Hack Back Series: Data is an Asset
Whitepaper registration services strategy
By 404Whylo
29 June, 2015
©2015 www.404Whylo.com™ All rights reserved.
Summary
• The Hack Back series is all about YOU and how I can contribute to making the internet a safer place for everyone.
• Your personal data is an asset and deserves to be treated accordingly.
• Data and information bytes are intangible objects; it's hard to assign values to them.
• Use the “data is an asset” analogy to help you think before giving away your personal data.
• The techniques you learn here are essential skills, now and in the future.
• Protect yourself and become more diligent in your use of digital media.
The one thing to remember
• "Data is an asset & asset = money"
The one thing to remember
• This is all you need to know about information security. I also volunteer for a hacker high school project, and the most important thing about security I try to teach the teenagers is this:
• "Data is an asset"
How to grasp this?
• Usually I do it this way.
• I keep some coins at hand for this.
• Then, together with the teenagers, I make a list of the attributes they use to register for so-called "free" services:
• Name: 404
• Last name: Whylo
• Dob: 1. Nov 2000
• City: Bern (Switzerland)
• Phone: +41763011961
• Email: [email protected]
What does free mean?
• "If it's free then U are the product in some way or form"
The link
• These information bytes are usually given away quite easily. The problem with “data is an asset” is that it's abstract. Giving away information bytes is painless, easy and, at first, of no consequence. So I need to create a connection the teenagers will remember, a link in the brain: data is an asset. This is where the coins come into play. I give the teenagers 5 CHF Swiss franc coins (this is the largest Swiss coin and worth about 5 US$) for each information attribute.
• P.S. You can do this with poker chips too!
The new list
• Name: 404 (worth 5 US$)
• Last name: Whylo (worth 5 US$)
• Dob: 1. Nov 2000 (worth 5 US$)
• City: Bern (Switzerland) (worth 5 US$)
• Phone: +41763011961 (worth 5 US$)
• Email: [email protected] (worth 5 US$)
• Total: 30 US$ (6 coins at 5 US$ each)
• Now the teenagers have their coins in their hands and play with them. 6 coins stack up nicely and you can build little towers etc. It's now tangible! You can feel the worth. It's no longer abstract.
The realisation
Then I start trading.
• Here is a fictitious service A: you can game and chat for free. In order to use the service I want your name and birth date, plus all the pictures you create will be mine, now and for all eternity. I can print t-shirts with them or create coffee mugs. Please register and pay now.
• Here is a fictitious service B: you get free video editing software and 5 GB of storage space. In order to use the service I want your name, last name and birth date, plus all the pictures you create will be mine, now and for all eternity and beyond.
Now the «good» happens
• The teenagers have to decide and choose a service, come up to the registration desk and pay the amount. Now comes the turning point, and the discussion starts right here. The discussions revolve around:
• Why should I pay?
• I don't want to pay 30 US$ just for this.
• Can I have it cheaper?
• This sucks!
• I'll buy some ice-cream instead.
• It's not worth it!
The conclusion
• This is exactly what I wanted. Now the abstract concept of "Data is an asset" has been linked. The discussion becomes focused around:
• What do I get in return for the money (asset: your name) I paid?
• Where is my freedom?
• Why don't I get money if people are making money from my data and information (advertising)?
• I should get paid if my information is used to make a profit.
• I shouldn't reveal my information too easily.
Victory
• Yeah, my goal has been reached: critical thinkers are born!
Practical application
• Now some tips and tricks from a practical perspective.
• We now know data is an asset, so you might want to keep as much of it as you can for yourself, or under your control.
• Do you feel annoyed by the practice of collecting your data just for downloading a white paper, for instance? Some registration sites just want to suck you dry of your personal data.
The problem
• It appears the motto for most providers is: the more the better.
• Actually, from a risk and security perspective the motto is: the less the better. Because if you hold data you have to take care of it, and that costs money.
• It's not easy to prevent asset depletion, but it's worth the effort in the longer term.
• For registration purposes I personally use the following 3 step strategy:
3 step strategy
Step 1 • Just hit the download button for the whitepaper and see what happens.
Step 2 • Register with as much garbage, meaningless or impersonal information as possible.
Step 3 • Either use a temporary email address, an address at the provider's own company domain for registrations, or your personal or company email address as given to you.
Step 1
• For share-only concept sites. These are the BEST sites and they should receive an accolade for their exemplary behaviour. Just click on the download button. Sometimes you can simply download the whitepaper you want. You don't actually have to fill out the form; you just think/assume you have to in order to get the file. You are nicely conditioned :-). You will be surprised how many sites allow this. If this isn't working (you will figure it out when the download form gives you all red errors back), proceed to step 2.
• P.S. I figured this out myself. As a well-behaved and conditioned user myself, I also filled out some forms just to discover I didn't really have to!
Step 1 screenshots
• Oh no, it doesn't work here. The result: the download form delivers some error messages.
Figure 1: Screenshot, download whitepaper
Figure 2: Screenshot, whitepaper download form errors
Step 2
• For collect-and-share sites. Step 2 is the strategy when step 1 doesn't work, but always try step 1 first. Step 2 is filling out the registration form with garbage or meaningless and impersonal data. Use your imagination! For the email field, sometimes the form tests for a valid and active email account. For instance, you can use an address at the domain of the company you want to download from. If the company is dontget.me, then use an email like [email protected]. That email address will most certainly be valid and active, plus the company gets a taste of its own marketing strategy. If this works you can download your whitepaper directly. Some providers don't really like that. From their perspective they want something valid in return for their whitepaper: they will give you the download link only in an email sent to a valid and active email account.
Step 2 screenshots
• Hurray, it's a step 2 company! Just enjoy your whitepaper! There was no validation other than checking that the form fields were filled out.
Figure 3: Screenshot, download form with garbage information entered
Figure 4: Screenshot, download window
Step 3
• For share-through-active-email websites (download link). The question here is: do you really want to share your personal or private email address with this company? Can you trust them not to sell your information to others or spam you with advertising? Some you can trust, some you can't. This is where all these instant email services come in. The use case is the following: you create a temporary email address with one of the anonymous email providers. From this temporary mailbox you then extract the download link for your whitepaper. Some of these email addresses only last for 10 minutes. Some providers have these email services blacklisted, which means they don't send emails to those domains. There are two sides to the coin: providers want your data and you want privacy. The general problem is that there have been too many false promises to trust all those "too good to be true" promises. A provider can state they will not share your data. But when they are bought or ownership changes, your data belongs to the new owner, and then you don't know what they will do with it.
Step 3 screenshots
• Remember, the download link goes to an email address. Either use a temporary email address, an address at the provider's own company domain for registrations, or your personal or company email address as given to you.
Figure 5: Screenshot, link sent by email
Figure 6: Screenshot, validated registration form
The solution
• I propose that all organisations create a group email account ([email protected]) for exactly this reason. All employees can use this shared mailbox when they want to download a whitepaper or register for a service. A further benefit is that this email address would not normally get blacklisted, unlike the domains of the specialised temporary email providers. Since this address will end up on exactly the marketing and resale lists described above, treat the mailbox as untrusted input and do not use it for accounts that hold anything sensitive.
Cybersmart
• Be cybersmart and remember your data is an asset!
• P.S. Please send me your name, last name, email address and dob in order to receive a personal thank you note from me :-)
Thanks and don't forget to have fun!