990surnames/names_...](http://www.census.gov/genealogy/www/data/1990surnames/names_files.html)
for first male / female names.

~~~
blackdogie
Well, DHL at least are aware of the issue, via a Twitter conversation
[https://twitter.com/DHLPaket/status/373388119175090176](https://twitter.com/DHLPaket/status/373388119175090176)

------
notimetorelax
While it's good to expose such a security issue, why would he grab 1000
signatures and then share the script? What do white hat security researchers
think of that?

~~~
sneak
Why would DHL publish -all- of the signatures on the web without even a
rudimentary audit/security review?

This is 2013. It's not about the "grab". The act is publishing, making
available. Those who access are not the gatekeepers.

~~~
squidi
Two wrongs don't make a right

~~~
sneak
It's not wrong to read something someone posted inside a window.

------
petercooper
This doesn't surprise me. I think DHL is an absolute joke when it comes to
security and validating identity.

For several months, DHL's debt collectors have been pursuing my company for
unpaid import taxes because some fraudsters trivially used our (misspelled)
company name on their account (without any true "ID theft" taking place).
Despite mountains of proof to the contrary, the case continues and may be
headed for court.

I'm so tempted to report this to the ICO because it seems like a violation of
British data protection laws.

------
roywiggins
Yeaaaah, you could probably fall afoul of the CFAA with this one... See: weev.

Edit: Ahh, I see you're based outside the US, carry on.

~~~
NKCSS
Lol on the edit :P

------
nly
Fortunately, for many of us, signing for packages is probably the only
frequent use of our scrawl so hopefully the potential for fraud from this hack
is lessened.

I think a scarier prospect is that signature recognition may make it possible
for someone to search for all the packages you've ever signed-for, regardless
of the courier or location at which you accepted it. I'd be surprised if
couriers weren't already doing this in collaboration with law enforcement.

------
RossM
Ethics aside, this is a pretty large oversight on the part of DHL. All you
need to stop the incrementing is to require a second param such as the
recipient postcode or customer surname. Plenty of other companies get this
right.

~~~
mineo
That's actually how the German DHL website works - unless you enter the
recipient's postcode, all you get is information that's not telling you who the
recipient is (that is, the shipment progress, the latest status). If you enter
the postcode, the recipient's name and the name of the person the package was
delivered to (for example your neighbor) will be revealed.

~~~
LukaszB
I like the way TNT asks for a PIN to display POD details.

------
thejosh
uhhhh... didn't something like this happen with AT&T a while back that is
pretty well known now?

------
davidbanham
Kind of shocked that anyone thinks this is a significant breach. It is 2013.
Nothing of significance is secured by "the kind of unusual way I write my
name" any more.

What I did find interesting was how much effort most people seem to apply to
doing a proper signature on that tiny, awkward device. I just dash a line and
the delivery guy is happy.

~~~
sengstrom
I usually sign "Chuck Norris" at the grocery store.

------
arbuge
It seems to me that signatures are way past their useful shelf life. The world
is not set up to verify them against anything. If you sign off on a package
with a fake signature, you'll probably be fine - the computer will check the
box as having a signature on file and close the delivery - and you won't be
exposed to privacy breach like this.

More sinister: if somebody grabs your check book and starts writing bad
checks, I doubt the bank will pay much attention to whatever they scribble on
them and you'll have a real nuisance on your hands.

~~~
claudius
My bank doesn’t do checks, but they check the signature on incoming (paper)
mail with a signature of mine they have stored somewhere – I had to come in
once specifically because my signature was different.

Similarly, when signing leases for flats, you usually need a copy of your
passport/ID to prove that the signature is indeed yours.

Edit: Oh, and just pretending to be someone else is a lesser crime than
pretending to be someone else and faking their signature, so requiring a
signature might help as some sort of deterrent. (You can still do three
circles for your signature, but doing three circles while impersonating
someone else and giving the impression that said three circles are their
signature is a crime on its own (in Germany (IANAL))).

------
Tarang
You should have reported this to DHL first. Signatures are sensitive bits of
information. While it's a large oversight on DHL's part, it's still not right to
upload people's signatures publicly.

------
evadne
Time to practice generic and illegible signatures. For example, draw four
circles and cross it out.

They are everywhere… a particular hotel’s breakfast order card you hang on the
door knob requires a signature, banks require them, you sometimes have to sign
when paying with a credit card, people expect you to doodle in a little box
whenever there is exchange of money and goods.

Remind me to print HERP DERP next time with DHL please.

~~~
smcl
Actually if you look through the signatures I grabbed, a lot of them are just
a big capital "D", a random squiggle or just the same name as is published but
in a semi-legible form

------
kekumu
I think USPS is basically the same way. I just shipped something with
Signature Confirmation. The only thing I needed was the tracking number, and
then I could sign up to receive an email with the signature in a PDF. Maybe
you have to sign up before it's delivered though.

------
fnordfnordfnord
inb4 'righteously' indignant people are offended that OP 'hacked', 'stole',
'broke in to', 'etc' but not the least bit worried that DHL has utterly failed
to protect that which ought to be confidential information, (for years).

------
warcode
Pretty standard for package trackers.

Only thing that helps is a sufficiently random tracking hash/string.

~~~
7952
Anything sufficiently random to avoid automated guessing is going to be too
long to enter on a keyboard.

~~~
soult
On the German DHL package tracking page, you have to enter the recipient ZIP
code before being shown recipient details like name and signature. The
tracking code itself is 20 decimal characters, although it is not randomly
generated.

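The two mitigations the thread keeps returning to (RossM and mineo: demand a second parameter such as the recipient's postcode before revealing the recipient or signature; warcode, 7952 and soult: make the identifier itself unguessable rather than sequential) as an added, runnable example. This is not code from the original post, from DHL or from any courier; the shipment records, the 20-digit tracking format, the field names and the `sig_*.png` file names are constructed sample data, and the enumeration loop is a simulation of the incrementing described in the post, not a client for any real service.

```python
"""Added example (not from the post or DHL): a sequential tracking number used
as the only key is an insecure direct object reference. Two mitigations are
shown: a second factor (recipient postcode) gating the sensitive fields, and a
random identifier of the same length. All shipment data here is constructed."""
import hmac
import math
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample shipments, keyed by a sequential 20-digit tracking number
# (assumption: the digit count soult mentions; the prefix is made up).
SHIPMENTS: Dict[str, dict] = {
    "00340434161234567890": {"status": "delivered", "postcode": "10115",
                             "recipient": "A. Mustermann", "signature": "sig_0001.png"},
    "00340434161234567891": {"status": "delivered", "postcode": "80331",
                             "recipient": "B. Beispiel", "signature": "sig_0002.png"},
    "00340434161234567892": {"status": "in transit", "postcode": "20095",
                             "recipient": "C. Test", "signature": None},
    "00340434161234567893": {"status": "delivered", "postcode": "50667",
                             "recipient": "D. Probe", "signature": "sig_0004.png"},
}

# Fields that are safe to show to anyone holding only the tracking number.
PUBLIC_FIELDS = ("status",)


def lookup_insecure(tracking: str) -> Optional[dict]:
    """Weak design: the tracking number is the sole key, so recipient name and
    signature image are returned to whoever can count."""
    return SHIPMENTS.get(tracking)


def lookup_with_postcode(tracking: str, postcode: Optional[str] = None) -> Optional[dict]:
    """Hardened design from the thread: progress for the tracking number alone;
    recipient and signature only when the recipient's postcode also matches.
    compare_digest keeps the comparison constant-time."""
    rec = SHIPMENTS.get(tracking)
    if rec is None:
        return None
    if postcode is not None and hmac.compare_digest(rec["postcode"], postcode):
        return dict(rec)
    return {k: rec[k] for k in PUBLIC_FIELDS}


def enumerate_signatures(lookup: Callable[[str], Optional[dict]],
                         start: str, count: int) -> List[str]:
    """Simulate the attack in the post: start at one tracking number, increment,
    and collect every signature image the endpoint hands back."""
    found = []
    width = len(start)
    for i in range(count):
        tracking = str(int(start) + i).zfill(width)
        rec = lookup(tracking)
        if rec and rec.get("signature"):
            found.append(rec["signature"])
    return found


def id_bits(digits: int) -> float:
    """Entropy of a uniformly random decimal identifier of the given length."""
    return digits * math.log2(10)


def expected_guesses_per_hit(id_space: int, valid_ids: int) -> float:
    """With random identifiers an attacker guessing blindly needs, on average,
    id_space / valid_ids attempts per real shipment; with a sequential counter
    the figure is 1, which is the whole problem."""
    return id_space / valid_ids


def random_tracking_number(digits: int = 20) -> str:
    """Unguessable alternative to a counter: same length and character set as
    the sequential number, so it is no harder to type, just impossible to walk."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


if __name__ == "__main__":
    start = "00340434161234567890"
    print("insecure endpoint leaks:", enumerate_signatures(lookup_insecure, start, 4))
    print("postcode-gated endpoint leaks:", enumerate_signatures(lookup_with_postcode, start, 4))
    print("20 decimal digits ~ %.1f bits" % id_bits(20))
    print("guesses per hit, 10^9 shipments in a random 20-digit space: %.0e"
          % expected_guesses_per_hit(10 ** 20, 10 ** 9))
    print("random id of the same shape:", random_tracking_number())
```

The enumeration loop returns every signature on the insecure endpoint and nothing on the postcode-gated one, because the walked-up tracking numbers never carry the second factor. The last two functions address 7952's objection that an unguessable identifier would be too long to type: a 20-digit number already carries about 66 bits if it is generated randomly; what makes the real one enumerable is that it is a counter, not that it is short.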
------
madaxe
This is pretty old news (has been the case for years and years with DHL),
however by grabbing those signatures, you've just put yourself in Weev's
shoes.

~~~
bigiain
If weev had done what he did from the Czech Republic (and never entertained
the idea of visiting the USA) he'd almost certainly be doing just fine right
now (well, as "fine" as weev ever did…)

~~~
smcl
I've no intention of visiting the US anyway.

~~~
bigiain
That's a pity – in spite of everything, it's a wonderful place with some
amazing people.

