back to article Need a facial recognition auto-doxxx tool? Social Mapper has you covered

Finding people's social media profiles can be a slow and manual business – so why not get facial recognition to help? That's the pitch coming from Trustwave's SpiderLabs, which wants to make life easier for penetration testers trying to infiltrate clients' networks and facilities using social engineering and targeted hackery …

  1. Vimes

    Didn't NSA employees get caught out on LinkedIn using project names that were then subsequently leaked by Snowden? And presumably their profiles have nice mugshots displayed?

    1. Chris G

      Re. NSA employees

      What do they put in their Linked in profile?

      ' I develop and expedite projects and technologies for spying on my fellow Americans'?

      Profile pic from Spy vs spy.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re. NSA employees

        > What do they put in their Linked in profile?

        Don't know, but a senior scientific type at my former employer had the former in his intranet CV:

        * 1985-2000 Australian Army. Special Air Service Regiment. Main tasks: problem-solving in small teams.

  2. Anonymous Coward
    Anonymous Coward

    Go for it

    Good luck finding ME!

    1. Oengus

      Re: Go for it

      You might find my picture in someone else's profile, I can't stop people posting images that I am coincidental in, but good luck finding any profile for me on any social media.

      1. Siberian Hamster

        Re: Go for it

        Well for a start we can find out the approximate area you live, Australia/New Zealand is our starting point...

        1. Khaptain Silver badge

          Re: Go for it

          Australian, living in one of Sydney's affluent suburbs.

          Worked on IBMs, knows AS400s probably from within a Banking environment, in or around the early 80s, we can quickly surmise that at least 48 years old, although I would hazard a guess are around 62. ( forty odd years in IT).

          Learned assembler on Macs in an Australian university.

          Likes to make/eat Cheese. Previously owned a BMW 740il

          What's the betting that it would not take too long for someone with but a little more information than El Reg posts too fully determine the real name of our probably Scottish or Irish descendancy poster......

          So were moving along quickly with this rather un-anonymous Aussi...lol.

          [Oengus, don't take it too seriously, I just wanted to see what kind of profile I could quickly develop just reading through El Reg posts] Anyone that thinks that El Reg is not a social media website, think again...

          1. Anonymous Coward
            Anonymous Coward

            Re: Go for it

            > Anyone that thinks that El Reg is not a social media website, think again...

            Yup! And btw, your great example illustrates very nicely the reason why my every post in this site since 2003 or so (whenever it started having comments) has been as AC. People with access to El Reg's backend can still track the nonsense that I post*, but at least not every Robert and Harold can do so.

            * Just be aware that one is in the habit of taking certain other measures too. Nothing personal, but having been politically active in a certain country where it is distinctly unhealthy to do so makes you be like this.

  3. Anonymous Coward Silver badge
    Paris Hilton

    This:

    "even though your [social media] profiles are all under different names and handles"

    Doesn't really correlate with this:

    "searching for targets by name."

    Basically, Social Mapper is automating the process but not doing anything that would take a human more than a few seconds per name.

    I shall remain unconcerned.

    1. Anonymous Coward
      Anonymous Coward

      that would take a human more than a few seconds per name.

      I wonder how much would it cost to hire a human (or humans) to do the job, as compared to the computer?

  4. Neil Barnes Silver badge

    matching a photo of your face to the selfies you used on each of the account pages

    What photos? What social media accounts? Good luck with that...

    1. Ochib

      Re: matching a photo of your face to the selfies you used on each of the account pages

      "What photos? What social media accounts? Good luck with that..."

      Well there is this one for starters

    2. GIRZiM

      Re: What photos?

      All those ones of you that are posted by your friends and family on Faecesbook that will then lead to the revelation of what circles you move in socially, thus making it much easier to socially 'engineer' you.

      You know Faecesbook: it's that company that, even though you've never once gone near it yourself, has your name/address/phone number/email address/D.o.B and a photo of you, because someone else has used one of its 'products' on their phone and stored all that information about you in your contact record.

      That Those photos of you.

