On Defending Against Doxxing - Benjamin Brown

alright hey everybody as they've mentioned this talk is on defending in daxing I thought I'd make this slides a little more relevant for the place in context I'm sure a lot of you from this area know where that is up on the Parkway so Who am I some relatedness for you I am a Incident Response engineer and threat researcher at Akamai Technologies I do systems architecture reviews before products go live and for major changes I also do trainings and workshops for incident management and what I really really love doing is spending a lot of time on the seedy underbelly of the Internet and getting information about different actors and their tools and their methods and things like that so that we can then

use that to better protect ourselves and our customers all right so two of the terms that we're gonna be talking a lot about here are daxing and swatting doxxing is publicly releasing a person's identifying information including but not limited to their full name date of birth address phone number and pictures sometimes that also includes things like Social Security numbers bank account numbers things like that swatting is to cause the SWAT team or the police to bust down somebody's door and raid their home based on false information all right so why should we care about those things well when someone's doxed it can be that information can be used for you know pranking or sort of gray shady marketing

it can also release sensitive information we'll talk about one of the big releases of sensitive information that was a very recent a little later it could lead to online harassment bullying and cyber stalking it can also lead to some scarier things like identity theft swatting and being targeted for a physical attack out in meatspace all right so you know like I like I mentioned you know it could be something like a phone prank call that you get because your phone number was released out there and you know that's obnoxious but you can deal with it it may also be something a little shady er that guy's obviously shady and those sorts of things are when

somebody calls to try and social engineer you or try and scam you and all of the information from a Docs can lead to them being very convincing in their scam if somebody has your physical address they could lead to something easy to deal with but annoying like somebody leaving a flaming bag of poop on your doorstep or it could be something more serious like having your tires slashed sorry having your tires slashed okay so those are hypotheticals I'm going to give you some real-world cases of where people's information being released without their knowledge or want led to some unfortunate circumstances so and this is I changed the names in it to try and give this kid

a little more dignity back but he was working for a bank and he emailed his boss about a family emergency and he's telling his boss you know I need to go to New York this morning sorry for the late notice I need to deal with some family issues and thanks a lot so his boss writes back the next day you can see it's November 1st and he says Tim thank you for letting us know I hope everything is OK in New York cool wand that's strange why would he mention a wand and why did he CC the director huh well it turns out unbeknownst unbeknownst to Tim his friends had posted a bunch of information on

Facebook it's not on his facebook but it's linked to him and he was tagged in a bunch of photos and there were a lot of talk about you know this family emergency that he in New York turns out the family emergency was going to a Halloween party and just getting completely trashed and so the reference to the wand and unfortunately the kid did lose his job because of this so being mindful of what's out there about you is something that could save your skin so something a little more serious Sunil Tripathi anybody who was following the Boston bombing Marathon bombing and you were online on reddit or 4chan or something like that you know that there

was some online internet sleuthing going on and one of the people that read it had fingered as being a bomber early on his name was Neil Tripathi and a lot of media started picking this up as well and he was doxed on both reddit and 4chan all of him and his family's information was put out there so his family started receiving death threats harassment both in person and online and it turns out Sunil was missing since before the bombings happened and what had happened was he committed suicide and his body was found in the Providence River in Rhode Island and so his family he's having to deal with not only their son's suicide but a lot of threats and

harassment as well in the real world so that's a that's a case where being doxed had a real impact another time in recent history is Amanda Todd a girl who was blackmailed and bullied online ended up taking her life and anonymous got into their white knight mode and decided we're gonna find the man who did this and they ended up daxing the wrong man this man like the previous example received death threats harassment it ended up being so bad that he had to quit his job move across the country and change his name to try and escape all of this so it was a real upset for his life when he had nothing to do with the

Amanda Todd case another more public one was the fingering of the shooter of Michael Brown in Ferguson and again the wrong person and his mother for some reason they were doxed they never had any ties to the Ferguson Police Department they also received death threats things thrown at their house so damage to their house and they both ended up being victims of ID theft you know cards and bank accounts and things like that were opened in their name based on the information that was released so those are you know things that you can deal with but you're not necessarily being shot at or harmed physically but in the next case swatting that can very well occur when you have a

bunch of armed people busting into your house there are a lot of things that can go wrong in a tense situation like that we know there are there are lots of examples of SWAT teams moving in and shooting a person or a dog just because of the way that they reacted or didn't react in time so you can see a lot of examples of swatting going on a lot of online gamers who stream when they're gaming there's a you know when one gamer wants to take out another gamer they'll call in the SWAT team on them and there's a lot of recordings of this going on live and during gamergate there are a lot of the outspoken you know

