[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: www.WhoWhere.com selling access to my employer's passwd file
On Sat, 27 Apr 1996, Black Unicorn wrote:
> On Sat, 27 Apr 1996, Sentiono Leowinata wrote:
>
>
> > I wonder how they can get the e-mail address? Our finger daemon are
> > blocked. Many un-broadcast e-mail addresses (the account never send any
> > e-mails to anyone) are in the database. How?
> > Furthermore, isn't it also privacy invasion?
> > Would any hackers or expert people kindly to tell me how to block
> > further threat like this?
>
> Use a nym.
This doesn't necessarily help if you work or study at a large institution
(stanford.edu, for example). It depends on what you want to keep private.
If I want to moonlight or carry on a political discussion, I can use
untraceable nyms, but if someone wants to know where Rich Graves works,
then there is no way for me to stop them from finding out. That's not a
problem for me, obviously, but I've got 30,000 other people to worry
about.
What whowhere.com did (whoswhere was a typo, yes -- it was late, and I was
rather pissed off) was grab the password file some time ago. We know that
they grabbed the password file because they have misspellings, odd
capitalizations, and daemon/group IDs that appear *only* in the password
file. We know exactly when they did it, because the password file is
built sequentially. They have everything up to line 26,667, and nothing
after that line. We know exactly when account 26,668 was opened.
Search for "SITN Account" at organization "stanford.edu". These are
kerberos IDs that have never had email addresses. They have never existed
outside the password file.
They also have password files from a few other large educational and
commercial organizations. It is not clear that they broke the law getting
our password file, but in at least two other cases, it is.
The threat profile is this. We've got grad students and visiting lecturers
from repressive countries, or good-guy countries threatened by terrorists.
We've got some really famous people who don't want to be stalked. These
people have unlisted phone numbers, unlisted email addresses, unlisted
physical addresses, and if you call the registrar for a transcript, the
registrar will neither confirm nor deny that Stanford has ever heard of
such a person. If you finger @stanford.edu, these people will never show
up, no matter how you formulate the query. They're simply not in any
directory database.
If you grep one of the files that whowhere.com OBVIOUSLY used to build its
database, some of these people do show up. If you then finger that address
specifically, you might get the last login time and location, which might
tell you exactly where they live and work on campus. You can then send a
package with excessive postage, or something like that.
Never mind women (or men) being stalked by sticky-fingered psychopaths.
One person's paranoia is another person's reality.
In a way, I suppose we're "asking for it," because anyone with a
reasonable level of technical knowledge would know that the password file
the whowhere.com guys took is vulnerable, but the users who are now in a
public directory without their knowledge or consent were NOT asking for
it. Since the fact that they're at Stanford is one of the things some of
them might want to keep secret, there is no satisfactory compromise short
of removing all names and addresses collected in such unethical ways.
whowhere.com is in Mountain View; its principals live in Palo Alto, a
ten-minute bike ride from campus. If some (former) Stanford affiliate
helped them out, they're in trouble. If some (former) Stanford affiliate
didn't help them out, then they're in a lot more trouble.
They also have an entry for me as "Dick Graves - CDA Investigator." I
believe I used this in the From: line of two posts to su.* newsgroups that
do not propagate beyond nntp.stanford.edu. The presence of this address
means that they were building their database on Stanford computers, which
is a big, big no-no.
-rich