Slashdot Mirror


The Face of One AOL Searcher Exposed

Juha-Matti Laurio writes "No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from "numb fingers" to "60 single men" to "dog that urinates on everything," report NYT journalists Michael Barbaro and Tom Zeller Jr., but with permission from Mrs. Thelma Arnold, 62. "Those are my searches," she said, after a reporter read part of the list to her, continues the article."

5 of 315 comments

  1. Legal Standing? by RagingFuryBlack · · Score: 3, Interesting
    FTA:

    There are also many thousands of sexual queries, along with searches about "child porno" and "how to kill oneself by natural gas" that raise questions about what legal authorities can and should do with such information.



    Now what kind of legal recourse can people expect from these search results? Can the man who searched for ways to kill his wife be tracked down? How about all of the paedophiles who searched for child pr0n? Oh, I can just see all of the "Come on AOL, think of the children...tell us who that was..." How closely tied are these numbers to the user's AOL Accounts, I mean, I'm sure AOL left themselves some tie to the user in their copy. What's stopping feds from making many major busts on people?

    --
    Warning: Corny karma killing post above.
  2. Re:Nothing we can do! by LiquidCoooled · · Score: 3, Interesting

    The data is out there, what exactly could they do?
    Erase it from people's hard drives, remove it from all the pipes that it's in, drug everyone who has seen it?

    The fact they have this data is one thing, releasing it to the public is another.

    --
    liqbase :: faster than paper
  3. Technology in the NY Times by MobyDisk · · Score: 5, Interesting
    I found this interesting:
    Next Article in Technology (1 of 27)
    The NY Times considers this an article on technology. Slashdot considers this an article on "Your Rights Online." That is the reason nothing will happen no matter how many times these privacy violations occur. People don't act on technology issues. They act on privacy, religion, and entertainment. I would shame the NY Times that they still don't get it, but neither does most of the rest of the planet either.
  4. How to achieve change by RagingFuryBlack · · Score: 4, Interesting

    After reading through all of the 0+ modded comments, I've seen everyone saying "God, I wish there was something that could be done to stop this from happening again". You want to see it stop? Find something that ties your local congressmen to their search histories on AOL. Contact them with that information. I can almost guarantee you that if you find enough dirt on enough congressmen/senators, you'll see legislation passed requiring that Search companies not keep records of searches. It quickly changes from "Think of the children" to "Think of saving my ass from dirt that can be used against me next election year".

    --
    Warning: Corny karma killing post above.
  5. Re:SQL injection target? by Inataysia · · Score: 3, Interesting

    Just to pimp somebody else's work...

    A neat paper was presented in the Software track at USENIX Security just a week or so ago about a technique that can be used to prevent all SQL injection attacks. It's a source code transformation that tracks one or two bits of "taint" information for every byte address in a program's address space.

    The sysadmin or security admin can then define a policy with augmented regular expressions that have three Kleene-style operators that let you say e.g. (expr)^T, which matches the expression 'expr', iff every byte in expr is tainted, or (expr)^t which matches 'expr' iff at least one byte of expr is tainted. The last operator is ^u which means "iff none of these characters are tainted".

    They prevent SQL injections by making a policy that says that whenever the function that actually executes the SQL query is called, its arguments are examined, and any string that matches.. (looks it up).. "(StrIdNum|Delim)*(SqlMetachar)^T(any)*", causes the system to either cause the call to fail with a given error, or causes the program to halt.

    That's pretty neat, but it's already been done with pre-built binaries. The problem with those systems is that they use library preload hacks and have to run each instruction inside a lightweight VM to track the taint information (because they lack the semantics that come with having the source), giving performance hits of a factor of around 100. Since this solution transforms the source, GCC can optimize the transformed code a fair deal and they end up with around a 17% performance hit, which is an excellent tradeoff for security.

    Since it's a C source transformation, they transformed Apache, PHP, bash, and even glibc. Their technique can be used (and was demonstrated in the paper) to prevent a number of classes of attacks, not just specific attacks.

    Look it up: "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks", Wei Xu, Sandeep Bhatkar, R. Sekar, Stony Brook University.

    End pimp.
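
The taint-plus-policy idea described in comment 5, as an added example that is not part of the original comment and is not the paper's code: a hand-written C sketch that keeps one taint bit per byte and checks the assembled query before it would be executed. The names `tstr`, `t_append`, `policy_blocks` and `query_blocked`, the metacharacter set and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CAP 256
/* A string with one taint bit per byte: 1 = came from untrusted input. */
typedef struct { char s[CAP]; unsigned char taint[CAP]; size_t len; } tstr;

/* Append src and record the same taint bit for every appended byte. */
static int t_append(tstr *d, const char *src, int tainted) {
    size_t n = strlen(src);
    if (d->len + n >= CAP) return -1;            /* never overflow the buffer */
    memcpy(d->s + d->len, src, n);
    memset(d->taint + d->len, tainted ? 1 : 0, n);
    d->len += n;
    d->s[d->len] = '\0';
    return 0;
}

/* Policy check run just before the query would be executed: block when a
 * SQL metacharacter is fully tainted. The metacharacter set (' " ; \ and
 * the two-byte comment token "--") is an assumption made for this sketch. */
static int policy_blocks(const tstr *q) {
    for (size_t i = 0; i < q->len; i++) {
        if (!q->taint[i]) continue;              /* programmer-written byte */
        if (strchr("'\";\\", q->s[i])) return 1; /* s[i] is never NUL here */
        if (q->s[i] == '-' && i + 1 < q->len &&
            q->s[i + 1] == '-' && q->taint[i + 1]) return 1;
    }
    return 0;
}

/* Build a query around untrusted input; returns 1 if it must not run. */
static int query_blocked(const char *user_input) {
    tstr q = {0};
    if (t_append(&q, "SELECT id FROM users WHERE name = '", 0) ||
        t_append(&q, user_input, 1) ||
        t_append(&q, "'", 0)) return 1;          /* too long: fail closed */
    return policy_blocks(&q);
}

int main(void) {
    /* Constructed sample inputs. */
    const char *in[] = { "alice", "x' OR '1'='1", "bob --", "anne-marie" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-14s -> %s\n", in[i], query_blocked(in[i]) ? "blocked" : "allowed");
    return 0;
}
```

The quotes the programmer wrote around the value are untainted and pass; only metacharacters that arrived in the input trip the policy. Under this simplified policy a legitimate value containing an apostrophe is rejected as well.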