Schneier on Security

I tried it and here is what I found:
Google found people with the exact name, including at least one physician (good target :-). The town and zip are correct, but Google couldn't find the street. It did suggest 199 E. Williams St. as an alternative to 485 Williams Drive. The phone number exists (Verizon), but the listing's address isn't public. However, the number is in the right town. For the VISA number the first six digits are the bank id, but I couldn't find this id on a list of bank id's I found. However, the list was major banks and the card could be from a local bank.

I got Charles L. Cihak as a 1st result, with WA address... I could find a Charles Cihak in MI.
Second try: Alan Salinas .... plenty of people with that name.

I need to bookmark that page for the internet registrations and other fun stuff. :)

.. and hte first female try, Michelle Kern, had actually an interesting existing person as well.. :p http://www.michellekern.net/

I find it strange that I find it fun.

I used to watch alot of I Spy and Mission: Impossible when I was a kid. This reminds me of the cover identities that would have to be dutifully memorized. I think the site needs to add a 'personal details' section to breathe some real life into the identities.

You see, I've always wanted to be a dark-complected left-handed billiards enthusiast from Istanbul who walks with a limp and wears a fez.

Note to self: buy fez.

For messing with web registrations, this seems sufficient. That's pretty easy since they'll take any information you give them. When they sell the information, it just becomes a single, irrelevant data point. The value to the data aggregators comes from numerous matching data points. Creating false personas makes the data more interesting to them. There is no validation of data. In their world, quantity == quality. I once got a credit card offer to Guy Fawkes based on many bogus things I filled out.

What would be really cool is something more applicable in real life. When I go to places like Defcon, there are many people who know me, but don't know my real name. It's easy to get business cards and credit cards in a bogus name. However, if someone asked for ID, that's not something that can be faked without violating some laws. I wonder if I could convince someone to give me a credit card with a fake name and my picture? I'll have to look into that. I'm not looking to scam the credit card company, since it would be tied to my account anyway, but it would give the appearance of a legitimate person.

AFAIK, changing your name, or going by an alias (the two aren't materially different), is legal unless used for fraud. Also, while you can file some kind of legal name-change form, it's *not* required, but more of a "I want it on record that" kind of thing.

these are not "random identities", these are real people taken from census bureau records. use of such a "random identity" is tantamount to identity theft. extreme caution should be taken in selecting which "random identity" you will use, because some of us reserve the right of direct personal action against the thief to implement a final solution to our problem.
i will never respond to a census bureau request again.

not bad for a first level pass

it is not unlawful to use a name as long as there is no intent to defraud, and no law or regulation requires you to provide your identity

For web registration, I find it amusing to give a name like "Larry Llama", or "Brian G. Bear", and the address of one of the local zoos. I sometimes wonder what kind of offers the animals receive in their mail as a result...

@another_bruce

The names are a random match of actual last names and actual first names of men and women. I had a look at the files from the census bureau, here are a few entries from the last name file,

SMITH 1.006 1.006 1
JOHNSON 0.810 1.816 2
WILLIAMS 0.699 2.515 3

and a few entries from the female first name file

MARY 2.629 2.629 1
PATRICIA 1.073 3.702 2
LINDA 1.035 4.736 3
BARBARA 0.980 5.716 4

so actual names corresponding to real people are not made public by the census bureau. The name components are sorted by frequency in the files.

@another_bruce:

It seems to me that the names are indeed generated randomly, but sometimes do match the name of an actual person. I do not know how are the addresses generated. I tried a few times and most of them the addresses listed in Google for the people concerned did not match the "fake" one.

This does not mean that reckless use of this random data is totally harmless. If the "fake" name or address do exist, it is indeed possible to end up creating a problem (or at least an annoyance) for some random person.

It is interesting that that an API will be provided... This could make the "feeding" of databases much more streamlined.

I want the name-generator site automatically hooked up to the auto-fill feature in my browser, so a single keystroke both manufactures an identity and fills it into the proper fields in the form. I'd even pay $5 for such a plugin.

Very similar to this software...

http://packages.debian.org/stable/misc/rig
Package: rig (1.10-3)
Random identity generator

RIG (Random Identity Generator) is a free replacement for a shareware program out there called 'fake'. It generates random, yet real-looking, personal data. It is useful if you need to feed a name to a Web site, BBS, or real person, and are too lazy to think of one yourself. Also, if the Web site/BBS/person you are giving the information to tries to cross-check the city, state, zip, or area code, it will check out.

You can also buy private domain registrations (costs a couple of dollars more), without needing to screw a person whose name happens to be something you invented/generated.

