I found it scarily easy to find info on some people. I was talking to my friend about it, so I tested it out on them (with their permission).
With just their public facing instagram account handle, I:
Found full name from family members in following list -> email, phone #, etc from full name
Found email + phone of most of the close family
Found address, PO box, and usernames from their past accounts
Found their (current!) password for email, social media, etc (but not bank) from a breach from 2016 (!!!)
Found their old wattpad account (!!!!!!)
Found out that their instagram had no 2fa and "hijacked it" with them next to me, changed email and password (not sure if they could have recovered it afterwards). Notifications did come through but given their email, I used an email newsletter spammer I made and a text spammer to blow up their phone to hopefully distract for the few minutes it took, to simulate a real attack.
Needless to say, it was bad news all around. (I already knew some of the info I found, but my search consisted of me pretending I didn't)
Edit: the irony of me posting about data security when I just divulged where I grew up & school district less than 2 weeks ago :'( (though I bet I'm fine given I have no other accounts with this username)
I've got another anecdote about exposed information. Saw a car's 'Instagram handle' while next to them (was passenger) and got curious. Sure enough, their car's Instagram handle was public-facing and had links to the presumable owner's instagram handle (public facing) and his wife's handle (also public). Within five minutes of horrified clicking, I found both parents' birthdays, occupations (and photos of locations where they worked at) full legal names and birthdays of their parents, sisters, brothers (they had posted birthday celebrations and funeral announcements with names and dates), their wedding date (and all subsequent vacations they took), residence (posted about buying a new house), their children's full legal names and where they went to school (posted dropping them off at school), and the makes and models of all their cars (posted about buying new cars) over the last 5-6 years. It was a little scary to see how open they were.
That reminds me when I was still in high school and got to school by bus.
I was around 16 and used to carry a binder with my full name on its back in my hand because it was a bit too large for my backpack.
One day, I got a letter by a guy whose name I didn’t know. He saw me on the bus and thought I was cute, so he decided to look me up and somehow found out my current address. He couldn’t have used the phone book because my family wasn’t listed, so he must’ve googled me. Luckily, the guy didn’t have any bad intentions but it was very scary nevertheless.
Yes, it was essentially a love letter ending with “please call me“.
I actually did text him - since he included his phone number and I wanted to know who he was - but I “ghosted“ him after some months when he kept asking me to come to his home (he was twentysomething so several years older than me).
Afterward, I received one more postcard from him telling me how much he misses me and how he wished I was there with him (he was travelling at that time) but then it stopped.
Wow, that's very weird and very inappropriate of him, hopefully he got in trouble / didn't do that to anyone else. I'd be very anxious if someone had my home address and was harassing me, I'm sorry you had to deal with that.
Don't think I found anyone on facebook when I searched- just an instagram. If that's true, though, that's... par for Facebook I guess? I wish any other better site took off with people (especially teenagers) than something Facebook has their tendrils in.
I just spent a few hours signing up for newsletters I had saved previously and gathering submit POST requests, concatenating it into one script, etc. I honestly can't think of any white hat use for it (besides what I did). I haven't open sourced it, because it will probably be used for malicious purposes by script kiddies 99% of the time, and I don't really want that associated with me.
Ah, but then fewer people would "sign up for the newsletter" by failing to toggle the box on the checkout page. Then your list membership growth rate would go down! Can't risk that, no wonder it hasn't been implemented.
Mailchimp turned off double opt-in as the default list behaviour, presumably as a result of this listbombing taking place.
It eliminates the immediate flood from the listbomb attack but does mean the email address now has to opt-out from every list they've been subscribed to.
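The double opt-in behaviour discussed above, as an added illustration (this is not Mailchimp's code): a signup only creates a pending record and sends a single confirmation mail, nothing is added to the list until the token comes back, and repeated signups for the same address inside a cooldown window send nothing further. The class name, cooldown and token lifetime are assumptions made for the example.

```python
import hmac
import hashlib
import secrets


class DoubleOptInList:
    """Double opt-in subscription handling (hypothetical example, not a real vendor API)."""

    def __init__(self, server_secret: bytes, resend_cooldown: int = 3600, token_ttl: int = 86400):
        self.secret = server_secret
        self.resend_cooldown = resend_cooldown      # seconds between confirmation mails per address
        self.token_ttl = token_ttl                  # seconds a confirmation token stays valid
        self.pending = {}                           # email -> (issued_at, nonce)
        self.subscribed = set()                     # confirmed addresses only
        self.outbox = []                            # (email, token) pairs "sent"; constructed stand-in for SMTP

    def _token(self, email: str, issued_at: int, nonce: str) -> str:
        # Token binds the address, issue time and a random nonce so it cannot be forged or replayed
        msg = f"{email}|{issued_at}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def signup(self, email: str, now: int) -> str:
        """Record a signup request. Returns what happened; never subscribes directly."""
        email = email.strip().lower()
        if email in self.subscribed:
            return "already_subscribed"
        if email in self.pending:
            issued_at, _ = self.pending[email]
            if now - issued_at < self.resend_cooldown:
                # Abusive repeat signups (listbombing) get no additional mail at all
                return "cooldown"
        nonce = secrets.token_hex(8)
        self.pending[email] = (now, nonce)
        self.outbox.append((email, self._token(email, now, nonce)))
        return "confirmation_sent"

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Finish opt-in. Only a valid, unexpired token moves the address onto the list."""
        email = email.strip().lower()
        record = self.pending.get(email)
        if record is None:
            return False
        issued_at, nonce = record
        if now - issued_at > self.token_ttl:
            del self.pending[email]
            return False
        expected = self._token(email, issued_at, nonce)
        if not hmac.compare_digest(expected, token):
            return False
        del self.pending[email]
        self.subscribed.add(email)
        return True


def run_sample() -> dict:
    """Constructed scenario: one address hit with three signups in a row, then confirmed."""
    lst = DoubleOptInList(server_secret=b"example-secret-not-for-production")
    victim = "Target@example.com"               # constructed address
    results = [lst.signup(victim, now=0), lst.signup(victim, now=10), lst.signup(victim, now=20)]
    mails_sent = len(lst.outbox)                # the flood is capped at one mail per cooldown window
    _, good_token = lst.outbox[0]
    bad = lst.confirm(victim, "0" * 64, now=30) # forged token is rejected
    good = lst.confirm(victim, good_token, now=30)
    return {
        "results": results,
        "mails_sent": mails_sent,
        "forged_accepted": bad,
        "confirmed": good,
        "on_list": "target@example.com" in lst.subscribed,
        "after": lst.signup(victim, now=40),
    }
```

Without the confirmation step the same three requests would have produced three list memberships and three mails; with it the address receives one mail and joins nothing until the owner acts.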
This is an area of sec research I'm very interested in: classic attacks with a major IRL impact.
It's similar to social engineering but that's not a correct comparison. More like an attack that hops the cyber<>physical barrier but uses standard TTPs from pure-cyber.
There are proof of concepts like this out there, to start. It's like you DDoS'd someones real life - that's intense.
No, it's called DDoS'ing, at least for threat model that I'm referring to.
The user just near about doxx'd themselves by all the OSINT that was available. That's not particularly interesting. Trolling with IRL effects is the better peer as well, in that case. It's also similar to malicious pop-ups in a browser, but a browser never had the life-governance abilities that a smart phone has now.
What is interesting, from an exploit dev standpoint, is that in a sense you can DDoS someone's life by overwhelming their human data intake systems of notification-based services, which they use to govern their own behaviors.
Think of this in terms of a notification == a connection, and human == router.
* Baseline: 5 notifications per hour -> parseable by a human with 1 brain and a single iphone to triage them. No discernible effect on ability to rely on other key notifications (calendar alerts, banking messages, so on).
* Elevated from baseline: 5 notifications per 10 mins: odd, but still parseable, maybe calendar alerts and watching for an important email take a back seat.
* Malicious DDoS: 5 notifications per minute, on repeat: you don't know what's going on, it is overwhelming, you can't particularly turn off a phone because you still need the calendar app, and so on.
When the notification system, taken in aggregate, is providing some key service to how a person runs their life, overwhelming that system is a DDoS.
Another vector: many calendars such as Gcal and especially with recreational users, allow appointments to be dropped onto the calendar. This is a common sales tactic too. Generate N appointments, overwhelm a calendar, and it's up to the user to remove malicious appointments manually vs. a very bulk, automated appointment attack. DDoS as well.
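A defender's view of the "human == router" model above, as an added example that is not from the original comment: a triage layer that classifies the incoming notification rate using the thread's own thresholds (5/hour, 5/10 min, 5/min), quarantines bulk notifications once the rate reaches flood level, and escalates account-security notifications (password or email change) regardless, so the one message the flood is meant to bury still reaches the person. The notification kinds, app names and sample timestamps are constructed for the example.

```python
from collections import Counter, deque
from dataclasses import dataclass

# Thresholds as stated in the comment's model
ELEVATED_PER_10MIN = 5
FLOOD_PER_MIN = 5

# Notification kinds that must never be buried (assumed taxonomy for this example)
SECURITY_KINDS = {"password_changed", "email_changed", "new_login", "2fa_disabled"}


@dataclass
class Notification:
    ts: float     # seconds since some epoch
    app: str      # source app, e.g. "mail", "sms", "instagram"
    kind: str     # notification category
    text: str


class NotificationTriage:
    """Classifies notification rate and routes each item: deliver, quarantine or escalate."""

    def __init__(self):
        self.window = deque()   # timestamps of everything seen in the last hour, in arrival order
        self.delivered = []
        self.quarantined = []
        self.escalated = []

    def rate_level(self, now: float) -> str:
        while self.window and now - self.window[0] > 3600:
            self.window.popleft()
        last_min = sum(1 for t in self.window if now - t <= 60)
        last_10min = sum(1 for t in self.window if now - t <= 600)
        if last_min >= FLOOD_PER_MIN:
            return "flood"
        if last_10min >= ELEVATED_PER_10MIN:
            return "elevated"
        return "baseline"

    def ingest(self, n: Notification) -> str:
        self.window.append(n.ts)
        level = self.rate_level(n.ts)
        if n.kind in SECURITY_KINDS:
            # Security events are routed around the flood, not through it
            self.escalated.append(n)
            return "escalate"
        if level == "flood":
            self.quarantined.append(n)
            return "quarantine"
        self.delivered.append(n)
        return "deliver"

    def flood_sources(self) -> Counter:
        """Which apps dominate the quarantined traffic; a listbomb shows as one or two sources."""
        return Counter(n.app for n in self.quarantined)


def run_sample() -> dict:
    """Constructed scenario: 30 signup/SMS notifications in 30 s with a password change hidden inside."""
    items = [
        Notification(1000 + i, "mail" if i % 2 == 0 else "sms", "bulk",
                     f"Welcome to newsletter #{i}")          # constructed flood traffic
        for i in range(30)
    ]
    items.append(Notification(1015.0, "instagram", "password_changed",
                              "Your password was changed"))  # the message an attacker wants buried
    items.sort(key=lambda n: n.ts)
    triage = NotificationTriage()
    outcomes = Counter(triage.ingest(n) for n in items)
    return {
        "deliver": outcomes["deliver"],
        "quarantine": outcomes["quarantine"],
        "escalate": outcomes["escalate"],
        "escalated_kinds": [n.kind for n in triage.escalated],
        "sources": dict(triage.flood_sources()),
        "final_level": triage.rate_level(items[-1].ts),
    }
```

Only the first four bulk items are delivered before the per-minute threshold trips; the remaining 26 are held, the password-change event is escalated on its own, and the source breakdown (13 mail, 13 sms) shows the shape of the flood.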
I think they meant DDos'ing as in the person gets overwhelmed with notifications and can't actually see the notification about the password change. (i.e. the person's attention is the service)
Like I sort of referenced in my OP, it's part of a group of exploits which still lacks firm industry terminology, but definitely are out there.
The only firm things I can ID so far in this cyber<>physical attack space is:
- cyber<>cyber TTPs definitely apply in a certain way
- Vulns->exploits can start with CIA-like threat modeling (so ID'd starting point)
- the indicators of compromise show up both in the cyber domain, and physical domain, as part of a single attack
- it's a greenfield on defining what an IOC in the physical domain part of this attack is. If you attack plant watering system, is there anything unique on the outcome of plants that indicate it's definitely cyber?
- The physics of the real world play a large role in governing how the physical aspect of the attack occurs (my human ability to read, process notifications at certain scales of notification receipt)
Another example is "AI/ML" can generate financial reports that are believable. If you consider the behavior that a lot of folks trade purely on Twitter news, you can model exploits via thinking how you could compromise the integrity and availability of financial reports that people trade off of (I and A in CIA) by:
- Integrity: if you can get the fake report to get uptake on Twitter on key nodes, "the truth" of a company's finances can be replaced via this false report, as you have a legion of twitter traders following a much smaller legion of key accounts for trading views
- Availability: if you generate enough volume of this fake report vs. the real report, a metric humans use to eval the truth of things is "is it in every newspaper," so you can reduce the availability of the real report as it is drowned out.
And so on... there's definitely real attacks here, but they exist a bit outside of current security models. Very cool area.
"A DoS attack is a denial of service attack where a computer is used to flood a server with TCP and UDP packets. A DDoS attack is where multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations."
Multiple apps engaged to notify 1 human, multiple systems attack -> single system.... DDoS.
> Found their (current!) password for email, social media, etc (but not bank) from a breach from 2016 (!!!)
When a friend of mine asked me to do a similar challenge, I actually forgot to check password dumps.
Then again, I also didn't bother spending the $10 for ancestry information which probably would have yielded yet more info (mother's maiden name, etc). But I kind of lost interest after reading several dozen pages of their Twitter feed.
I used to do a presentation called "Shattering Secrets with Social Media" where we'd do a "live attack" on a volunteer from the audience.
Starting with their name from their badge, we'd see how many of the top 10 security questions we could answer. For most people we could get 4-6 in a matter of minutes. For a select few we could only get 1-2.
Despite it all, there were two we could almost never get: street you grew up on and first pet's name. My theory was that those are tied to a time and place that predates social media for many millennials and all gen-x.
But there was another approach.. one of those silly threads from years ago was "What is your porn star name?" which required your first pet's name and the street you grew up on. Yes, that was a social engineering attack at scale.
And even if you didn't answer it, if you had a sibling roughly the same age, odds are theirs were the same.
> Starting with their name from their badge, we'd see how many of the top 10 security questions we could answer
A fun thing I do is to just not use my legal name. Online or in person (unless talking to a doctor and such). Many of my friends don’t even realize.
Of course the problem is that at this point I’ve used this name enough that you can probably do all the same tricks with it. That’s why I use yet a 3rd name as a throwaway at coffee shops or with transient strangers.
Getting death threats from dad’s business dealings once was enough.
This is a great idea that I've been coming around to for a while now.
1. Have a legal/professional name. This is what shows up on your birth certificate, your IDs, what the people at your work know you by, etc.
2. Have a personal name. This is what your friends and family know you by, and can be completely disjoint from your legal name. A low-effort way of approximating this is just to go by your middle name among friends, since you're usually not required to divulge your full middle name on formal documents, so you can still maintain some degree of separation.
3. Have a public name, or a variety of public names, that are disjoint from the prior two. These are your social media account names, email address, Twitter handle, etc. Let these be as disposable as possible and, if feasible, rotate them out every few years.
That's an okay idea but it's still dependent on secrets. The first time someone books a flight or hotel on your behalf or your company pays an expense report, it's no longer a secret.
But your third point of having a variety of public names is good. Ideally, don't connect or link them in any way either.
Interestingly enough, having multiple names for different situations was commonplace before bureaucracy wanted standardized personal and surnames for better record keeping and taxation. Names used to be a lot more flexible and contextual before statecraft.
I learned about this from a section in James C. Scott's Seeing Like a State. Sadly I don't have a specific page number or citation to provide you with. But the section talked about how families were given names based on profession (Smith, Baker, Carpenter, etc.), description (Short, Young, etc.), or general location (Glenn, Brook, etc.) and all of this was done to simplify taxation and get a better command of resource extraction. This phenomenon is not unique to the West and was done in China as well.
I like to imagine that one day, after the Singularity, the super-intelligent AI overmind that society merges into will be able to resurrect me from the security answers I've left throughout the internet.
And all of the virtual reincarnations of all you security-minded suckers will be stuck thinking your mother's maiden name was X1r$9ox01.
I've found that goofy answers are both easy to remember / say, but impossible to guess.
Like, "what's your mother's maiden name?" "Lady with cheeto-colored hair." Or, "what street did you live on growing up?" "We liked to imagine it was the moon"
This issue always comes up with those discussions indeed. Probably to be safe you could just come up with a plausible unique non-random name, and still store it in keepass.
In my experience, I told them I didn't remember, and they told me "yeah it's just a bunch of random letters..." but they didn't let me through and required me to go through different security confirmation instead.
In this case, it's as if the security question just didn't exist. That's fine with me. I'd rather the attackers figure out the other security measures (e.g. get access to my email or phone in order to receive a security code) than just get into my account by pure guesses. (Though I like the solutions here of using very uncommon two-word phrases to avoid the chance of an incompetent phone operator accepting "random letters" as an answer).
Then there is a clear breach of the terms of services from your bank, and it might be easier to get issue on their hands.
But you are right, the best solution would be something in between.
I think the key to the Street address question is to actually first find their parents and then find the addresses that they lived at.
There is a non-zero chance their parents still live at the same address. And if not, there are likely records of home buy/sales which can give more guesses.
First pet though, I agree is difficult. I can't think of any public records which would list this kind of info. However, pet names also follow predictable patterns. You can probably get very far with names like "Mittens, Duke, Spike, Spot ..."
Someone, somewhere, is mapping out all the sites that ask that as a "security question", and they'll be ready to add to their dictionaries when one of those sites is breached.
Yes, this is how someone "hacked" (if you can call it that) Sarah Palin's Yahoo mail account: the answers to her security questions were all Google-able or easily guessed.
> "What is your porn star name?" ... was a social engineering attack at scale
I can't believe I didn't learn this until now. I can't believe I didn't realize it on my own. A quick search shows that this has been known for at least 10 years, though perhaps not widely. Just, wow.
Not sure how common that is, but I simply fill out those questions with random words. No way anybody will find out. At that point, they basically are easily readable passphrases. Of course it helps that everything will end up in a password manager.
One of the things that I accidentally got is an extremely common first + last name combination. Googling it gives you eight digits of results and an info box for an athlete. My childhood library system had five other people with my name, and my childhood pediatrician had one other.
It makes me a lot more confident about my pseudonyms' online anonymity. Not that I don't think concerted attackers could figure out who I am - people have, given access to additional info like previous employers or the college I attended. But I think it severely limits the ease and scope with which people could attack my personal life through my posts online. When I have children I'm going to do the same for them, I can only think it'll be even more important thirty years from now.
This, I don't have a common name, but I'm roughly the same age/regional origin as someone with the same name as me who has generated enough internet noise from things like sports that the tracker pages (as an example) have us deeply confused. Very comforting, except for when we get emails meant for each other.
When I taught high school in the '00s, they used first+last name as a primary identifier for students. For duplicates, they added an asterisk on the end, repeating as necessary. I had one student on my roster who was Jose Ramirez**** (not his actual name or number of asterisks, both of which I've long since forgotten).
That's one reason to advocate for good security hygiene for everyone. "I'm not important" is not a defence here, helping your aunt set up a password manager that syncs automagically for her is.
In a weird way it feels like we are more prepared for this in countries like Sweden where your social security number, tax returns, income, credit history, address, spouse, children, company board positions, pet ownership, car ownership and criminal records are public information and easily available.
At least we have no illusions of privacy. Someone could start with your licence plate and two minutes later know pretty much everything.
Since 1905 you have been able to buy a book every year that listed up to date income and net worth for everyone in your area [0]. Now, of course, everything has moved to web services and APIs. Take a look at the example response from this API for an idea of the information available [1].
This was part of why author Stieg Larsson never married his girlfriend: To do so would expose her to people who had made credible threats on his life because of his journalism work. Unfortunately, this also meant that she was locked out of his estate after his death.
The key part there is that in such an environment it is obvious for any company (and their customers) that "something your spouse or mom would know" is not an acceptable security measure for anything, so it does not get used. But it does not have to be a tradeoff, we could easily have companies avoid such security questions even if privacy is still mostly a thing we get.
Why not? Sweden is a great country on a lot of measures. Shouldn't quality of life count more? Or access to free, high quality health care for you and your family? Free education for your children? What if that kind of openness is in fact improving the society? Norway is very transparent as well.
It seems irrational to deny oneself and ones family the opportunity of moving to some of the best countries in the world (on a lot of measures) due to principle.
I guess the matter is trust. It is hard to become more trusting as adults, and yet, society works much better when the baseline of trust is higher.
It's not free healthcare/education, it's paid with taxes.
Why would the government publishing my personal information help me? Or is it that publishing my personal information would help other people more than it would harm me?
Sure, there are costs of course, but not for you as a patient or parent or student*, only as a tax payer. The discussion is also raised here https://news.ycombinator.com/item?id=26440702
If making more information public increases trust, both between government and citizens and among citizens, then it's good for all. Of course, not all information should be public, but transparency is often useful.
And different stances in these kinds of questions are probably adaptive in different societies. Publishing financial information is not adaptive if there is a high risk of being robbed as a result**. Having your address public is nice if all you get is flowers and post cards.
However, my main point was that "never move to Sweden" because more information about you is public, is quite unproportional as Sweden is one of the best countries to live in.
* There as some fees though, at least in Norway, but there is a limit of about $300 above which you don't need to pay for medical treatment. Some medicines have small costs, and there is also a fee for skipping your appointment without cancelling in advance. University costs about $80 per semester, but you're eligible for a public grant of ~$4 000 per semester.
** There is an ongoing case in Norway where a billionaire's wife has been kidnapped with a demanded ransom of €9 000 000. However, the police seems to believe that the motive is not merely financial https://no.wikipedia.org/wiki/L%C3%B8renskog-forsvinningen
Thanks. I think "how much better is X country over Y country for me" depends on the circumstances of the person. E.g. for people who have health insurance in the USA (~90%), it's a different situation than for people who don't.
Well... for me, there's literally no reason my neighbors (or any other random person on the internet) needs to know all that information about me or my family...
It's funny how much energy there is behind things like GDPR preventing a company from transferring people's email address to a partner, when, by comparison, this is much more sensitive information.
I don't think that having free healthcare or college requires baring private financial and other information to any nosy busybody who wants it.
Thank you for the nuances; my main issue with the comment was dismissing Sweden as an option for good, which seemed quite unproportional. Sweden is a good country to live in, regardless of their policy on sharing this kind of information.
Personally, I think openness about taxes, fortune etc. is good to check that everyone contributes as they should. But before it was protected by login, at least in Norway, there was a (minor) problem with maps showing which streets had the wealthiest inhabitants (the police didn't like it).
Someone turned right in front of me one day, almost causing me to hit them when I had my kids in the car. I was absolutely furious. It was a distinct car, with a vanity plate, that quickly led me to an Instagram account with a link to their business websites. The sites were PHP messes with a bunch of vulns and directory listings with links to admin pages, domain control panels, email, you name it. I was very tempted to nuke everything before common sense returned to me and I just let it go.
I (when I am not using a throwaway) try to act like anyone I interact with online could be standing outside my house. You just never know.
The internet is also a public place in many ways. If someone overhears my name and sees my face and discovers my personal website or LinkedIn page, then they have only discovered MORE public information about me. There is no privacy breach if I don’t divulge private information on public spaces, i.e. the internet.
I think there needs to be more consciousness that the internet as a whole is a public commons, as public as doing something on the square. It's something I'm going to endeavor to teach my kids when they start interacting with the internet (a thought that already gives me great anxiety)
The norm used to be never to post personal info online. Yes, some things could still be found out, and there were still attack vectors, but typing your real name in a web form, except maybe (and only fairly late in the time period I'm talking about) to pay with a CC on a well-known site? LOL no. Posting photos of yourself, and with your name and maybe even a location attached? Madness! Are you nuts!?
I'm convinced Zuckerberg's infamous "dumb fucks" comment was made in a state of puzzlement that all these n00bs just had no idea they shouldn't be giving him that info, and indeed, the dawn of Facebook and all the people it added to the set of folks posting information online ended the previous "no-one knows you're a dog" set of norms of the Web.
Now there's money tied up in it, so of course people insist they must be able to post all kinds of things under their real names so they can market themselves. Never mind that it remains a terrible idea.
This is the source of conflict, I think, between people who want more real names online and those who want none. The former are the new folks who think posting personal info online is normal, or even necessary (see again: personal brand-building and marketing) and believe that we need to be able to ID everyone to prevent abuse (i.e. be able to find abusers to punish them), and the latter are the old-school Web users (post-Eternal-September, pre-Facebook) who don't get why all these idiots are making themselves easy to abuse in the first place, who see more anonymity as the obvious cure.
> This is the source of conflict, I think, between people who want more real names online and those who want none.
I think there is a space for both, tbh. There is always business based on reputation, and for that you need to self-identify. I used to be a professional gigging musician, and there was absolutely no way to do that while remaining anonymous online, nor would I want to.
The difference being, I suppose, was business vs personal, but personal brand was a thing long before the internet (I assume).
> There is no privacy breach if I don’t divulge private information on public spaces, i.e the internet.
You also have to keep in mind that you can be publicly divulging things without even realizing it, especially because everything you post online is stored permanently, and tons of private information about you can be extrapolated from it by anyone who bothers to pay attention.
It's also insanely profitable, just look at Google and Facebook!
For Google, the most profitable thing (to my understanding) is advertisement on product-seeking queries. If you look at a SERP for a privacy-invading search, like Googling someone's name or email address, you'll notice that there are not really so many ads. I tried searching for my real name, my real name with my locale, and my email address. I was able to find an old breached password and I was able to find my home address, but I didn't see any ads. You could argue that this feature provides some halo benefit to Google's more profitable queries, but to be honest it seems like a stretch to me.
For Facebook, they make money from advertising to logged in users. Broadly speaking, they keep users logging in by offering users the ability to broadcast private information to friends, and by offering the ability to receive such broadcasts from friends. To the extent FB does invade privacy, they do so to more effectively advertise to users on their site. They don't make the results of that invasion -- the profiles they build from their tracking bits, in other words -- available for public search. What's available for public search is instead only what the users choose to broadcast about themselves.
The exposure of private information to public search engines is not what is profitable about either of these companies. It's an incidental effect of the persistence of digital storage and the difficulty of curating what is stored.
A lot of conversations around privacy and using encryption would be much easier if those in the conversation understood just how simple and permissionless it is to snoop information and become way more knowledgeable about someone than you should.
There is no privacy with sites like SearchPeopleFree (dot) com
That's all u need to find out almost anything about anyone! Even if a prospective online dater gives you their Google voice number the site is gonna most likely tell you almost all about them.
I'm looking at that now out of curiosity. I don't know if I'm more outraged that they link you to multiple sites (for more information) which are clearly just reskinned versions of the same underlying code, that the sites are clearly trying to harvest more and more information from me as a user, or that they are using a "please wait while we search for more information!!!" anti-pattern to keep you on them forever.
[EDIT: And oh look, the "more information" site asks for your money after dragging you through the longest anti-pattern in the world.]
They give plenty of info for free. Type in a phone number and get their full name, age, current and previous addresses, people they associate with. Everything except criminal record, which once you have a name in most US states you can then go to the local court website and get that info. Why pay anything?
Interestingly, they have 4 phone numbers listed for me, none of which are accurate. The (partially blanked out) email address is also not one I have ever used, and although my current address is correct, the three previous addresses are all wrong (nobody I know ever lived at any of them as far as I know). I can only hope that the information behind the paywall is equally inaccurate!
Imagine if we did Google every single person we met, and started a dossier of them with all of the information that we could find and collect about them. That would be a lot of work, but Facebook does it for us.
Now imagine an IFTTT-style automation of this collection, so it requires virtually no input from you to have a dossier on almost everyone around you based on their ambient presence.
Could even potentially use Facebook et al. facial recognition.
Bundle it up with your Instagram or Google glasses.
I did a little experiment and yielded, what to me was expected, results within seconds. I pretended I was at a Starbucks and I heard them call out my grandmother's first name for her coffee order. I googled her first name and the name of the town the Starbucks is in--no state or other info--just two words.
I scroll down, swipe through a few pictures, and now I have her life story in front of me. From that I can go down the rabbit hole and easily construct a phishing profile that I can use on her family members.
I just assumed everyone already knew you could do this.
Some years ago I was applying for a job and had to fill out a form for a background check. The background check asked for my last several addresses — and I had no idea what they were. Even then, it seemed obvious to try googling myself. Scary! In a few minutes I had every address I had ever lived at.
I once showed an UHNWI what information I could dig up on them, their family and so on in a couple of minutes starting from a single 'checkin' on FourSquare. They were so shocked that it was hard to believe they had been utterly unaware of this right up until that moment. The next couple of days were spent on reducing their information footprint to something manageable, making sure that children were no longer visible and/or easily traceable and so on. Today you can barely find that person even if you know they exist.
If you don't actively manage your privacy you are very likely leaking information that you do not wish to be made public.
I thought that the lesson of this assignment was something that they never mentioned: all this public information that the students manually googled is available for automated passive surveillance to record, look up, and store.
> Instead, she wanted them to understand the gap between our perception of how much privacy we think we have in public spaces — and the reality. And, as she puts it, "to show them how thin our privacy constructions are in the modern day."
It doesn't matter that my neighbor, or hell-- even a rando drunken tourist-- can poison my drinking supply.
It does matter if a doe-eyed, tech-fetishizing HOA busy-body hooks up an IoT device which somehow connects the control system for water supply to the internet.
You're conflating two disparate issues. Privacy and Security should not be thought of as analogs. You're talking about security. I don't think that's helpful for understanding the issues at hand.
What did you think making programming widely available was going to do? Did you think nation-states and their bloated bureaucracies would magically step in and go full North Korea about privacy to protect us from you?
This accountability-denying pearl-clutching HN does every time they see an OSINT technique is ridiculously predictable... and only demonstrates your culpability in creating this mess in the first place.
Open Source Software is a solution for the problem of companies writing bad software under the assumption that no one will bother finding bugs if they are too annoying to find. History proved that wrong.
There would be no point in doing any of that if you wanted the data to be freely available too. If so, you could just publish your database as a read-only file, and call it a day. Or just forgo any accounts at all.
It literally makes no sense to blame OSS for privacy problems. The last I checked, Google Search is not open-source... These are two completely separate issues.
You seriously cannot find a single correlation between the mass availability of programming talent which extracts and transforms data, the vast majority of Internet hardware and servers being at least 70% powered by open source software, and the unstoppable destruction of privacy made possible by said infrastructure?
Open source made Internet hardware affordable for mass use.
Mass use of Internet hardware destroyed privacy.
Even at its peak, 1950s IBM didn't have enough money in the world to violate privacy the way Google does. And the only reason Google can do it is because it stands on the infrastructure of Internet servers that were able to proliferate to the point of pennies per megabyte due to open source code.
Yes, open source code is DIRECTLY responsible for the economics that has made the destruction of privacy endlessly cheap.
Even in your example, the effect from Open Source is at least two steps removed.
The problem you are referring to has more to do with Moore's law than open source software. Let's take IBM in the 1950s. Renting the use of a 701 from IBM would have cost $15000 per month. In today's dollars, that would have been about $1.8 million per year.
How exactly would you propose that IBM in the 1950s actually convince the world's population to use a computer at all, let alone using one to keep track of all of their conversations? OSS didn't make that change, cheaper silicon did.