On Episode 8 of The Edge of Innovation, we talk about how digital footprints make finding a killer almost too easy.
Show Notes
Open-Source License Plate Tracking
Preventing DNS-Based Data Exfiltration
A DNS Root Server Attack on Target?
Transcript
Sections
The Craigslist Killer’s Boot-prints
What is Done with Boot-prints Today?
Hacking a Corporation and Who Receives Damage
Where are the Flying Cars? Entrepreneurial Possibilities Beyond Bitcoin
Ads as a Necessary Evil?
Jeff Jonas and Data Fuzzing
Introduction
Paul: This is the Edge of Innovation, Hacking the Future of Business. I’m your host, Paul Parisi.
Jacob: And I’m Jacob Young.
Paul: On the Edge of Innovation, we talk about the intersection of between technology and business, what’s going on in technology and what’s possible for business.
The Craigslist Killer’s Boot-prints
Jacob: So, Paul, we’ve been talking about anonymity in the last couple of podcasts, and what does it take to become anonymous in the digital age, and with our digital technology, and with the technology and how it tracks us and fingerprints. You were involved in one way or another with the Craigslist killer. So can you talk us through what that was, how technology caught up with him, and what exactly your part in that was?
Paul: Yeah, certainly. Well first of all, I wasn’t the Craigslist killer, and I never met him or know him.
Jacob: Thank you for clarifying that.
Paul: But at the time, I was CTO of a technology company that was basically allowing, produced tools to help people understand how things moved about the internet and what IP addresses were doing what and all these different things. At the time, you know, this stuff is growing exponentially every year, this technology that we’re talking about. But one of the things that this person did was use Craigslist. And they got IP addresses, and they got lists of who accessed IP addresses and looked at what ads and things like that, and got that information, and then used some of our tools to help pinpoint where these IP addresses were.
Now we didn’t invent technologies that like the geolocation stuff, but our tools made that easy to use. So you could go and type an IP address and then find out where that was.
Most IP addresses are fairly static. Now, you know, with a mobile IP address, it’s a little different, because you, you’ll have a cell tower attached to it, you know. And that doesn’t really help anybody. But your cell provider knows which IP address you had and when.
So, when you take all that and put it together, they could find out where this IP address was, and over a few weeks, they were able to determine where it was and what it was doing. And most computers that are doing something are controlled by a human and it happened to be that person. And that allowed them to identify that person. So, you know, it’s not terribly difficult to correlate these things. If you think about movies we watched as kids, where you would see the tracker in the forest tracking somebody, and they’d see the footprint, and it matched the boots the guy was wearing in the murder mystery. Well, that’s all we’re talking about now, is we have the IP address, you went to this, you read this ad, you were at this location where your phone checked in with the cell tower, and you were there at the time the person was allegedly killed.
Well, that’s really hard to argue with. And then we have this history of your web browsing based on Craigslist’s IP addresses and all the different things, and you looked at this ad, and you looked at this ad. 50 years ago, if you got in your car and drove downtown and did something, people would have seen you. Usually people lived in a small town. They’d observe you. “Oh, yeah. That’s Jacob’s car. Oh, yeah, yeah, yeah. I know him, and I saw him walk into the building, and, you know, somebody was killed in that building in the same hour that he walk into it.” Well, it would certainly make you a suspect.
What is Done with Boot-prints Today?
We just have a lot more footprints now. You know, and we might have seen your footprint, you know, walking through the wet cement. Okay, we have Jacob’s boot print there, you know, and the fact of the matter. But your boot print is one thing, an eye witness is better.
I have these boot prints with all this internet data that give me the ability to understand where you are and what you were doing.
You know, I hope that it’s not there’s some clandestine, you know, government agenda to wipe out all the people who don’t like basketball or whatever silly thing you want to say. But you know, there’s all these conspiracy theories and ideas and different things like that. And I would like to think that it’s all pure and milk and honey kind of stuff going on, that they basically just want to sell you things.
