Matt's Life Bytes
Matthew Sullivan's Thoughts on Security & Tech



ID Theft, Porn, and Profit: My 2:00am Dumpster Dive

So… last night I was taking out my trash.

Part 1: The Find

As I hurled the bag towards the dumpster, my 6’2″ stature allowed me to catch a glimpse of some electronic devices.  Never one to pass up a good offering, I climbed up the side and leaned in to view my catch.

Discarded technology and some soft-core porn. There’s bound to be an old broken sofa in here to go with that…

Sure enough, along the piles of trash bags was an old HP desktop, some accessories, and (as you can see from the picture) someone’s collection of Playboy magazines.  Underneath the Playboys was a rather nice collection of college textbooks, still in pretty good shape.  Worth trying to re-sell at the ISU bookstore?  You bet.


It was very apparent that whoever had dumped the computer was also responsible for the simultaneous dumping of the other items; they were pretty much the only things not in trash bags in the entire dumpster, with exception of a mattress that smelled like it was once a surgical experimentation table.

I read them for the articles.

I grabbed the books and desktop, and assessed my new collection.


Side thought to the person who threw this stuff out: nothing attracts women like a man who studies public policy, is sensitive to economic conditions, and keeps a fairly impressive stash of Playboy magazines in his dorm.

Not that I care if you believe me, but I tossed the Playboys back in and promptly washed my hands.  Because really… who is going to keep someone’s used Playboy magazines?  Exactly.  Besides, I don’t think the girlfriend would have approved.

Drive extraction in progress.

I pulled the hard drive and a PCI graphics card; the latter of which I often need, yet never seem to have.


The hard drive was quite chilly (it was about 40°F outside), so I let it warm up a little and worked on slightly more pressing matters (like studying for final exams).

I’m told this is how Gateway support used to do it as well.

Because of my unequivocal laziness I simply stuck the drive in my coffee mug rather than actually installing it properly.  You might attribute this carelessness to the fact that the drive wasn’t mine, so I had nothing to lose if it should fall.  I hate to admit to you that I do this with my expensive drives on occasion too, though.


Once powered on, the hard drive began spilling its secrets.  Within minutes I had gleaned enough information to steal two identities and ruin the owner’s reputation.  I’m not interested in doing either here though, so I’ve censored my findings, shown below.

Part 2: The Results

Driver’s License

Cory, this PC’s previous owner, had scanned his Iowa Driver’s License and saved it to his My Documents folder.  Big, big no-no.  Keep information like this off your electronic devices.  Even though the License itself isn’t the jackpot for an identity thief, the information gleaned would be invaluable for a social engineering attack.


Loan Application

Jackpot; this is what an identity thief is looking for.  Loan application, scanned in with social security numbers, addresses, and full names of two individuals, the owner of the computer and a family member.  It’s always best to never store electronic documents with sensitive information on them in the first place, but if you have to, be sure you properly remove them before discarding the computer.  How does one properly remove them?  We’ll cover that in just a bit.


The “Remember password” feature on Chrome, Internet Explorer, and Firefox are a hacker’s best friend.  With freely available utilities, these passwords can be stolen almost instantly.  Our target, Cory, only has Internet Explorer installed, so I ran Nirsoft’s IE Pass View utility to recover the passwords stored with his account.

Nirsoft’s IE Pass View in action.

One result came back.  It seems that Cory has a membership to an “Ultimate BBW” site.  I, being completely naive, figured that BBW stood for something sports-related (I have no understanding of anything in the sports world), so I browsed to the website.  Well… I assure you that “BBW” has nothing to do with sports.


It was sort of like this… only not nearly as cute.

Apparently “BBW” stands for “Big Beautiful Women”, and this website caters to individuals who have a sexual fetish for very, very large women.  Of course I didn’t happen to know this beforehand, so now “what has been seen cannot be unseen”, as they say.


But anyway, do yourself a favor and don’t type that into your address bar.  I cannot be held liable for if you are emotionally damaged by the material contained within.

Now back on topic: Cory (or someone using his computer) has a thing for the larger ladies, it seems.  And to him I say, “To each, their own”, but often times people aren’t so lucky.

The bear says so.