female gamers and supporters of female gamers and game designers who were targeted for swatting as well Ashton Kutcher was swatted twice and of course Brian Krebs who I'm sure a lot of you know was also swatted though the good thing is after the first time it happened he got together with is a local police department and they were able to stop some future swatting attempts as well which is really nice so if if you want somebody swatted and you don't want to get caught or don't want to do it yourself there are services where you can pay to have somebody spotted so this is one of the The Onion Router onion sights a marketplace where

you can purchase different services and one of them is swatting and he says he'll get it done within 10 days anywhere in the US for a hundred bucks and he has pretty good reviews there are a number of people that use the service and we're happy with it and you can see this is rather recently okay so daxing isn't necessarily a us-only phenomenon there is an analogue in China called the human flesh search engine and this started out you know among academics that were trying to out people who they thought were putting out false papers or falsifying their research things like that and usually what it would what would happen is a group would get

together on a forum and they would find friends and friends of friends who worked in different areas that I could get them access to information about this person that they wanted to uncover so it went from there to being something that was used to harm other people or scare other people and then also used by activists against who they thought were corrupt officials things like that so it was a it's a double-edged sword in that way in the Eastern European and former Soviet bloc the they really liked daxing celebrities and they'll trade celebrity information and they'll sell it if you want to buy it there is also excuse me there was also for a while a website sure some of you

have this but leaked and you could see here there's docs on Michelle Obama chris Christie Bill Gates Hulk Hogan Britney Spears Paris Hilton jay-z Beyonce and those had like their personal cell phone numbers their family members numbers their addresses their social security numbers a lot of things and those that you would not want out there all right so how do doctors go about building this profile of your personally identifiable information well of course they use the googles and Google foo is what a lot of them will call it when they just use you know basic operators and boolean and things like that there are also there's also a Google hacking site that will do a lot of that

for you and one of the first things that a doctor will do is if they have either your username or an email address for you they'll go online and try and match user names to email addresses and vice versa so they can find more accounts that you've been associated with also if your information is up on a website or was up on a website but it's no longer there they can use the things like the Wayback Machine to go and look at earlier snapshotted versions of a forum or a website where that information would have been also they look for variations of user names and email addresses if your username was like big hack 555 they'd then search for big hack

or big hack five five things like that to try and find more accounts that you were associated with there are also automated tools that help them do these things faster and make it less manual the harvester this one you can target individuals or business and it'll go through being Google LinkedIn and a number of other sources to find you know email addresses associated with that person or company to find you know skill sets that are associated with them businesses things like that multi go multi goes useful for really building a visual diagram of somebody's social network who they're who they're talking to who they're involved with what businesses they're involved with things like that creepy is a Python script that

uses Facebook's API to get information about somebody through their friends so it uses some API calls the for information that aren't available through the browser interface of Facebook so even if you have your Facebook locked all the way down your friends connections to you can seek some information recon ng is a very extensive framework for doing reconnaissance on a person or a business and it includes some of the things that the harvester and creepy do as well alright so the next place they'll hit after Google is your Facebook account your Twitter account your LinkedIn account things like that because those will give contact info they'll give information about family members where you normally go what your

patterns are what your interests are what skills you you have or don't have jobs that you have or have had in the past as well as who your colleagues are and a lot of the information that's found on Facebook Twitter and LinkedIn is information that could lead someone to being able to guess your security questions for your accounts so that they can then get in and see the account as the owner of the account would like one of the most common security questions is my favorite pet or my first pet if you go all the way back through somebody's Facebook chances are they've mentioned this pet at some point so that's just an example for somebody who doesn't have

facebook locked down this is some of the information that you can get children's names and ages again that's useful for brute-forcing somebody's password or their security questions your birthdate again good for guessing somebody's password or username contact information including email address and where you physically live your current address the colleges that you've been to where you worked things like that also you are political views and religious views that could be used for social engineering as well right right right so you're good yeah I'm trying to remember mine I don't remember yeah yeah so some other places that aren't like the Facebook the Twitter's forums that you frequent groups that you're in or mailing lists that you're a part of a

