20070205

Profiling via Social Sites

I know they probably weren't the first, but Firefox is probably the most popular browser to support "Live Bookmarks" - an RSS feed as a bookmark. Coupled with bookmarking sites (social and otherwise), you've got a portable bookmark list. I don't have to keep a thumbdrive with my bookmarks anymore; I just point my browser to a feed and I'm set.

In the past, I didn't use bookmarks at all. It was easier (generally) to remember the right search terms or URLs. And in order to use my bookmarks on multiple machines, I had to copy them around. Before Live Bookmarks, using a bookmark site wasn't all that advantageous, because to get to all my sites I still had to make two visits: first to the bookmark site, then to the site I really wanted to go to.

But now, things like Google Bookmarks, ma.gnolia, and del.icio.us allow you to bookmark, then get an RSS feed of those bookmarks, and coupled with a Live Bookmarks type feature, you're always up-to-date.

The downside of this is that if you make your links public (I'm assuming del.icio.us is still the most popular, in which case you have to deliberately make them private), people can begin to profile you. How is this dangerous?

  • A little searching on del.icio.us will show you people who bookmark login pages you're interested in
  • You get the user names of those people
  • You can see what other login pages they've got bookmarked
  • Any of those an email site? You might be able to guess that they use the same login on their email as on the social bookmarking site
  • Spearphishing accomplished. Low return rate (you won't get many combinations of a known creditor/email provider), high hit rate (of those you find with the same combination, a pretty high volume of those will be hits).

With blogging sites, it doesn't take too many posts to figure out what services people are "married to". Those who are on Blogger have a pretty high likelihood of using other Google services. People who blog on Yahoo might get email and bookmarks from Yahoo. If you can determine the geographic region for a person (watch the timestamps on their blog postings or when their emails hit mailing lists), you can narrow down other things, like their financial institution.

All this being said, you can bet the bad guys are working on ways of using APIs or botnets to warehouse as much of this data as possible. (Manual searching on del.icio.us takes a long time, but it can be automated and distributed for warehousing and later analysis.)

So how do you protect yourself?

  • If your blog is your "diary", make it private and limit to whom it's shared.
  • If you feel you must have a bookmark to your really sensitive stuff online, make it private, or use a private bookmarking site.
  • Don't know your own passwords. Use a password safe like KeePass (or KeePassX for *nix or Mac), or Keychain on Mac OS X, that will generate a really hard password and associate it with a URL.
  • Don't use the same login name for all your services.
  • Come up with a good handle that's not related to your real name, don't include your birth year in it, and make sure your email alias on big email services isn't the same.
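As an added example (not code from the original post), here is a small Python audit for the second point above: it reads a del.icio.us-style RSS bookmark feed and flags the entries that point at login or account pages, i.e. the ones that would tell a profiler which services you log in to and should be made private before the feed goes public. The feed, its hostnames and the URL-pattern heuristic are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of an RSS 2.0 bookmark feed in the del.icio.us style; the
# hostnames are made up for the example and are not real services.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>example bookmarks</title>
    <item><title>Bank login</title><link>https://online.example-bank.test/login.aspx</link></item>
    <item><title>Webmail</title><link>https://mail.example.test/signin?continue=inbox</link></item>
    <item><title>Python docs</title><link>https://docs.python.org/3/</link></item>
    <item><title>Admin</title><link>http://intranet.example.test:8080/admin/</link></item>
  </channel>
</rss>"""

# Assumed heuristic: path or query fragments that usually mark a login,
# sign-in or account page. Tune it to your own bookmarks.
LOGIN_PATTERN = re.compile(r"(login|logon|signin|sign-in|auth|account|admin|wp-login)", re.I)


def parse_feed(xml_text):
    """Return (title, link) pairs for every <item> in an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        if link:
            items.append((title, link))
    return items


def is_login_like(url):
    """True if the URL's path or query string looks like a login/account page."""
    parsed = urlparse(url)
    return bool(LOGIN_PATTERN.search(parsed.path + "?" + parsed.query))


def audit_feed(xml_text):
    """Return the bookmarks that reveal which services you log in to."""
    return [(t, l) for t, l in parse_feed(xml_text) if is_login_like(l)]


def exposed_services(xml_text):
    """Sorted set of hostnames a public copy of this feed would tie to you."""
    return sorted({urlparse(l).netloc for _, l in audit_feed(xml_text)})


if __name__ == "__main__":
    for title, link in audit_feed(SAMPLE_FEED):
        print(f"consider making private: {title} -> {urlparse(link).netloc}")
```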
From a hacking standpoint, this is prolly the lamest academic post I've done. But to be honest, as I started trying to do some of this engineering myself, I just felt "dirty" (see Jeremiah Grossman's October 2006 survey question on testing for XSS on public sites). So I didn't spend a great deal of time digging.