Time and time again, we’ve seen hackers or dumpster divers recover potentially embarrassing information, only to turn around and use it as blackmail against the individual.  This is especially true of “sexted” pictures, when the sender or receiver isn’t careful about how those items are stored.  So remember kids, wipe your sensitive data from your drives before disposing of them (or even lending them to others).


Part 3: The Wrap-Up

Gangster’s Paradise.

Remember how I found those books along with the computer?  The next day I took them to the university’s book store, hoping that I’d get a few dollars out of them.  To my delight, the pile had a total value of $57.  On top of that, I won a candy bar!
Day == Made.


The money went to a nice dinner at our local pizza place, and it was delightful.

Additionally, if I were a real identity thief, I would have done pretty well with minimal effort.  I had obtained:

  • The social security numbers, full names, addresses, and phone numbers of two individuals
  • The driver’s license number of the owner, Cory
  • Potentially embarrassing personal data for blackmailing purposes
  • $57 from re-sold books

I’m not going to count the Playboy magazines or the membership information for the porn website, but perhaps for a small subset of thieves this accomplishment would be note worthy.  Personally, I don’t wish to have either.

Alright, from here on we’re getting helpful and preachy.  Don’t mind my tangents.

Part 4: Destroying Your Data

To ensure your data is destroyed, I encourage you to seek help from someone who is tech-savvy if you don’t feel comfortable doing these things yourself.

Here’s the deal: when you tell your computer to delete something, it doesn’t actually remove that file.  Instead, it just tells the drive that if needed, that space can be utilized later by a new file.  This is a simplification of a complex process, but we’re just on the basics right now.  So, even if you delete “super_secret_nude_picture_of_myself.jpg” from your computer, it takes all of two seconds for someone with the right know-how to get it back.

So how do we solve that issue?  Well instead of just deleting the file, you can use special programs that actually write random data to where the file used to be located on the memory, effectively rendering the file’s recovery impossible.  Had Cory done this to his desktop, I would not have ever known about his social security number or sexual fetishes.  Sounds like a good idea now, doesn’t it?


One great utility for destroying your data is Kill Disk, a free CD-bootable software package that can completely erase your drive’s contents.  Just download the software, burn to CD, and reboot.  But remember, once you’ve started the process, there’s no turning back.

But perhaps you want to destroy personal data without erasing the entire drive?  Give the free utility Eraser a try.  Eraser adds an option to your right-click menu, so all you have to do is right-click on a file or folder, and eraser will take care of the rest.  It fills the memory back up with random data and prevents prying eyes from ever recovering the information.

Part 5: Sexting

Sexting wasn’t such a big deal 10 years ago when photo clarity wasn’t a part of the camera phone’s feature set.

If you have pictures of yourself or a loved one that you’d rather not have other people see, take a moment to just delete them (securely!) right now.  The longer you hold on to them, the more likely it becomes that eyes other than yours will be viewing them as well.  It’s not worth risking your reputation, so just don’t do it.

I’m always amazed when I hear about people sending nude photos via MMS (cell phone “picture messaging”).  Have any of these people stopped to think about the sheer number of server administrators who have access to those files at the cell phone companies?  That’s right, 47 year old Ned (who isn’t really a “people person”) has probably already lifted that picture of you without underwear on and copied it to his flash drive.  Have fun sleeping with that thought tonight.

Additionally, most young-adult relationships have a shelf-life shorter than skim milk.  So once you break up in a week, what’s he/she going to do with those pictures?  I’ll put down a few hundred that the answer is not a secure deletion using proper data destruction methods.  Unless you count posting the picture on a porn website as secure deletion… but I don’t.

Part 5: If You Are A Victim

If you have reason to believe your identity or credit card information has been stolen, be sure you notify the appropriate agencies and continue to watch your credit.  The FTC has a great website for anyone who has questions about any part of the process as well.

If you are being blackmailed, just contact the police.  If you give in once, the attacker will just keep pressing harder; it’s a vicious circle.

Alright, that’s all I’ve got. Have fun, kids.

Post-Publishing Updates

I did not, at any point, log into this person’s online accounts.  All of my actions were legal, as anything you throw in a dumpster forgoes an expectation of privacy (see California v. Greenwood).  The line of illegality would have only been crossed if I had I used the information I gleaned.  I am a strong advocate for responsible disclosure, hence my censoring of the subject’s full name and personally identifiable details.