Jacob: Sure.
Paul: Get you to give us more of your money. And that, I think, is true. They definitely want to give us opportunities to spend our money. That’s why advertising works. That’s what the whole thing makes Google go round is advertising. And some can say, as I’ve said before, and I have a friend who’s interested in boats, and he loves to see boat ads and boat related material ads, as opposed to, you know, lawn mower ads. Well, what do I want to see a lawn mower ad for?
Jacob: Right, right, right.
Paul: I live in an apartment.
Jacob: I live in the city.
Paul: What’s the deal, you know? So, that is a benefit, but there is that underlying undercurrent of saying, “Well, nothing you do is anonymous nowadays,” and you know, when somebody commits a crime, can we get that data to help us prove that they did that crime? That’s a real interesting question.
Jacob: So, in the case of the Craigslist killer, you guys were able to do that, right?
Hacking a Corporation and Who Receives Damage
Paul: Yeah. Well, it wasn’t us doing it. They used our, some of our tools on our products. Some of the investigators used those tools, to get an understanding of where he was at what times. It’s sensational, but it illustrates the fact that the data is out there. And with a warrant, you can pretty much find out anything about somebody.
It’s fascinating what you can find out, or if you want to break the law. You know, if you’re willing to break the law, you can find out anything about somebody. There’s this shift over the past few years of the majority of hacking that’s done is criminal hacking, to get access to people’s personal information so that they can steal money from them or use that money, use that credit card and all. Fraud, basically.
And those aren’t attacks on a person. Those are attacks on a corporation’s database. So, you know, you’ve given Amazon your credit card numbers. Now, Amazon is like over-the-top on security, and they say that they’ve never been hacked. Some people say, “Well, they’ve never disclosed that they’ve been hacked,” but regardless, you’ve never heard, you know, like the Target breach or the Verizon breach or the Sony breach, or you know.
You’ve never heard anything like that about Amazon, but the fact of the matter is, is that there seems to be this “Oh, you know, don’t use the internet. You’re going to get hacked.”
Well, all of the credit cards I have, all the bank accounts I have, have insurance on them that is provided with them. I didn’t have to go buy it, that I am not liable for any fraudulent charges. So, what’s the problem? What’s the problem? Just last week, I tried to use my Discover Card out for dinner, and it came back declined. Well, that’s weird. You know, I pay my bills right on time. So, I paid with another card and called Discover, and they said, “Oh, there were 100 168 authorizations attempted for a dollar apiece over the past day.
Jacob: Huh. Yeah.
Paul: And it was through PayPal. So, somebody had gone to a PayPal form, not logged in, but since you can become… You know, you can join PayPal and pay with your credit card, typed in my accurate credit card number and tried to get it authorized. And I don’t know what happened, but it either failed or it went through or it didn’t. But I talked to Discover, and they looked into it, and they immediately canceled the card, and they said, “Oh, don’t worry. You’re not liable for any of the fraudulent charges.” So, somebody either got that credit card number or guessed it. I mean, it’s only 16 digits, you know, and the first eight are usually the same. You know, so it’s not that terrible to figure out that I could guess it.
Discover did their job and locked the card.
Jacob: Yeah, yeah.
Paul: You know, so, what am I out of? What’s the problem here? Yeah, I was inconvenienced, but in the you could say, “Gee, they stole that from Amazon.”
Well, they might have. Or they might have just guessed the number. Because they didn’t use my name. They used Sandy Simpson. They typed that name in to try and activate. And they used that over and over and over again. I don’t know what they were thinking. So, it was probably some sort of bot doing it.
Jacob: Sure. Yeah.
Paul: Now, if they had used my name, it would have been evidence that they stole it, because that correlated piece of information rather than just guessing the number.
So, I don’t, I don’t understand that. And you know, and make sure you go to a bank that you say, you know, if somebody gets my bank account number and withdrawals all my money, what happens? Understand that before it happens. And if, if that bank doesn’t have a good answer, there’s a bank next door that probably has a better answer.
