
Coinbase user emails and full names leaked - cbcbcb
http://pastebin.com/RzWipJFb
======
ryanthejuggler
I'm pissed. My email address is among those leaked. I got two transaction
requests, the first for 732342.34425 BTC and the second for 999999.99999999
BTC. The second had registered a username of "⚠ URGENT: Сoinbase hacked. We"
so that the email subject line read "⚠ URGENT: Сoinbase hacked. We sent you a
payment request."

I got my coin out of Inputs.io just a few days before they got hacked, and
I've got a low balance in Coinbase. I'm going to make that a zero balance,
because I've completely lost faith in any company's ability to manage Bitcoin.

~~~
nly
You've just become a target. Everyone now knows everyone on that list has
Bitcoin and uses web wallets, so it's effectively a list of potentially
profitable targets for email account compromise.

Please ensure you're using random passwords on every site you use, select the
best available security questions, use a password manager, and enable two
factor authentication everywhere that allows it.

Also move all your coins into offline wallets. _No_ online web wallets have a
bank grade reputation.

~~~
nwh
Hot/cold storage as coinbase is using is probably better than any encryption.
Even an end of world bug means that they can only ever lose a small portion of
all stored user funds. Manual processing of this means there is some sanity
checking on large withdrawals too. Encryption affords you none of that, I
would be happier with coinbase than storing on any other online wallet for
this very reason.

~~~
jellicle
> Even an end of world bug means that they can only ever lose a small portion
> of all stored user funds.

Were you born yesterday?

The steal-all-your-money rate of bitcoin businesses is running right around
100%, and you're going to lecture people that "they can only ever lose a small
portion of all stored user funds"? Really?

~~~
nwh
Coinbase isn't some random website made in a basement. It's a well funded, YC
backed, known-founder company that complies with relevant banking law. There's
absolutely nothing to suggest that they hold a partial reserve or have any ill
intention whatsoever.

~~~
sillysaurus3
You're right, there isn't anything suggesting that they hold a partial
reserve.

And there won't be even when they do.

And when they close due to massive theft / loss of coin, and take all of their
users' funds with them, that will be the first suggestion that any user hears
of.

It happened to me. It's not fearmongering, it's fact.

~~~
nwh
So ask them to prove their reserves if it bothers you so. Other large services
have in the past.

~~~
sillysaurus3
Proving reserves doesn't help at all. They can die at any time from massive
loss. Proof of reserve reveals whether there's a problem; it doesn't _prevent_
any problem from happening.

To use a metaphor, a failed proof of reserve is like detecting that someone
who's riding a motorcycle without a helmet has been launched into the air due
to a car crash, and is about to hit the ground. That doesn't change the fact
that they're not wearing a helmet in the first place. And in bitcoin's case,
no such "helmet" exists. There is no protection for consumers against losing
their funds by the exchange.

There's always going to be this massive risk of the coins disappearing due to
any number of reasons: that they get hacked, that the founder steals them,
that they lose them to some massive technical problem, that they experience
another undocumented bitcoin protocol issue like malleability, that they lose
access to their cold storage wallets, etc.

This has happened at, what, a dozen exchanges so far? They've all died due to
one of the above reasons. Who's next? It's completely possible that Coinbase
is next, and that you're recommending users throw their money away by trusting
them. There's no reason to trust Coinbase. Keep your funds in your own secure
cold storage wallet, and you'll have them forever. Keep them in Coinbase and
you'll have them exactly as long as Coinbase lasts.

~~~
genwin
> Keep your funds in your own secure cold storage wallet, and you'll have them
> forever.

In regards to Coinbase, if only because their terms make it clear they aren't
liable for a customer loss of any cause whatsoever.

------
NathanKP
Does anyone know where or if the full list can be found? I have a Coinbase
account but I don't see my name on the abbreviated list.

I suspect that the person who made this Pastebin just ran a huge list of known
leaked emails, or dictionary based emails through the minor information
leakage vulnerability discussed yesterday
([https://hackerone.com/reports/5200](https://hackerone.com/reports/5200)). I
would be willing to bet that this brief list is actually all he got back, and
he is just lying when he says "Full list much bigger."

Since the vulnerability was reliant on knowing the email first, and since my
email used on Coinbase is not a known email that I publicize I doubt he would
have been able to discover my Coinbase account, nor the Coinbase accounts of
anyone else who uses a sufficiently random and unknown email address when
signing up.

~~~
beaner
There is no full list. The "exploit" doesn't give you email addresses you
don't already have. This is why it was not considered a vulnerability.

~~~
goatforce5
I work on dating sites, some of them a bit risqué.

On the password reset form, there's a big difference between saying "That
email does not exist in our system"/"Emailed password reset instructions" vs
"If that account is registered, we will email you instructions".

~~~
MichaelGG
Do you set up a timed sleep to make sure that you return results in exactly the
same time regardless of path taken?

~~~
broolstoryco
Not sure if sarcasm..

~~~
nfm
This is a real attack vector. It's called a timing attack:
[http://en.wikipedia.org/wiki/Timing_attack](http://en.wikipedia.org/wiki/Timing_attack)

~~~
broolstoryco
I am familiar with timing attacks. The thought of someone attempting to apply
it over the internet to verify whether an email is registered on a dating site
seems laughable.

~~~
MichaelGG
Applying it over the Internet is quite feasible, especially with simple code.
If it connects to a remote SMTP server, the delay may very well be noticeable
enough without doing any complicated timing. It might be just about as easy as
scraping the page for "user not found" versus "email sent".

I assume that was the original point - that on risque dating sites, the
recover password system tries to hide membership.

------
korzun
At this point I would not trust Coinbase, their engineering department shows
that they have very little clue when it comes to building a secure
infrastructure.

Not only are they not rate limiting and leaking names, their implementations
are simply laughable.

With a proper design, customer should have been allowed to either
enable/disable that end-point when somebody is searching for their email, or
there should have been an option to have a 'whitelist' a set of users/user
that are able to look up that information and make a transaction request.

On top of that, they should have been able to detect a pattern such as this
attack and pro-actively block it.

This would pass for a to-do app API but Coinbase? Wow.

~~~
jakejake
I haven't really lost my trust in Coinbase due to this issue but I do find it
annoying the way they are handling it so far.

Almost any site that has a password reset can be used to verify whether an
email account exists in that system - depending if the system tells you "no
user with that username exists" or not. Coinbase is in no way unique with the
amount of info they expose, which is the point they were trying to make on
their "official" response.

I would have liked to see them announce that the API does have some sort of
throttle and maybe they are going to think of ways to enable an option for
this behavior or something - basically anything except to just dismiss it.
Because even though I personally agree with them as far as the level of
vulnerability - a lot of people don't and Coinbase doesn't seem to understand
this perception problem.

~~~
foobar5482
It is certainly possible to allow for password resets and account creation as
well without revealing whether an account exists.

Password reset:

1\. User enters email in password reset form.

2\. Website shows the same message whether the password was reset or not.

3\. Email is what differs. If the account exists, send a password reset link.
If it does not, send an email asking them if they want to create an account
(and offer an unsubscribe link so people can't spam signup emails).

Signup:

1\. User enters email in signup form.

2\. Website states it is sending an email to verify the account.

3\. If it already exists, send a message saying they already have an account.
If not, send the normal email verification link and then they can complete
filling in their account details.

This prevents someone without access to the email from finding that the account
exists, and also keeps the owner of the email filled in if they just forgot
which email they used for the account or that they already had an account.

~~~
jakejake
I agree 100% this is the _right_ way to do it. And it's really not any more
difficult to implement.

The problem is the convenience tradeoff. Take a site that has an instant
green/red indicator that a username is already taken. People love the instant
feedback, but it creates an attack vector. If you had to wait around for an
email to see if you had already signed up - I bet a "Show HN" would have
people here telling you that your site was user hostile! Even though it is
unquestionably more secure.

I do think what Coinbase is doing now is not out of line with standard
practices. But for a financial site they might be wise to start erring in the
direction of security at the expense of a little convenience.

------
tokenizerrr
I assume someone took a huge list of emails and ran them through the Coinbase
API as described in
[https://hackerone.com/reports/5200](https://hackerone.com/reports/5200) and
retrieved their full names, and is now scaremongering. I do not think they are
enumerating users from the coinbase database, but who knows.

edit: The recent adobe email list comes to mind.

~~~
300bps
You're right. As a Coinbase customer, neither my name or Coinbase-only email
address was in this list.

What you describe is exactly the exploit that was disclosed and exactly what
the person exploiting it seems to have done based on the content of the list.
Of course, Coinbase argues that this is a feature and not a bug.

~~~
naterator
> neither my name or Coinbase-only email address was in this list

That doesn't really mean anything, since it clearly says at the top:

"Here is a partial list of Coinbase user emails and their full names. Full
list much bigger."

Which could be bullshit and scaremongering. But it certainly could be true
that they have a large number of Coinbase users' emails.

~~~
300bps
> Which could be bullshit and scaremongering.

It could also be that you are reading too much into it.

> "Here is a partial list of Coinbase user emails and their full names. Full
> list much bigger."

Where does it say in that sentence that he, the OP, has access to the "full
list"? It doesn't say that. It implies it, which you picked right up on. But
he doesn't explicitly say, "Here is a partial list of the full list in my
possession".

------
peterwwillis
Why the fuck would someone keep cash in a central repository if the whole
purpose of bitcoin is to be de-centralized? It's like, hey, I have a car so I
can get around town any time I want, so let me park it with a bunch of other
cars in a dark open lot 2 miles from my house. Sure, I have to take a short
bus ride to get to it, and it could be stolen or broken into at any time, but
that's the price I pay for convenience, versus just keeping it in my garage
where it's much more inconvenient for anyone to steal or damage it. (?????)

A website is not a bank. There are no armed guards or vaults and there is no
federal insurance for your bitcoin. You're basically all handing your money to
some guy who keeps all the coin on the second floor of a corporate office with
a single old dude standing guard at the elevator. It's totes hard to get past
that guy, because like, he has a badge and a hat and everything.

~~~
tymekpavel
In my case, because Coinbase provides a simple, trusted way to sell Bitcoin
and deposit the money into my bank account.

I'm not buying Bitcoin because it's decentralized. I'm buying it because there
is a market bubble, and I can profit from currency speculation.

------
alandarev
> Coinbase provides your full transaction history to the FBI, FinCEN and IRS
> every day. They are under a gag order.

That is an interesting accusation. Even if this is true, we are unlikely to
have evidence. Is there a serious risk to Coinbase users, granted the
government has full access?

~~~
throwaway812
If they had evidence of that, why wouldn't they have pasted it as well? I'm
assuming it's baseless speculation.

Btw, has anyone actually confirmed any of these emails / names are real? I
have a coinbase account and am not mentioned in the leak.

~~~
kevingadd
Wouldn't any evidence supporting the existence of the gag order be a violation
of the gag order?

~~~
headShrinker
Yes. I read something about a library that had a sign up, "No government
agents have been here." They would take down the sign during an investigation.
Any one who knew the sign -was- there knew an investigation was underway. No
gag order was broken. There is a name for this type of flag, but don't know it
off hand.

~~~
alistairjcbrown
Warrant Canary

[http://en.wikipedia.org/wiki/Warrant_canary](http://en.wikipedia.org/wiki/Warrant_canary)

------
privong
The link has no mention of the "bug was dismissed" as stated in the HN title.
Support for this? Or is it the same bug as
[https://news.ycombinator.com/item?id=7504353](https://news.ycombinator.com/item?id=7504353)
?

Also, what is the evidence for the assertion that transaction logs are
delivered daily? Given recent revelations, it's probably a reasonable
assumption, but there's still no actual evidence given.

~~~
jyap
Here is the bug closed as "Won't fix" (so yes, it is the same exploit/bug):

[https://hackerone.com/reports/5200](https://hackerone.com/reports/5200)

~~~
wes-exp
Apparent Coinbase response there: "This stance is not unusual on the web:
you'll find that user enumeration is possible on Facebook, Google, and nearly
every other major internet site"

Um, no. If that is what Coinbase believes, I just lost respect for their
claims of security.

~~~
SDGT
Would you care to explain why it is that you believe email enumeration to be
"insecure"?

The data obtained is an email address and a name (only if the user filled in
the "name" field). This may as well be treated as public information.

~~~
wes-exp
It also discloses whether someone is a customer or not. Possibly en masse.
Problems:

1) Aids phishing attacks against Coinbase and customers

2) Oftentimes harmless tidbits of information can be combined to form non-
harmless information. In this case, disclosing email, name, and the fact of
being a Coinbase customer, or not, seems minor on its own. However, combine it
with some other dataset (let's say emails/passwords taken from an unrelated
site), and now it would be easier to break into accounts without setting off
warning bells, since you already know who is a user or not.

Dismissing the information disclosure strikes me as akin to the "it's only
harmless metadata" argument of the NSA. As we have already seen in many
reports, "metadata" can be surprisingly powerful.

~~~
SDGT
I would argue that using a personal email and filling in your full name on
coinbase, who CLEARLY state you have no expectation of privacy in this regard,
is effectively the same as publicizing the information.

If one cares about the privacy aspect, then don't use an email that is tied
back to you in any way, and certainly don't fill in your personal information.

~~~
bronson
Or, and this is much easier, use a web site that actually cares about its
users' privacy?

If CoinBase is so needlessly sloppy then it's not hard to picture a Mt Goxish
scenario in its future.

------
seanieb
This is not a "leak". All of these email addresses were already in the wild.
The "attacker" simply tested if Coinbase accounts matched these emails.

Think about it. Email enumeration is possible if accounts are associated with an
email address. Otherwise forgot password forms would simply say successful
even if someone typo'd their address (terrible UI) or the signup forms would
allow multiple accounts with the same email address.

~~~
ambrop7
Actually, many password forget forms do not provide any information about
whether the email was recognized or not. More than once I've seen a message
along the lines of "If the email entered was associated with an account, a
password reset has been sent.".

EDIT: On the other hand even if the response is always the same, I expect most
implementations to be vulnerable to a timing attack ;)

~~~
genwin
How would they be vulnerable to a timing attack?

~~~
ambrop7
Sending an email takes more time than not sending an email.

~~~
genwin
I think I see your point; clever. The site could show the message and only
then send the mail asynchronously. I guess that's why you said _most_
implementations.

~~~
MichaelGG
Queuing up an async message still takes time. As does reading a row from a
database and materializing an object. So "most" is really probably nearly all
unless they take explicit steps to make sure the same amount of work is
performed in either case.

~~~
genwin
Yes, or sleep to elapse a time that's longer than needed to queue up the async
message, say half a second, before returning the message to the browser.
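
Added example (not written by any commenter in this thread): a sketch that combines the flow foobar5482 describes earlier (same on-page reply, only the email differs) with the fixed response-time floor genwin suggests here. The class, template names and reply strings are hypothetical, and the user table and mail queue are in-memory stand-ins.

```python
import time
from dataclasses import dataclass, field

# Constructed wording: the browser sees one of these strings on every path.
RESET_REPLY = "If that address can receive mail, a message is on its way."
SIGNUP_REPLY = "We are sending an email to verify the account."


@dataclass
class AccountFlows:
    """In-memory stand-in for a user table and an outgoing mail queue."""
    accounts: set = field(default_factory=set)
    unsubscribed: set = field(default_factory=set)  # used the unsubscribe link
    outbox: list = field(default_factory=list)      # (recipient, template) pairs
    floor_s: float = 0.5                            # "say half a second"

    def _queue(self, to, template):
        # Honour the unsubscribe link so the forms cannot be used to spam a non-member.
        if to not in self.unsubscribed:
            self.outbox.append((to, template))

    def _pad(self, started):
        # Sleep out the rest of the floor. This only hides the branch taken while
        # the real work stays under floor_s; slower work would show through again.
        remaining = self.floor_s - (time.monotonic() - started)
        if remaining > 0:
            time.sleep(remaining)

    def _handle(self, email, if_known, if_unknown, reply):
        started = time.monotonic()
        try:
            email = email.strip().lower()
            template = if_known if email in self.accounts else if_unknown
            self._queue(email, template)
        finally:
            self._pad(started)  # pad even if queuing raised
        return reply

    def password_reset(self, email):
        # Account exists: reset link. Otherwise: invitation to create an account.
        return self._handle(email, "reset_link", "no_account_invite", RESET_REPLY)

    def signup(self, email):
        # Account exists: "you already have an account". Otherwise: verification link.
        return self._handle(email, "already_registered", "verify_address", SIGNUP_REPLY)


def timed(fn, *args):
    """Return (result, elapsed seconds) as a remote observer would measure them."""
    started = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - started


if __name__ == "__main__":
    flows = AccountFlows(accounts={"member@example.com"})  # constructed sample data
    for addr in ("member@example.com", "stranger@example.com"):
        reply, took = timed(flows.password_reset, addr)
        print(f"{addr:24} {took:.3f}s  {reply}")
    print(flows.outbox)
```

The sleep holds a request worker for the whole floor, so a real deployment would pair this with rate limiting on the form.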

------
nathas
This feels... weird. There was a problem with Coinbase months ago that was
patched where some of this information could be found if someone was using
Coinbase's merchant tools.

A list of emails and names feels a lot like trying to cause a panic to get
people to dump Coinbase.

------
daisukepr
I contacted Coinbase and received this response:

Erik: Our engineers are aware of this development and concluded that the
released information was not acquired through a security breach in our
systems. Instead, the poster was already in possession of your email address
and used our "Request Money" functionality to obtain the name given to our
system on the Settings page of your account
([https://coinbase.com/settings](https://coinbase.com/settings)). Although
this is an intended feature, we understand that some users may wish to not
disclose information to third-parties that are able to obtain their email
addresses. As such, we are working on improvements that will give users an
option to hide their name from other users.

------
gommm
And this is why in addition to per site passwords, I also use per site email
addresses.

I like to be able to track who spams me and in case of leaks I like the
ability to disable an email address...

~~~
flanbiscuit
how do you keep track of all the emails?

and did you always do this or did you start at one point having to go back
through a lot of old accounts to change emails and passwords?

~~~
josephwegner
If you use gmail, you can use youremail+anything@gmail.com, and it will all
get forwarded to youremail@gmail.com. This is incredibly handy for noticing
who is sending you spam.

I'll also use it for sites that I _know_ are going to send me spam, and then
immediately create a filter that deletes emails sent to
joe+annoyingsite@gmail.com (note: that's not my real email)

~~~
jonknee
That won't help here, your real Gmail address is exposed which lets everyone
know that you have BTC on web wallets.

~~~
eli
Actually it would help you here. In this case your real address isn't exposed
unless someone guessed the exact version you used to sign up.

~~~
jonknee
What do you mean? If joeblow+coinbase@gmail.com is in the leaked list you know
that that joeblow@gmail.com is the "real" user and also is someone who has
BTC.

~~~
eli
There was no leak. The API allowed you to see whether a given email had an
account associated, so someone churned through a big list of known email
addresses to find accounts.

------
simon_
Relatedly: DO NOT CHEAT ON YOUR TAXES. If you have any BTC profits and do not
report them to the IRS this month, they are reasonably likely to catch you and
make an example of you.

~~~
fudWrecker
YOU ARE WRONG. The IRS is .1% in the business of audits and 99.9% in the
business of scaring people about the possibility of an audit. Like you just
did.

~~~
drags
I'm being audited right now (over a $2,500 student loan interest deduction, of
all things) and it's totally automated. It seems like they have an internal
process that goes "Taxpayer claimed deduction, IRS doesn't have paperwork
matching payment activity, ergo send letter asking taxpayer to pony up".

If Coinbase is going to report earnings to the IRS, it's a good idea to match
what they report or you might trigger the algorithm.

~~~
stonogo
What you are describing is not an audit. The automated system is a separate
process. An audit involves an actual IRS agent manually reviewing your entire
tax history for the given year.

~~~
albedoa
At least at the state level (MA), the automated system is considered an audit.
I recently received notice that an "audit" (their word) of my state tax return
detected a discrepancy with my federal return. When I called, I was told that
it was caught automatically.

So I think the manual and automatic processes are considered to be two forms
of the broader term "audit".

~~~
stonogo
The IRS does not work for the state of Massachusetts.

~~~
albedoa
We know this. I was explaining to you what the word means by example.

------
johnl1479
Almost every email in this list is repeated twice. Only 1151 of the 2041 are
unique.

------
api
The whole idea of Bitcoin was that you wouldn't use banks, but as we can see
convenience trumps that.

------
devanti
Seeing a complaint about Coinbase every week makes me feel like they are a
poorly managed company -- which is crucial if you're a company dealing with a
lot of money.

~~~
Einstalbert
Reputation is sacred for these kinds of companies and this stuff isn't
helping. I was just about to sign up for them, I had their tab open in my
browser, but I sincerely thought something like this would happen and that I
would "be on a list." Tab's closed, now.

------
meritt
If this is the same "bug", the emails were not leaked. Someone already had an
email list which enabled them to exploit an information leak to obtain names.

------
BrownBuffalo
What's more ironic is that the gmail.com addresses comprise upwards of 80% of
what's on this list. IRS -> FBI -> Google request. Does it make any difference
if this is public or not? IRS has much easier ways of getting at your info
than this.

------
higherpurpose
> Coinbase provides your full transaction history to the FBI, FinCEN and IRS
> every day. They are under a gag order.

How is that legal/constitutional? It's one thing to monitor one "target's"
transactions, but _everyone's_?

------
bake
It's really hard for me to trust anything I read online on April Fools Day.

~~~
minimaxir
The easy way to see if anything is fake on April Fools Day is to determine if
it follows Poe's law. Security breaches are always serious and never funny.

(Then again, r/games faked moderation corruption as their April Fool's joke.
That did not go over well.)

------
MichaelGG
So, users opt-in to providing their names to be used with Coinbase
transactions, then are unhappy when said names are used?

Perhaps yesterday's "bug" reporter was unhappy at being dismissed (and he paid
for Burp Suite, too!) so perhaps he decided to cause, in his words, "panic".

There's good reasons to dislike Coinbase but this isn't one of them. And of
course the "full list" is bigger - the list just contains some previously-
known emails and their associated, _optional_, Coinbase name.

------
antr
I don't care if you are a bootstrap startup or a multi-million dollar vc
funded giant, I will sign up to your service with an email alias. This is the
reason why.

It's easy to block the account if spammers get hold of it, nobody is able to
double check if I use other services by comparing login emails, I know which
service has leaked my email... bottom line, I am in control. I feel sorry for
these Coinbase users.

------
jorgem
Someone should market bitcoin to women. From a cursory review of that list of
names, women don't seem to be signing up. Missing half the market...

~~~
untog
Some members of the Bitcoin community have... some work to do in making women
feel welcome. An illustrative blog post by a woman that went to a meetup:

[http://www.ariannasimpson.com/this-is-what-its-like-to-be-a-...](http://www.ariannasimpson.com/this-is-what-its-like-to-be-a-woman-at-a-bitcoin-meetup/)

 _“Well,” he says looking at me knowingly, “Women don’t usually think in terms
of efficiency and effectiveness”._

~~~
jorgem
ugh. that's so horrible.

------
lettergram
This doesn't seem like that big of an issue. Yes coinbase should protect
against this, but it doesn't really cause a security threat of any kind
(assuming you have a secure password). This is a list of people who have
bitcoins, but if you have a secure password you should be fine, further you
can change your email.

~~~
korzun
Actually it's a big deal, if your local bank allowed to do mass look-ups like
that you would be receiving phishing attempts that pretend to be that
facility for the rest of your life.

And right now, an email is part of your security auth since it's email *
password.

When email is known as a 'good user' that reduces that multiplication to just
password.

------
chazandchaz
I am curious why their contact form isn't posting over SSL
[http://support.coinbase.com/customer/portal/emails/new](http://support.coinbase.com/customer/portal/emails/new)

While I want to contact support for help, I am hesitant to fully disclose my
issue in their contact form.

~~~
dangrossman
Here you go:
[https://coinbase.desk.com/customer/portal/emails/new](https://coinbase.desk.com/customer/portal/emails/new)

support.coinbase.com is just an alias for their Desk account.

~~~
chazandchaz
I may be missing something but your link is 301'ing to
[http://support.coinbase.com/customer/portal/emails/new](http://support.coinbase.com/customer/portal/emails/new)
so I really don't know how I can submit a contact form over SSL.

It is kind of a moot point because I have committed to moving my bitcoin out
of coinbase.

~~~
dangrossman
Strange. No 301 here.
[http://i.imgur.com/2eWQ2kP.png](http://i.imgur.com/2eWQ2kP.png)

~~~
giergirey
Odd - if I go to
[https://support.coinbase.com/customer/portal/emails/new](https://support.coinbase.com/customer/portal/emails/new)
I get an untrusted connection warning since the SSL certificate is for
*.desk.com, not support.coinbase.com.

~~~
dangrossman
That's not odd. That's why I linked to
[https://coinbase.desk.com](https://coinbase.desk.com) since he wanted SSL.

------
zengr
I didn't expect this from coinbase. This helped me take the next step:
[http://support.coinbase.com/customer/portal/articles/784040-...](http://support.coinbase.com/customer/portal/articles/784040-how-can-i-close-my-account-)

------
beedogs
Wow. Coinbase's userbase is almost _exclusively_ male. Just an interesting
observation.

~~~
JTon
It's possible that this pattern isn't exclusive to coinbase. Perhaps bitcoin
users in general are predominately male.

~~~
MichaelGG
Or since there's no evidence that this list is at all representative of
Coinbase's userbase, perhaps the "attacker" had a predominately male list of
emails.

------
bulte-rs
How nice of them to publish this list. I can now simply revert to the line
number in this file and only have one instance of my email address on the
public internets.

Changing contact info now to: line 34 of the coinbase leak-list on pastebin.

------
tomelders
The biggest problem with Bitcoin is people.

~~~
andyzweb
>the problem is people

------
bbuffone
BitCoin, the currency of Men... A brief glance at the names yielded almost no
women names.

------
kolev
I got two requests already. What kinda morons work at Coinbase to allow this?

~~~
MichaelGG
They're now "morons" to allow people to send payment requests? Perhaps you're
not quite familiar with their business model.

~~~
kolev
I am well-familiar as I'm an early adopter (and sufferer), but how about
having a button "report spam/scam"? If I "decline", the attacker will get a
confirmation I'm logged into my account and my email and account are verified!

~~~
MichaelGG
I'd imagine it's one of those not-really-needed-until-it-is features. And now,
due to all this crying, they'll implement such a "I don't know this person"
option.

------
cdelsolar
Heh, these April Fools jokes get more and more believable.

------
nbrosnahan
Coinbase, I hardly knew ya. So long, and thanks for exposing all those emails
and full names. Good luck from here.

------
tdeo
My name is in there...

------
kgreenek
Yawn

------
whatevsbro
Here's the important part:

> _Coinbase provides your full transaction history to the FBI, FinCEN and IRS
> every day. They are under a gag order._

------
bcbcbc
Hi, I'm also an account created solely for the purpose of a single submission
/ comment!

~~~
ben0x539
Hi, nothing wrong with anonymity.

~~~
beat
There's _lots_ wrong with anonymity. But those wrongs are the price we pay for
the benefits of anonymity.

Thinking there's "nothing wrong with anonymity" is the kind of intellectual
fallacy that makes it so hard to take 'net libertarians seriously.

~~~
ben0x539
You're right, of course, and maybe I should have said "nothing wrong with
submitting an article to hn without putting an established identity or even
your real-life personal safety on the line". I suppose it was my desire to
express with that comment my wider frustration regarding stuff like
facebook/google+ real name policies that made me opt for a less accurate
statement.

~~~
beat
In general I agree, although there are certainly times when anonymity could be
problematic even submitting an article on HN - for example, lying about an
individual or a company, or starting a dangerous rumor.

The benefit of anonymity is, generally, to protect the anonymous from
retaliation for things said or done anonymously. This is important, priceless
even, when evil is being done by the powerful. For example, whistleblowing.

So the question is, is anonymity being used in any given case for good,
neutral, or evil?

In the case of Facebook/Google+, I think the policy is understandable, if
annoying. There's no business benefit to them to provide anonymity, and
substantial business risk if they do.

~~~
ben0x539
The comment I was responding to seemed like a blanket condemnation of
anonymous submissions, so I felt like a blanket rejection of that statement
was in order. With regards to protecting whistleblowing versus people starting
dangerous rumors, I think we can safely err towards accepting anonymous
submissions without scrutiny since the community is already fairly skeptical.

I don't feel compelled to sympathize with Facebook/Google+'s business cases.
I'm not criticizing their business acumen, after all.