Additionally, I zeroed the drive with a three-pass erasure before disposing of it to ensure that this individual’s personal information would be protected in case anyone else were to come across the drive.


· · ·


  • Michael Davis · May 5, 2011 at 10:15 pm

    I have a new policy of KillDisking any PC I pull out of the dumpster after finding a POS system with thousands of unencrypted CC numbers a couple of years back.

    Have you tried contacting Cory?

  • Admin comment by Matthew Sullivan · May 5, 2011 at 10:43 pm

    No, and I have no plans to do so either. People don’t take well to being told about what someone has done with their personal data, even if it was done responsibly. It’s better for my safety (and his ego) if he simply never learns about it at all, in my opinion.

  • John S · May 6, 2011 at 1:35 pm

    I’m guessing “Foundations of Economics” wasn’t a real strong suit for him.

  • Cory · May 6, 2011 at 4:52 pm

    I love big bitches!

    But seriously, I have done 2 things with old hard drives. One was wiped and disposed of in the bottom of a lake and the other was burned.

  • Alex · May 7, 2011 at 11:27 am

    Cool find! I’ve been a fan of DBAN in the past. While I’m not familiar with KillDisk, it appears you have to pay for anything more than zeroing the drive, whereas DBAN has all varieties of DoD-grade wiping.

    Also, I’d just like to point out that dumping an old HDD into a lake (as a previous commenter suggested) really isn’t acceptable behavior. There’s a reason many vendors or businesses take back computer parts: they often contain trace amounts of harmful chemicals or heavy-metals. Not a lot these days, but dumping in a lake (or similar place) is unnecessary if the drive has been reasonably wiped.

  • JBu92 · May 7, 2011 at 1:41 pm

    Thanks to Alex for already having mentioned DBAN. I have never used anything else to nuke my drives. I LOVE wiping data to the security standards of the canadian mounties (seriously, it’s an option).
    It’s too bad we can’t really dumpster dive around here… those stupid green trashcans…

  • Adam K. · July 26, 2011 at 3:47 pm

    This post is epic. Love it Matt.

  • Holly Michaels POV · January 21, 2013 at 8:40 pm

    Whats up are using WordPress for your blog platform?

    I’m new to the blog world but I’m trying to get started
    and set up my own. Do you require any coding knowledge to make your own blog?

    Any help would be greatly appreciated!

  • colour printing · June 30, 2013 at 2:07 am

    Thanks to my father who shared with me on the topic of this weblog,
    this webpage is actually awesome.

  • knacker · July 29, 2013 at 5:22 am

    I have several dozen desktop, and a bunch of DDived laptops but those old windows machines quickly turn into great Xfce and Lxde Linux laptops:)

    But I got you beat in the poor deletion area:) a quick dive at a local restaurant that closed down revealed an another old Win XP computer that I assume the owner thought was dead. and free from info:) It wasn’t and it was NOT! The computer owner also owned 2 other establishments in town and on this computer were 4 admin acc’s, 1 each for his 2 small children, and all their info, one for his wife and her data, and HIS, Full of porn, browsing history, passwords, and several hundred payroll and direct deposit for every employee at all three places! and, scanned copies of each application as well as pmt information for a handfull of big clients who had hired this place to cater events. I knew the individual and many on the lists… I sent him a bunch of screen-grabs via tor and then destroyed the data. Still use the XP box in my Pentesting lab:) Stupidity is boundless

  • knacker · July 29, 2013 at 5:26 am

    “Do you require any coding knowledge to make your own blog?”

    Not if you’re using WP. If there is something easier I have not found it. Make any non-tech person think you know what you’re doing:) WP helps make that happen:) Did for me anyway

  • knacker · July 29, 2013 at 5:30 am

    “It’s better for my safety (and his ego) if he simply never learns about it at all, in my opinion.”

    Smartest comment on the page!! You got it right, people can react funny when confronted with this stuff even if you have the best of intentions. Tormail and a few “cleaned” grabs would be as far as I would take it unless going fully BH if data came from a target.

Leave a Reply



Theme Design by