So this was the question I received on Quora recently. It eventually occurred to me that many of us have pondered this thought at some point or other in life. So let's explore how feasible it is.
“Regardless of legality, could a virus(?) be written whose sole purpose was to erase an individual from all databases, government and corporate, etc?”
Here is my take on it:
Let's assume you are writing some code aimed at doing what we just said.
You need access to all the databases of all the governments and corporations, everywhere.
Only some privileged admin users have access to this type of information. So you need to know who has the access and what the credentials are. Some might even require signing in with authorized keys, so you will need to have those keys with you.
Request IP Address
Most secured data is not accessible to common IPs. Only requests originating from specific IP addresses can access it.
“So you need to know all those respective IP addresses and then you need to spoof them without getting traced!”
“In fact in some cases you might actually need to be within that organization’s premises!”
Now you need to know the structure of all the database systems being used. Some organizations prefer to have SQL-based structure, some follow non-SQL like Mongo, some might even have graph databases. Bigger giants prefer bigger tools.
“You must have heard of Google using BigTable that is Apache’s HBase system.”
“The crux is that you need to know which systems each organization uses, and you should be able to write code capable of extracting data from each of them.”
Knowing the database system is not enough; you also need the schema. The schema tells you which tables hold data corresponding to the given user. One cannot just delete the user’s name and move on!
All the rows in other tables that depend on the given tuple have to be deleted too.
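Why deleting only the user's row is not enough, shown on a constructed SQLite schema (an added example, not part of the original answer; the table names and rows are hypothetical). With foreign keys enforced, the database refuses the single-row delete, and the dependent tables have to be discovered from the schema itself:

```python
import sqlite3

# Constructed sample schema (hypothetical table names): rows in orders, logins
# and, indirectly, payments all depend on a row in users.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders   (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id));
CREATE TABLE payments (id INTEGER PRIMARY KEY, order_id INTEGER NOT NULL REFERENCES orders(id));
CREATE TABLE logins   (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id));
INSERT INTO users VALUES (1, 'John Doe I'), (2, 'John Doe II'), (3, 'Jane Roe');
INSERT INTO orders VALUES (10, 1), (11, 2);
INSERT INTO payments VALUES (100, 10);
INSERT INTO logins VALUES (1000, 1);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    return conn

def referencing_tables(conn, parent):
    """Sorted (child_table, child_column) pairs whose foreign key points at parent."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    refs = []
    for table in tables:
        # PRAGMA row layout: id, seq, referenced table, from column, to column, ...
        for fk in conn.execute(f'PRAGMA foreign_key_list("{table}")'):
            if fk[2] == parent:
                refs.append((table, fk[3]))
    return sorted(refs)

def naive_delete(conn, user_id):
    """Delete only the users row; False means referential integrity refused it."""
    try:
        with conn:  # rolls back automatically on error
            conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return True
    except sqlite3.IntegrityError:
        return False

def deletion_order(conn, root):
    """Tables in the order their rows must go: deepest dependents first, root last."""
    order = []
    def visit(table):
        for child, _ in referencing_tables(conn, table):
            visit(child)
        if table not in order:
            order.append(table)
    visit(root)
    return order
```

Here `payments` never mentions a user at all; it is reachable only through `orders`, which is why the schema walk matters.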
Each organization has a different logic of identifying a particular user.
“You need logic by which you can identify your user in each of those databases. You don’t want to confuse John Doe I with John Doe II, as it will raise doubts!”
Even when you have accessed the data, some information may be encrypted. It is a common practice for database admins to use some encryption algorithm on crucial data.
“You would need it even at authorization time” (i.e., the first point that I mentioned in this answer).
For instance, some admins use MD5 encoding, while some prefer using a ‘salt’ along with the MD5 version. You need to know all the encryption applied to the relevant tables.
Accessibility to the Log Files
You need to remove all your activities from the log files. For that, you need to know where the logs are being stored, and you should carefully delete only your logged activities.
“If you can fulfill all the prerequisites, and find the points that I missed and fulfill those too, then there would be a 90% chance of success in writing such code.”
Now, talking about the term you used for the code: you mentioned it’s a virus.
Assuming that a virus is code meant to run on the host’s system:
Challenges you should be aware of:
- What operating system each of those systems is using
- You need to have super access to each of those systems
- Which languages are supported and installed on those systems
- You need to write the code from the first part in all of those languages (with support for all available OSes), and archive it along with your virus’s init file.
- Your virus should be able to identify the OS and installed language and pick the suitable archived code and run it as an admin on that system.
- The next thing would be deleting the logged activity.
- Now the crucial part would be to send that virus to those systems and initiate it on each of the systems at the same time. You don’t want any time lag between the systems, otherwise it may cause discrepancies in real data.
The last thing you need:
Lots of Money!
“Eventually you are going to leave some breadcrumbs, and someone will sniff them out and reach you. You should have enough money to keep those people away and cover your tracks.”
“If you have all those points from parts one and two checked, you might still need some other things (which I have most likely missed) in your backpack.”
Is it Practical?
In the end, having all your information removed from virtual databases globally remains a world of fantasy! It would have been easier to get away with this kind of thing a century ago!