Date: Fri, 4 Feb 2011 11:31:08 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Wesley Kerfoot <wjak56@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Best Buy and Privacy?

On Fri, Feb 4, 2011 at 11:24 AM, Wesley Kerfoot <wjak56@...il.com> wrote:
> I think the fact that they have that info in their systems is pretty awful.
> I wouldn't trust them with my personal information. How do you know some
> disgruntled employee won't take it all and sell it? Or that their database
> servers are insecure? BB have shown that they have incompetent employees and
> no ethics whatsoever.
http://dsandler.org/wp/archives/2002/05/01/it-seems-that-best-buy-uses-unencrypted-wireless-to-transfer-in-store-data-including-register-transactions-credit-card-info

>
> On Fri, Feb 4, 2011 at 11:16 AM, Thor (Hammer of God) <thor@...merofgod.com>
> wrote:
>>
>> I found this interesting, so I thought I would share it.
>>
>>
>>
>> Over the last few years I had amassed quite a number of various gaming
>> system games that I never used anymore (if at all) so I decided to trade
>> them in at Best Buy (they do this for store credit).  Though $3 for a $50
>> game wasn’t exactly attractive, I figured I could get a free Blu-ray out of
>> it, so why not.
>>
>>
>>
>> I showed up with a stack of games, and sat at the counter for about 30
>> minutes while the guy individually entered each title, catalog number, etc
>> for each game.  After all that, he finally said that he needed to see my
>> driver’s license in order to give me my $73 credit.  I always question this
>> type of thing, so asked him why.  “In case these were stolen” he says, going
>> on to say it is store policy.  Whatever, I think, so I give it to him.  He
>> doesn’t just look at it, but starts entering my info into the system – I
>> didn’t care because it was an out-of-state license, but didn’t like that he
>> was actually entering it into the system.
>>
>>
>>
>> He then notices that my license had expired a month earlier.  I actually
>> knew this, but wasn’t going to offer it up.  He says he can’t take it, and I
>> give the obligatory “I’m not driving in the store, I’m just giving you
>> games” bit and the “it was me a month ago, so what difference does it make
>> now” pitch.  He goes and asks the manager, and sure enough, they can’t take it
>> because it is expired.
>>
>>
>>
>> So this is the point where I really start to wonder and ask more questions
>> about what difference it makes.  He then tells me that the reason he has to
>> enter so much information, including each individual title and UPC, is
>> because they have to send all this information to the Seattle police in case
>> any of the titles I turned in were reported stolen by someone.  I asked how
>> they expected to match up a stolen title with a redeemed one short of
>> putting 5 “Pimp My Ride” games in a line-up for identification, and of
>> course the kid didn’t know and didn’t care.  I then pointed out that even if
>> I did steal it, if the cops came around looking for it, I wouldn’t have it
>> anymore anyway because it would be in the Best Buy warehouse.  More not
>> caring.
>>
>>
>>
>> While the overall process of wasting police resources on tracking games
>> that might have been stolen seems like a complete waste of time and money,
>> what really concerned me is that Best Buy was going to send my personal
>> information over to the police without disclosing anything to me.  There was
>> no mention of it anywhere, no fine print, nothing.  Had my license not been
>> expired, that info (which they would not have had) would be put into the
>> public system, and there would be no way I could control the information or
>> what they did with it.  This would have been particularly bad if I had to
>> explain why I had a copy of “Barbie’s Horse Adventure” at some point.
>>
>>
>>
>> As far as profiling is concerned, you would think they would be more
>> interested in the fact that I was going to use the $73 credit towards the
>> purchase of a couple of seasons of Dexter, but I have no way of knowing that
>> they wouldn’t have sent this information anyway.  It begs the question as to
>> what other information Best Buy is sending to whom, and what kind of privacy
>> rights I am implicitly giving up by shopping there.  If they can report
>> personal information to government agencies without my knowledge, approval,
>> or any sort of notification, and in this case collected the information for
>> the explicit purpose of doing so, why else are they collecting?
>>
>>
>>
>> AFAIAC, there is something seriously wrong with this.  Anyway, I thought I
>> would share this in case anyone found it interesting.
>>
>> [SNIP]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