  5. GIRZiM

    The pitch coming from [a couple of shysters at] Trustwave's SpiderLabs

    "which wants to make life easier for criminals who will pay them a lot of money [nudge] [wink] penetration testers [/wink] [/nudge] trying to infiltrate clients' networks and facilities using social engineering and targeted hackery"

    There - fixed that for them.

    1. Pascal Monett Silver badge

      And the best of it is that all the data is beamed back to SpiderLabs, for algorythm improvement, of course, so anything you do search for will be added to their database which will be worth millions in a short time.

      Great for them !

  6. tiggity Silver badge

    " Google+ (because we've all got one of those),"

    Actually - unlike FB, LinkedIn and the others, I do have one of those.

    Because its not an in your face, obtrusive thing, and is good for interacting with people with similar interest (and the bonus of their feeds not being full of selfies, pics of meals etc .). Also has bonus that people who pester you to join FB so you can get their irrelevant updates on minutiae of their life (No I don't care that you purchased new shoes & definitely do not need to see a huge image of them FFS, no I don't want to see an image of the "design" the barista added in your crema etc.) are oblivious of G+ so will not hunt for you there.

    Win all round.

    (Ditto Mastodon for avoiding Twatter, but getting interactions you want)

    1. Anonymous Coward
      Anonymous Coward

      Doesn't anyone who's ever opened a gmail account (i.e. activated an android phone) have one automatically? That kills the quip pretty much stone dead if it's still true...

      1. GIRZiM
        FAIL

        Re: anyone who's ever [...] activated an android phone

        without first covering the peephole camera for narcissexuals deserves to have their photo taken - it's natural selection at work weeding out the stupid.

        As for opening a Google account on an Android phone, do you mean the account opened with a fake name, on an unregistered over-the-counter phone purchased with cash, with an unregistered PAYG SIM that only ever has its credit topped up with cash, and on which Play Store purchases are only ever made by means of Google Play gift cards paid for with cash?

        The Gmail account on the completely anonymous device that had a settings put global airplane_mode_radios cell,nfc,wimax ADB shell command sent to it the moment it was turned on, so that it can be used for E2E messaging/VOIP calls with Signal, but not traced any other way by virtue of it being in permanent Airplane Mode?

        That Gmail account?

        Yeah, I worry about Android's lack of privacy sometimes as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: anyone who's ever [...] activated an android phone

          > As for opening a Google account on an Android phone, do you mean the account opened with a fake name

          That is terrible advice. It doesn't matter one iota what name you use if you configure a google account on the phone, the data is still what it is.

          And for the record, those who have legitimate privacy / security concerns should not use Signal either¹.

          For a reasonably secure and resilient messaging platform, try Briar along with a suitably configured panic button application. Understand that security comes at the expense of convenience and that you will probably not have a need for continuous use of Briar: like every other specialised bit of kit it is more of a "project" tool.

          ¹ Signal, Whatsapp, Telegram offer low effective security and are not DoS resistant. The October 2017 Catalan independence referendum provides a good practical case study in which the Spaniards at different times both subverted and blocked all three. Funnily enough, much of the remote logistical coordination, which was completely successful, was done over open channels anyway.

          1. GIRZiM

            Re: anyone who's ever [...] activated an android phone

            It doesn't matter one iota what name you use if you configure a google account on the phone, the data is still what it is.

            Yeah, it's a fake name attached to a Gmail account that is never used for anything. A fake name with no other email accounts, that makes/takes no phone calls, sends/receives no SMS/MMS, uses no apps that identify what services are made use of other than Signal itself, has a handful or three contact records stored on the phone and has never once been synced with Google's 'cloud'. All 'calendar' data (don't forget the milk) is similarly stored locally and never once uploaded anywhere. The device is locked down in a variety of ways that ensure nothing gets in or out beyond Signal text/VOIP (and those latter via VPN to boot).

            Beyond that, it has all the apps you'd expect to find on an everyday reasonably technical user's phone: system utilities, file manager, note-taker, media-player; all of them locked down at system level to prevent data leakage or application compromise - nothing get in, nothing gets out (not unless the hardware/OS is so backdoored that there's nothing anyone can do to prevent it anyway).

            It does Signal.

            If absolutely necessary, it takes pictures/records video/audio of people and things to local storage.

