Devil's Advocate: Buying secrets on eBay

It's easier than you might think...
Written by Martin Brampton, Contributor

With personal information stored on computer hard drives so easy to access, it seems our security procedures aren't keeping up with technology, says Martin Brampton.

You can buy almost anything on eBay, including computers. And it seems when you buy a computer on eBay there is a better than evens chance of getting some confidential data thrown in. This information comes from the University of Glamorgan, which bought 100 computers from the online auctioneer just to see what was to be found.

One system would have been ideal for anyone wanting to sell bogus university degrees. It came complete with a document template for creating degree certificates. Presumably it was wasted on the University of Glamorgan, which is in the legitimate degree business. Another included school reports; I wonder if they contained any classic comments?

At least seven out of the 100 computers provided enough information for a hacker to bypass security completely and gain access to the former owner's systems. It makes rather a mockery of expensive firewalls and intruder detection systems when the keys to the network are simply handed over to anyone who happens to pick up a bargain PC.

In the days of the Cold War, I used to draw comfort from people's apparent inability to keep secrets. It always seemed that both sides had spies everywhere and that each was therefore fully informed of what was happening. Both sides also had vast batteries of nuclear weapons aimed at each other, with at least a few pointed this way. My feeling was that if either side was kept in the dark, the risk of them all going bang was much greater, so a bit of spying was rather a good thing.

My faith in spies keeping the information flowing has taken rather a battering lately. Maybe it was easier to understand the situation in the rigidities of the Cold War. Recently one has been given the impression that the intelligence services are rather less informed than the average broadsheet reader and rather more gullible. Perhaps they are not buying enough computers on eBay.

The hope that I expressed in last week's column, that we retain at least a degree of privacy online, may be doomed by the huge increase in the data that is stored about every aspect of human life. People have always been careless and nowadays transport operators sweep up more mobile phones than umbrellas and even a fair sprinkling of laptops. One of the favourite applications for a PDA is storing passwords, often unencrypted. These devices go missing too.

With more data stored, the chances of it getting out of its supposedly private world must be greatly increased. The average personal computer now has enough storage capacity to hold several large databases. The University of Glamorgan's foray on to eBay strongly suggests our procedures are not keeping up with these new challenges.

It is several years now since convicted hacker Kevin Poulsen advised the world that if he wanted to penetrate a company, he would take a job there as a janitor. Clearly, when it comes to mundane work like disposing of obsolete computer equipment, few people worry about what menial staff might do with any remaining data.

If you do buy a computer that gives you entry details into a large company, it seems you could go the whole hog and assume the company's identity. Apparently, all you have to do is to get hold of form 287 to change the company's registered address to your own choice. The form is easily downloaded from the Companies House website and generally there is no check on its validity. More secure filing methods are available but few companies are yet using them. Not, of course, that I imagine you would do such a thing.