Where are the Flying Cars? Entrepreneurial Possibilities Beyond Bitcoin
Jacob: For entrepreneurs, are there any avenues or frontiers for the anonymous category of user interfacing with the internet that are unexplored or possibilities to be explored?
Paul: Well, I think one of them, you know, BitCoin was sort of represented as a way to use anonymous spending and money. As it turns out, it’s really not anonymous because of the way the blockchain is, and you can just trace things back. In some ways, with BitCoin, you need to say so where’s the flying cars? I mean, it didn’t happen. There are other proposed cryptocurrencies that may solve that problem of truly anonymous things.
Jacob: We talked about those in previous episodes.
Paul: Right. You know, remember. Cash is relatively anonymous. You know, they could scan the money and find out that you were the source of it by recording the serial numbers they give you, but you could give it to somebody. And they could give it to somebody, and they could give it to somebody, and they could give it… Immediately it becomes very difficult to trace.
So, entrepreneurial opportunities. There is a lot of opportunity in providing a semblance of anonymity, of what one might think is anonymous. But it’s largely all smoke and mirrors.
Jacob: So, it’s largely an elusive category.
Paul: It is. It is. There are people who want to do all these things. Like, you know, in the web browsers you have this private browsing.
Jacob: Sure.
Paul: All that does it doesn’t sustain cookies between sessions, practically, is really what it does. But it still presents your fingerprint. Now, an opportunity would be to have something that would skew the fingerprint. You know, just lie and say, “I’ve got all these fonts. I’m using this browser. I’m using all these different things.”
So, I think there’s some opportunities there. And there was a clever idea where these guys were really upset with ads showing up on websites. So, they built a browser that in the background, clicked on every single ad. That is brutal is because, up until now, clicking on an ad was either a mistake, you just randomly clicked, or it showed some interest that could correlate to your fingerprint, let’s say.
Jacob: Well, and I’ve heard that the reverse of that is if you, by having an ad block on your web browser, it’s presented as an ethical concern because ads are how the website is paying for itself to exist in front of your face.
Paul: Right.
Jacob: And so, you’re ethically violating the terms of the website. But I’ve never heard that before, that basically they reversed it. Rather than blocking the ad, they clicked on all the ads.
Paul: Right. Well, because then it becomes useless. Because now we don’t know what people are interested in or not interested in. And that’s nasty. I mean, you know, from a marketer, internet marketer, that’s a brutal thing to have happen to you.
Jacob: Yeah.
Paul: And the systems are not designed to deal with that. So, the problem would be is it does make the data useless, but it would indicate that you’re really interested in a lot of things, because the systems aren’t built to deal with that. So, so, that’s an opportunity. You know, the ad blockers are an opportunity, but like you say, the point of the ads is so that the people who are presenting the data can get some compensation for that data.
Jacob: Yeah.
Ads as a Necessary Evil?
Paul: You know, there’s apps on the iPhone and iOS that have a paid version that take the ads out. I have a solitaire game like that. I had the free one for a year, and then I got tired of the ads, and I spent the dollar. You know, I spent the whole dollar in one sitting, and now I don’t have the ads. So it’s an interesting… It’s sort of a quid pro quo. You know, the ads are what you give. Your eyes have to process through that, and unfortunately or fortunately, our society requires money so that people can live.
Jacob: Yeah.
Paul: And that is the ultimate arbiter of value is we attach it to money. What’s fascinating to me is that the ads are as effective as they could be. Because, if you look at the value proposition in most ads- and this has been proven in email marketing – the reason you get these harebrained emails is because they work.
And you’re like who in their right mind would click on this and do something with it?And they’re not scams, necessarily, but they’re like, you know, the flex hose. You know the hose that collapses, you know. And they were everywhere, you know, and it was an intriguing product, and it’s still out there and all that. And it has its pluses and minuses.
