[Dataloss] Details on AOL search log disclosure

lyger lyger at attrition.org
Tue Aug 8 00:21:12 EDT 2006



On Mon, 7 Aug 2006, Joshua Reich wrote:

": " Now that we all have the list -- how ethical are we being by using it, for
": " whatever purposes?
": " 
": " Which ethical guidelines apply in this circumstance.
": " 
": " (would type more but sliced hand opened a harddrive last night)
": " 
": " Josh Reich

Not an easy question to answer, but a good one.

First, AOL did actually remove the original list from their public web 
space, which was a wise move.  However, they didn't do so until copies 
were distributed across the internet.  At this point, no legal action will 
be able to remove the data from hard drives across the world.

Second, ethics.  There will probably be several differing opinions 
regarding distribution and use of the list or dataset.  Personally, I have  
seen raw sets of breached data.  Was I happy about it?  No.  Did it make 
me uncomfortable?  Yes.  Did I seek the opinions of others in the security 
industry about viewing said data?  Absolutely.  The best piece of advice I 
received was this:  Do no harm.  Look, but don't touch.  Don't distribute 
for commercial gain.  Try to understand the data itself, but don't use it 
for anything other than self-education.

Side note:  make sure any data breach is reported to the appropriate 
people, whether company supervisors or law enforcement authorities.  If 
you know something, they should too.   


