I’m no George Washington, but for about the past two years, I’ve had my own little online nemesis who’s delighted in provoking and stalking me while hiding behind a veil of pseudonymity. He’s gone so far as to post satellite images of my house on web forums, offered my home address to anyone who requested it, and gleefully posted about invading my privacy. I was annoyed more by his mocking and provocative attitude than by the information he offered. After all, everything he found was publicly available.

I’m not afraid to share my identity on the Internet for a few reasons. First, I believe that the best way to protect your identity is to assert it. Second, obscurity is not security. There’s no point in feeling a sense of comfort from hiding your identity with the assumption that it’s impossible for anyone to find out the secret of your true identity. Google follows you everywhere. Even if you’re very careful, you’re bound to leave clues.

That’s how I discovered that my tormenter, a person who posts online under the alias Buick Riviera, was actually a 58 year-old husband, father, grandfather, senior partner in a law firm, chairman of a Civil Service Commission,and member of his county’s Board of Health. His name is Ricky Jay Helmuth of Orrville, OH.

We met on the Las Vegas Advisor forums. Rick Helmuth had been there for a while as Buick Riviera, and already had a reputation for stirring up some heated discussions. His political views lean strongly to the left and he doesn’t hide his hatred for George W. Bush at all. I think of myself as a moderate Republican, so we clashed on political issues. Helmuth likes Downtown Las Vegas instead of the Strip or other areas. I actually visited downtown for the first time based upon recommendations from folks on the forum. Unfortunately, I found next to nothing charming about it. The place stunk of smoke and urine, and that was inside the casinos there. The folks who visit Downtown just aren’t on the same wavelength as I am. It seems that Helmuth also took this as a personal insult.

Due to our disagreements, Rick Helmuth decided to start off with insults. He called me “lowbeem”, “beemshit”, “beemslime”, and probably others that I’ve since forgotten. I have to admit, he pissed me off and I most certainly said some unkind things in response. I’ve never had anyone speak to me in person the way Rick Helmuth did online behind his persona, Buick Riviera. It bugged me.

Should someone ever insult me in person, I’d look them straight in the eye and confront them. That’s not possible online with a person hiding behind a pseudonym. The fact that I couldn’t reach a person who was blatantly mocking me had a tremendous impact, and I just got more upset. That played right into Helmuth’s joy and he continued to do everything he could to push my buttons. For example, when he learned that I hated tattoos, he posted photos of some (I thought) really gross examples of body art. I was more upset by the notion of being mocked by a coward than the actual content he used.

However, that wasn’t enough for Helmuth. He decided to escalate things by invading my privacy. He looked up my home address and offered it to anyone who wanted it, kicking things off with this post on the Las Vegas Advisor:

Last night I found out how unsafe the internet can be. After a little exchange with lowbeem (you’ll have to read the last page or so of the Ellis Island thread) I set out to learn the address of our Resident Pontificator to take him up on his invitation to “sue me”.

Anyhow, thanks to his big mouth and inability to use one word when 125 will do, I now know his address, what his house looks like, that his avatar is a fraud, that he does not live in a water front property, that behind his house is a dry pond (in Ohio we would call it a big mud puddle), what certifications he holds, what his training is in, the name of his former employer (he was “let go”), what technical papers he has written (he mentioned on here he is in the area of IT), how many dogs he has, I know that 7 is two of the digits of his address and the names of his neighbors. I’m pretty sure I know the name and address of his parents (but I got tired and went to bed).

If I was a thief, I’d also know when to ransack his house because he has told us all when he is going on vacation, where he will be, how far he will be from home, the dates of deparature and that he will be 442 miles from LV coming and going with his visit sandwiched in between.

Of course this all took about 30 minutes because I didn’t know what I was doing and I was unwilling to pay $20 to the various vendors out there who would do it for me.

My point is simply this. You aren’t safe, your families are not safe and your possessions aren’t safe when you decide to be an egotist on the internet. You open yourself up to the whole world, including the fruits and nuts.

What befalls lowbeem, I could care less. But for the rest of you (as they used to say on Hill Street Blues) be careful out there.