But boy, it was everywhere, and people were clicking on it and buying it and creating revenue.
I guess in some ways… I mean, you could sit there and say, you know, no more ads. And we’re going to government fund it all. And it just doesn’t seem to motivate people to be creative. You know, the reason Apple innovates in the iPhone area, is because they sell them and people pay for them. That’s why the iPhone 7 will come out and a bunch of people will go out the buy them, and they’ll be the people that will naturally attrite, basically, over time. Well, I’ve got an old iPhone 4. It’s time to get rid of it. I’ll get an iPhone 7. It’s going to be harder for people that bought iPhone 6s unless they’re geeks, and they love the new things. But they’re not going to see that.
But Apple will innovate. You know, Samsung has done some, you know… They’re advertising everywhere with their new Galaxy S7. It’s waterproof and it, you know. So, it’s like, “That’s cool.” You know, and, you know being in tech, we have these alliances with the technology, that I’m an iPhone guy, I’m an Android guy, I’m a this…
Jacob: Sure.
Paul: Most people look at it and say, “Oh that’s a new phone. It’s water proof. That’s a great idea. The next phone I get, I might do that.” They have no idea of this Apple versus Samsung environment or Google versus Apple, you know. It’s just not, not that. So…
Jacob: Yeah
Jeff Jonas and Data Fuzzing
Paul: I do think there’s an opportunity for an entrepreneur. They’re going to have to be a pretty heavy-duty one that can really win alliances. But what would be really cool is… There’s some work that a senior research scientist at IBM did. His name is Jeff Jonas, really cool data scientist. And it’s the way in which you can fuzz up data so that you can identify people who are the same people. So, rather than take Paul Parisi, and I might be listed in one database as Paul Parisi. I might be listed in one as P. Parisi. I might be listed as P.D. Parisi, or Paul D. Parisi. How do I fuzz that all up?
One might be 123 Main Street with street spelled out, and 123 Main St as my address.
And so, what they developed was a mechanism by which the database owner could fuzz that up and create a key that was basically a hash of these fields, once they were fuzzied. And we can apply that same algorithm to another people who own another database and fuzz that up. And then we can compare and say, “Do we have any that match?”
So, I could say to you, Mr. American Express, “I’d like to buy information on people I already have.”
Jacob: Yeah.
Paul: Okay?
Jacob: I see.
Paul: So, how do I do that? Well, I give them your name. No, because you’re looking it up in a phonebook. No, I fuzz up my data, and I say this is people I already have.
Jacob: Right. This is a digital set.
Paul: Yeah. Exactly. And they say, “Well, we have an overlap there of a thousand or a hundred thousand. And we have their spending habits for the past year.” Okay?
So, they have that data, and I think there could be, I mean, it would be very interesting. There’s some really huge problems to overcome. But to have almost a registry of the data that companies are doing.
Now, how would you, you know, arbitrate who gets access to that? It works in big aggregates. But I could probably… It would become a privacy issue, because I could say, okay, I know Jacob Young, alright. It could be J. Young. It could be Jake Young. It could be J.S., so I could do all the permutations of that, and fuzz it up in the same way. And then I could submit a query to this national database and get all your information on that.
But there’s some, there’s something in there that I think allows us to sort of see what do companies know about me. Google does this. They will let you see everything they have stored and delete it. Well, that’s pretty good. I would like to see that more and more, so that we could almost have a…
So, somebody could come up with a system that you sell to companies like Amazon or Google or whoever it is, that says, “Here’s how your customers can see what you’re storing about them.” That doesn’t exist. Google has spun their own up. You know, Amazon doesn’t show you… You can’t go and delete your purchase history or the fact that you browsed for pink underwear, you know, for yourself. Not that there’s anything wrong with that…
To be able to interact in a standard fashion with a website’s data, I think, would be, is a huge economic opportunity, to be able to provide those services, that infrastructure.
Jacob: Yeah. Excellent.
Also published on Medium.