One possibility for turning the tables on companies that aggregate and sell personal information is to just fill their DB's with endless amounts of false info. As the quality of their information goes down, the value of their data goes down, and the financial incentive decreases. If one were so inclined, it might not be too hard to whip up web crawlers that visit web forms and uses this (or RIG) to fill them (and the personal info DB's) with useless false data.

ok, i zabasearched several of the names and couldn't get a street address to match (although there really is a kenneth e. graham in arvada, colorado, only six months older than the "random identity"), so for maximum safety in using this utility, i suggest checking to make sure the identity is truly blank and not susceptible to real-world confusion.
from looking at the faq page previously, without clicking on the census bureau link, i had not realized these were just frequency distribution tables for names instead of raw names from census reports, yet they may still pose a hazard to some people because they're available by area. as a "bruce" i'm pretty safe, but what if i were a "jehosophat" or one of those african-american names with absolutely unique spelling? i suggest that jehosophat just use "joe" on the census return.

@Abdul Alhazred

That wouldn't be much different from the BugMeNot extension for firefox, which will auto-login to many "free subscription required" sites with bogus credentials created by other users. Right? See:

http://roachfiend.com/archives/2005/02/07/bugmenot/

--kirby

Every time I refreshed the site, the address '@pookmail.com' always appeared. I'm sure there would be a verifiable and retrievable crumb trail if you used the pookmail address and people wanted to track you down ...

I wonder if there's any subtilty in the name generation, or whether it is straight uncorrelated random names from a distribution? E.g. "Abraham Cohen" and "Giovanni Guareschi" are perfectly good names, but "Abraham Guareschi" and "Giovanni Cohen" would raise eyebrows. It would be an interesting exercise to do some sort of clustering analysis from the real first-and-last-name data.

Pookmail is a temporary service. Use and discard. These Identities aren't meant to be long-term.

Note to self: don't trust any pookmail email addresses.

I surley hope it is in fact pseudo data and not real data from people copied from phone databases. If it is pseudo, this is easy to generate yourself with a few lines of code. Just build up a couple of arrays with sur/lastnames. phonenummers can be randomly generated. and download a country/zip database (free if you know where to look.) and finally a radom creditcard number generator. Overal, seems an hour work to build.

Someone mentioned the bank id, other wise known as BIN number. Does anyone know where this list is available. I have a list but it is out of date. I would be willing to pay for a list from a legitimate source such as a bank. Our bank (in new zealand), or more specifically the bank's anti fraud department repeatedly denied such a list existed, then finally told us they would not give it to us and gave no reason why. Unfortunately we get a lot of cc fraud. We now only ship within NZ or to Australia, and for expensive items we do not accept credit cards.

Someone mentioned the bank id, other wise known as BIN number. Does anyone know where this list is available. I have a list but it is out of date. I would be willing to pay for a list from a legitimate source such as a bank. Our bank (in new zealand), or more specifically the bank's anti fraud department repeatedly denied such a list existed, then finally told us they would not give it to us and gave no reason why. Unfortunately we get a lot of cc fraud. We now only ship within NZ or to Australia, and for expensive items we do not accept credit cards.

Spam that directs marks to fill out contact information for later follow up, such as mortgage spammers, is fun to use this for.

Software exists that collects open web proxies from black lists, then uses them to post random personal information that simple filter scripts won't weed out to pollute the leads that come back.

There's something oddly ironic that the site information for the "random" generator links to the Latter Day Saints faith; on the one hand they have done so much to advance geneological research and archiving, and on the other you can now easily pollute the data by erasing your tracks and generating multiple dead ends all by yourself.

Historically speaking, this generator is a start but perhaps it would be better to go all the way and challenge the very concept of a given/imposed "Christian name", since that would give far better entropy as well as encode a path to the real person.

For example, in the most obvious example, what if Bob Smith was son of Smith Robert, son of Robert Bob, son of Bob Smith...that's common outside Christianity and the significance of the name as a primary factor in western ID surely would be different.

@Benny

Hence the API I'm working on. ;o)

@Jungsonn

Names are generated in the manner citadel outlines. Pretty convincing, eh?

And you're right, only took a few hours to get it basically working. Several more hours making it actually work well and have the features I wanted it to have.

@Davi Ottenheimer

Luckily there isn't any commandment against using pseudonyms.

(And it is Latter-day Saint, not Latter Day Saint... The former is the large world-wide church that everyone refers to as Mormons, the latter is a small splinter group in Michigan)

@zulugrid

I have to confess the significance of the hyphen was opaque to me, so I went and read The Church of Jesus Christ of Latter-day Saints "style guide":

http://www.lds.org/newsroom/page/0,15606,4043-1---15-168,00.html

And now I'm more confused than before. I mean the style guide makes me believe that the Latter-day Saint site perhaps should really be hosted on l-ds.org instead of lds.org.

The l-ds.org domain seems to be available, by the way.

The Wikipedia also had an interesting entry on the same identity issue:

"Due to a large number of incidents in which misidentification has been made in regard to LDS Church, confusing the church with its much smaller schisms, the church strongly prefers that if the term is used that it be applied solely to the LDS Church while at the same time encouraging the increased use of official and historic self-designations such as 'Latter-day Saints', 'Saints', and 'Church of Jesus Christ' instead of 'Mormon.'"