Your resident nut,
Buick

Of course, it didn’t stop there. He decided to post a satellite photo of my house with a diagonal slash through it on the site, and as part of his signature line on every post (since removed by LVA moderators). As he stated, his purpose was to violate my privacy as much as possible:

Cool site [referencing Zillow.com]. It was a lot faster than my gumshoe tactics. I got lowbeem’s house (the correct one, not the one Google Earth gives you) in 6 seconds. All you need is the address (which you can easily find) to invade his privacy and peel away the fraud.

Buick

Helmuth continued to taunt and insult for nearly two years. The only interruptions occurred when he was occasionally banned from the Las Vegas Advisor forum by its moderators. Not once, not twice, but three times. After each of his first two times being banned from the forum, Helmuth changed his attitude when allowed to return. He seemed more humble and less troublesome to me. Unfortunately, it never lasted. He received his third (and permanent) ban from Las Vegas Advisor a few weeks ago when he was once again displaying a satellite photo of my house in his signature line.

I thought it would be over by that time. Helmuth couldn’t post on that forum and I didn’t visit the other Las Vegas message boards where he was still posting. At least, that’s what I thought until I joined some friends and former members of Las Vegas Advisor on a forum at the VegasRex.com site. Once again, Helmuth started taunting folks on the forum, including myself and others, starting posts like this one:

Ohio State Kicks Michigan’s Ass Again!
by Buick Riviera on Sat Nov 17, 2007 3:25 pm
So fuck you LIR. You too Nesalk.
Wise decision Big.
Buick

..and this one:

Here’s What’s Really Cool About This Forum
by Buick Riviera on Sat Nov 17, 2007 8:15 am
You can see how ugly the beautiful people really are.
Buick

…or adding this video (which I presume he intended as a snipe against me) to an existing thread:

Re: Funny Video’s Thread
by Buick Riviera on Fri Nov 16, 2007 8:40 pm
One of our own?

http://www.youtube.com/watch?v=NEWcGHvGi1c

I finally had enough. This person I only knew as Buick Riviera simply didn’t seem to have anything better to do with his life than toss insults from behind a shield of obscurity. I was determined to put us on equal footing. He knew who I was, and I intended to find out who he was.

Over the past couple of years, Helmuth left clues that I fed into Google. His avatar was always a graphic encouraging others to adopt greyhounds. He’d mentioned that his dogs were named Jake and Abby. He stated that he lived in Northeast Ohio. He is a big supporter of Ohio State sports. He loves fishing, and even posted photographs of his gear to make fishing rods in his home. He previously mentioned that he was a senior partner in his business.

Helmuth uses a Photobucket.com account with the user name JakeGrey; something easily discovered by right-clicking on one of the photos he posted on the Las Vegas Advisor forum and examining the properties. That added another clue to my search. All of this was good enough for a start.

Using Google, I searched for “Buick Riviera” + Ohio, “Buick Riviera”+fishing, “Buick Riviera”+greyhound, and “jakegrey” in my queries. I found a few hits. For example, “jakegrey” hit on Half.com for a user selling books, which shipped from Orrville, OH. A quick check of the map confirmed that Orrville was in the right region to be “Buick’s” home, and gave me a bit more fuel for my searches.

Another hit was on a forum for OhioGameFishing.com. I got a hit on a thread about members posting pictures of their boats, and there was this entry from a user named Buick Riviera:

Not only did this poster have the same Adopt a Greyhound avatar, but the man in the photo was the same person who I’d seen in photographs posted on the Las Vegas Advisor of Buick Riviera. It was the same guy.

While I knew his face and his home town, I still didn’t know his true name. I scanned every post Helmuth made on OhioGameFishing.com as Buick Riviera until I came across a thread discussing some engine problems he had with the Evinrude engine on his 2004 Ranger 175 VS bass boat. Someone referred him to another forum – BassBoat Central – to discuss his problem. Helmuth signed up on that forum and dutifully hid his e-mail address. However, location or age. Once again, I saw the familiar greyhound avatar, his location was in Ohio, and his age of 58 matched information he previously posted on Las Vegas Advisor. He also failed to conceal his Full Name:

From here, everything clicked. My tormentor was actually Rick Helmuth of Orrville, Ohio. More quick searches revealed his full name was Ricky Jay Helmuth. He is a senior partner in the law firm of Johnson and Helmuth:

Rick Helmuth is a member of the Wayne County, OH Board of Health:

Rick Helmuth is a the Chairman of the Civil Service Commission for the City of Orrville, OH:

There’s more information, such as his e-mail address, his 1300 square foot home from an aerial point of view, and even photographs of his dogs. Now I know the same things about the man who so happily tormented me for about two years as he knows about me. All it took was some searches on Google and other public databases to bring it all out. I haven’t uncovered anything that wasn’t already provided by Helmuth. I simply used the power of search engines to correlate the information that he laid out in public.