lot of mailing lists keep archives and information that you can get from that is somebody's birthday their age their geographic location a lot of those things are standard when you sign up for a forum or group it asks you to put those in also for some forums that you may be a part of it leaks information about what your secret hobbies or fetishes are also it it will show who you talk to the most on those on those forums or groups in your history and so what that's useful for is being able to fish somebody by acting like that trusted user that they're used to talking to also breaches you know a lot of forums and groups and mailing lists

have had breaches that leaked the information that you thought was only between you and the admin or you and one other person that's now out in the open one such breach that led out a lot of very sensitive information that is actively and currently being used to blackmail people is the adult friend finder British so if you go through the actual leaked info you'll see a whole lot of dot mil and dot-gov addresses in there as well as other companies Akamai is not in there yes but yeah but you know again that's that gives information about you know what your sexual proclivities are if you're married and it shows you like hooking up with other people that's you

know useful for a black male and it's a useful information that they can do damage to you with also something that seems benign yahoo groups especially groups like free cycle if you go in there people often will use the same username that they use on other sites and they'll give out their address or their geographic location saying hey I've got this free thing come pick it up at this address so now you have their physical address as well who is information is is useful if you're not using a privacy or proxy for registering your domain name then the Whois information will include typically your full name your phone number your fax number it still s for that your email

addresses and your physical address that you or your business is located at here's an example so you can see for search engine journal com you could see you know when it expires who the owner is their email address where they physically are their phone number and yes she doesn't have a fax number because it's 2015 data brokers okay so the this is where like where the scary information comes from so Spokeo and Telus people PQ a lot of check you there's a lot of sites like this and what they do is they buy and aggregate data from various sources and then and sell it to anybody who wants it so their free versions of it you can get

full name including maiden name and ages current and former addresses and then lots of information about their family members and you know people that they've previously lived with but if you pay then you get things like copies of their criminal records school records retail activity information you know when you go in the store and the people ask you you know do you want to put in your email address or your phone number things like that a lot of that information is bundled up and resold so you can see entellus has three different tiers of where you can buy information and as you can see the the one that's the highest here the $50 version of

somebody's records has a whole lot of information including things like liens you know death records lawsuits things that you might not want out there in the public and just really nasty Spokeo one of these data brokers one of the ways that they advertise their service is they will uncover personal photos videos and secrets guaranteed come on guys like that's just that's Shady

so public records another way that doctors can get a lot of information about you if you've incorporated a business if you've purchased land or a house if you've registered a patent or a trademark all that information is public and you could see who your business partners are your addresses their addresses histories of dealings with different entities and individuals as well as mappings to other businesses that you may be affiliated with yep yes but there are ways to protect yourself against having your information out there and we'll go over that in a little bit so as you can see here on this articles for incorporation it has the the business owners as well as their street addresses in their zips

sometimes it'll also have things like phone numbers and along with a lot of the sites that you can view the aggregate the public information it'll show almost like multigo like connections and a lot of times it'll show what other businesses you might have an association with other folks that you've worked with before and if you've purchased a house or a land I'm sure this might look familiar to some of you who are from this area this is Buncombe County's GIS and information portal so here you can see things like the where the plot of land is as well as the address and full name of the person who owns it you could see the property

value and who owned it before that's really good for social engineering especially if they just sold it because if you pose as one of the people who just sold it to this person they're more likely to open an email or an attachment or something like that because they've had current dealings with that person other information that included are the improvements that have been done to the land or the house and something that's a little scary especially if you're paranoid is it gives layouts of the house you know where different rooms are how big they are things like that so if somebody wanted to college you physical harm or break into your house or something like that

that gives them useful information yes

yep and not just satellite imagery of like one period of time they'll give you a selection of different seasons as well other public records that give out useful information if you've given political contributions then that typically will include your name address your affiliation and how much you're donating which is again useful information when taken in tandem with lots of other information for tricking somebody into doing something if you've signed a petition or a petition for recall that will give your name your Draeger affic location and again more fuel for social engineering because they'll understand what your leanings may be exif data alright so if you've taken a picture with your phone or video with your phone or a newer digital

capturing device a lot of times they have features that will give tagged metadata on to these pieces of media that tell you know whoever's looking at it about the device or computer that was used the software that was used in the version so that's you know it could be useful but even scary and that is a lot of times it'll include times and dates of when it was taken as well as GPS coordinates of where that picture was taken where that video was made so here's an example of the metadata from a photo that I found online is it shows the time that it was taken as well as the camera that it was taken with and the latitude and

