2008-10-11: The "I Have Nothing to Hide Fallacy"

A common pattern we hear on the Internet in regard to privacy or security is "I have nothing to hide" - no one will want to target me because they'll gain nothing from doing so. Today let me tell you a story that shows why this is not true.

A few years ago, I was using the same easy-to-remember password (which was only 6 letters long) on most of the sites I had accounts on. One day, I received an email from Freshmeat.net asking me if the fact that I had changed the description in the record of Freecell Solver there to "Freecell Solver is a useless 100% ANSI program that automatically solves games of Freecell" indicated that it was not worthy of inclusion there. This surprised me because I naturally hadn't modified it like that, nor intended to.

After talking with the admins of Freshmeat, I realised that someone had logged in to my account and submitted the malicious update for inclusion. They ended up giving me his IP, which was in Israel's Netvision ISP (while I'm subscribed to a different ISP). Now, this change was pretty innocent, but naturally, now that he knew my shared password, the possibilities for him were endless. As a result, I went on a concentrated spree of changing that password to new, different ones in all the accounts I created on the Net with it. I made smarter use of my password manager and eventually discovered the auto-remember-passwords feature of browsers such as Firefox and Konqueror, and solutions such as OpenID.

There's no good excuse to compromise on security. Do you have a bank account and access it online? If you're not careful enough, a malicious attacker installing spyware on your PC might empty it. So you say to yourself: "What does he have to gain from me? I only have $10,000 there." Maybe you do, but if he empties hundreds or thousands of accounts like that by writing a robot, he'll become rich, so he isn't likely to pass you over.

And some people are keen on doing random vandalism with your online presence, like the one I mentioned, who may have also been trolling my blogs. Therefore, make sure you're as safe as possible. This incident was all I needed to become more careful, and I hope you now realise that, as well.