by uptown 5710 days ago
Okay, let's connect some dots about you.

Your name is Gary LosHuertos

You look like this: http://yfrog.com/0irajuj

Gender: Male

Astrological Sign: Scorpio

Industry: Consulting

Occupation: Software Engineer

Location: New York : NY : United States

You have a blog hosted on BlogSpot from which this article came.

You send tweets from @gloshuertos where you promoted this story.

Your Twitter account lists a latitude/longitude address of 27.109827,-82.308136 which is in Venice, Florida. One of your oldest tweets mentions that you're on your way to Gainesville, Florida.

https://twitter.com/#!/gloshuertos/status/1267758656

Only one Gary LosHuertos comes up on LinkedIn, but this person used to work in Gainesville, Florida, so it's reasonable to assume this person may be you.

http://www.linkedin.com/pub/gary-loshuertos/11/68/aa0

The interesting thing about that LinkedIn profile is that it lists your current employer as Amazon.com. From your blog post, you mentioned the following:

"This was somewhat puzzling. Did they receive the first message? I logged into their accounts, and surely enough, they had. One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices."

So what you're telling us is that you used a user account of a customer of your current employer to log in as that person, spy on their purchases, then logged into their Facebook account and sent them messages about their customer information?

You're entering into a world of hurt if Amazon catches wind of this.


Wait a second.

You're saying I shouldn't bash my employer on a public blog and then submit it to another public website?

OMG

Really you didn't dig deep enough. Googling my name pulls up an email with my current employer in it. I don't work for Amazon anymore.

It's reassuring to know that you wait until you're employed by somebody else before violating your previous employer's privacy policies.
Amazon is violating its own privacy policy by allowing users to interact with its site insecurely.

Two wrongs do not make a right, but when you can implement a technical measure to protect your users from rogue ex-employees, you should do it. A legal contract does not prevent data loss; it merely allows you to punish the person who stole the data. SSL prevents the data loss in the first place.
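
The technical measure the comment above refers to is the one that would have stopped Firesheep-style sidejacking: serve the site over SSL and mark the session cookie Secure so the browser never puts it on the wire in the clear. The following is an added example, not code from the thread or from Amazon; it models, in simplified form, the rule a browser applies when deciding whether to attach a cookie to a request, and runs the same session cookie issued the weak way and the hardened way through it. The hostname, cookie value and paths are constructed for illustration.

```python
"""Session-cookie sidejacking: which cookies go out in the clear?

A cookie carrying the Secure attribute is only attached to https:// requests.
A session cookie without it rides along on every plain http:// request to the
site (an image, a link click), where anyone on the same open Wi-Fi can read it
with a packet sniffer and replay it. Simplified RFC 6265 model; Path, Expires
and SameSite are ignored. Hostnames and values below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value: name=value plus Domain/Secure/HttpOnly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    kwargs = {"name": name.strip(), "value": value.strip(),
              "domain": request_host.lower()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            kwargs["secure"] = True
        elif key == "httponly":
            kwargs["http_only"] = True  # blocks script access, NOT sniffing
        elif key == "domain":
            kwargs["domain"] = val.strip().lstrip(".").lower()
    return Cookie(**kwargs)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Host matches the cookie domain exactly or as a subdomain of it."""
    host = request_host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent(jar, url: str) -> list:
    """Cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    over_tls = parts.scheme == "https"
    return [c for c in jar
            if domain_matches(parts.hostname, c.domain)
            and (over_tls or not c.secure)]


def leaked_over_plaintext(jar, url: str) -> list:
    """Names of cookies a passive sniffer on the path would see for `url`."""
    if urlsplit(url).scheme == "https":
        return []  # sent, but inside the TLS tunnel
    return [c.name for c in cookies_sent(jar, url)]


# Constructed sample: the same session cookie issued two ways.
HOST = "shop.example.com"  # hypothetical host
WEAK_JAR = [parse_set_cookie("session-id=abc123; HttpOnly", HOST)]
HARDENED_JAR = [parse_set_cookie("session-id=abc123; Secure; HttpOnly", HOST)]

if __name__ == "__main__":
    for label, jar in (("weak", WEAK_JAR), ("hardened", HARDENED_JAR)):
        for url in (f"http://{HOST}/orders", f"https://{HOST}/orders"):
            print(f"{label:9} {url:35} sniffable: {leaked_over_plaintext(jar, url)}")
```

With the weak cookie, any http:// hit on the site leaks `session-id`; with the Secure flag the browser simply withholds it on plaintext requests, so the site must also redirect http:// to https:// or the user's session will appear broken. Note that HttpOnly is no help here: it stops JavaScript reading the cookie, not a sniffer on the network.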

What? Unless he is still bound by some Amazon NDA or something, what difference does it make if he violates the policies of someone he no longer works for?
I don't agree with killing the messenger here. His activity is in a decidedly gray area, but I think the results and discussion are valuable.
This is valuable discussion but not to the HN audience as we already get it. There are some tough laws that can be applied to his behavior. I don't know what the odds are of getting caught up in a criminal prosecution, but you don't want to spend the next 10 years of your life dealing with the fallout of a blog post.
It is certainly interesting news to me that 5 out of 5 random users won't change their habits, even after someone provably breaks into their account and tells them how to avoid it in the future.
The article isn't clear, but it sounds like the author used Firesheep the second time to see if the users changed their habits.

Most people already know that if someone gets hold of their account, and they already have access to it, to change the password. For this particular situation, they don't know about the whole SSL thing. It took me nearly 20 minutes to explain what a session was to my very non-technical girlfriend 2 days ago. Most people are very unsure of following directions from an untrusted source on the internet, even if they are very trusting of strangers on the internet. Most users are aware of phishing scams as a general strategy. There is a good possibility they changed their passwords, since that is what they already know, but that particular solution doesn't work all that well for this scenario.

I'd like to think that the point of your investigation isn't so much that Amazon will be pissed, but, "Look at how much we were able to find out about a random guy through just his username and blog post"

I think most users have already accepted that information previously considered private is now available to most of the world. The step from anonymity to the information posted above is a hell of a lot more scary than from the information posted above to someone knowing your current location.

I know that the point of the article was that the author was able to log into random users' accounts, but the scary part was supposed to be that the author knew exactly who and where they are. But when they give away information like the above on a regular basis, I honestly think users couldn't care less.

Hey...I'm in Venice! I run out in that area on trails in Myakka every day. I certainly hope you don't assume all of us Venetians to be as abusive about privacy as Señor LosHuertos.