
I challenged hackers to investigate me (2013) - matthiaswh
http://pando.com/2013/10/26/i-challenged-hackers-to-investigate-me-and-what-they-found-out-is-chilling/
======
Nursie
It's easy to find a surprising amount out about people without even any
'hacker' skills.

A friend occasionally gets email for someone with his name that lives in a
different country (lastname.firstname@gmail.com vs lastname-firstname@gmail.com).
He told us this, plus the country and county the guy
lived in, and asked a few geek friends of his what we could find out. He had
withheld some info so he could verify our results.

Within a few minutes we had his address, his immigration status and
photographs of his family. Which is quite scary.

(--edit-- this was using simple online tools like google and bing, plus
government websites in the country concerned.)

~~~
specialist
_It's easy to find a surprising amount out about people without even any
'hacker' skills._

It's the entire business model of Seisint (now owned by LexisNexis),
ChoicePoint, and probably others.

We received some Seisint training. The idea was to use their service to
uniquely identify patients, for electronic medical records. (The money people
didn't pull the trigger, because they couldn't get the transaction cost low
enough.)

My boss entered my name into the search field and says "Before I hit [Enter],
is there anything you don't want me to know about? We don't have to do this."

Thank god I'm clean. It showed everything about me. Any public record anywhere
was aggregated and collated. And showed it all in a nifty navigation
hyper graph, linking me to every roommate, relative, job, residence, court
document, etc.

~~~
jtheory
> My boss entered my name into the search field and says "Before I hit
> [Enter], is there anything you don't want me to know about? We don't have to
> do this."

That's a bit weird, isn't it? Why did your boss enter your name, and not their
own name? Or ask for a volunteer?

Granted, you were asked "should I go ahead or not", but you shouldn't have
been forced into this situation in the first place. You could easily have had
something in your history completely irrelevant to your work, but saying
"don't" would reflect poorly on you regardless.

------
nraynaud
I think I will challenge the hackers to finish and polish all my half assed
open source projects. I won't get a nice clickbait title, but maybe the world
will have moved slightly forwards.

~~~
datphp
Make sure you attach the project in .jar

------
coldcode
Yet look at all the trouble they went through. The vast majority of people who
want to steal from you look for easy targets that involve far less work, like
hacking Target. Sure it sounds scary but with even a little security effort
you can make it not worth their while to attack you as an individual.

~~~
yaskyj
Exactly. It took several individuals two months to get into his files. I don't
understand why number one on their list of attack vectors is physically
breaking into his house. You're pen testing an individual and number one is
B&E?

~~~
dublinben
Why wouldn't it be? Physical access to a computer is the best way to own it.

------
jere
I don't recall ever hearing about people lacking fingerprints. Here's an
article about it:
[http://www.nytimes.com/2011/08/09/science/09obprint.html](http://www.nytimes.com/2011/08/09/science/09obprint.html)

~~~
rplnt
A wide variety of skin issues will leave you with unstable, malformed, or even
without fingerprints as well. Then you have a note in your passport that says
that it doesn't contain that particular biodata.

~~~
jere
Interesting comment. Thanks. My first thought is how that would be applied to
_Papers, Please_.

------
krosaen
"you won't believe what happens next"

------
tashian
I wrote a Java applet that will show you how to avoid some of these
vulnerabilities. pm me for the link... ;-)

------
doktrin
Genuine question: are JAR files sent as email attachments still the
state-of-the-art in PC hijacking?

~~~
orbitur
No, but the "user is ignorant" attack vector is still the most common. And for
good reason.

------
bittercynic
Are there any services that will take my name, photos, and some personal info,
and then shoot chaff across popular web services? Seems like enough bogus info
would make it a lot harder to put together accurate information on someone.

------
tokenadult
A funny little detail I just noticed about this article as I was reading it is
that it cannot be bookmarked from my normal view of the article in Chrome, even
though all of the other dozen tabs I have open just now can be bookmarked.
When I viewed the source code on the page, I was able to bookmark that, and I
will definitely be coming back to this article in the future. (I have already
shared it among my Facebook friends.)

The comments here are interesting, as the last time this issue came up on
Hacker News, I was reading more anecdotes about public data searches on
individuals that mostly turn up junk data (which has been my experience). Way
back in the 1980s, I attended a presentation at a law firm where I then worked
and was told that with simply a former telephone number, all kinds of
interesting information could be found about a person. So I gave the company
representative one of my previous phone numbers from childhood, and he found
next to nothing about me, and some of what was found was erroneous. I was not
impressed.

By the 1990s, I had a lot of online presence, and when AltaVista was still the
dominant search engine a friend of mine in another city (we had met in Taiwan)
began using my name as a search term in training his colleagues in how to do
online searching, as a search on my name reliably turned up a lot of hits.
Google finds plenty of information about me, of course, and has become better
and better at sorting the most useful information about me to the top of the
search results over the years. I am aware that cyberstalkers, like
point-of-view pushers who have tried to drive me away from Wikipedia editing, can go
from my Wikipedia screen name (unique to Wikipedia) to find out other
information about me, including telephone numbers. But I'm still on Wikipedia
after they have been banned, so all's well that ends well. The harassing phone
call trick to suppress my free expression of fact and opinion on online forums
was tried as long ago as 1993, so I'm used to it.

Most of the emails that come to me off-forum about my Hacker News comments
address me by name, so it's not a hard research problem to link my Hacker News
screen name to my real name. (A harder problem is distinguishing me from the
subsequent people who began using my screen name here after I first used it on
another forum, beginning in 2004.) Yeah, foolproof privacy is difficult to
achieve. I usually don't go snooping, and for the most part I have no idea who
I am talking to here on HN. I figure that the old days of living in a village
with a small group of people who were mostly all extended family relatives
probably didn't offer much privacy either, so I'm not particularly worried
about the modern world, but I wonder how much more Privacy by Design

[http://www.privacybydesign.ca/](http://www.privacybydesign.ca/)

concepts can catch on in everyday practice in most industries for more of what
we each do in daily life.

If you would like to comment about this, I won't try to figure out who you are
away from HN.

------
hnha
* October 26, 2013

~~~
mjolk
What's your point? It's possible to have an enriching conversation and/or
discuss things that are more than a few hours old.

~~~
TheDom
Sure, but it has been discussed before:
[https://news.ycombinator.com/item?id=6617497](https://news.ycombinator.com/item?id=6617497)

~~~
mjolk
Is your assertion that the maximum utility of a topic is realized on the
first discussion?

~~~
thejosh
Sure, so how often should content be recycled through HN?

~~~
mjolk
The site has a ranking system for posts that handles this question.