I hate to say it but if these schisms had used a more *random* identity generator they would have avoided this problem, although at the risk of losing their ancestral ties I suppose.

I also find it confusing that the LDS Church does not stand for Latter Day Saint but instead the Latter-day Saint. Shouldn't the acronym be LdS or LS instead of LDS?

Heh, and that just makes me wonder how long before human names need to be handled as case-sensitive with special characters? Talk about randomness...

@Davi

I understand your confusion 100%. Not sure why they went with the acronym that they did. That'd be an interesting research topic though (for a Mormon at least :o).

A lot of the schisms do have more random names, however. For example, members of the church that claims the name "Church of Jesus Christ of Latter Day Saints" are commonly called Strangites.

On a random side note, I've always thought it would be interesting to insert a digit into one of my (future) kid's names.

@zulugrid:

"... I've always thought it would be interesting to insert a digit ..."

Like in Gibson's Neuromancer?

http://tinyurl.com/nvd59

@zulugrid

It's nice, and pretty convincing.

about the random & digit in name:

Stegonagraphy is a good method of inventing a name that contains hidden code. For instance if your name is Albert Dough, you could encode your whole name into your son's name, just think up a simple encoding, when its decoded back your name is being shown (sur and lastname). I would not insert digits into ones name, in my country this is not allowed.

Bu this would seem a very nice idea. :)

There is an academic in the UK (with a bit of a thing about world-destroying robots, if I remember correctly) who goes by the name Perri 6.

Here's his biography/resume for anyone curious.

http://www.hsmc.bham.ac.uk/staff/staffdetails/6p.htm

This harkens back to the AOHell days when scammers would use fake ID's like this to get free accounts on AOL.

I'm not super impressed with this. Now, if you could actually download and print a PDF with a fake ID card and credit card, then I would be more impressed, though I couldn't imagine what legitimate purpose such a thing would have.

Come to think of it, I actually could, but they are far and few between.

To all the people asking "how does it do X", "are these real names" etc., there is a FAQ for Pete's sake!
http://dev.allredtech.com/fakename/faq.php

@zulugrid:
Nice work. Do you take feature requests?
* The proportion of generated names which come from tiny country towns is very high (at least for the Australian data). I assume this is because town names are selected uniformly, without regards to size, whereas Australia is highly nonuniform; 42% of the population live in just two cities, Sydney and Melbourne, so doing ten in a row with none from those cities looks really odd. It would be nice to be able to specify particular regions, or even towns.
* If town size is taken into acount, it could also have some effect on street names and addresses. For example I generated an address of 322 4th Street, Pioneer TAS. Anyone familiar with Tasmania would regard this as suspicious because Pioneer is a tiny little mountain hamlet with about 30 houses and two dirt road sidestreets. (Rural addresses in Australia sometimes have large "house numbers", but these are prefixed with the letters "RMB" and actually mean the distance from town in 100's of metres. They don't usually go as high as 300, except perhaps in very remote areas.)
* It might also be nice to regionalise the street names. 1st, 2nd etc are relatively unusual in Australia (although not nonexistent, and usually spelled out, i.e. "First street"), while in most Commonwealth countries Washington, Franklin and Lincoln tend to be replaced by Victoria, Albert, Elizabeth and George, and occasionally even poor old Edward. In Australia some US Presidential names do occur but Campbell and Macquarie are far more common. Similarly Walnut, Maple and Elm do occur but are much rarer than Acacia, Banksia, Waratah and Wattle.

Sorry for this

>> It might also be nice to regionalize the street names
That is a good idea, since some European countries do not have 1st, 2nd ... at all. Streets are usually named after famous people or important events.

I went to the site to download the files... please email me and tell me what to download for win xp

I have several credit card numbers but i don't have their security codes, what should i do?

I have been receiving calls from third party debt collectors for a name that i think was probably started from a RIG. They used it to scam various companies for real goods and/or money. Having no sympathy for collectors that verbally badger and harass me, i simply told them they had the wrong number. Until i called a financial institutuion about an account i had with them. They asked me to identify myself by answering a few questions that only i should know off the top of my head. The RIG identity was merged into my personal information. Now i take this much more seriously. The ramifications of this are sobering.

thvery informative website- my question is in regards to the "ccv" or credit card security value: is is not a randomly generated number, I'm sure; is there a program that will figure it out solely by the credit card number? There must be newer & better things that credit card companies are implementing to protect their clients. I think that the "one- time use" credit card number & the virtual credit card are reasonably safer ways to protect one's interests. It's unfortunate that there aren't more Canadian banks thatoffer these services- are there any banks/ financial institutions that offer such things to Canadians? tekkynn@techemail.com Thanks :)

what can i do if i use credit card

i dont have the ccv what can i do

pls tell me thankx

joseph partrick

thanksssssssss