longitude of where that picture was snapped so if you've got somebody's album of you know this is the park by our house or something like that now you know a place that they frequent and exactly where it is and when they might typically be there another way of getting lots of information is social engineering there are if you hang out in some of the forums or IRC channels that these Doc's or kids hang out in they'll talk about how they called this person's ISP or phone company and acted like a spouse or a family member or secretary or something like that and got the ISP or phone company to give out information about calls that were made what type of

phone or plan they have and sometimes even giving the doctor full access to the account online and a lot of times the people that have the ability to do this you know our low paid Tier one support people and are typically easy to social engineer so also calling current or former places of work and acting like somebody who's doing a background check or somebody who is at a new a new hiring opportunity I can get a lot of information out of a secretary or somebody in HR posing to family as a friend of the person or posing to friends as a family member of the person especially when you act like there's a lot of urgency or there's an emergency

going on people tend to get the adrenaline going and give out more information than they probably should all right so what do we do about all of this I just don't want to be Chicken Little and say oh this is terrible I want to actually give you something that you can do so one of the first things that you should do if you haven't already has really locked down your security and privacy settings for social media Facebook Google+ LinkedIn things like that be mindful in particular about the personal information that you put up there you don't have put real information a lot of times you can leave a lot of those questions blank as well especially on LinkedIn when

somebody's trying to connect with you make sure you know that person you know vet the connection that is a common way for people to find out a lot about somebody is to just send them a LinkedIn request from a false profile untag yourself and Facebook photos if especially if that photo was not taken by you and maybe has information in it that you don't want associated with yourself also third-party apps especially for Facebook are really shady they have a lot of access to your Facebook information and the these third-party apps can easily be sold you know off to somebody who might have more malicious intent like harvesting information and so I would uninstall those you don't

really need to play farmville basic account security use strong passphrase --is wherever two-factor authentication is available please please use it a single factor authentication is very very easy to bypass two-factor authentication it's possible to bypass as we saw with the previous speaker talking about Android devices being compromised also reusing passwords is right now it's really hot for people to use automated account checkers and brooders they'll get information from a breach you know people's usernames and passwords and then just apply that across the board to a whole bunch of other sites to see where people have reused their credential information so a breach from one site can lead to somebody hacking your account on a completely different

site so old accounts especially ones that have information about you and you're not using it just clean them out shut them down turn them into shells and retail sites when they ask you you know you put in all your information to order something and they ask you do you want us to save this data for later purchases yes it might make it easier to purchase things but I would suggest not doing that because it's it's not a case of that company might be breached at some point it's they're gonna be breached it's just when so having that information not saved protects you against the something like a breach like that who is information you can use a proxy

registration you could see somebody here on the left side who did not use it it gives you know lots of information about you but like this service protected domain services fronts their information instead of yours yeah is this about ownership well transfer but if you're a business and it's your business website any of your businesses UPS or whatever on there and it's on the website anyway then the private registration you have a different threat model so there's no balance it's not sometimes and that's really kind of my question is how would you suggest people balance the need to be public especially in a business or a it cuz oftentimes small businesses are owned by individuals or a small group and they

need to be knew not to be completely unfindable on the internet so it's it's you want to do ongoing CBA's you want to do cost-benefit analysis ongoingly if you are a public figure and part of your income model is for you to be out there then of course you're gonna have a very different cost benefit you know table then somebody who wants to be private and doesn't want their information out there and as we were talking about earlier it's not a one-size-fits-all it's each person is going to have to take into account you know is this right for me is this gonna hurt my business more than it's worth the protection and so it's it's gonna be different from

person to person and business to business and again it's gonna be different between people individuals and businesses so these are just general things that you can do but you don't have to apply them if it doesn't make sense for you so thank you our people corporations mm-hmm and there are ways of incorporation that are good from a liability sense but are also good from a privacy sense and that it is not directly tied to your personal information you can have a business address like a Tapio box or something like that and not have it be your physical address okay so those data clearing houses that we saw earlier where you can pay for lots of

information all of them have opt-out mechanisms so if somebody wants these slides I'll go ahead and give them out because at the bottom it has a medalist of pretty much all of the major ones and how you opt-out of them so Spokeo people and zoom info are three of the largest ones and they just require email verification for opting out what's that oh I'm not sure if that one's there if the meta list might very well have that I didn't put all of them up here so whitepages dot-com they require email address and phone number and they also cap how many you can do in a period of time for your own safety whatever that means and entellus