My recommendation for Rick Helmuth is simple. Behave online as you would in person. Perhaps he thought he could taunt and tease people on the Internet behind your pseudonym and no one would ever connect it to you. If that’s the case, he was wrong. From what I’ve gathered, Helmuth behaved this way simply because he didn’t like me. It’s fine if someone doesn’t like another person. How one behaves is the issue. Mr. Helmuth’s behavior was quite simply appalling and inappropriate. You would think a 58 year-old man could find better ways to deal with his personal issues than to become an infamous scribbler.

The Payment Card Industry Data Security Standard (PCI DSS) – adopted by the major credit card brands – requires organisations to monitor outsourcing service providers and states they are liable for fines if that provider compromises their data.

Good job, guys.

No, it was a Personal Information Advisery. It seems that a Harley-Davidson employee reported a missing laptop on Monday, August 14, 2006. The laptop contained HOG member data to facilitate registration at HOG events.

The letter claims that Harley-Davidson conducted an extensive investigation, notified law enforcement, and still want to retrieve the laptop. I’m sure that’s true, though the word “extensive” means different things to different people. There are no circumstances provided regarding how the laptop disappeared, whether it was stolen or misplaced.

Harley-Davidson sent a letter to 60,000 people (including me) because the file contained either a credit card number and/or driver’s license number. I know that HOG has both pieces of information from me, since I had to provide that information for a Fly & Ride rental during a trip to Salt Lake City in April this year.

Additionally, Harley-Davidson provided me with a free one-year account with ConsumerInfo.com to provide credit monitoring. There’s a forum on the HOG members web site, and a promise to mail any pertinent information to me about the case.

This is a case where I understand why an employee had customer data on a laptop. Event registrations happen in the field without network access to a corporate database. Also, you never know who may attend an event. Harley owners frequently travel to HOG events out of their own state, so it makes sense to keep information on hand to accommodate those travelers.

However, I do not see any mention of security measures taken to protect data on the laptop. Theft or loss in the field is a reasonably high probability risk. Is the information password protected? Was the disk encrypted? I tend to doubt it, or the letter would probably try to assure me that my identity information was reasonably secure. How can a major corporation allow sensitive customer information outside of its walls without taking these reasonable precautions to protect it? These days, it’s inexcusable to let a laptop with sensitive information go without disk encryption.

I appreciate the notification and apology from Mike Keefe, Vice President and Director of Harley Owner’s Group. To Mike, I strongly recommend that you take my advice. Encrypt the hard drive on all of your remaining laptops. Customers like me depend upon your precautions.

The part that interests me is how easily the investigators collected private information. Pretexting is a means of deceiving someone with an untruth. In this case, the investigators pretended to be the people whose records they wanted to retrieve from the phone company. In short, they lied. They also broke the law.

Under federal law — the Gramm-Leach-Bliley Act — it’s illegal for anyone to:

• Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
• Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
• Ask another person to get someone else’s customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.

The Federal Trade Commission Act also generally prohibits pretexting for sensitive consumer information.

According to that third bullet, the HP management who ordered this theft of information may also be at fault under the law. I’m sure they’ll claim they never knew the investigators would use illegal means, but I wouldn’t buy that if I were sitting in a jury.

Think of the confidential information companies collect about you. They know your name and where you live. Some have your credit card data, and part or all of your Social Security Number. Stores know what you’re buying, and when you’re likely to buy a product again. Think of your medical records or credit card transactions getting into the wrong hands. Your search engine queries may reveal things that you have a right, and a wish, to keep private.

