I wonder how many Comcast customers were doxed with this method before it was fixed.
Say you go post on Infowars anonymously (but not through Tor/VPN/Proxy). They can now know where you live.
Of course the address is public. The relation between your IP address and your actual address isn't...
I guess it's a bigger problem for celebrities or for those who are targeted. But even then, the police are there. Just call them.
I'm trying to understand the other side of this.
The psychological effect of having someone treat you like an object, repeatedly hunt you down after moves, and gaslight you/landlords/cops into believing it’s not happening is harmful as it is—let alone the not-so-unlikely chance that someone with this high degree of intelligence and mental health issues will physically hurt you if they find you.
There’s not much you can do besides a paper restraining order. By the time the cops come it’s too late.
This possibility is a very real part of many people’s lives, but maybe less talked about with men like me because statistically female victims are more common.
The cops don't have a specific obligation to "come" to help you. Nor to enforce a restraining order.
Everyone should read those two Wiki entries. The law often isn't what people think it is.
OTOH if someone breaks into your house and you smoke 'em, then in most states you're in the clear, even without a restraining order.
I know that's not what most people here want to read, but it is "the law of the land" in terms of legal precedent.
For example, T-Mobile and Verizon vulnerabilities are used to SIM swap and get around 2FA on instagram or twitter. Usually, they first try to find an employee who works at the store and has access to the database, before going through all the trouble of finding a vuln.
This has been an “underground” space for quite some time, but is slowly coming to light.
Source: I use to be in this space and made so much money off original usernames. To give you an idea of what a username goes for, I sold the Instagram @b*ss for $20,000.
Police can't be there to intercept the metaphorical brick through your window. The reason why we feel safe walking outside everyday is because of the fabric of trust in our community.
Uh, isn't that the exact problem? Once someone knows your address you're a voip call away from swatting.
We could just stop having SWAT teams. The events that supposedly justify them are so exceedingly rare that most members of SWAT teams go their entire careers without ever seeing one. But once they exist they get used for all kinds of routine operations that don't actually require them, where all they do is raise tensions and unnecessarily escalate matters.
There is a reason there is supposed to be a hard wall between the police and the military. If you really need a military presence, the governor can call in the National Guard. But when does that happen? Even they mostly end up getting called in for hurricane relief and that sort of thing.
(1) Have the IP address return the right location
(2) Not have duplicate street names in that location
(3) Have a single digit address OR be the only home starting with that number
That's going to be a pretty rare combo. Probably less than 1%.
- a select few with good reasons to avoid their address being widely known. Because stalkers etc.
- All those infsec bros with their "attack vectors" and their "threat landscape". They'll scream "security by obscurity" when you're using an unlisted URL to share holiday photos, but get really miffed if someone finds out where they live, or where they go running.
Person A and Person B are getting hot and bothered about something stupid. Person A says "come at me bro, here's my address." Person A gave Person B Person C's address instead.
Person B swatted Person C. Person C had no idea what was going on, went outside, maybe panicked, maybe whatever, but Person C was shot and killed because SWAT had no idea.
I believe A and B were arrested, but usually the cops don't get lucky. They couldn't find the idiot who tried swatting me, but they don't exactly have a ton of resources either.
Shit's scary, especially since it can happen anytime.
I have the President of the United States' address. 1600 Pennsylvania Avenue. Oh no! I done dox'd him!
Exposing information about someone that is largely already public is somewhat bad, but it's not "really, really bad". And it's certainly not worse than exposing the last 4 of their SSN.
There are many ways to dox people. If you have a specific target, you probably know their name; if not, you can phish it, and any other information you want. If you have their IP, you know their ISP. With their name and their ISP, and maybe some extra info gleaned from various sources like social media, you can get pretty much anything you want. Account access, phone numbers, billing information, socials, etc. With their phone number you can take over their phone, and then all their SMS-linked accounts.
Is this scary? Yes. Did I need to slowly extract their home address using a vendor's web form and their IP? No.
The last 4 of the social is much worse. It makes all of this incredibly easy and gives access to much more sensitive information, like medical records, payroll, government service information, etc.
If only we all had access to the Secret Service. Lots of modern games make use of P2P behind the scenes (e.g. for voice chat), which means that maladjusted script kiddie I just sniped already has my IP and might decide to forego DDoSing me and skip straight to calling in a hostage situation at my home address. Being able to easily resolve a concrete address from an IP is certainly a bigger deal than being able to determine its ISP.
The last time I mentioned how disciplined our military was compared to seemingly trigger happy police though someone said quietly to let the military our of the barracks and live in my neighborhood as well as occupy public space everywhere within the country and my opinion will change within a few years. I suspect this is true. I don't have any solutions to this militarization, just wanted to point out that doxxing isn't there real problem but rather the swatting is.
The problem is that SS7 still allows anyone and their dog to spoof phone numbers. Swatting will always work because a (real) hostage situation is among the worst things that can happen for police, the others being terrorist attacks and serial killers.
Swatting can only be prevented reasonably by fixing telephony signalling and throwing the ones doing it into jail for a couple of years.
> Swatting will always work
Because ALSO most forces can't spend the money to train their police in hostage situations. It isn't just giving them big "toys" that they want to play with. It isn't that they aren't trained. It is that it is impractical to train them.