            It has offline maps that never need GPS/wifi to tell me where I am right now - I know where I am right now, thanks to the map I'm looking at (that's the whole point of a map!).

            And if any significant data ever needs to leave it, it will do so by means of a physical transfer of the (encrypted) SD card from the phone to the device that will receive it - that SD card never to be returned to the phone (eliminating it as a vector for compromise), a replacement card inserted afterwards and away I will go again.

            those who have legitimate privacy / security concerns

            One thing you should be wary of is the idea that there is anyone who doesn't have legitimate need of them.

            should not use Signal either¹

            DoS is not the same as unsecure.- there is a world of difference between 'not functioning in this place at this time' and 'compromised'.

            Yes, I could be DoS-ed, the Signal service blocked but you know what? If I'm ever in circumstances in which that is an issue, I'll rely on oldschool techniques; the most significant of which is 'radio silence' - either I'm being directly targeted (in which case all my comms channels must be considered compromised) or else I'm in a region in which any form of communication other than F2F in a crowded, public and (above all) loud place should be considered compromised anyway. Wherever I am in the world, I know my contacts personally and know how to reach them without the need of a telephone, email, IM, social media, snailmail or any intermediaries - and I don't need to contact anyone else on my phone when I do use it.

            try Briar

            I've seen it mentioned before, and investigated it.

            When I've seen a proper audit, by sufficient (and sufficiently reputable) experts in the field, I'll consider it. Until then, however, as far as I am concerned, it's in the same league as Telegram: touted by people who claim to know how to do things better but with no evidence that be the case and that said solution be not dangerously flawed or even backdoored. Who are the people behind it? Do they have the credentials of a Marlinspike, a Zimmerman or a Levison? Have they the plaudits of a Schneier or a Snowden? Or are they a pair of Durovs, talking the talk, but forever explaining that they can't walk the walk right now because the details of their performance are a closely guarded secret and they wouldn't want to compromise it?

            Moreover, I don't actually need Briar in order to communicate with people without a cellular connection. For the secure, local transfer of data, I can give you the SD card, or send you an encrypted file via wifi/bluetooth. directly, without the need for an app. Or I could simply, you know, use Signal on wifi, like I do now.

            At the end of the day, it doesn't matter one iota what name you use if you don't configure a Google account on the phone, because the data is still what it is then too.

            The problem isn't the data itself, but who has access to it, how to ensure those without a need to know about it don't and, in the event of a breach of security, plausible deniability. And whether I use Signal, Briar or anything else is irrelevant if I a draw attention to myself by being different.

            I've taken a lot of steps to ensure the security, integrity and privacy of my data. I've taken a large number of (other) steps to ensure that the identity of the owner of my phone remains unknown to any and all except those with a legitimate need to. Yes, I'm sure that anyone absolutely determined to figure out who I am will be able to cross-correlate and figure it out thanks to the small network with which my number is associated, but first I'd have to come to their attention - and I've undertaken a lot of steps to ensure that I don't leave much of a trail for anyone to notice in the first place, let alone follow.

            What I don't have is a device that screams "Detain and interrogate", which I would have, if I naively assumed that an entirely off-grid device were the answer to all my concerns about surveillance Capitalism and/or oppressive regimes of all kinds - anyone possessing a phone with no connection to Google at all, no plausible identity to which they can point when questioned about the state of their device, will be subject to greater scrutiny (for longer) than those whose devices appear to be everyday devices for everyday use.

            The fact that my device is locked down sufficiently securely (and that I follow practices that would serve me well should I ever find myself in danger from anyone, for any reason, anywhere, at any time) for me to operate within the confines of an oppressive regime with as reasonable a hope of remaining at liberty as might anyone is simple coincidence.

            I can point to my online registration with Google as evidence that I have nothing to hide, I just like my privacy and don't wish to share my RL identity with every app developer, ad-slinger and criminal out there. The fact that I only ever use Signal to communicate is because I'm cheap and don't want to pay for comms, not a sign of nefarious activity; my apps locked down to prevent them from making use of data services and costing me the money I don't wish to pay, I like offline apps for that same reason and also because it means I don't need a signal (of any kind) to use them.

