Re: [arch-dev-public] AUR ToS (aka making AUR user names public)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, Mar 06, 2017 at 09:44:12AM +0100, Tinu Weber wrote:
> Because anonymisation: even if one dataset in isolation may look
> unsuspicious from a privacy POV, if combined with other datasets, it may
> suddenly reveal information that was not intended to be public.
> 
> I admit that a simple one-column list of user nick names may probably
> not really be joinable with other datasets or -tables in any useful
> manner, but it is still not always obvious how data can be (ab)used
> (see also [1]).
> 
> I would not give out the user list. Even if there are means for
> everybody to somehow obtain the data (with enough effort from their
> side), it is not the same thing as simply handing it out conveniently
> prepared and formatted.

See, the rule should be that private information is the one that is manifestly
marked so. For example, a password or a secret key is private information which
you never ever disclose to anyone.

But a username is by definition open. Therefore, if your privacy relies on a
web service not disclosing usernames, you haven't considered the threat model
carefuly enough.

What I'm saying is just another example of avoiding security through obscurity:
don't rely on a web service not advertising your usernames, if this is an
issue, make each username a random string (which defeats the attack [1]).

> [1] http://archive.wired.com/politics/security/commentary/securitymatters/2007/12/securitymatters_1213

Cheers,
-- 
Leonid Isaev



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux