
My Generation

I was recently notified that danielkennedy74 was following my Twitter feed. It was slightly amusing to see a security professional using "74" post-pended to their user name. It took me back to a simpler time.

Back when the internet was young and you signed up for an account, the site would typically ask you for a few personal details first. This generally included your date of birth. When you requested your account name you'd typically request your name, or some variation thereof. This was back in the trusting old days, and so if your name was taken the system would usually suggest the name you tried plus the year of your birth. So you'd try "DanielKennedy" and the system would say that was taken, but if you were, say, born in 1974, the system would suggest "DanielKennedy74" as an alternate username. It was a great scheme, easy to remember, and relatively close to the user's original request.

Then came the dark days of the internet, full of hackers and phishers and identity thieves. The world wide webs went from information super highway to wretched hive of scum and villainy (well, not really, but you get the idea). Now stuff like your social security number, home address, and birth date became valuable pieces of information. In fact, many systems will use your birth date as a security question. Most people know this so aren't too shy about giving out the month and date of their birthday, but what happens if your username gives away the year of your birth?

I'm sure that nobody who thought up this system ever considered the security implications, and to be completely fair it's an outside threat. However, nowadays leaking any personal information can be dangerous. Every shred can be connected with other shreds to build a dossier that can be used for social engineering, password guessing, or identity theft attacks. The more public a person's identity, the more dangerous this situation can become. Sarah Palin's e-mail address being compromised was a prime example. Simple information, combined in interesting ways (such as using alma maters listed on LinkedIn along with birth dates to figure out graduation years), can leak complex information useful to an attacker.
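For anyone still running a signup form that suggests alternate usernames, here is a sketch of the old birth-year scheme next to a suggester that refuses any numeric suffix derived from the user's date of birth. This is an added example, not code from any real system; the function names, the `taken` set and the sample date are all made up for illustration.

```python
import re
import secrets
from datetime import date

def dob_fragments(dob: date) -> set[str]:
    """Digit strings derived from the date of birth that a suffix must not equal."""
    return {
        f"{dob.year:04d}",                  # 1974
        f"{dob.year % 100:02d}",            # 74
        f"{dob.month:02d}{dob.day:02d}",    # 0610 (MMDD)
        f"{dob.day:02d}{dob.month:02d}",    # 1006 (DDMM)
    }

def leaks_dob(username: str, dob: date) -> bool:
    """True if the trailing run of digits in username equals a DOB fragment."""
    match = re.search(r"\d+$", username)
    return bool(match) and match.group() in dob_fragments(dob)

def legacy_suggest(requested: str, dob: date) -> str:
    """The old scheme described in the post: requested name plus two-digit birth year."""
    return f"{requested}{dob.year % 100:02d}"

def safe_suggest(requested: str, dob: date, taken: set[str],
                 rng=secrets.randbelow, attempts: int = 100) -> str:
    """Suggest name + 4 random digits, skipping taken names and DOB-derived suffixes."""
    for _ in range(attempts):
        candidate = f"{requested}{rng(9000) + 1000}"   # suffix in 1000..9999
        if candidate.lower() in taken or leaks_dob(candidate, dob):
            continue
        return candidate
    raise RuntimeError("no free username found; ask the user to pick another name")

if __name__ == "__main__":
    dob = date(1974, 6, 10)                 # constructed sample date of birth
    taken = {"danielkennedy"}               # constructed set of lower-cased taken names
    old = legacy_suggest("DanielKennedy", dob)
    print(old, "leaks DOB:", leaks_dob(old, dob))
    new = safe_suggest("DanielKennedy", dob, taken)
    print(new, "leaks DOB:", leaks_dob(new, dob))
```

The same `leaks_dob` check can be run over existing accounts, using the date of birth the site already holds, to find users who should be offered a rename.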

Seeing this style of username again (there's absolutely no evidence suggesting that Daniel Kennedy's birth year is 1974) definitely brought back some nostalgia, but also a little bit of horror as I realized how much the times had changed...

Ed: Edited to clarify.


Which would be interesting if I was either born in 1974 or 74.

Unfortunately my age is neither 36 nor 74, eliminating those two possibilities ;)

So if I actually believed that someone was trying to determine my age or birth date based on Twitter name, I guess I have unintentionally obscured the information by providing a red herring.

It could also mean there are 73 other danielkennedy's.

Or...

Or you're 35 and you were born after June 10th ;) Obviously the number 74 has some significance for you (as the number 2600 has significance for me). The thought that struck me when I saw the username though was that this used to be a very common method for suggesting usernames, that I'm sure persists. Upon reflection it also seemed to me that very few people would give such a naming scheme a second thought, unintentionally leaking significant dates.

Justin Klein Keane
a.k.a. Mad Irish

Ah, you think I was being cute. Where's that birth certificate?

To clarify, I was not born at or near 1974 or 1874, and I didn't come from the future of 2074. I feel old enough already, please don't make me older (uh oh, information disclosure). The significance of the 74 is this: it is a combination of numbers unrelated to any date that got my user name accepted as available.

You see, people, like me, who lazily try to set up user names just quickly shoot through numbers until one set works. I didn't think I would be on Twitter that long (he said after years now), and thus didn't put a whole lot of thought into it. I could change my name, maybe something like danielkennedy74thosenumbersarenotmybirthyearsopleasedontblogthattheyare, but it seems like a waste of time.

I suppose using my real name on Twitter might be a mistake in the long run, since we're talking about information disclosure. Then again, I didn't want to be spouting off opinions anonymously, it feels disingenuous, but that was a tough decision for the reasons you cite in the post.

Doesn't 2600 have significance to everybody in infosec ;)

Your point on using dates in user names is well taken, it just would have been a better post with an example of an actual user who had done it ;)

Touche

You are correct sir, I apologize for using your Twitter name as my example, it just happened to be the one that got me thinking. Not that it matters but I like danielkennedy74 better than danielkennedy74thosenumbersarenotmybirthyearsopleasedontblogthattheyare although I suppose the latter carries a clearer intention :)

Justin Klein Keane
a.k.a. Mad Irish
