On Sat, 27 Apr 1996, Black Unicorn wrote:
On Sat, 27 Apr 1996, Sentiono Leowinata wrote:
I wonder how they can get the e-mail address? Our finger daemons are blocked. Many un-broadcast e-mail addresses (the accounts never send any e-mails to anyone) are in the database. How? Furthermore, isn't it also privacy invasion? Would any hackers or expert people kindly tell me how to block further threats like this?
Use a nym.
This doesn't necessarily help if you work or study at a large institution (stanford.edu, for example). It depends on what you want to keep private. If I want to moonlight or carry on a political discussion, I can use untraceable nyms, but if someone wants to know where Rich Graves works, then there is no way for me to stop them from finding out. That's not a problem for me, obviously, but I've got 30,000 other people to worry about.

What whowhere.com did (whoswhere was a typo, yes -- it was late, and I was rather pissed off) was grab the password file some time ago. We know that they grabbed the password file because they have misspellings, odd capitalizations, and daemon/group IDs that appear *only* in the password file. We know exactly when they did it, because the password file is built sequentially. They have everything up to line 26,667, and nothing after that line. We know exactly when account 26,668 was opened. Search for "SITN Account" at organization "stanford.edu". These are Kerberos IDs that have never had email addresses. They have never existed outside the password file.

They also have password files from a few other large educational and commercial organizations. It is not clear that they broke the law getting our password file, but in at least two other cases, it is.

The threat profile is this. We've got grad students and visiting lecturers from repressive countries, or good-guy countries threatened by terrorists. We've got some really famous people who don't want to be stalked. These people have unlisted phone numbers, unlisted email addresses, unlisted physical addresses, and if you call the registrar for a transcript, the registrar will neither confirm nor deny that Stanford has ever heard of such a person. If you finger @stanford.edu, these people will never show up, no matter how you formulate the query. They're simply not in any directory database.
If you grep one of the files that whowhere.com OBVIOUSLY used to build its database, some of these people do show up. If you then finger that address specifically, you might get the last login time and location, which might tell you exactly where they live and work on campus. You can then send a package with excessive postage, or something like that. Never mind women (or men) being stalked by sticky-fingered psychopaths. One person's paranoia is another person's reality.

In a way, I suppose we're "asking for it," because anyone with a reasonable level of technical knowledge would know that the password file the whowhere.com guys took is vulnerable, but the users who are now in a public directory without their knowledge or consent were NOT asking for it. Since the fact that they're at Stanford is one of the things some of them might want to keep secret, there is no satisfactory compromise short of removing all names and addresses collected in such unethical ways.

whowhere.com is in Mountain View; its principals live in Palo Alto, a ten-minute bike ride from campus. If some (former) Stanford affiliate helped them out, they're in trouble. If some (former) Stanford affiliate didn't help them out, then they're in a lot more trouble.

They also have an entry for me as "Dick Graves - CDA Investigator." I believe I used this in the From: line of two posts to su.* newsgroups that do not propagate beyond nntp.stanford.edu. The presence of this address means that they were building their database on Stanford computers, which is a big, big no-no.

-rich
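
The cutoff reasoning in the message above (a third-party directory that matches a sequentially built password file up to one line and nothing after it, with names copied verbatim), as an added example that is not part of the original post. The sample passwd lines, the directory listing and the `snapshot_cutoff` helper are all constructed for illustration; it also tolerates a few entries missing before the cutoff, which goes slightly beyond the clean case described.

```python
# Constructed sample data: a passwd file appended to in account-creation order,
# and a third-party directory listing mapped as login -> published name.
SAMPLE_PASSWD = """\
root:x:0:0:Super User:/:/bin/sh
daemon:x:1:1:System Daemon:/:/bin/false
alee:x:1001:100:Alice Lee:/home/alee:/bin/csh
sitn01:x:1002:200:SITN Account:/home/sitn01:/bin/false
bkim:x:1003:100:bob KIM:/home/bkim:/bin/csh
cwu:x:1004:100:Carol Wu:/home/cwu:/bin/csh
dpatel:x:1005:100:Dev Patel:/home/dpatel:/bin/csh
"""
SAMPLE_DIRECTORY = {"root": "Super User", "daemon": "System Daemon",
                    "sitn01": "SITN Account", "bkim": "bob KIM"}


def snapshot_cutoff(passwd_text, directory):
    """Find the passwd line where directory coverage stops (hypothetical helper)."""
    entries = []  # (line number, login, GECOS name)
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) >= 5:
            entries.append((n, fields[0], fields[4]))
    present = [login in directory for _, login, _ in entries]
    total_absent = present.count(False)
    # Score each split k: listed entries before it plus unlisted entries after it.
    best_k, best_score, hits, misses = 0, total_absent, 0, 0
    for k, seen in enumerate(present, 1):
        hits += seen
        misses += not seen
        score = hits + (total_absent - misses)
        if score > best_score:
            best_k, best_score = k, score
    before, after = entries[:best_k], entries[best_k:]
    return {
        "cutoff_line": before[-1][0] if before else 0,
        "first_unlisted_after": after[0][1] if after else None,
        "coverage_before": (sum(present[:best_k]) / best_k) if best_k else 0.0,
        "unlisted_before": [l for _, l, _ in before if l not in directory],
        "listed_after": [l for _, l, _ in after if l in directory],
        # Names copied byte-for-byte from GECOS (odd capitalization included)
        "verbatim_names": [l for _, l, g in before if directory.get(l) == g],
    }


if __name__ == "__main__":
    print(snapshot_cutoff(SAMPLE_PASSWD, SAMPLE_DIRECTORY))
```

A sharp cutoff with nothing listed after it, plus service accounts and oddly capitalized names reproduced exactly, points to a one-time copy of the file; the creation date of the first unlisted account then bounds when the copy was taken.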