googling credit card numbers

Interesting story about someone who happened to be happily googling about and ran across some lout’s hidden (albeit rather poorly) cache of stolen credit card numbers, along with other details:

I found more than that: login details to people’s web hosting accounts and e-commerce site memberships as well. It was really freaky to think it was all just staring at me, thanks to a flukey Google search. Nothing more complicated than that. (And no, don’t email me for the search details!)

For whatever reason, a hacker has broken into a number of sites and stored the resulting DB dumps into text files that Google came along and indexed, all because this guy’s site’s directories were set to display their contents when no default file is present.

To be honest I’m not all that surprised. The hacker in question had probably put the information in a location that may have only been partially commandeered, giving him or her a place to stash the loot but possibly without being able to block index listings. Anyway, it goes to show once again that, no matter how safe anyone tells you their system is, there is always room for mistakes. The gentleman’s article, in that regard, provides some good advice to make sure that it’s not your credit card number that shows up in a Google search.

Well, perhaps except for one:

So here’s the suggestion: search Google for your credit card number.

If I may be so bold as to disagree, I’d strongly discourage everyone from doing this. Not necessarily because someone at Google will be salivating over the fact that you’ve just given up your credit card and will shortly be going to the nearest Fry’s to cash in (given their options, I imagine they couldn’t care less…), but rather because that same info will be going to Google by way of any number of intermediaries in a completely unsecured, unencrypted form. Not that it’s a huge risk – the chance of someone happening to listen in on your particular transmission may well be low. Then again, it ain’t rocket science to set up a filter to pick out certain number patterns in internet traffic. I guess the only point is, why take the chance in the first place?

press neutrality and lawsuits

Techcrunch (Mr. Arrington) has put up an article suggesting Digg sue Wired (that’s also the headline – “Digg Should Sue Wired”). Because Wired posted some negative reviews of Digg. And because Wired’s parent, Condé Nast, owns a competitor of Digg (reddit). The nub:

Digg can’t treat Wired like any other user that’s engaged in fraud. Wired is the press, and the press has tremendous power. Wired is putting Digg in an impossible situation, and they should be called on it. Reporting news is one thing (although they should note the conflict of interest there as well), but actively creating negative news about a competitor and then using the massive reach of Wired to promote that “news” is way over the line.

Very strong words indeed. I’m quite surprised by this comment, as I understand Mr. Arrington has legal training and in fact practiced as a lawyer for some time. Why surprised? Because, apart from the possibility that the reporter who wrote the second article to which he refers (who basically tried to see if Digg’s system of user rankings could be “gamed”) breached Digg’s terms of use (of course – rightly so, their terms would prohibit such gaming…), it’s really, really tough for me to see exactly what Digg should sue Wired for. What exactly is the cause of action? Surely he’s not accusing Digg of actually committing fraud, is he? It’s difficult for me to see how fraud has been committed – what exactly is fraudulent about the articles?

Sure, there is a conflict of interest situation here, the usual cure for which is full disclosure, but it is hardly the basis for a lawsuit. And if he thinks that Wired suffers from a conflict of interest, well, I invite him to check out the ownership of most major media in the US and Canada, and see how many times they are taking a stab at competitors of other companies that their ultimate owners control. If this is as big a deal as Mr. Arrington suggests, then Chomsky’s Manufacturing Consent should be considered a field manual to endless lawsuits against not only Condé Nast but also CBS, NBC, ABC, CanWest Global, etc. etc. etc.

But perhaps I took the words too seriously – perhaps he was just using the words “sue” and “fraud” figuratively or to illustrate his point. Or perhaps, given the more litigious nature of the US, and the somewhat kinder, gentler, less punitive (as in damages) environment in Canada, there is actually a basis for Digg suing the heck out of Wired.

Bit of a tempest in a teapot, I think…

And of course in the interest of full disclosure, I am a subscriber to Wired, and also hope someday to see one tiny link from their site to this little blog.

Rapleaf

Interesting article on Techcrunch about a company called Rapleaf. The nub:

Rapleaf will allow anyone to leave feedback for anyone they’ve transacted with. Others can use this feedback to help them determine if they are doing business with someone who’s likely to engage in fraud. Rapleaf is eBay feedback for the rest of the web, and the offline world.

Very interesting idea. Of course, there have been various solutions that people have tried to address the curse (and perhaps sometimes blessing) that, on the internet, no one knows if you’re a dog. I always thought encryption and the whole public key infrastructure thing would go somewhere, you know, with PGP and all being used, then of course the various bodies around the world setting up certification authorities, and then related legislation, etc. etc. That could have solved a lot of problems, including, amongst others, spam. And of course fraud. Surprisingly enough it never got off the ground all that well and in its stead we find reputational markers such as this.

Interesting how the internet has enabled the scaling of these sorts of reputational mechanisms. Where it was once a couple of neighbours chatting about the best butcher, it’s now millions of folks spread across dozens of countries giving their opinions on thousands (or more) of vendors. Talk about network effects.

Pretexting, Ethics and Clients

Still catching up a bit – very quick post on the HP “pretexting” thing. As you may recall, HP asserted that its practice of pretexting – i.e. pretending to be someone else to get confidential telephone records – was legal. They were investigating leaks to the press by one of their board members and had resorted to this practice to try and find the leak. I had commented elsewhere long ago when this story first broke that even if it were legal, very few (if anyone) could consider such actions the least bit ethical.

As most of you know, apparently there was some disagreement as to legality and a few folks at HP were charged. Then I read this recent story about how HP was ending its special ties to Larry Sonsini, of the California powerhouse firm of Wilson Sonsini:

Sonsini – famous for decades in these parts – gained national fame in September during HP’s spy scandal hearings in front of Congress. Emails between the lawyer, HP executives and former director Tom Perkins raised serious questions about how sound Sonsini’s advice was around the practice of pretexting. He seemed to indicate that phone record fraud sounded like fair game, after being nudged in that direction by HP’s internal lawyers.

My emphasis. It’s unfortunate to hear of something like this. I don’t doubt that he took the time and effort to research the law to come to a reasonable opinion on the matter before advising his client – obviously it was a very grey area of the law. In those circumstances it’s unfortunate that he didn’t perhaps suggest, notwithstanding the black letter of the law, that it would be unwise to take the course of action they were contemplating; that, as good corporate citizens with a significant public profile, such a practice is not something they should even consider. But then again, maybe he did and they didn’t listen (and of course he would surely have the good sense never to say that in public and embarrass a major client), or maybe he thought that such comments were not for legal counsel to make. Who knows.

The situation is not unfamiliar to many lawyers – particularly when it comes to giving opinions – lawyers are sometimes subjected to pressure to deliver the opinion that a client wants to hear rather than the one they should probably be delivering. By this I’m certainly not suggesting lawyers are delivering bad or incorrect opinions. What I am saying is that there are often grey areas of the law (which tend to be the areas on which legal expertise is sought) in respect of which opinions can go one of two or more ways. And sometimes the client will want to hear a certain outcome – for example, in the case of HP, I’m sure they would have liked the comfort of hearing from their external counsel that their actions were legal – it would serve as some evidence that they exercised some degree of diligence and could serve to mitigate consequences if it turned out governmental authorities differed. If he, on the other hand, had refused, or proffered a legal opinion that it was fine but qualified it with a recommendation not to take such actions, HP likely would not have been very happy with him. And everyone knows what happens when clients aren’t happy.

It’s an unfortunate situation to be in. Particularly in this case, where, at the end of the day, HP still, obviously, isn’t happy with him.