            I'll keep an eye on Briar but, in the meantime, I'll stick to using the known quantity of Signal, on an anonymous phone number, on an anonymous device, that I connect to a VPN via someone else's broadband connection, that is registered to a fake Gmail account for the sole purpose of receiving OS and/or other security updates.

            That approach has served me well so far and, as it ain't broke, I see no need to fix it.

            1. Anonymous Coward
              Anonymous Coward

              Re: anyone who's ever [...] activated an android phone

              Why on Earth would "an everyday reasonably technical user" even bother to register a phone with Google?

              1. GIRZiM

                Re: anyone who's ever [...] activated an android phone

                *sigh*

                We've been through that already:

                Anyone possessing a phone with no connection to Google/Apple/whoever at all, no plausible identity to which they can point when questioned about the state of their device, will be subject to greater scrutiny (for longer) than those whose devices appear to be everyday devices for everyday use - if you don't know this then you simply haven't had to answer the right kind of awkward questions to the wrong kind of awkward people (you are lucky enough to not be of that much interest to them).

                So, what *I* don't have (and I frankly don't give a toss what anyone else has, or why) is a device that screams "Detain and interrogate", which is what I would have, if I were to have an unregistered device: it's one thing to say that I registered it with a fake name so as to avoid ad-slingers, criminals (that's understood these days, thanks to the likes of Cambridge Analytica), but it's an altogether different matter (in the eyes of those concerned by that sort of thing) to have an entirely off-grid device; suspicious in the extreme - after all, why would anyone concerned about security cut themselves off from timely security updates from the OEM rather than oblige themselves to seek them from some potentially dodgy third-party? Who are they really trying to hide from?

                And, before you dismiss this as paranoia or simply an edge case (too infrequent to worry about), I repeat that, in that case, you are fortunate enough to not be of sufficient interest to the wrong kind of people for this to have ever happened to you, but that doesn't mean it isn't a consideration for anyone,

                Why wouldn't you, as an everyday, averagely technical user register your account? What's the big deal about it? What are you worried about? Why do you post anonymously here at El Reg? Why don't you post under a user name? Who do you think is interested in you and why? What have you got to hide?

      2. Anonymous Coward
        Anonymous Coward

        > Doesn't anyone who's ever opened a gmail account (i.e. activated an android phone) have one automatically?

        It is possible to activate and usefully operate at least some Android phones without a Google / GMail or vendor account, though it is (quite intentionally) way beyond the reach of a regular consumer and takes the best part of a day to get the device to a usable state.

    2. Anonymous Coward
      Anonymous Coward

      > is good for interacting with people with similar interest

      That would be IRC then (unless your interests are different from mine).

  7. Rich 11

    ??

    by matching a photo of your face to the selfies you used on each of the account pages.

    What's a selfie?

    Yeah, good luck with that. I'm not in the habit of staying in frame when some self-obsessed idiot gets a camera out either.

    1. GIRZiM

      Re: ??

      > What's a selfie?

      You're gonna love this.

  8. Anonymous Coward
    Anonymous Coward

    That's nothing compared to

    the vast numbers of traffic cameras, CCTV, cameras in ATM's, department stores, parking lots, airports etc.

    I've seen cameras at self checkout registers at home improvement stores and others broadcasting high definition video of consumers on overhead monitors.

    Where do all those videos go?

    I've seen the factory installed Gallery and Photo apps on cheap cellphones making outbound TCP connections to Alibaba and others.

    I would venture to guess that even people that never owned a computer or smartphone have their picture stored in some searchable database somewhere.

    Take a look at this poor guy...

    Even living alone in a dense forest trying to avoid humanity at all costs, the worlds "loneliest man" is being secretly fimed "for his protection".

    https://www.bbc.com/news/world-latin-america-44901055

    What "Terms and Conditions" or vague "privacy policy" did this poor guy opt-in to allowing his image to be taken and broadcast worldwide?

  9. onefang

    "starts downloading the profile pictures and performing facial recognition checks to try and find a match."

    I doubt it will be clever enough to match the facial photo it has as a reference to the photo of my feet I use as a social media profile photo.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like