Hard Disk Encryption: "Please Rob Me" Site Shows How Innocuous Information Is Not Trivial.

And now for something completely different… from what I usually blog about.  A Dutch group has created a site called pleaserobme.com (please rob me dot com) that essentially goes through Twitter posts and plucks only those tweets that “check-in” using Foursquare.  Essentially, you can tell when someone’s not home, and that’s great information for would-be burglars.


Foursquare



I’ve got to say this is the first time I’ve heard of Foursquare.  According to Wikipedia, it’s a “location-based social networking website, software for mobile devices, and game. Users ‘check-in’ at venues using text messaging or a device specific application.”


I guess the idea is that, if you’re at a particular bar or something, and a friend sees that he’s also in the neighborhood, he can just kind of drop by and say hello.


The problem, though, is that the act of checking in, and making the information public and easily available, also means that pretty much anyone can keep tabs on where you are.  And how much more public or far-reaching can you get than Twitter?


What Does This Have To Do With Disk Encryption?



Nothing, and yet, everything.  Obviously, it makes no sense to encrypt the above data: social media sites and services like Twitter and Foursquare are meant to be public.  Sharing information is a given.


On the other hand, it plays into the observation I made in yesterday’s post about the “hidden dimension”: Just because the information seems innocuous at first glance doesn’t mean it cannot be easily tweaked and used for nefarious deeds.


Consider e-mail addresses.  No one really thinks of them as private, sensitive information.  You’d be crazy to do so; I mean, if you kept your e-mail address truly private, you’d probably never receive any e-mail.  However, consolidate 10,000 of the same, and suddenly there may be a way to use them for criminal purposes.


Companies (OK, most companies) make it a policy to encrypt or hash client passwords, but don’t extend the policy to other data such as e-mail addresses.  The idea is that, if their security perimeter is breached, passwords are sensitive information while e-mail addresses are not.


But, as I pointed out in yesterday’s post, plain-vanilla e-mail addresses can be used for carrying out scams as well.  It seems to me that anytime you’ve got a large enough database of any type of data identifying people, you should really take a look into securing it.



Related Articles and Sites:
http://www.csmonitor.com/Innovation/Horizons/2010/0217/Please-Rob-Me-and-the-problem-with-social-media
http://news.bbc.co.uk/2/hi/technology/8521598.stm


