Paranoia? Or genuine concern?


  • Discourse touched me in a no-no place

    Disclosure: I've worked with the author else-forum and he's not normally the paranoid type.

    Thoughts?



  • If you care about the timestamps, just munge them.
    The potential attacker does not know if you work from home or not, so the graffiti scenario is a bit contrived, and most people sleep at night -> that would be the time to deface their home. If the attacker has the ability to travel to your house, he can easily surveil you by wifi activity or light activity.
    In principle i agree, but it's somewhat academic...



  • My GitHub history (if I used it in this hypothetical scenario - I don't otherwise) wouldn't be much use except maybe working out I live in the UK.
    That's not hidden information. It's not going to mean someone can figure out my address. They'd need to find that out another way, and if they've done that, they have a much easier way of working out if I'm at home or not.

    In theory? Maybe. In practice? Crack out the tinfoil hat.



  • Seems easy to do - make it part of the commit hook to reset to midnight or last Monday. Does github enforce date correctness (as in patch cannot be created before original commit was created)?


  • Winner of the 2016 Presidential Election

    Yeah this. It sounds to me like one of Raymond Chen's "rather on the other side of the airtight hatchway" vulnerabilities. Someone can't do all that much damage with this unless they know where you live, in which case they can find much more information on you anyways



  • I agree with the author. Sometimes you may not want to share with the world the exact time youre working.

    Its is mildly interesting to see the working habits of famous people otoh


  • SockDev

    yeah.... that is metadata that could be used to extrapolate things....

    but that's not specific to git, any public readable SCM will leak the same metadata.

    Mercurial? SVN? CVS? yep they all have the same data as part of the commits.


  • Discourse touched me in a no-no place

    Fuck SCMs. Any and all online activities leak this information class.


  • SockDev

    that too.

    the goat ate my tinfoil hat last week, so my paranoia levels are slipping.... i've bene tryingto find a new hat to properly focus the paranoia rays into my brain, but the search has not been fruitful.



  • We need a forum site that holds back your posts for a random period, so no one can figure out your schedule from your TDWTF postings. :thumbsup:


  • SockDev

    you can use @zoidberg for that, kinda.

    so long as he can see the topic he'll anonymize your post for you.

    @sockbot will also do that if you don't like the crustacean.

    PRs accepted for adding ramdomized delays to that anonymization.



  • You could just work in private repositories and stop writing shitty open source software if you were so concerned.

    Why "airing all your dirty laundry" is necessary to the open source process I will never understand.



  • So the problem is that if someone knows your home address and has the means to vandalize your house, they can additionally wait until you're not there to do it because you commit to GitHub at certain times of the day?

    Isn't the fact that they know where you live and want to vandalize it a problem regardless of when they do it?



  • @blakeyrat said:

    Why "airing all your dirty laundry" is necessary to the open source process I will never understand.

    ...says the man who has been dinged by his boss for pushing half-done work to the company repo at an unacceptably high rate because he can't be arsed installing Dropbox?



  • @flabdablet said:

    ...says the man who has been dinged by his boss for pushing half-done work to the company repo at an unacceptably high rate because he can't be arsed installing Dropbox?

    When did that happen? Where the fuck do you people get this shit from?

    Installing Dropbox on my work PC would be like the world's biggest HIPAA violation.



  • @ben_lubar said:

    Isn't the fact that they know where you live and want to vandalize it a problem regardless of when they do it?

    Quite.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Installing Dropbox on my work PC would be like the world's biggest HIPAA violation.

    You've got live customer data on a developer machine? Or you're running services on a desktop?



  • @mott555 said:

    We need a forum site that holds back your posts for a random period, so no one can figure out your schedule from your TDWTF postings. :thumbsup:

    CS used to do that. I do not miss this feature.

    I think the sort of metadata in the post might be useful if you were already doing some kind of serious surveillance of someone. I'm not going to lose any sleep over it.



  • Github history is million times less exploitable than Facebook dashboard. Especially since you don't usually upload geotagged photos there.



  • I've always said that if you have a bot that can extract personal data from text posts (and it's a certain thing that intelligence agencies have them) you could get to know a lot of things from the post history of the people in this forum.

    With enough innocent posts like "wow, it started raining all of a sudden" and "there's some noisy construction work next to my house" you could probably pinpoint people's location pretty accurately.


  • Discourse touched me in a no-no place

    @anonymous234 said:

    if you have a bot that can extract personal data from text

    You go round geotagging your text files?!


  • Discourse touched me in a no-no place

    Technically not a violation until it gets used to incorrectly store protected data.

    Otherwise you couldn't have email or a Web browser.



  • @dkf said:

    You've got live customer data on a developer machine?

    No, but I have a saved SQL connection string to a server that does. Maybe I should remove that from SSMS now that I think about it...

    But in any case, the post I was replying to was complete garbage.



  • No PR, but suggest adding negative delta to the requirements


  • SockDev

    @Gribnit said:

    No PR, but suggest adding negative delta to the requirements

    if you can come up with a sufficiently prescient algorithm, i will add support for negative delay deltas for anonymized posts



  • @accalia said:

    prescient algorithm

    I haven't gathered enough heuristics to do prescience for any but a subset of users. <!-- You, @blakeyrat, that's who I'm talking about. Am getting a pretty good bead on @Magus, too -->



  • I was going to ask that. I know that I wasn't allowed anywhere near the production DB the last time I worked on an application that had data related to medical records.


  • Discourse touched me in a no-no place

    Yeah, and while I know that we plan to run some medical samples through our mass-spectrometry platforms at work, I also know that they'll be entirely anonymised by the time we get them. Literally “Sample 12345” and so on. The only thing that we'll have to be careful of is whether they're potentially infectious and so require additional safety procedures. The data? Impossible for us to tie to patient identities. (The medical school can worry about that stuff instead…)


  • SockDev

    @Gribnit said:

    @accalia said:
    prescient algorithm

    I haven't gathered enough heuristics to do prescience for any but a subset of users. <!-- You, @blakeyrat, that's who I'm talking about. Am getting a pretty good bead on @Magus, too -->

    Insufficiently generalized i am afraid then. ;-)



  • @dkf said:

    You've got live customer data on a developer machine?

    Or maybe he has data about dead customers and the live doctors who treated them.



  • @anonymous234 said:

    With enough innocent posts like "wow, it started raining all of a sudden" and "there's some noisy construction work next to my house" you could probably pinpoint people's location pretty accurately.

    I know I've posted enough stuff on here that somebody who knows the area well, like @blakeyrat, could probably get fairly close.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.