web application security lab

How My Friend Got Laid

I suddenly thought of a funny story last night that I regaled my girlfriend with about how my friend in college got himself laid. He was not a particularly attractive man, or particularly suave or funny or anything else you’d expect of a guy who got himself a new girl every week. But there he was, knee deep in the opposite sex. So one day a year or so later, I asked him how he did it. He used his brain, pure and simple.

First of all (this will date me) you have to remember that the internet wasn’t a happening place back then. There were probably only several thousand people on Yahoo Instant Messenger in the state at that point, and most of them were not female, and even fewer were cute. What he found was that he could sort people by city. So he took all the usernames and real names and sorted them by cities. Then he did a lookup on the cities and found all of the ones that were within 100 miles (I guess that’s his tolerance for driving when dealing with Internet girls - and he probably didn’t have enough money to be traveling long distance).

With the real names he took the first name and compared it against a list of female names he got off some baby naming website. He then sorted those by which ones had photos and stored them in some sort of lookup table. Then he went through them one by one, hot or not style and decided which ones he thought were cute enough to talk to. This was before the days of IM spam, so they were happy to talk to him. Sure enough he got himself a lot of girls just by doing a little data mining back when there were probably only a few hundred girls within that 100 mile radius with the chat client. You gotta give it to him, he used his smarts.

But it brings up an interesting point about correlation. There was that Yahoo vulnerability where one of the secret questions was your birthdate, but they also had an astrology section, so all you had to do was grab that information and within a few guesses you could get the answer. Taking seemingly uncorrelatable pieces of information can open the hole (in my friend’s case no pun intended) so that you can exploit it. In the case of search engines, you can take completely unrelated pieces of information and bring them together. In the day of social networking a lot of the heavy lifting is done for you.

Once you find one piece of information leading you to a MySpace profile you have a gold mine. Of course it gets scary when you are looking through the lens of what a pedophile may do with that same information. Once upon a time I put together a document for law enforcement about what they need to look for and the bits of information they need to leave to make it easier for a pedophile to stalk their persona. It works like a charm. Not that my friend was malicious, but he easily could have been an axe murderer. With the tools at our disposal, there’s no reason any one of us couldn’t use it for nefarious purposes, whether it be for penetration testing, industrial espionage, or something far worse.

I applaud my friend’s ingenuity, but at the same time, I’m concerned about what that means in the days of big brother data mining (guess where I won’t be storing my pictures?). All it takes is one person getting access to this type of information through intentional information disclosure or by accident. The responsibility must be ominous.

6 Responses to “How My Friend Got Laid”

  1. Aaron Brazell Says:

    Hey RSnake…

    Long time reader, first time commenter. :) (What can I say, I’m scared of you! ;))

    That’s a crazy story. I shudder when I think about how transparent my life potentially is just when I do a Google Search of my name. But then that’s the price to pay for being in the public eye.

    Good work.

  2. RSnake Says:

    Hahah, I’m nothing but love, my friend. No reason to be scared.

    But yah, I have another amusing story about how I found out who Lewis Depayne (aka Lewcifer) was (Kevin Mitnick’s friend) using similar tactics, and an even better story about how a guy in Germany tracked down some Phishers using something like this. Those are for another day, but the point stands, if you have even a small amount of information on the web, it’s pretty easy to correlate it together with the help of our primary color coded friends at Google.

    Thanks for reading and posting! :)

  3. Albert Says:

    You would think someone who phished would try to get himself a new handle or something that won’t be correlated to his actual details ;). Guess people still slip up sometimes and it costs them or in your friend’s case he got extremely lucky.

  4. Aaron Brazell Says:

    Hahah, I’m nothing but love, my friend. No reason to be scared.

    For sure, but who wants to be gamed? :p

    You need the Subscribe to Comments plugin installed, man. No better way to get return traffic…

  5. RSnake Says:

    You mean this? http://ha.ckers.org/blog/comments/feed/

  6. Aaron Brazell Says:

    There’s that too, but I mean the actual Subscribe to Comments plugin itself.