
Doxing the hero who stopped WannaCry was irresponsible and dumb - ascorbic
https://thenextweb.com/insider/2017/05/15/doxing-hero-stopped-wannacry-irresponsible-dumb/
======
custos
Yeah, let's tell everyone everything about someone who partially foiled an
organized crime operation.

What could possibly go wrong?

------
stuffedBelly
_It’s obvious that he just wants to be left alone to get on with what he
enjoys – hacking shit, and figuring out how stuff works_

No, he wants to be left alone because it endangers his life to reveal his
identity. Jesus, do people seriously expect someone that's done heroic deeds
like this to jump out and scream "I am Batman"???

~~~
stagger87
The author talks about this further down in the article.

------
tudorconstantin
If some journalists were able to find his identity, he can safely assume that
the people behind wannacry are also able to do it. Maybe he'll take some
measures to protect himself more now.

I would've liked to see the journalists find the hackers behind this. That
would've been an achievement indeed.

~~~
dagw
_If some journalists were able to find his identity, he can safely assume that
the people behind wannacry are also able to do it._

How do you figure? Digging through information and finding out this sort of
stuff is literally what journalists do for a living.

~~~
Nadya
I occasionally offer to dox people to show them how bad their OpSec truly is
or as an example of why I don't use social media like Facebook for privacy
concerns. Doxing people is often trivial since nearly anyone contributing to
discussions online have large online profiles. It isn't a very difficult task
- just a game of connecting the dots and knowing how to construct specific
Google search queries (eg: "site:___ + 'some info'").

If a journalist can find it - any internet layman who knows how to Google can
find it.

~~~
Spare_account
I've been wondering if it is possible to dox my Reddit account. I like to
think I've been careful not to give too much away but I wonder if it is true.

I would like to find a white hat site that prepares a report on what they can
find about you.

(For the record, my reddit account has a different username than my HackerNews
account)

~~~
Nadya
_> I would like to find a white hat site that prepares a report on what they
can find about you._

This would be difficult to start as it would require trust. I already do
exactly this ("white hat doxing") but do you _trust_ that that is actually
what I'm doing? Maybe it would be easier as an established corporation with an
explicit privacy policy.

 _> I've been wondering if it is possible to dox my Reddit account._

You can make it _much_ more time consuming and more difficult (read: but not
impossible) to do so by using this userscript as frequently as possible:
[https://greasyfork.org/en/scripts/10380-reddit-overwrite](https://greasyfork.org/en/scripts/10380-reddit-overwrite)

I personally run it for all posts older than 2~3 weeks (when
activity/relevance of the post is nearly equivalent to "0").

Some sites still archive posts w/o updating for any future edits, there is web
cache, etc. But those are far harder to search and tie together than simply
browsing your comments on your profile. Note that some subreddits may ban you
for using it and you'll get a bunch of AutoModerator posts asking you not to
do that because of thread integrity and blah blah blah.

~~~
Zak
I _hate_ it when people use these scripts and do have a rule against deleting
posts that have replies in one subreddit I moderate. There are two kinds of
things harmed by this behavior:

* In communities where people buy and sell things, or offer pay for services (e.g. /r/forhire), a glance at someone's account history provides some insight into their likely reliability. It's not much to go on, but that's inherent to doing business with strangers online.

* In many communities, previous discussions are full of useful information for future readers. Removing half of a conversation often ruins that utility.

~~~
Nadya
_> In communities where people buy and sell things, or offer pay for services
(e.g. /r/forhire), a glance at someone's account history provides some insight
into their likely reliability. It's not much to go on, but that's inherent to
doing business with strangers online._

Trivially solvable with an alias used exclusively for such dealings where you
don't scrub history. Also, as mentioned, it isn't necessarily that good of a
rule anyway. Better than nothing but not necessarily by much.

 _> In many communities, previous discussions are full of useful information
for future readers. Removing half of a conversation often ruins that utility._

I value my personal privacy (and time) more than any use my conversations will
have for future readers. I don't have the time to selectively edit/delete
hundreds of posts. One argument against this would be to "post less" but then
many of those "useful posts" may not have ever been made to begin with so
there isn't a net difference.

Also - quoting the most relevant bits of a post in your own post helps retain
at least some context. Even if you were to edit/remove your post now - I have
two pieces of it quoted that a future reader would at least have some context
as to our conversation.

~~~
Zak
I'll grant this for that technique: while your website linked to your username
here made it easy to guess your reddit username, 5 minutes of looking did not
recover your deleted comments.

It's a little difficult for me to wrap my head around the mindset though: if
you're concerned about privacy, why would you post anything sensitive to
reddit? If you haven't posted anything sensitive, why delete it? I'll admit,
I've never been the victim or perpetrator of doxxing, so I may be missing
something.

~~~
Nadya
_> I'll admit, I've never been the victim or perpetrator of doxxing, so I may
be missing something._

Most people leak information constantly and each bit or byte of information by
itself is not important. However, in aggregate, people leak enough information
about themselves to have it _become_ sensitive information. What can be seen
as harmless on its own can lead to more sensitive/"harmful" information being
gathered.

For an example, let's say you share a photograph of yourself somewhere in
London. Maybe you went on vacation, a business trip, a family visit, a
honeymoon, etc. There are plenty of reasons to be in London _one time_! Now
over the period of 10 years you've shared a few dozen photos of yourself in
various places of London. What are the chances you live in London? Would you
say the chances are higher than if you had only shared a single photograph?

Likewise, information that doesn't seem sensitive on its own can become
incriminating when combined with other evidence. Scrubbing _everything_
therefore is the best way to ensure you aren't leaving anything behind. It's
also a lot easier to scrub everything than to read over years of post history
to see if you've ever shared anything you maybe shouldn't have.

~~~
TeMPOraL
I fear we're slowly stepping into paranoia levels of privacy protection. This
is my personal belief, I'm aware many people here don't think that way, but
here it is: it is literally impossible to live a life in a society without
radiating such information all the time. This applies both to physical and
digital realms; and as most people spend more and more time with digital
services, the two start to blend into one.

So I guess my opinion is: radiating that information is not really an issue,
and any problems arising from it are best solved _elsewhere_ , and not by
becoming a digital hermit.

------
OwlsParliament
The Telegraph, The Sun and the Daily Mail are utter shitstains.

~~~
Bakary
We have the media we deserve, for the most part.

~~~
Bartweiss
True I suppose, but the problem is that this guy got the media someone else
deserved. The victims and the audience aren't the same groups.

------
krona
There is a newspaper claiming he's now working with GCHQ. I doubt such
information is true, but given what happened to Gareth Williams in similar
circumstances, I'd suggest it's egregiously irresponsible for a newspaper to
even suggest it given everyone now knows who he is.

~~~
proaralyst
For those curious as I was:
[https://en.wikipedia.org/wiki/Death_of_Gareth_Williams](https://en.wikipedia.org/wiki/Death_of_Gareth_Williams)

~~~
sillysaurus3
[https://www.reddit.com/r/todayilearned/comments/6990kh/til_i...](https://www.reddit.com/r/todayilearned/comments/6990kh/til_in_2010_an_mi6_spy_was_found_dead_his_naked/dh4r4vo/)

\--

It's definitely weird, but there's a reason
([https://www.theguardian.com/world/2012/apr/25/mi6-gareth-wil...](https://www.theguardian.com/world/2012/apr/25/mi6-gareth-williams-bed))
that they considered this as a real possibility:

> But his former landlady, Jennifer Elliot, told the inquest that three years
> before his death, she and her husband had heard Williams call for help at
> 1.30am from the annex flat he was renting from them in Cheltenham, where he
> worked at GCHQ.

> They let themselves in with the spare key and found the codes expert lying
> on his back on the bed, in boxer shorts, with his hands tied to the bed
> posts with material so tight it had cut his wrists.

> In a statement read to the inquest, Elliot said she and her husband had both
> been in shock. Her husband asked Williams: "What the bloody hell are you
> doing?" Williams told them: "I just wanted to see if could get myself free."

> The statement added that he did not appear sexually aroused, and was "very
> embarrassed, panicky and apologetic."

> The couple, who never spoke to anyone about the incident, said they
> concluded it was "sexual rather than escapology".

~~~
StavrosK
How do you tie yourself so tightly that it cuts your wrists?

~~~
DanBC
Use zip ties and tighten them with your teeth

Tie one hand very tight. Use a loop of rope for the other wrist, and loop it
round the wrist too many times squeezing the hand though.

Use unsuitable rope

Use ratchet handcuffs and over tighten.

------
throwaway_ques
What does "dug through a ton of OSINT" mean?

Also can anyone point me to resources on preventing doxing while hosting a
website? I want a checklist of things that can possibly leak my identity. For
example:

- Some basic stuff is use whoisguard and don't reuse any existing hosting /
cloud infrastructure or even google analytics accounts

- But for new accounts, does using real credit card information matter? I am
not sure how easily a company will give that information up. For example how
hard is it to social engineer or get a court order/subpoena for it?

- Even then you can still be fingerprinted by ip, browser agent, hardware if
you ever even log in with the same computer. For example HN certainly knows
who my alts are just by checking request logs ip.

- What about sharing similar coding style / code base? Or even just
speech/writing patterns? Is NLP sufficiently advanced to fingerprint you by
that yet?

Are some of these too paranoid? I really think there's no way to fully prevent
doxing for anyone sufficiently motivated. What's actually good enough in
practice?

~~~
MichaelGG
Use Tails or Whonix. Buy Bitcoin with cash via mail on Localbitcoins.com.
Depending on your level of paranoia, don't use bills directly withdrawn from
the bank/ATM.[1] Be careful to not get fingerprints/hair/traceable writing on
the envelope. What I've done is ask someone at the store (buy a card/envelope
at CVS or something) to write the address for you. With BTC-via-mail, the only
thing you leak is a rough physical location. Running the coins through Monero
or something should blind things and render all this moot, but hey just in
case?

With anonymized currency, then you're free to start signing up for stuff. If a
site doesn't accept Bitcoin, use Localbitcoins.com to buy a prepaid debit card
(Visa/Mastercard). If a site insists on a phone number for confirmation, use a
darknet market to buy a pre-made Google Voice account. You can't access it
over Tor or it'll get blocked, so use darknet markets to rent a Windows client
box ($10-20 a month) so you have a "clean" IP and Google won't block you.

Then it's a matter of not giving away your info. You should adopt an entire
persona when you're doing anything related to your site. Come up with a
backstory (name, location, etc.). Ideally, none of this would matter: You're
over Tor and using an entirely separate system for everything related to the
site. But from the indictments I've read, it seems like a lot of first steps
in finding someone's ID are just going off small hints. The way they write,
mentioning the weather, etc. I would assume it to be very effective to fake
these things. (For instance, notice a flood in a part of the country. Stay
offline during the flood. When you get back on, write a small note that you
had to be away due to flooding.)

None of this will protect you from an adversary that can correlate your home-
connected-to-Tor times with site-gets-updated-times. But it'll stop people
without that access, even if they're willing to fake a subpoena/warrant/etc.
to your registrar/hosting provider (easier than you'd think). And hell, it
doesn't always take a legal order to get those details; social engineering can
do it just fine.

The Whonix wiki goes into lots of details on all this:
[https://www.whonix.org/wiki/DoNot](https://www.whonix.org/wiki/DoNot)

1: I asked Wells Fargo and they claimed they don't keep track of serial
numbers and have no way to do so, but it seems so trivial I wouldn't believe
it.

------
golergka
I respect the intent of the article, but I feel that the author completely
misjudges the intentions and perspective of the mainstream journalists and
their readership. It looks more like a culture clash than malice.

> MalwareTech doesn’t give out his name on his Twitter page or blog. There are
> no headshots. It’s obvious that he just wants to be left alone to get on
> with what he enjoys – hacking shit, and figuring out how stuff works.

For a modern mainstream internet user, who sees that everybody goes with their
real names and photo (except trolls), it's not obvious.

> stalking other people’s Twitter and Instagram accounts

How can reading information that people have voluntarily posted online for
everyone to see be called "stalking"?

> The weird emphasis about his fondness for pizza, and how he works from a
> small bedroom in his parents’ place? That shows they don’t actually respect
> him, or what he’s accomplished.

To me, it shows just that they were interested to paint a picture of a human
being instead of just a username. I feel that HN audience is very used to
talking to someone whom they know just by a nickname, with no personal details
or information - but for the general public, the concept of "anonymous hacker"
is not associated with anything good.

> Why do I need to know his age, and that he enjoys pizza? Why do I need to
> know his name, or know what he looks like? Does anyone care that he enjoys
> surfing? It adds nothing to the story.

Look at any NYT or Guardian longread about a complicated issue that touches a
lot of people - instead of analyzing statistics (as I personally would
prefer), they always include an individual story or two, with unrelated
personal details, to make the reader feel "connected". Only logical to assume
that, while to me, and probably, to HN reader, this is just irritating and
distracting, that's what "general public" wants to read about.

~~~
aphexbr
"for the general public, the concept of "anonymous hacker" is not associated
with anything good"

An association that's largely created by these tabloids in the first place.

"that's what "general public" wants to read about"

Maybe, but if that's what's required, they should be requesting an interview
with him and only reveal what he agrees to reveal. If he wishes to, that could
lead to a more insightful look at a man and his motivations rather than random
paragraphs about pizza and surfing.

If he chose not to reveal anything, a responsible journalist would accept that
and understand that the man has reasons for wishing to stay anonymous. Not dig
into his information and publish it anyway, leading to both him and his
friends being needlessly harassed for preventing crimes. At the very least,
this could lead to future would-be Samaritans from deploying fixes or publicly
detailing their methods.

At least they managed to increase their clicks with some facts rather than
just making things up, I suppose.

~~~
golergka
I feel that you're trying to argue against some of my points, but we're not in
disagreement.

I'm not saying that the current state of affairs is good or defending it;
however, I think that the blame is misplaced and the problem lies in culture
clash, not in malice (as often happens with the media).

------
zitterbewegung
The Media likes to have gripping headlines that create celebrities.
Presenting a person as a Hero is a tried and true way to do this. Once you do
that to a person the hazards of being a celebrity pop up. Doxxing from media
and anonymous, people digging up dirt on you etc... it is an unfortunate
situation and it's ruined many people's lives.

------
Dolores12
They failed to find creators of wannacry, so they found the guy that didn't
hide and made him look like he did something bad.

~~~
cpncrunch
No, they presented him as a hero, because that's what he is, and that's what
people want to hear about.

~~~
Dolores12
Did you happen to read his tweets?

~~~
cpncrunch
Yes, just did. Did you read the articles? Certainly sounds like they're
calling him a hero:

[http://www.telegraph.co.uk/news/2017/05/14/revealed-22-year-...](http://www.telegraph.co.uk/news/2017/05/14/revealed-22-year-old-expert-saved-world-ransomware-virus-lives/)

~~~
Dolores12
Where did that link come from? How could I possibly know about your link if
the topic link is different?

~~~
cpncrunch
I assumed by "they" you meant the Telegraph. If not, then please clear up the
confusion...

------
YeGoblynQueenne
>> The Telegraph talks a little bit about how he’s self-taught, and how he
stopped WannaCry by figuring out it had a kill-switch.

The researcher's blog (posted on HN earlier) said that although originally he
thought it was a kill switch he now thinks it was just a clumsy attempt at
detecting whether the worm was running inside a sandbox.

Apparently, worms will often do that sort of thing- call out to an
unregistered domain to check whether they get a response indicating that
they're not really connected to the internet. Except the ones that do it right
call out to some random domains and this one had it hard-coded (either because
the creator of the worm was a numpty or because they forgot it) (and
therefore, a numpty).

So it probably wasn't a kill-switch in the sense of a failsafe, as it was
reported in the press.
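
Added example, not part of the comment above and not code from WannaCry or the researcher's blog: a constructed, offline simulation of the probe logic the comment describes, showing why registering one hard-coded domain stops every copy while a randomized probe would be unaffected. The domain name, the `Network` model and all function names are hypothetical.

```python
"""Constructed simulation (no network access) of the connectivity probe
discussed above. All names and domains are hypothetical."""
import random
import string

# Hypothetical placeholder; the real hard-coded domain is not given on this page.
HARDCODED_PROBE = "hardcoded-probe.example"


class Network:
    """Toy model of name resolution as seen from an infected host."""

    def __init__(self, registered=(), answers_everything=False):
        self.registered = set(registered)
        # An analysis sandbox that fakes the internet answers every lookup.
        self.answers_everything = answers_everything

    def responds(self, domain):
        return self.answers_everything or domain in self.registered


def random_domain(rng, length=20):
    """Fresh name that nobody could have registered in advance."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
    return label + ".example"


def hardcoded_check(net):
    """Probe one fixed domain; any response is read as 'sandbox, stop'."""
    return net.responds(HARDCODED_PROBE)


def randomized_check(net, rng, probes=3):
    """Probe several random domains; only a fake internet answers all of them."""
    return all(net.responds(random_domain(rng)) for _ in range(probes))


def run_matrix(seed=0):
    """Return, per environment, whether each probe style would stop."""
    rng = random.Random(seed)
    environments = {
        "internet, domain unregistered": Network(),
        "analysis sandbox": Network(answers_everything=True),
        "internet, domain registered": Network(registered={HARDCODED_PROBE}),
    }
    return {
        name: {
            "hardcoded_stops": hardcoded_check(net),
            "randomized_stops": randomized_check(net, rng),
        }
        for name, net in environments.items()
    }


if __name__ == "__main__":
    for env, result in run_matrix().items():
        print(f"{env:32} {result}")
```

In the third row the real internet becomes indistinguishable from a sandbox for the hard-coded probe, which is the effect the press reported as a "kill switch".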

------
cpncrunch
>To the hacks at The Telegraph, MalwareTech will always be some sad basement-
dwelling hacker nerd.

No, actually. They're showing that he fits into the archetypical British
bedroom hacker/programmer genius, which is very highly respected in the UK,
and produced the likes of Matthew Smith, David Braben, etc. It looks like the
author of this article wasn't around in the 80s, so perhaps he's not familiar
with this history.

 _edit_ I fit into this category myself, and I'm not offended at all.

------
tenryuu
I've had my shit doxxed by the media before, but fortunate enough they were
kind enough to redact information on request. It was a very quick turn-around.

~~~
1337biz
Story?

~~~
tenryuu
Just a simple internet website prank that went viral with fake news. Was about
three years ago now

------
gadders
I saw that at the weekend. The guy did a good thing and obviously didn't want
his name out there.

It was a pretty shitty thing to do.

------
ianai
I hope instead of focusing on the doxing, people focus on employing and
protecting him from threats. You can't count on keeping a secret forever.

------
pvaldes
If we think about it, this is not much different than shouting publicly the
name of a journalist infiltrated in a drug cartel. Terrible. Journalists
should know better the game and what is at stake here.

------
FluffyTheWalrus
Got to love the news! They just love throwing anyone under the bus..

~~~
beedogs
This was mostly Murdoch's rags, which, unfortunately, many folks can't
distinguish from actual newspapers.

~~~
gadders
It was the Sun, the Telegraph and the Daily Mail. Only one of those belongs to
Murdoch.

~~~
soundwave106
A better way to put it would be to say all of the UK tabloid papers (the
Mirror was also mentioned in the article).

Tabloid journalism doesn't exactly have a stellar history of responsibility.
Unfortunately this sells for some reason.

~~~
kingosticks
Is the Telegraph really a tabloid? It's hardly on the same scale as the others
presented here (and in the article).

~~~
soundwave106
The Telegraph is a broadsheet, yes.

However, I've seen some rumblings on the Internet that it used to be high
quality journalism, but lately it had been going more downmarket of late. This
is "Internet opinion" of course, so I'm not sure what the real truth is. That
being said, if they are engaging in tabloid-style stunts like this these days,
this would sort of confirm what I've read.

------
nl
While perhaps (probably?) all the criticism of the papers is justified I'd
note that the subject of the doxing doesn't seem very concerned about it at
all.

------
asveikau
I agree with this article, but though I am no expert in this topic I do wonder
how much the wannacry perpetrators would actually go after this guy. Consider:

1. The fact that it was disabled so trivially was ultimately their own fault.

2. As we have seen, it was easy enough for them to change the logic to remove
the web request on the nonexistent domain and start spreading again.

3. Retaliation would not be without cost and risk. Acting on #2 instead is a
less costly, less risky action.

------
jlebrech
they came to the wrong conclusion that someone who bought a kill switch
domain, would have been one of the hackers. when in fact the kill switch was
firewall check (look for 502 rather than 404) and the person who bought the
domain kill switched it for everyone.

Sucky journalism strikes again.

~~~
vultour
Where did you come to the conclusion that they think he was one of the
hackers? Neither the link, nor the Telegraph article said anything like that
AFAIK.

~~~
jlebrech
you know the media, they'll let the reader make the conclusion.

------
neogodless
They may not use the term "doxxed" lightly, but they also don't provide a
definition for it. I have no idea what it means. I guess it means "give credit
by providing the name." Maybe?

~~~
arundelo
[https://en.wikipedia.org/wiki/Doxing](https://en.wikipedia.org/wiki/Doxing)

~~~
neogodless
Ah - while it's technically slang, it is defined in the dictionary -
[https://www.merriam-webster.com/dictionary/dox](https://www.merriam-webster.com/dictionary/dox)

My bad!

------
powera
Despite all the claims of "major cyber-attack", what I see here was a virus
that infected the entire British NHS, but otherwise had very little impact.

------
mr_spothawk
maybe it's some sort of "parallel construction" payback motive

------
retrogradeorbit
"no good deed goes unpunished"

