Schneier on Security
A blog covering security and security technology.
« The "Hidden Cost" of Privacy |
| Prairie Dogs Hack Baltimore Zoo »
June 15, 2009
Did a Public Twitter Post Lead to a Burglary?
No evidence one way or the other:
Like a lot of people who use social media, Israel Hyman and his wife Noell went on Twitter to share real-time details of a recent trip. Their posts said they were "preparing to head out of town," that they had "another 10 hours of driving ahead," and that they "made it to Kansas City."
While they were on the road, their home in Mesa, Ariz., was burglarized. Hyman has an online video business called IzzyVideo.com, with 2,000 followers on Twitter. He thinks his Twitter updates tipped the burglars off.
"My wife thinks it could be a random thing, but I just have my suspicions," he said. "They didn't take any of our normal consumer electronics." They took his video editing equipment.
I'm not saying that there isn't a connection, but people have a propensity for seeing these sorts of connections.
Posted on June 15, 2009 at 2:26 PM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Don't mean to go Luddite and all, but tell me again what precisely does a twitterer receive in exchange for telling subscribers where he is, what he's doing, and when he hopes to be home?
Even if the tweets had nothing to do with the incident, it shows that sharing too much information is always going to be a problem, no matter the platform you are.
Why the readers need to know they were traveling? Well, it is fun to share your experiences, but you have to be very restrictive on how you do it...
@mcb: Well, if he's a vigilante; he gets a freebie.
That's exactly the reason why I blog my holiday-stories and photos after I came back home.
Whenever specific stuff is stolen like that, you've got to think it was suspicious.
I've heard first hand of a similar case. While a person I personally know was out of town, his home was robbed by a co-worker. His co-worker knew he would be out of town because he had an out of office auto-reply set up on his work e-mail account stating as much.
Moral: Don't tell the world your plans, you never know who is out there.
I think there was very likely a connection. My reason?
His twitter account is "izzyvideo". A whois of "izzyvideo.com" gives his street adress. Checking in google maps, it's definitely a residential address.
All this took about 3 minutes to look up, and an opportunistic burglars would know how far away he was and the kinds of valuable gear they could get from robbing him. Said video gear was all the burglars stole.
just also tweet: "home alarm service has been notified and will be watching house closely" and "monitoring motion sensitive cameras throughout the house".
This is nothing new. RV owners don't usually park their RVs at home for very similar reasons. People have to get better at applying old-world security precautions to new online situations.
Bruce Schneier must be immediately arrested and waterboarded, to stop him from giving terrorists information on how to steal high-tech video equipment, that can and will be used to record footage of nuclear power plants!
This is really serious and we must to do something about it, NOW! After all, it is also possible that the video-editing equipment will be put into outer space by Albert Kaida and used as a WMD to orbitally bombard the hard-working Americans. Or even women and children!
If you don't support President Obama in his effort to appoint a Twitter Czar, you are anti-American!
Twitter, Facebook and sites like these make it very easy for people to give away private and personal information, and for some reason people like to do just that. I see no other reason for them to do so besides "because they can."
A good practice when you leave the house has always been to have someone check on your house (not just for security, but also to water the plants for instance), and have someone empty your mailbox to make it less obvious that there is no one there.
Now the new trend is to shout on the Internet that you are far away?
Just because you can doesn't mean you should.
Pray tell, how did they find out it was a co-worker? I presume that the co-worker wasn't a very *good* thief.
You can't spell Twitter without a twit
an insignificant or bothersome person.
Homeowners who lack common sense and the things that happen to them because they lack common sense, or how come common sense isn't that common?
I grew up on a party line. You kept your mouth shut on important stuff that other people did not need to know. What did get known was that someone was staying on your farm to keep the animals fed. Your friends inferred that you might be away, and the rest figured that the watchdog would be loose and ready for keen fangy action.
Twittering with a well known and traceable collection of data that your house is vacant. With 2,000 account followers. Like that's going to turn out well, who knew? Why not tack a huge "Kick Me!" sign on your front lawn? At least the person knew to take valuable equipment and not the junky stuff.
The main reason I stopped social networking more than two years ago.
No reason to announce anything to the lurkers.....
I had a related discussion with my wife the other evening. She'd mentioned that a friend in town had drop-in visitors. It was someone the couple knew, but probably would not have invited to their house. Nothing sinister, just that they're not that close.
The visiting couple came to our small town and went to the Chamber of Commerce for assistance. The helpful attendant there looked up the address in the local phone book and gave directions.