The problem with raw data is that it provides no context. The records don’t say why you purchased a banana and a jar of vaseline at the grocery store last Tuesday. If you were running for election this year, imagine the uncomfortable suggestions that an opposing political rival could make those that tidbit.

We hear about invasions of other people’s privacy almost daily, but how often do we make changes to protect ourselves? For example, do you have a GMail or Yahoo Mail account? If so, all of your searches while logged into those accounts trace back to your identity. Even if you don’t login with an account, the search engine records the IP address you use for your query. In real world encounters, how much information do you give to an unknown source when you register to win that “free” car sitting in the mall, or answer a telephone survey?

There is always someone who can use your private infomation to their benefit. Only you control how much information you give. Once that information is out of your hands, you have no control over it. We trust certain organizations – banks, insurance companies, phone companies, utilities, blood banks, schools, employers, physicians and hospitals – to keep our information safe and confidential. Some succeed. Some fail. It’s up to you to understand the privacy policies of an organization when you provide your information. There are laws to protect us, but laws won’t stop criminals.

I believe that the inherent weaknesses of organizations that are vulnerable to pretexting are exactly why we need secure credentials. When you vote or conduct some financial transactions in person, you have to show a photo identification to authorize your access. Why do we not demand authentication for more transactions to retrieve confidential data? It’s time for greater use of fully proofed and vetted identification systems to become the standard for personal and electronic interactions. It’s too easy to fake your way through an informal interrogation or compromise a password. Identity requires something you know and something you have.

Do we even look at the user license agreement anymore, even on video games? Fortunately, someone did. That’s why there’s a buzz now about EA Games license agreement for XBox Live games.

That content comes from EA’s Privacy Policy web site. For its part, Microsoft has two privacy policy sites. The first one mentions the following about Personal Information:

• When you register for certain Microsoft services, we will ask you to provide personal information.
• The information we collect may be combined with information obtained from other Microsoft services and other companies.
• We use cookies and other technologies to keep track of your interactions with our sites and services to offer a personalized experience.

The second bullet states that information may be combined with infomation obtained from other sources. What does that mean? Combining information from multiple sources does not indicate distribution, as I understand the statement. Now let’s look at the next set of bullets about Uses of User Information:

• We use the information we collect to provide the services you request. Our services may include the display of personalized content and advertising.
• We use your information to inform you of other products or services offered by Microsoft and its affiliates, and to send you relevant survey invitations related to Microsoft services.
• We do not sell, rent, or lease our customer lists to third parties. In order to help provide our services, we occasionally provide information to other companies that work on our behalf.

The third bullet states that Microsoft does not sell, rent, or lease customer lists to third parties. That would seem to indicate that they do not distrubute (although there’s no mention of freely giving away your private information). However, the second sentence in the third bullet does seem to indicate that Microsoft does distribute your private information to companies that work on Microsoft’s behalf.

Does EA Games work on behalf of Microsoft? If you buy a copy of Madden NFL ’07, does EA work for Microsoft? I doubt it. Maybe I’ll have to ask some of the guys at my gym who work for EA – they make Madden right across the street.

Of course, I mentioned that Microsoft has another privacy policy statement. This is Microsoft’s full disclosure for online privacy. I think the pertinent statement in the full disclosure is this line:

So what exception described in this statement is the one that allows Microsoft and EA Games to pass your private data around like a beach ball at an outdoor concert? Why, I think it’s this one:

EA Games and Microsoft’s XBox Live must come under the “co-branded” loophole. That means neither of them will make it obviously clear where your information is going. Once EA Games has your information how does it protect you?

In other words, “Trust us. We know what’s best for you.” Who knows where your information will end up? Congratulations to the co-branded offerings from Microsoft and EA Games. You’ve developed identity transivity. If only your customers knew.
SlashDot article

An article in the New York Times mentions two databases. The first, the Advance Passenger Information System contains basic passenger information commonly found in a passport, like name, nationality and date of birth. The second database, Passenger Name Record, comes from global travel reservation companies.

The reasoning behind it is the same – counter-terrorism. While I applaud the mental wizardry of those who would like to prevent future attacks from compelled idiots bearing explosives, I fear the feeble security of those already assigned to protect us at the airports. If someone can lose a laptop full of personal data in one government agency, how long will it be until another loses this database?