is like definitely the the big dog they gobbled up a bunch of other smaller ones and their opt-out is I'm not sure about because they asked for a photocopy government ID and if I'm opting out because I don't want my information up there I kind of feel weird giving them more PII so all right so when we were talking about the difference between individuals and businesses you don't have to register or incorporate a business with your name you can use a doing business as or a fictitious name some states you don't even have to you know go through the whole process for registering it you can just use it and for the states that do require

registration you can usually do it at the county clerk's office or the state government's website for they'll have websites where you can search for businesses and entity information now when you're buying property or a house you don't have to put all that information out there about yourself or your property or your address your name things like that you can do it through a Holding Corporation or through a Land Trust and you know you want to consult a real estate lawyer of course for the right way to set it up for where you are but what will happen is either the lawyer the lawyers information will be fronted for you or the corporate holding corporations information that you've

registered with say a fictitious name would be fronted on those public records so it won't actually be your information exif data so one of my favorite tools for messing with metadata or exif data is exif tool this works on Windows Mac and different flavors of Linux and what this will let you do is you can delete meta data or EXIF information from videos and pictures and Word documents and PDFs but if you want to go a little further and have a little more fun you can put false information into the metadata like different GPS coordinates that show the picture was taken in Antarctica or something in Windows you can typically right-click on a file and

go to the property details and we'll give you some of the metadata but not all of it and you know to really lock down this headache I would suggest going into your mobile device your cameras your equipment that's capturing this media and turning off location or geo tagging for those devices a lot of times it's on by default all right so this section we're going to get a little paranoid a little more paranoid so there's a concept in Russian military thought that's called Muskoka and it's disinformation and but it's different disinformation in a very particular way and it was used very successfully during the Cold War if anybody's familiar with the Cuban Missile Crisis or the Bay of

Pigs incident you could see where Russian disinformation was very very effective and almost led to catastrophic events so what what mask Adolph got is is it's not just releasing false information so if you just released false information than an analyst who's trained can look and see okay here are the gaps in this information so that gives me an indicator towards what's actually going on what the Russians did is they sent out lots and lots of disinformation flooded comm channels but they also seeded in actual true information so then what it becomes is just noise because it's all mixed up together and there's no way without some outside bit of information of discerning which is false in which is true you

don't have those gaps to go by so we can take that and apply it to protecting ourselves online we can use different and meaningless email accounts and usernames because a lot of times your username or email account that you chose tells somebody something about yourself so you can either do random characters or something that has nothing to do with you the same is true of passwords especially if they can get the unhatched passwords employing pseudonyms can be useful online as well especially if you cultivate them you want to be wary of cloud services who here is familiar with the fappening yeah I saw this slow hands okay so what the fappening was was a lot

of yeah a lot of celebrities had their their new leaked online and one of the main ways that a lot of these newts were gathered was through their iCloud services so they had been taking pictures you know nude pictures and videos of themselves on their Apple devices and having it sync up with the cloud and then when their cloud account was hacked you get the nudes so I would say avoid those sorts of cloud services especially for information that you don't want to be out there in the open again it's not a matter of if there will be a leak or a breach but when there you go there you go false flag also you can rotate your

phone numbers and passwords often so even if you are doxed then that information becomes stale and not useful you can use things like Google Voice you can use Trilly oh you can use fring those are all services that you can just keep getting new phone numbers through also for your physical paper work especially paper work that tells people about you know your medical information or credit card information or things like that you want to go ahead and shred those before and if you want to go one step further shred and then burn using differentiated information release and release cycles you know you don't have to constantly tell everybody on Facebook and Twitter where you're going and when

and that sort of information you could even do false information get a whole picture series together of somebody else's vacation and post it as your own you can seed evidence of hobbies and things patterns that you don't actually have again this models up the doctors ability to actually put together a brief on you and you can release information late if you really really want to release photos because if you're releasing them as you're taking them then again that tells people where you are and when you're there you can also take it a step further and friends and family corroborate some of these things like if you've planted a false job or a false vacation or

something like that then you can have them you know like it and comment on it and say oh yeah this was a lot of fun I really enjoyed doing this with you things like that also cultivating multiple online personas and rotating through them is really useful it's also useful for siloing you could have different personas for different websites and different areas and that makes it very difficult for them to build a docks on you when you're communicating there's a lot of information that's leaked just between you and the site that you're using so using a VPN with no split turned on because if you don't have that your DNS is leaking also you can consider using

