deafcon 14

[bugzpodder]

http://news.yahoo.com/s/ap/20060804/ap_on_hi_te/conference_counterfeits

specifically, this caught my eye:

Greg Conti, a computer science professor at the United States Military Academy, prepared a report that shows just how much information free Web services such as Google Inc. and Yahoo Inc. (Nasdaq:YHOO - news) have about typical Internet users. He wrote a program that allows anyone to see the kind of personal details "” including a complete list of every search item ever entered, every location surveyed on a map, and entries put in electronic calendars "” routinely stored by such sites.

anyone able to find a copy of the program? it seems to be a very interesting thing to have.

[bugzpodder]

a bit off topic: anyone seen this? hardcore! http://www.youtube.com/watch?v=aeXAcwriid0

[Panopticon]

bugzpodder wrote:

anyone able to find a copy of the program? it seems to be a very interesting thing to have.

Since DEFCON is a black-hat conference, most of the things being exhibited there are illegal, immoral, or just plain ethically wrong. DEFCON doesn't officially endorse or support anything that participants may choose to demonstrate during the expo. Unless the author has a copy of the program on his personal website, you probably won't find it online.

What happens in Vegas stays in Vegas.

[bugzpodder]

thats completely off. First of all, real world hackers for profit are illegal, immoral, and "plain ethically wrong". However, part of the aim of DEAFCON is not a gathering of script kiddies, but to actually bring real security experts and top hackers together to address current urgent security issues!! This is completely legal, moral, and ethically right i suppose.

[Tony]

but demonstrating a tool that breaks the said security and then giving it out for free to anyone interested... that brings us back into the "plain wrong" category.

It should probably be noted that both companies (Google and Yahoo) offer email services and run IM servers. If they really wanted to collect some personal data, then they have access to so much more than your search preferences.

[bugzpodder]

yes exactly why im curious about it, how the heck does the program get this information?

I dont think that it could possible for him to hack into google server to fetch this information (otherwise you will be sure his ass is getting sued by Google and Yahoo). so i think on the other hand the program would be legit, and maybe use some feedback methods. but i have no clue for sure.

Tony, to my knowledge, Google does store EVERYTHING it knows about you. According to some sources, google does not delete any data it obtains. that includes things like your old [deleted] emails, your chat history (that you wanted to save in your email), calendar, google desktop 2 stuff (if you decide for it to transfer stuff to google servers), google map queries, etc. Even though Google employees are prohibitted to access this information directly without a warrant or something, but you can be sure it is stored somewhere on one of these computers. That is what the person's program exploits. apparently it seems he found some way of retrieving this data, legally or otherwise.

[Tony]

I was just thinking.. if you were to have some application that would constantly send out random (think dictionary attack) google queries at a regular interval. Whenever you want to actually search something, the query gets places in a queu, gets executed during the next scheduled search, and the result is displayed (instead of being thrown away).

Sure it ads some delay (and bandwidth consumption), but from Google's perspective, your actual searches should effectivly be lost among random content.

[md]

bugzpodder wrote:

thats completely off. First of all, real world hackers for profit are illegal, immoral, and "plain ethically wrong".

Not entirely true... hacking for profit is legal in situations depending on who you work for and what kind of information your looking for. It may not be ethical in most situations, but ethics and business are two completely seperate things. Morals are just ethics, so the same applies

[Tony]

well... recently AOL has decided to release a huge list of searches, along with user IDs. They recalled the file after someone has actually looked at it, though a smaller (20K) sample (and stripped ids) is still available at research.aol.com. It doesn't contain the murder plots of the original, but the porn searches are still pretty sickening. AOL users have problems, seriously.

[bugzpodder]

Cornflake wrote:

bugzpodder wrote:

thats completely off. First of all, real world hackers for profit are illegal, immoral, and "plain ethically wrong".

Not entirely true... hacking for profit is legal in situations depending on who you work for and what kind of information your looking for. It may not be ethical in most situations, but ethics and business are two completely seperate things. Morals are just ethics, so the same applies

i meant illegal profit, such as phishing, id theft, things like that.

[md]

WEll of course illegal profic is illegal!

The original dataset released by aol is still available on a mirror somewhere, I just forget what the url is. The best part was the guy who quite clearly was looking to kill his wife... and get some steak and cheese.

[bugzpodder]

well he was just searching for that. maybe his searching for ideas to create a movie scene or drama play or something. like if you search for "child porn" maybe you are actually looking for the civic issue rather than real pornography

[md]

I suppose those work too... I think hte most amazing part of teh data released was that it contained social security numbers and credit card numbers. Why anyone would be searching their own credit card number I do not know... but they were apparently found.

[Tony]

I've gotten a hold of the entire dataset though a mirror host. Yey.

I do sometimes search for myself on Google just to see what's out there, or more often to see if compsci content is cached up to date It is beyond me why one would search for their own credit-card number.

It is sort of scary how much info can be infered from search requests alone. Interestingly enough, I sometimes use Google in place of a calculator, so technically full solutions to some of my assignments are logged there somewhere.

[Dan]

I whould be more woired about my ISP then my sreach engion keeping data on me. Besides it is rather hard to track who you are when your ip is not static and you clean out your cokies every so offten. If you are loged in to a google acount well doing it, thats another sotry.

However if google did ever realses that data they could be sued. AOL right now is facing law suites for the EFF and posibale actions from the U.S. goverment. Tho if the goverment requests the infromtion that gets in to more issues, and they have asked google for it befor.

Personaly i do not think i sreach or use google in a way that whould give out any information that whould realy screw me over since all my info is allready posted publicly all over the place (like the compsci.ca wiki). Most of the time i use google as a spell checker.

I whould never use google desktop tho, i don't realy like my computer sreachable that easy :p

Edit: As for the storting of map locations i look up, i most query google maps like 10 times per seconded for some of the software i am working on for work, lol. And with all the wrong spellings i use in every day googling it whould intresting to try and sreach what they have on me.