

Cunningham's Law (named after the inventor of wiki software) states that the most effective means to convince someone to give up information is to confidently post false information. This principle is based on the human reflex of wanting to share, which is itself a noble thing but can be exploited by people who want your information.

In OPSEC circles, it was common knowledge that foreign adversaries found it much more effective to convince people to volunteer their data rather than try to steal it. For example, send highly attractive agents to woo the scientists and engineers at NASA and suddenly Russia has a space shuttle that looks remarkably similar to the NASA one.
But it's not even necessary to entice people with tantalizing beauties; most people will volunteer sensitive information on demand simply because they were asked.
Elicitation for profit
In the brief and tumultuous period where I sold overpriced cookware for a direct-sales company, I worked the Oregon State Fair with my team boss. We had a drawing for some free cookware – all they had to do was fill out a little slip with their name and phone number… and their address. And their average yearly income. And a few other details about their family and life situation that made me uncomfortable.
I said in disbelief, "people will actually answer all this!?" to which the boss replied, "they will because we asked" (and a disturbing number of them did).

How many posts have you seen online that show a list of photos or characters and then say "your birth month is X" or "your birth day is Y"? Or the cleverly-worded discussion-starters that involve both your birth day and birth month?
Do you give it a second thought before participating or do you jump in assuming no one who sees it might be interested in the data you're giving away?
Time to hunt!
I'm not saying these posts are nefarious attempts to harvest data, but if I really did want to ruin someone who ticked me off on Reddit, it's not hard to see which communities they post in and plant a few similar posts to see if they respond. I could target birthdays, general location of your home, schools, friend names…
It's surprisingly simple sometimes to trick people out of their data, and if you're still not buying it, here's an example where I tricked someone into handing me their IP address.
I'm not sure why, but all hell breaks loose when I travel for work. On this occasion, I had settled into the hotel before the conference when my wife called.
Apparently, a good friend of hers was being cyber bullied by someone with an ax to grind. The friend, "Becky" let's say, had a Facebook page for her side hustle, but the aggressor ("Aggy" for convenience) expended immense effort to plaster the page and posts with lies about her character and bogus service reviews, basically doing everything she could to take Becky down.
I say "she" because Becky was near certain this was the work of the woman her ex-husband had married, but she couldn't prove anything and Facebook wouldn't cooperate by providing account information. Having only comments to go on, there was little she could do, but my wife had a suspicion I might have an idea and she was right.

No, I didn't hack Facebook. I didn't need to. I used the tried and true principles of "Social Engineering" (proven effective by the world's first hacker to reach the FBI most wanted list, Kevin Mitnick).
If we couldn't get her IP address (to give to the police) from Facebook, all we needed to do was lure her somewhere else. Like this website for example!
Every person who leaves a comment has their IP recorded automatically by WordPress – this is no secret, though most people aren't aware. And leveraging that general unawareness, I set the trap.
Step 1: I wrote a private article about how I was thinking of working with Becky Industries(tm), but I was worried about whether they were trustworthy and a good risk. I asked anyone who was aware of them to leave comments to let me know.
Step 2: I instructed Becky to bait the lure by posting on her Facebook. The post would talk about how she really wanted to form a partnership with The Geek Professor and how that would really turn things around if everyone reading could just go to the page and leave some good comments (along with a link to my private access-by-link-only post).
Less than 20 minutes later, a comment was dropped using the same wording and the same character as everything from the Facebook posts, only this time on a page where I had access to the IP. I gave it to Becky and she handed it to the police.
We love to share

I stumbled on a Reddit post where the question was "What's your favorite character who has the same name as you." Two things immediately came to mind.
The first was how my dad took me to see The Secret of NIMH when I was a kid. And when the crow came on screen and introduced himself, I stood up and yelled across the theater, "HEY! That's MY name!" My dad tried to shush me as an amused audience tittered at the outburst, but I was insistent. "But Dad, that's my name!"
The second was the reason I declined to participate in the discussion and tell the charming story of my youth: every person that responds loses the anonymity of their username and self-identifies with their real name.
As much fun as it might be to answer these kinds of questions or share delightful stories, think twice when doing so means giving up information. You might think "What's the harm? It's just a little bit of detail; it's not like they have any more" but don't be complacent. Let me teach you about Aggregation Risk.