I get that it is impractical for Olathe Kansas to train all it's police force in hostage negotiation and deescalation when most likely none of the force will ever use it but what is the alternative? We can't just bus the same negotiation team across the country every time. If we could, EPA wouldn't have its own armed servicemen, right? Also there wouldn't be a Port Authority Police Department in POrt Authority of New York and New Jersey, right?
Basically, I imagine if you wear the equipment and gear for seat, you must be trained for it and we'll qualified in it. If not, then don't carry the gear. No?
> Exposing information about someone that is largely already public
A home address may be public, but the connection between that address and online activity, like posts on reddit / HN / some forum (political? fetish/porn? extremist? etc etc), is very much not public. Last 4 of social is not uniquely identifiable, but a (partial) home address almost is.
> If you have a specific target, you probably know their name
Not if they're being careful, like anyone would be if they don't want their posts online mapped back to them. But now you can DM them a link (or email them an image if you have an email address or redirect) and turn their IP into a home address. That's very bad.
Doxing someone isn't just exposing an arbitrary address, it's connecting a purportedly anonymous online account with personally identifying info.
Going back to the president, what if you could find out that some angry anonymous person posting racial slurs online was actually the POTUS? That is doxing.
Saying this is a really bad vuln because you aren't as private as you think you are online is like saying lock picking is a really bad vuln because you didn't know door locks could be opened by anyone with a bent piece of metal or a shaved down key. Locks don't actually keep bad people out. They just make people feel safe. Same with this idea that your IP is anonymous. It's really not. It's a literal address.
While I agree with your general sentiment, I hope you appreciate the irony of this particular example.
Still is, depending on the canton. For Zürich you get 5 lookups per day per IP. For other cantons they might charge you a swiss franc or so . Cantons that charge 10-20 CHF and require a reasoning for why you need this data are in the minority.
Irrelevant, since Comcast already hands this information over to such parties willingly.
You can identify addresses that are Comcast customers simply by going to their website and shopping for service. If you enter in the address of an existing customer, it tells you.
You can cross reference this with open records like tax and voter registration to determine who lives their and potential phone numbers.
You can confirm the owner of the account by using Comcast's bill pay without login feature. It allows you to specify a street address and telephone number to view/pay a bill. And based on the bill amount you might be able to determine which services they're subscribed to.
If the person is renting equipment then they'll be broadcasting a hotspot that other customers can log into and use unless they're savvy enough to disable it. That could be used to determine their IP address.
Those are just the ones I know about off the top of my head. I'm sure there are many more.
She (paraphrased) told me that since it wasn't a "bug", it didn't deserve a bounty as part of a bug bounty program. She followed that dribble by saying that for them to implement a bug bounty program would be far too expensive because it would lead to them having to fix all of the security flaws at Comcast. No joke.
Dear Comcast: put out a fucking bug bounty!
In SF both Monkey Brains and Sonic are excellent, pro-Net-Neutrality, pro-privacy ISPs who offer non-exploitative contracts for internet access which is unfiltered, blazingly fast, and incredibly cheap!
Comcast has a functional monopoly in my area, and that has been true my entire life except when I lived abroad. Our suburban home in Wisconsin, and again in South Carolina. Five different homes in Houston. Three in California. I shudder to think about the amount of information Comcast has on me, particularly if they snoop my network activity.
I heard about Monkey Brains from a pal. From a quick search, the only comparison site that seems to mention them is Yelp.
Lol If only. I can't remember the time I rented an apartment and had even an option other than a monopoly like Comcast. I've literally never seen it available in the midwest. You always just have the single choice, sadly.
My new place in San Jose has fiber to the premise, so I signed up for Sonic again. Good bandwidth, Rock solid service.
If you’re in a larger building (15+ units), there are a couple of other fiber providers that may be an option, if building management is up for it.
MonkeyBrains is a wireless ISP. I regularly get 25-40 Mbps from them (though they don’t guarantee that). I’ve had only occasional slowdowns and one outage lasting a few hours. (So, more reliable than Comcast had been, at least for me.) I’d heard rumors MonkeyBrains was planning some equipment upgrades that would let them deliver 60-80 Mbps, but no official announcement or timetable.
It's just such a pleasure to talk to someone who is actually listening to and thinking about your problem, instead of simply reading from a script.
Email notice is an option if meeting the restrictions listed in the Federal law linked below. I think the relevant part is section (c), with the major restriction being "affirmative consent."
Alternatively if the breach affects over half a million people, they can send notifications by email, but also have to plaster their homepage and send "Notification to major statewide media." The homepage banner would only affect people who pay electronically but not by autopay. There are ways to minimize the effect of news broadcast, e.g. send the press release at 4 o'clock on a Friday when no one watches the news.
So, it's not quite as easy as you think but Comcast does have options to minimize the impact of notification.
It fits too well.
Based on the details in the article, this sounds like something that needed to be fixed, but probably not even worth the time to write this article.
The SSN last 4 digit bruteforcing is really bad, too. I'd say arguably not as bad, since it's not very hard to get most people's SSNs on black markets these days.
This is not a breach, but these are two massive vulnerabilities and deserves many articles.