Posts Tagged ‘security’

Privacy concerns with online quizzes

Saturday, May 16th, 2009

To many, the privacy dangers associated with some online quizzes, and things of that sort, come as no surprise. A recent PCWorld article entitled Secrets of Online Quizzes talks about how some of the quizzes out there use the data they collect to target online ads at the person who took them. It also refers to an article explaining that Facebook quiz developers are automatically granted access to your profile when you agree to take their quiz.

I consider both of these to be frightening scenarios. It also got me thinking again about one of the other big privacy and security loopholes I’ve seen out there: the online name quiz. I suspect you’ve seen it… “what’s your Jedi name?” or “what’s your stripper name?”

A quick Google search turned up some sample questions:

DETECTIVE NAME: (favorite color, favorite animal)
Red Kangaroo

DRAG QUEEN NAME: (first pet + mother’s maiden name)
Margo Webster

MOB NAME: (Dad’s name, favorite Italian restaurant)
Bill Regina

MOVIE STAR NAME: (grandfather/grandmother on your Mum’s side, your favorite candy)
Evelyn Reese

MOVIE STAR VAR 1: (grandfather/grandmother on your dad’s side, favorite candy)
Graham Reese

MOVIE STAR VAR 2: (favorite snack food + grandfather’s first name)
Doritos Graham

MOVIE STAR VAR 3: (first pet’s name + favorite teacher’s name)
Margo Levine

NASCAR NAME: (first name of your mother’s dad, father’s dad)
Sidney Bill

NEWSCASTER NAME: (your middle name, mom’s maiden name)
George Webster

PORN NAME: (1st pet, a street you grew up on)
Duff Veronica

PORN VARIATION: (first pet and current street name)
Duff Verdun

PORN VARIATION 2: (middle name, father’s middle initial, street you grew up on)
George T. Randall

PORN VARIATION 3: (current pet’s name, street you grew up on)
Amber Veronica

SOAP OPERA NAME: (middle name, city where you were born)
George Syracuse

WITNESS PROTECTION NAME: (mother’s and father’s middle names)
Julie Tracy

WITNESS VARIATION: (grandfather’s and grandmother’s first names)
Graham Ruth

(I’ve changed the answers that I’d pulled off the website, so as to not endanger the person who posted it.)

See the problem? These are exactly the questions that banks, financial institutions, and other groups might ask you as ‘questions that only you know the answers to’ to prove your identity. With the current state of the internet, once that data is out there, it’s out there forever.
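To make the overlap concrete, here is an added example (not code from the post) that audits a list of quiz prompts against a constructed set of common knowledge-based-authentication (KBA) categories. The category names and regular expressions are my assumptions for illustration, not a list taken from any real bank; the sample prompts are the ones quoted above, with the missing closing parenthesis on the last one kept on purpose so the parser shows it tolerates sloppy formatting.

```python
import re

# Constructed list of KBA categories of the kind banks and account-recovery
# flows ask about. The patterns are assumptions for this example.
KBA_CATEGORIES = {
    "mother's maiden name": re.compile(r"\b(mother|mom)'?s? maiden name"),
    "first pet's name": re.compile(r"\b(first|1st) pet"),
    "street you grew up on": re.compile(r"\bgrew up on"),
    "city of birth": re.compile(r"\b(city|town)\b.*\bborn\b"),
    "grandparent's first name": re.compile(
        r"\bgrand(father|mother)|\b(mother|father|mom|dad)'?s? (dad|mom|father|mother)\b"),
    "parent's name or initial": re.compile(
        r"\b(dad|father|mom|mother)'?s? (first |middle )?(name|initial)"),
    "middle name": re.compile(r"\bmiddle name"),
    "favorite teacher": re.compile(r"\bfavou?rite teacher"),
}

# Matches 'LABEL: (field, field)' and tolerates a missing colon or closing paren.
PROMPT_RE = re.compile(r"^\s*(?P<label>[^:(]+?)\s*:?\s*\((?P<fields>[^)]*)\)?\s*$")
# Quiz prompts separate their inputs with commas, plus signs or the word 'and'.
FIELD_SPLIT = re.compile(r"\s*(?:,|\+|\band\b)\s*")


def normalize(text):
    """Fold curly apostrophes and case so the patterns above match reliably."""
    return text.replace("’", "'").replace("‘", "'").lower()


def flag_kba_overlap(prompt):
    """Parse one quiz prompt and map each requested field to the KBA categories it reveals.

    Returns None when the prompt does not look like 'LABEL: (fields)'.
    """
    m = PROMPT_RE.match(prompt)
    if not m:
        return None
    fields = [f for f in FIELD_SPLIT.split(normalize(m.group("fields"))) if f]
    hits = {
        field: [name for name, pat in KBA_CATEGORIES.items() if pat.search(field)]
        for field in fields
    }
    return {
        "label": m.group("label").strip(),
        "fields": hits,
        "risky": any(hits.values()),
    }


def audit_quiz(prompts):
    """Return the labels of every prompt whose inputs overlap with a KBA category."""
    risky = []
    for prompt in prompts:
        result = flag_kba_overlap(prompt)
        if result and result["risky"]:
            risky.append(result["label"])
    return risky


# Constructed sample input: prompts quoted in the post (answers omitted).
SAMPLE_PROMPTS = [
    "DETECTIVE NAME:(favorite color, favorite animal)",
    "DRAG QUEEN NAME: (first pet + mother’s maiden name)",
    "MOB NAME (Dad’s name, favorite Italian restaurant)",
    "NASCAR NAME:(first name of your mother’s dad, father’s dad)",
    "NEWSCASTER NAME (your middle name, moms maiden name)",
    "PORN NAME: (1st pet, a street you grew up on)",
    "SOAP OPERA NAME:(middle name, city where you were born)",
    "WITNESS VARIATION: (grandfather and grandmothers first name",
]

if __name__ == "__main__":
    for prompt in SAMPLE_PROMPTS:
        result = flag_kba_overlap(prompt)
        status = "REVEALS KBA ANSWERS" if result["risky"] else "ok"
        print(f"{result['label']:<24} {status}")
        for field, cats in result["fields"].items():
            if cats:
                print(f"    {field!r} -> {', '.join(cats)}")
```

Run as a script it prints one line per prompt; only the detective name, which asks for nothing a bank would use, comes out clean. The same check can be pointed at any list of “fun” prompts before deciding whether to answer them in public.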

People really need to understand the implications of putting their data out there. I still think we’re in for a big problem very soon because of all of this. It just makes identity theft that much easier.

Don’t think there is privacy on the internet

Wednesday, May 6th, 2009

I was reading Bruce Schneier’s recent post on his blog and was thinking “hey, I’ve been meaning to write this.”

In general, this bothers me. What bothers me just as much is the blind acceptance that goes along with it. I’ve often heard the argument of “Oh, I’m sure that all of that information is out there anyhow, it’s no longer worth my effort to try and protect it.” More disturbingly, I’ve heard this argument from people who have been entrusted with the data of others.

On the whole, the US has been lulled into a complacent attitude towards their personal information and privacy. With the steady rise in identity theft, and a weak economy, I really have to wonder when we’ll reach the point of personal identity information being worthless, since none of it can be trusted.

I often think of my bank. Banks are built with the image of security involved. What could be physically safer than a big thick vault? In fact, when I hear of a bank being robbed, it is usually a daytime robbery, which involves bypassing the humans, and not cracking the vault.

Compare that to modern life on the internet. You may do your banking on the internet… how do you know that it’s safe? More importantly, how does the bank know that it’s really you? There are basic protections in place, but with the amount of data about people on the internet, it’s getting very hard to be sure that the person on the other end of the wire is really who they say they are.

I’m increasingly convinced that there is going to be a big technology/privacy “incident” sometime soon. I don’t know what it will be, or who it will affect. I hope we all survive it. More so, I hope we all learn from it, finally.

Key duplication without the Key

Thursday, October 30th, 2008

A picture is worth a thousand locksmiths.

This is a somewhat interesting article. I’ve used very similar procedures long, long ago. The concept isn’t far from what you’d see in old spy movies, where the agent makes a wax mold of the key.

While this is a bit of fear mongering, to anyone who has been paying attention, physical keys are rarely as secure as you think they are. To me, this is yet another attempt by the computer security industry to highlight known physical security issues and make it look like a huge discovery. Being able to use a computer to do it is neat, but hardly groundbreaking. I can say with certainty that when I was in practice, there were certain keys whose cut depths I could read and memorize from a distance of 5-6 feet. That came from a lot of practice analyzing that particular manufacturer’s locks and knowing the specifications of their system. Some vendors may be more difficult than others.

In terms of protecting yourself against this sort of attack, the first line of defense is a good offense: don’t let other people scan or photocopy your keys. Beyond that, you want to use a locking system that doesn’t translate well to a two-dimensional representation. Medeco may be a good example, in that I suspect it’s harder to tell the cut angle from a picture, so you’d only have the cut depth, which isn’t enough to open the lock. Several other vendors use keys that carry their information in three dimensions, which would be harder to get around. Moving to a key with data in three dimensions doesn’t eliminate the problem; it just adds one more layer, making the key that much more difficult to recreate.

Still… locks and keys have been around for a very, very long time, and they’ve been known to be vulnerable for a very long time. This attack is hardly new. There is a reason that jails don’t allow any pictures of the cell keys to ever be taken.

A little jerboa background…

Tuesday, October 14th, 2008

“The jerboa is a nocturnal desert rodent who scurries about looking for holes.”

My hope is to capture my thoughts on life, security, firewalls, VPNs, computers, blogging, health, finance, credit cards, mortgages, privacy, travel, books, and whatever piques my interest at the time. This is my forum. My hope is that you’ll find something useful to take away from it.

I did security consulting for many years. I don’t do that any more, but I learned a lot about the world back then, and that knowledge stays relevant to this day. Security isn’t a product, or a tool. It’s a mindset and a methodology. It’s how you view the world, and where you draw the line between inside and outside. Security is all about process, not about products.

Watch this space! More to come!