tor it's not a panacea and it's not a way to completely protect yourself but it can be useful for looking like you're actually coming from a geographic location that you're not actually in Skype is back doored we know this Microsoft admitted it so that's definitely leaking information if it's backdoored then the government's not the only one who would have access to that information so as I mentioned before you can start building other identities the longer time that you've been cultivating them the more real ville same also encrypt everything where where possible you know use off the record for chatting PGP I know it's not user friendly but it is definitely useful there are lots of

other email services like to TIA based in Germany there's protonmail based in Sweden where everything is encrypted as you're using it both between you and the receiver because remember email was not built to send sensitive information it's just plain text flying through the air all right so what do you do if you've actually been doxed well you want to if you feel like you're in personal danger at that moment because you've been dog stand received a threat or something like that of course call the cops but one of the first things you want to do in either case is file a police report and why you want to do that is because it'll lead it'll lend legitimacy

to all of your future actions or or impacts that might occur from your daxing and you'll have a case history you want to fully document what's been doxed where it was dog who did it you know where you think they got the information take screenshots and back that up with printouts that'll be useful in any investigations that have to happen in the future also clean up any sensitive information that you found out there you know close down accounts that they use to get information about you things like that go through reset all your passwords that's turn on two-factor authentication because they will try to get back into a lot of accounts think about doing a

credit watch or ID theft watch service where they'll watch your watch for your information being used for financial or other identity theft purposes if there is evidence of ID theft or blackmail attempts the FBI takes those things very seriously and if you've already got a police record you know in the system for the daxing happening and then contact the FBI they can coordinate with the local police for finding out who did it and what happened and things like that also especially if you live in a smaller a smaller area you want to talk to your local police about swatting concerns that you might have and let them know that hey I've been doxed this is

typically something that can lead to a swatting attempt so I want to give you a heads up that please vet with me you know before you send in the SWAT guys and again as I mentioned earlier Brian Krebs had this very effectively worked out with his local police and they were able to even though he got multiple swatting attempts they only actually went in to his house once in the future they called him and he said no this is bogus and they were able to resolve it that way another thing that you can do is the FCC there their website as well as the FTC have a little walkthroughs for if you think there's identity theft going on or if your

information is being used without your knowledge and they can be really useful for who to contact in your local area to get that resolved so I'm always looking for more information about where this information can be leaked from and ways to protect against it so if you guys have any of those that I didn't cover or other things like somebody mentioned to me last talk there's a whole genre of that bounty hunters use and that repo men used called skip tracing and I started looking into that that was really useful so if you can think of anything like that please hit me up and I'm ready for questions yes you can see the potential the potential for abuse

and a lot of this but help prevalent would you say this is in a general so the it used to be very very I would say starting around five six years ago it was mostly in the gamer communities and now it's moving into security professionals into businesses business owners like the VPS of hulla the VPN service are right now being doxed and actively swatted because of the stance that they took against a Chan one of the online image boards so it's becoming more and more if you do something that one of these kids doesn't like then you you'll become a target if you you know say something that they take offense to or that they see is being like during

gamergate there was a lot of editors and and staff writers and things like that that just you know they just said hey this is what gamergate is and you know folks took offense to the way they worded something-or-other so now these editors and writers are being targeted as well so I mean it could be any occupation one of the slides you showed earlier was some people seemingly playing telephone or passing the secret and that looked like some something that was marketed directly to try to reach a different market than maybe what you're just speaking to you know repo men and and you know whatever private investigators are these companies actively targeting the general population and do you think that they

have a large share of business coming from them right now are you talking about the data clearinghouses yeah yeah so they're sucking up information on everyone that they possibly can so I would suggest like going to people or entellus or CQ one of those and just looking up your information even for the free the free accounts where you don't have to sign up for anything it's it's really scary the the stuff that you can find especially if your name is rad unique and it literally is everybody they're not targeting some specific demographic follow-up to that would be if you're interacting with a business that's basically selling you someone else's information is there any concern of you know giving them financial

information of yours - Oh certainly I mean people I guess maybe you're just not that's why doctors use somebody else's credit card information I mean they don't pay for anything themselves they're all little Carter's as well there's also if you wanted to buy your own information to see what's out there a lot of you can talk to your bank but a lot of banks will give you one time use card numbers that you can say this is the limit of the card it expires in two months and it generates a new number for you to use so that's one thing you can do all right well thank you guys very much