
need advice from the elitest hackers

Started by rdl, February 03, 2017, 11:59:59 PM


rdl

hello hackers,

so i need to create this resource that has people's names and contact info (email, phone) and general location (city) in it. however i need to protect these people's info from people who might want to harass them. its apparently happened before. how can i do this while still making it a public resource?

all i can think of is just have login identification, so that if anybody does leak it to people with bad intentions we can try to figure out who gave someone their login. but i dont want to make people have to create an account because then they'll never use it. i was like, maybe there's something we can do with encryption but if it's a public resource then, not really.

can you have something private that doesn't require login? i dont think so. maybe keep it unlisted and off of google and just pass the link out to specific people? idek.

fug

Daddy

Put it on a website that is only accessible from certain IP ranges (ideally the ranges used by internal computers + external computers on your company's VPN) though it doesn't stop malicious internal users from leaking that data.

By public resource, do you mean "general public" or just public as per not-restricted to employees of your company?

General public, the best you can probably do is put the page on a robots.txt and hope that it doesn't get hit by scrapers/crawlers that ignore robots.txt

Putting it on robots.txt also tells anyone "hey there's something we don't want indexed on this page lol".

Alternatively, load the page with no identifying information, put a captcha, and then don't use robots.txt. Nothing interesting will come up when indexed, it won't stand out in robots.txt and it will require human interaction to actually view the data.

Again, someone who knows what they're looking for won't be stopped.
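
An added example, not part of any post in this thread: a Python sketch of the two ideas in the reply above, an IP-range allowlist and keeping the page out of search indexes without naming it in robots.txt. The ranges, the `/sources` path and the function names are constructed for illustration, and the `X-Robots-Tag` response header is a substitute for a robots.txt entry that the thread itself does not mention.

```python
import ipaddress

# Constructed sample values: ranges standing in for "internal + VPN" networks
# and a hypothetical path for the directory page.
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("10.8.0.0/16", "192.0.2.0/24")]
DIRECTORY_PATH = "/sources"


def client_allowed(remote_addr, allowed=ALLOWED_RANGES):
    """True only if the connecting address falls inside an allowed range.

    remote_addr must be the socket peer address (or one set by a proxy you
    control), never a client-supplied header such as X-Forwarded-For.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they are matched against the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in allowed)


def respond(remote_addr, path):
    """Return (status, headers, body) for one request."""
    if path == "/robots.txt":
        # No Disallow line naming the directory, so the file does not
        # advertise the path to anyone who reads it.
        return 200, {"Content-Type": "text/plain"}, "User-agent: *\nDisallow:\n"
    if path != DIRECTORY_PATH or not client_allowed(remote_addr):
        # Same answer for "no such page" and "not allowed", so a probe from
        # outside cannot confirm that the directory exists.
        return 404, {"Content-Type": "text/plain"}, "Not found\n"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Robots-Tag": "noindex, nofollow",  # asks compliant crawlers not to index
        "Cache-Control": "no-store",          # keep copies out of shared caches
    }
    return 200, headers, "<h1>Source directory</h1>\n"
```

As the reply says, this does nothing about an allowed user who copies the data out; it only narrows who can reach the page and keeps well-behaved crawlers from listing it.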

rdl

it's a list of sources for journalists akudood;

so thats going to be anywhere from national outfits to local newspapers. trying to access it, looking for a source. and this will (supposedly) go national/international so while their current plan is to just use google forms, im trying to see what other options we have to at least try to protect people.

Daddy

Some sort of obfuscation (javascript, images instead of text) could also do the trick though in the end, anyone who wants to dox someone on the list and knows it exists, won't be stopped if they can find the page.

rdl

;_;

yeah so the solution ended up being just setting up a google drive account with two factor authentication that manually approves who has access. id still like to log who logged in when, so best i can do is catch ip's using a script, or a script that automatically adds a blank space character anytime someone opens the doc. that ties things up pretty well.

now i feel like a dumb idiot because i had everyone jumping down the omg infosec lets have everyone set up accounts and remember new passwords rabbit hole and now i have to tell everyone that lol uh achtually we just need to set up a gmail account and manually verify. obviously.

at least im not getting paid for this

C.Mongler


rdl

yay my solution was approved, now we just need the executive director to give me the green light and we're good. we're like almost a month behind schedule though lol oops

rdl

welp this launches tomorrow. its not totally bad guy proof so hopefully we don't get anybody attacked or anything. tho im more pissed about being unemployed than that, oddly enough. normally this would be nerve wracking.

strongbad


Daddy


Hiro


rdl

