funsec mailing list archives

Re: Apple's worst security breach: 114,000 iPad owners exposed


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 27 Jun 2010 14:28:50 -0400

On Sun, Jun 13, 2010 at 11:19:16AM +1200, Nick FitzGerald wrote:
> Most security professionals I've either asked directly about this or 
> with whom it's come up some way or other in conversation (admittedly 
> not a large proportion of all such folk I know), _do_ exactly that.  
> And at least some "more normal" folk I know (i.e. not security 
> professionals) do this too.  There are a number of reasons, but 
> commonly having a single "well protected" (by the privacy policies of 
> those companies they trust to share the address with) address is the 
> reason (the other one is tracking who sells, etc., addresses and these 
> folk use a separate address for each company/entity that they share 
> contact details with).

I've done this for a very long time.  Sometimes the individually-supplied
addresses are rather obviously mine; sometimes they're not.  And I keep
very careful records of which addresses were given to whom.  I've also
trained some other people to do the same.  Sometimes it's very interesting
to note that an address given only to A turns up in B's hands...or B's,
C's, D's, E's, etc. hands in some instances.  There have been any number
of fascinating little case studies demonstrating that data is either
being sold or stolen or otherwise leaked from numerous operations (some
of which predictably claim that this is impossible and that those reporting
same must be mistaken, incompetent, senile or lying).  For instance,
United Airlines has been observed leaking addresses to Brazilian spammers.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
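
The record-keeping described in the message above, as an added example that is not part of the original post: a registry of per-entity addresses checked against the headers of incoming mail. All addresses, domains and messages are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: each unique address -> the one entity it was given to
# and the sender domains that entity is expected to mail from (assumptions).
ISSUED = {
    "user-airline@example.org": ("Airline A", {"airline-a.example"}),
    "user-books@example.org": ("Bookshop B", {"bookshop-b.example"}),
}

def sender_domain(msg):
    """Lower-cased domain of the From: header, or '' if it is missing."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def check_message(raw):
    """Return (address, issued_to, seen_from_domain) for each escaped address."""
    msg = message_from_string(raw)
    # Delivered-To carries the envelope recipient; To/Cc cover mail without it.
    recipients = getaddresses(
        msg.get_all("Delivered-To", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    )
    dom = sender_domain(msg)
    findings = []
    for _, rcpt in recipients:
        entry = ISSUED.get(rcpt.lower())
        if entry is None:
            continue  # not one of the tracked addresses
        issued_to, allowed = entry
        # Accept the expected domain or any subdomain of it, nothing else.
        # From: is forgeable, so a match proves nothing; a mismatch shows
        # that the address is known outside the entity it was given to.
        if not any(dom == d or dom.endswith("." + d) for d in allowed):
            finding = (rcpt.lower(), issued_to, dom)
            if finding not in findings:
                findings.append(finding)
    return findings

# Constructed sample messages.
EXPECTED = ("From: Offers <news@mail.bookshop-b.example>\n"
            "To: user-books@example.org\nSubject: sale\n\nbody\n")
ESCAPED = ("From: promo@bulk-sender.example\n"
           "Delivered-To: user-airline@example.org\n"
           "To: User-Airline@example.org\nSubject: deal\n\nbody\n")

if __name__ == "__main__":
    for raw in (EXPECTED, ESCAPED):
        print(check_message(raw))
```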

