Slashdot Mirror


The Face of One AOL Searcher Exposed

Juha-Matti Laurio writes "No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from "numb fingers" to "60 single men" to "dog that urinates on everything," report NYT journalists Michael Barbaro and Tom Zeller Jr., but with permission from Mrs. Thelma Arnold, 62. "Those are my searches," she said, after a reporter read part of the list to her, continues the article."

8 of 315 comments

  1. The Beauty of the Internet by markild · · Score: 2, Informative

    Didn't take too long before it leaked all over the place, eh?

    http://www.aolsearchdatabase.com/

    --
    Scully: Should we arrest David Copperfield?
    Mulder: Yes we should, but not for this.
  2. Torpark by eldavojohn · · Score: 4, Informative

    I guess this just goes to show that you should be using something like Torpark even when merely conducting an online search. It's a shame but if you value your privacy, I guess it's necessary.

    Keep those IPs changing so they can't track and accumulate your searches I guess. I don't want a dossier of my searches available to the public.

    --
    My work here is dung.
  3. Re:Legal Standing? by RagingFuryBlack · · Score: 2, Informative

    Exactly my point. Normally, I'm one of those people who are for the "Let them watch if you have nothing to hide", but searches show no motives, no intent, hell, it didn't even have to be the owner of the account who made the search. I can't tell you how many times my AIM Accounts were cracked back in the day. Same with IPs, as the woman that won against the RIAA proved. IPs can be spoofed, computers can become bots. Just because it says you searched for it doesn't mean you actually did. Sadly, it still won't stop the feds, though.

    --
    Warning: Corny karma killing post above.
  4. Re:1 down, 24.9999 million to go... by kthejoker · · Score: 2, Informative

    FYI: Googling "steak and cheese" myself, I see that steakandcheese.com is a site containing gory and disgusting photos and video.

    So it suggests that this person, while they may have had an idle curiosity towards the subject, was either well-versed or well-instructed enough about such things to know the name of that site, which I had no idea existed until today.

  5. SQL injection target? by Chapter80 · · Score: 5, Informative
    Pretty cool seeing people get this data into searchable form, like on:
    http://www.aolsearchdatabase.com/

    I did a search on there this morning, and it displays the SQL statement for me, which is very handy...

    Select SQL_CALC_FOUND_ROWS * from search_data WHERE match (anon_id,query,click_url) against ('4417749 ') LIMIT 0,30

    Interestingly, if you do the standard SQL injection, searching for something like "4417749') LIMIT 0,30; DROP TABLE SQL_CALC_FOUND_ROWS;--", I bet you will screw it up for them. Kids, don't try this at home. I'd never encourage people to do something illegal!

    The point of this posting is:
    Learn about SQL Injection, and protect against it.
    Don't display your SQL query to your users.

    If you don't know what SQL injection is, try a simple example: Search for "1','0" (skip the double quotes, but not the single quotes) and you'll see it in action without causing harm.

    1. Re:SQL injection target? by drinkypoo · · Score: 2, Informative

      Of course, they could simply make the user used to connect to the database unable to modify those tables. There's no reason for them to have that access.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:SQL injection target? by Software · · Score: 2, Informative
      >Of course, they could simply make the user used to connect to the database unable to modify those tables. There's no reason for them to have that access.

      Yes, this is a good idea. Even if the database user had read-only privileges, though, SQL injection might allow attackers to run "unapproved" queries. For example, an outer join over all the elements might bring the database server to its knees (if the Slashdot effect hasn't done that already). So you'd want both - defense in depth is always a good idea (I don't mean to suggest that you believe otherwise).
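
An added example, not code from the thread or from the site it discusses, showing the defenses named in this sub-thread side by side: bound parameters, no SQL or driver errors echoed to the user, and a connection that cannot write. Assumptions: Python's `sqlite3` stands in for the site's MySQL, `IN (...)` for its `MATCH ... AGAINST`, and `PRAGMA query_only` for a read-only database account; the rows are constructed.

```python
import sqlite3

# Constructed sample rows; table and column names follow the query quoted in the thread.
SAMPLE = [
    ("0", "constructed query a", ""),
    ("1", "constructed query b", ""),
    ("4417749", "numb fingers", ""),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE search_data (anon_id TEXT, query TEXT, click_url TEXT)")
    db.executemany("INSERT INTO search_data VALUES (?, ?, ?)", SAMPLE)
    db.commit()
    # Assumption: stand-in for a read-only database account; this connection rejects writes.
    db.execute("PRAGMA query_only = ON")
    return db

def search_concatenated(db, term):
    # 'Before': user input is pasted into the SQL text, so quotes in it become syntax.
    sql = "SELECT anon_id, query FROM search_data WHERE anon_id IN ('" + term + "') LIMIT 30"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # 'After': the input is bound as one value and cannot change the statement.
    sql = "SELECT anon_id, query FROM search_data WHERE anon_id IN (?) LIMIT 30"
    try:
        return db.execute(sql, (term,)).fetchall()
    except sqlite3.Error:
        # Log details server-side; never echo the SQL text or driver error to the user.
        return []

def write_is_blocked(db):
    # Second layer: even a statement that reaches the database cannot modify it.
    try:
        db.execute("DELETE FROM search_data")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = open_db()
    probe = "1','0"  # the harmless probe suggested in the comment above
    print(search_concatenated(db, probe))   # input parsed as two SQL literals
    print(search_parameterized(db, probe))  # input treated as one string
    print(write_is_blocked(db))
```

The read-only connection limits damage but, as the reply above notes, does not stop expensive read queries, so it complements parameter binding rather than replacing it.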

  6. Re:Nothing we can do! by plague3106 · · Score: 2, Informative

    If I'm not mistaken, bankruptcy does not free you from court ordered payments. You must still pay those.