My address is not in the phone book, but I use my real name online and state my town name. If a stranger wanted to find my house, the Chamber might be just as helpful.
The Chamber attendant should have simply given out a phone number.
Unfortunately, though I don't post my street address anywhere on the 'net, google turns up a few instances published by a couple of forums and some tax-related entity.
If you use a cell phone, you're still on a party line.
@Savanik: No, this person apparently was not a very good thief. He also robbed a few other co-workers under similar circumstances. It's probably not a good idea to rob so many people with such a common thread, such as "same place of employment."
The article author should be teacherized not to use the word "burglarized".
Heh, good one. Had a scanner once that picked up the analog signals. It was sometimes a hilarious form of entertainment Bob Newhart style. Unless you have two scanners, you only pick up half the conversation. It was always fun imagining the other half. Never messed with any of the digital cell stuff as by then I'd gotten it out of my system.
And probably why the cell phone I carry is an emergency use device. Besides, I don't like electronic leashes.
My scanner days also made me glad I was not a cop. I would have lost my patience with criminal stupidity and somewhere along the line committed police brutality on three chronic domestics.
Whilst I have little doubt that he was targeted for the video equipment, I'm doubtfull about the "twitter" conetction.
It is just as likley that his wife was discussing the trip with her hairdresser.
There is a reasonable chance he was targeted by somebody who was a customer or knew of him through a customer of his business or possibly one of his suppliers.
However most likley is it was as a result of a person using or living on his street, who had seen rubbish or other materials related to his business and had either commited the crime, or had told somebody who did commit the crime.
Sadly for home workers it is usually quite obvious to those in proximity to them when they are away from home for more than a few hours or planning to be so.
For instance near where I live a couple I know had the habit of chaining their push bikes up at the front of the house as they had no garage or easy access to the back of the house, they where burgled whilst away for a few days. Fortunatly for them the burgler was known to the local police and was apparently not the brightest person in the world. They where told by the local "crime prevention officer" that under questioning the burgler had mentioned that he knew they where away as the bikes where not there. Aparently a lot of people advertise they are away by "tidying up the front" before they go away. In the UK it is not uncommon to notice thinks like no milk bottles, rubbish bags etc or curtains not being drawn/undrawn lights being off in the evening and all sorts of other tell tale indicators of lack of human occupancy.
More than just burglary... Can it topple a government?
It does point out that communication speed is off the charts and mostly unalterable.
Or, you can advertise that you're going out, and just stay home with some firearm.
Catch more twits with honey. ;)
So what you are all saying is that this is an argument
FOR Security by Obscurity.
@ Rick Auricchio
If you own your own home all they have to do is look up your tax records online.
@Arkh: Thats what I was getting at with the vigilante getting a freebie.
This particular risk far pre-dates Twitter and Outlook. Back in the day, people were warned not to put their name and address on outward-facing luggage tags for exactly this reason. All an enterprising burglar needed to do was hang around the airport and wait for a family of four boarding a plane to Cancun. Read their address off their luggage tags, and go have fun!
This is why luggage tags are all covered now.
Society frowns upon boring and unsociable people. I myself am excruciatingly boring, tedious company, and therefore rather unsociable.
As a result, I have no interest whatsoever in social working. Not Myspace, not Facebook, not Twitter. None of that gubbins.
It’s reassuring, then, that dullards such as myself are far less susceptible to burglary, and also that most modern of crimes – ID theft. I can go on holiday safe in the knowledge that my home and my identity is safe. Not that I go on holiday that often.
There is nothing wrong with enhancing, or adding to security, by using obscurity.
Not tweaking, yammering, or otherwise blabbing your whereabouts is in addition to having locks, having an alarm, ... or other layers of security.
Scared: You can't spell Twitter without a twit
You also can't spell: Twitter without wit, without without with, or relevance without Vance.
My first initial thought was that this incident was merely a coincidence, but the fact that the perpetrator only took video editing equipment arises my suspicion.
Digital cell phones are essentially as secure as a landline. Especially CDMA, which as part of their systems to maximize bandwidth efficiency & also to combat fraud essentially use fairly strong encryption as a side effect of ensuring only the one handset receives the datastream.
Won't stop eavesdroppers
this is *exactly* why I never use "Out Of Office" notifications - ever!
--I may be paranoid, but am I paranoid enough.
A couple decades back, there was a rash of burglaries in my mom's neighborhood. Culprits were police officers who had availed themselves of the "keep an eye on such-and-such address, we will be on vacation from ... to ..." notes.