The BBC reports that bank details on thousands of Britons were sold in West Africa for less than £20 each. How did they get the information? It was left on used PC’s sent for recycling.

Some of us know that merely deleting files is insufficient. You can find free programs on the Internet to undelete files. That’s because deleted files aren’t removed from the disk. Instead, deleting a file merely removes an entry in the disk’s catalog claiming the space necessary to store it. When you delete a file and remove the catalog entry, another file may, or may not, overwrite the previous one.
The old suggestion was to wipe the disk clean – essentially, overwrite existing files with a series of 0′s and 1′s to ensure the old information is gone. However, there’s a new suggestion in the data protection game. Smash the hard drive with a hammer.

That’s right, just beat the snot out of it. Make sure you crash the case and damage the platters containing the data. Hard drives are now one of the cheapest components on a personal computer. If you’re sending a PC off to get recycled, chances are good that your old drive is too slow and too small for modern needs. Let the next guy buy his own hard drive. Your identity data and bank records may prove too valuable to risk on some unknown recipient of your old trash.

The entire concept of security by obscurity is that people can’t break through your security if they don’t know where to look, or it’s not worth their time to look for something. That’s a false sense of security because there is always someone with the time, desire, and means to locate something you value – including your identity.

I found three articles online today dealing with this concept.

First, Pamela Dingle wrote this article on her blog about how modern Internet tools make it not only easy, but likely, to correlate disparate data about a person’s online habits.

As if to prove her point, Wired News posted this article today about pulling articles from an author who faked sources. The source existed, but told fact checkers he never spoke to the author. Upon investigation, Wired News learned that the author faked identities for use as a source and as a supporter on a Usenet group. Unfortunately, he wasn’t smart enough to use different IP addresses. A senior editor at Wired correlated all these disparate sources to the same IP used by the author and came to the obvious conclusion.

If that wasn’t enough of a coincidence, I found this on ZD’s Digital Identity blog:

Eric Norlin makes the point that our identity exists in multiple states. You have a choice with regard to the way you present yourself, either online or in person. If we cross paths on a sidewalk, what is the state of our identity? It’s no longer anonymous. Now I know you exist and I can identity certain attributes about you (approximate height, weight, age, hair color, gender, etc.). Perhaps I don’t know your name, but you are no longer anonymous to me. Unless I have some interest in you based upon these attributes, I may not give you another thought.

However, what if I do have an interest? Suppose I meet an attractive girl at a social situation. What’s the first thing I’m going to do? Say hello and ask for her name. Depending upon her interest (or lack thereof), she may respond with her name, a pseudonym, or decline the conversation entirely. Now I have more information about this person and her identity.

People online leave a trail of attributes all over the place; some willingly and some without even knowing it. The person who collects and correlates your attributes may discover your identity without even knowing he’s looking for you. Call it data mining or data sifting, the intention is to take massive amounts of attributes and correlate common elements – like an IP address – until you find enough information to identify an individual.

Hiding your identity is a fool’s option. Personally, I believe the best way to protect your identity is to assert it. Think of your identity like a car. Some of the most stolen vehicles are also the most common. They look alike and don’t stand out. Fitting in with the crowd is a type of security by obscurity, or hiding in plain site. On the other hand, exotic cars are much more difficult for thieves. These high profile machines are instantly recognized and there’s a limited market. Asserting your identity serves the same purpose. If people know who you are, then your identity is more difficult for an impostor to use.

This is why we need an identity infrastructure in common use. Digital certificates for signature and encryption are a reality, but few people use them to assert their identity. Few business web sites recognize and accept an individual’s certificate to authenticate and authorize their access, despite the fact that it’s in best interest of both sides. It’s time for that to change.

The auditor didn’t take the simple security precaution of encrypting the data or his hard drive.

Even if you only have one transaction with a vendor, they keep your name, address, and credit card number for years. Is that ethical? What use does a vendor have to keep my credit card information if I don’t authorize another transaction?

The sad truth is that you do not own your identity. The attributes that identify you are there for other people to use. What’s the value of your own name? Most people don’t speak in the third person, they refer to “myself” or some other personal pronoun. Your name belongs to everyone but you. It seems that your credit card number belongs to everyone else, too.