I hope you don’t mind my sharing our discussion with my blog readership,
because we are covering security issues that affect most people. I think
you hit upon an important point, perhaps by accident. Yes, you could turn
catching thieves into a hobby. The same goes for trying to make your life
as secure as possible. That could even become an obsession. My counterpoint
is that, as Steve Gibson acknowledges, each person needs to choose a level
of security that they are comfortable with. The trick, as always, is to have
awareness of the risks involved. It is true that most people aren’t equipped
to handle that task, but some of us are. 🙂
With my current arrangement with Dell, I’m comfortable with the information
revealed in my blog. If anything, anyone foolish enough to attempt
exploiting that info would quickly come to understand why.
Again, it is great to know my blog is being read.
From: Troy W [mailto:firstname.lastname@example.org]
Sent: Friday, January 20, 2006 11:06 PM
Subject: RE: Mr. Royall , Your Dell Service Blog is leaking vital info
Sorry if I came across as rude, or presumptive of your relationship with
Dell. It was never my intention to be the harborer of bad-news. I’d like to
think I’m the "going-out-of-my-way-good-Samaritan"
You do seem like the type of person that has the time and wherewithal necessary
to press charges, and fight identity theft… Hell, I dunno maybe you need
a new hobby?!? 😀 Who wouldn’t enjoy putting a few thieves behind bars?
But… wouldn’t it be much simpler to avoid it rather than "put on your
gloves" and encourage all-comers?
You seem to be fully confident of the security of your posting. However, I
will have to disagree with you, and there’s no point in me harassing you to
be safer. You seem to take pride in holding your ground, wherever it is. I
would suggest asking Nancy about the "privacy" of ID tags, and what
information is safe to disclose in a public domain.
And as much as I would love to argue politics, I’ll have to decline. You
would obviously beat me with experience. Your privacy is not safe from the
government, but it should be from your neighbor.
Thanks for your time, and sorry again for the intrusion.
– Troy W
>From: "Scott Royall" <email@example.com>
>To: "’Troy W’" <firstname.lastname@example.org>
>Subject: RE: Mr. Royall , Your Dell Service Blog is leaking vital info
>Date: Fri, 20 Jan 2006 22:20:29 -0600
>It would be so maybe if Nancy was a mere account rep. She’s in Executive
>Services and has my email address tattooed on her brain.
>Anyway, the right to privacy is nowhere near the US Constitution. It is a
>myth based on something that died sometime in the second half of last
>century. What I mean is that I am not going to run and hide. My physical
>address is a matter of public record. After all, I am a registered voter,
>and service tags aren’t private anyway. Thus, while I will not put things
>like banking information on public forums and I use WPA TKIP with a
>63-character random key, but that’s as far as I go. If someone wants to try
>me, I’m just the type to press federal wire fraud charges.
>From: Troy W [mailto:email@example.com]
>Sent: Friday, January 20, 2006 8:21 PM
>Subject: RE: Mr. Royall , Your Dell Service Blog is leaking vital info
>It’s not my intention to needlessly scare you. I am only trying to help
>protect your information. I do think it would be wise to remove your full
>name address, plus service tag. The service tag should be a private
>You may not directly see how a crook could abuse this information, but I
>have heard of unscrupulous methods used before when ordering Dell products.
>While it may be more difficult for a crook to order a completely new
>they could easily order additions or replacement parts, and then charge it
>to your account. Dell service reps are "encouraged" to charge to a Dell
>A service rep is what ties your service tag to your Dell Preferred Account.
>Once a crook has correctly verified himself as you, there is nothing
>stopping him from making up a story about how you(he) is on vacation, and
>needs the new part shipped to Crooktown, USA. "Go ahead, and charge it to
>my DPA!" I don’t believe the service reps will ask for any more
>identification (I could be wrong), or your DPA password. Voilà! Mr.
>has a new monitor, ram, whatever the fancy.
>While you do have a secret weapon with Nancy. I doubt that the service
>in India, will contact Nancy, if they believe that you have authorized the
>purchase. They would be happy to make the sale themselves.
>I’m telling you that no alarms will be "tripped," if someone correctly
>identifies themself as you, and makes a purchase.
>Just a silent charge to your account. Do not give your info to the crooks
>on a silver-platter. You might find that there are plenty of people out
>there who feel they are "lucky" enough to pull it off. In fact, I’m fairly
>positive this can be done with ease.
>Your frustration with Dell service support is an issue that can be shared
>by many. I’m glad your patience and virtuosity made some head-way with the
>sometimes dense service reps at the world’s largest computer manufacturer.
>Can you imagine the amount of frustration involved with un-authorized
>orders? Hopefully I have brought a valid concern to your attention.
>You had to push Dell in order to get them to budge an inch on their repair
>stance. Their goal is to make profit, not to assist those in need. Dell
>would rather make a sale, than protect your account. And while I’m glad
>you find this email interesting enough to post in your Blog, I must advise
>you not to post this on your Blog, since I have outlined exactly how one
>could abuse your info!
>Please consider what I’ve said! Keep your info private!
>Wishing the best!
> >From: "Scott Royall" <firstname.lastname@example.org>
> >To: "’Troy W’" <email@example.com>
> >CC: <Nancy_R_Dorr@Dell.com>
> >Subject: RE: Mr. Royall , Your Dell Service Blog is leaking vital info
> >Date: Fri, 20 Jan 2006 17:56:21 -0600
> >Your email is quite interesting, if a tad mis-informed. Service tags are
> >user identification. Yes, they do identify Dell computers, and there is a
> >way to tie them to a Preferred Account. But then what? Even if a cracker
> >brute-forced the password, about all he could do is view my balance due.
> >quite happy to let such a clown pay it. The website doesn’t have any
> >info. So all a cracker could really do is try to order something, and
> >would trip all sorts of alarms. (Like, "go ahead, punk. Do you feel
> >Besides, Dell recently gave me a not-so-secret weapon named Nancy. That
> >isn’t in the blog yet, but she’s essentially my de facto account rep. Any
> >would-be thief would need to spoof her, and that challenge gets stiffer
> >daily as she becomes accustomed to my eclectic thinking. <EVIL CHACKLE>
> >Speaking of the blog, it’s great to know someone reads it. May I post
> >-----Original Message-----
> >From: Troy W [mailto:firstname.lastname@example.org]
> >Sent: Friday, January 20, 2006 1:18 PM
> >To: email@example.com
> >Subject: Mr. Royall , Your Dell Service Blog is leaking vital info
> >Hello Scott,
> >I just wanted to inform you that your MSN MySpace Blog is leaking
> >Dell service information that could be used by individuals to order on
> >account. I often do business with Dell, so I understand your frustration
> >with the recent "lack" of customer service. I am also a computer science
> >major. I viewed the following page
> >The information provided in your Blog can be accessed by anyone searching
> >the internet. A common search phrase being "Service Tag" Your
> >of service tag, and ID information can be used by individuals to purchase
> >your account. You have provided your service tag, full name and address,
> >phone number, it’s almost like your password. This is the same
> >Dell uses to verify your identity. I don’t know if you have a Dell
> >Preferred Account, but someone may be able to place orders on your
> >with this public information.
> >I highly recommend that you contact Dell and review your transactions for
> >any un-authorized purchase. (Although, I would definitely understand
> >not wanting to wait on customer support anymore than you already have)
> > >.<
> >Hope I brought this to your awareness soon enough! Feel free to reply,
> >you have any questions. Good Luck. Stay Safe!
> >- Troy