Old problem, just a fresh coat of paint.
Not all luggage tags are covered. A lot of the better ones, sure, but go to *mart and look at their "travel" section and they still carry plenty of tags that can't be concealed.
Of course, thieves won't need to bother because all they'll need to do is carry an RFID scanner in a backpack, walk by some check-in counters and grab the names and addresses from the "smart" passports of everyone in line. Ok, maybe some will have some sort of faraday cover, so they'll just need to hang out near the counter as the passports are opened.
This actually reminds me more of the "blame the victim" argument -- was a victim displaying something that invited criminal action? Seems like a slippery slope. If you can't tell a stranger you will be out of town and feel safe about it, there are larger issues at hand than Twitter.
I also find it a little ironic that a video shop did not have surveillance video...let alone live video connected to Tweets. I mean if you turn this around, a more useful paradigm would be the shop enabled to Tweet "Help, someone has entered without authorization"
This twitter thing is easier than regularly driving around the neighborhood doing a wireless read of power meters to see who is in town and who is gone by tracking daily power use.
@Rick "The Chamber attendant should have simply given out a phone number."
No. The Chamber attendant should have called your neighbors on behalf of the out of towners.
In the U.S., voter registration records have name, address and are public information. I've seen them lying around in the front lobby of public libraries.
Power meters won't help you with me. Too many computers, and I don't turn off the fridge.
Water and Gas meters, on the other hand...
Just a thought - even if there is no proven connection between the tweet and the burglary, your insurance company may still use tweets/public social networking data to claim that because you publicly advertised the fact that you would not be home, you are not covered for the burglary.
"Don't mean to go Luddite and all, but tell me again what precisely does a twitterer receive in exchange for telling subscribers where he is, what he's doing, and when he hopes to be home?"
They get an ego boost because they think other find them interesting and important - and they provide those without a life of their own something voyeristic to clutch at....
A lot of people here have really kind of missed the point.
Yes, it is a long-standing, well-known threat that publicising vacation information increases the risk of burglary. Twitter probably makes very little difference in this specific regard because, even though the number of recipients of the information may be larger than traditonally, for burglary only the ones in your area matter.
But vacation burglaries are only one of many, many threats for which our traditional, low security defences depend primarily on the fact that it is too costly for the opponent to discover the exposure. Call it security by obscurity if you like, but in the real world much of our practical day-to-day security relies on it.
Kids walking home from school? No big deal in most neighbourhoods. The likelihood of them being targeted by prowling pederasts is microscopic. BUT if the predatory pederast can do high speed massive database searches for such titbits, such an assumption may no longer be valid.
Telling a friend you're whipping down to the shops for half an hour: excruciatingly boring, but no big deal. Telling thousands of random strangers: dumb. Telling a friend you're about to pass out drunk in the park: tacky, but OK, maybe even prudent. Telling thousands of random strangers: dumber than a bag of hammers.
By encouraging the exposure of tedious personal minutiae, what we see Twitter doing here is creating quite novel risks of targeted exploitation of security sensitive personal information. Not so long ago, you didn't need to worry about keeping your route to work secret unless there was a "contract out on you." But if you're into twittering all this kind of guff, you need to start doing a double-take with everything: should I publish this? Could it be harmful?
It's unlikely that we will find out if Hyman's burglary was "cased" on Twitter unless the thief is caught. Personally, I hope the thief is caught and it does turn out that he used Twitter, because it might knock some sense into the kind of people who never believe until they see the gun in their faces.
The words you all are searching for is operational security OPSEC.
OPSEC in concept is simple...though DHS's "intro" course is a mindbending 8 hours of frustration...deny the enemy information it wants.
It is entirely dedicated to controlling and yes, obscuring, transient state security information and the asset protected.
The dictionary I checked a while back said that "burglarize" (American) and "burgle" (British) are each just over a hundred years cold, evidently being "what a burglar does" - although that word is way older. Language is way weird. But, as the saying goes, the English are amused that Americans consider a hundred years is a long time.
And, uh, yeah. Someone finally finds a use for Twitter...
This is precisely why I NEVER used the presence notification abilities of instant messengers. I configure my clients to always show be available. Even then I connect from multiple locations so that I am actually available nearly every second I'm not driving or sleeping, and I sometimes intentionally ignore people, just so they can't make patterns of when I am and am not near a computer or where that computer is.
Heh. I half-expect the USAians in another century or so to be talking about "burglarizers" - i.e. people who burglarize.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.