
How I got my username on nearly every site - edent
https://shkspr.mobi/blog/2019/07/how-i-got-my-username-on-nearly-every-site/
======
a254613e
Considering the relatively short response times the original owners were given
in some cases, and you do not gain anything from having all those usernames I
think what you did was kind of a dick move.

And because of that you'll use it to acquire even more usernames.

You opened a dispute to take someone's chat/telegram name... Not cool. What if
the person was active but just didn't want to reply to you? Why would they,
you don't own the rights to that username. What if they were away for personal
or health reasons temporarily?

You're not a brand. You're not a product. You're someone who has those letters
in your name, just like I'm sure a lot of other people.

What gives you the right to claim those usernames more than anyone else? In
some cases it seems what gives you the right is just the fact that you
bothered support, or opened disputes, to give you a name on another service
then used that fact to get more of them.

~~~
edent
I agree with you. But I didn't make the Telegram policy - they did.

If you want to keep your username, the lesson here is to read the T&Cs and
comply with them.

And, as I say several times in the blog post, I don't have the right to that
combination of letters.

~~~
always4getpass
So you're suggesting that everybody should read the miles long terms for each
website they subscribe to, otherwise they do not have a right to keep their
username.

And I'm not sure that abusing an unethical system waives you from the morality
of your actions.

The only lesson you're giving here is about you. But hey, any publicity is
good publicity right? You're enforcing your 'brand' after all. \s

~~~
driverdan
> So you're suggesting that everybody should read the miles long terms for
> each website they subscribe to

Absolutely. You should never agree to something you haven't read.

~~~
always4getpass
Oh so I guess the fact that there are whole organizations[1] devoted to
reading the absurdly enormous TOS means nothing, and studies[2] that suggest a
major percentage isn't reading them are false.

I will not believe you if you state that you read the TOS for every site you
register on, every program you install.

[1] [https://tosdr.org/](https://tosdr.org/)

[2] [https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757465](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757465)

------
piyush_soni
Wow. You know it is inconsiderate of you to do that, but you are still sharing
details on how you did it as if it's an achievement. Most people want the same
username on all websites, but really, one month of inactivity is a very
short period of time to kidnap someone's username. There are companies that
give six months (or more) of maternity/paternity leave alone.

~~~
edent
I agree. I was shocked that some sites only gave 48 hours notice.

What are you going to do to protect your accounts now you have that knowledge?

~~~
MagicAndi
Terence, I love how you are throwing it back on others to protect their social
media account names from being snatched by people like you.

[Edit] Corrected typo in Terence's name.

~~~
edent
When I started out doing this, I thought it would be a lot harder to grab the
names. And I thought it would take several months. Frankly, a month isn't long
enough and 48 hours is downright shocking.

~~~
homonculus1
...Then why do you continue doing it?

~~~
sieabahlpark
Because he doesn't want it to happen to him?

~~~
piyush_soni
So if you don't want to get robbed, you rob everyone else in anticipation?

------
TazeTSchnitzel
> When YouTube first started giving out names, they used Google+.

When YouTube first started giving out names, Google+ didn't exist.

Then there was the merger of Google accounts with YouTube, then there was the
merger of Google+ profiles and posts with YouTube profiles and comments to
inflate G+'s stats and force people to use it. Despite all that churn, I don't
think old YouTube usernames from 2006 ever stopped working.

~~~
edent
Ah, that may be my confusion. I obviously got the ability to add a name at
around the same time as G+ did its weird merger.

I'll correct the post. Thanks!

~~~
TazeTSchnitzel
Mm, I think perhaps usernames died with Google Accounts and then they added a
new feature to choose a short URL for Google+ or something.

~~~
woodrowbarlow
nope! i have a youtube account that i never migrated. still shows my original
username everywhere.

~~~
TazeTSchnitzel
I don't mean that usernames were removed, just that you couldn't create new
ones for a time (also, I don't know if the new system is technically a
username or not). Just to clarify.

------
serf
i'm sure the former owners of 'edent' are _ecstatic_ about your hobby.

I imagine, somewhere, a family with a dead relative, 'Emily Dent' in my
headcanon, is trying to log in to _their_ edent to download the family album to no
avail.

~~~
edent
They should have been born to someone with a more unique name...

But, more seriously, I've only claimed inactive accounts. If there was
activity on them - or any content - I'd be less inclined to proceed.

~~~
paulirwin
There usually isn't activity on dead people's accounts that are memorialized.
I'd be incredibly heartbroken if someone took my deceased younger brother's
accounts because he's "inactive".

~~~
edent
I'm sorry for your loss.

I know Facebook and Twitter have memorialised account options which prevent
them being taken over. I wonder how many other sites are so considerate.

Here in the UK, it is common for phone numbers to be recycled. Which is
distressing when you start receiving text messages from a dead relative.

~~~
paulirwin
Another anecdote: a friend recently had a stroke and was unable to use his
phone or computer for many months. I'm sure his grieving, caregiving family
members were not thinking about the ToS specifics of his social media accounts
to make sure he didn't lose his memories and identity online.

I think it'd be helpful to have a better definition of "inactive." If the user
hasn't posted _anything ever_, and they don't respond, then sure, that's hard
to defend. I think that's fair. But if the user has posted
content/code/whatever, it's unfair at best and ethically reprehensible at
worst, especially in cases where there isn't a memorialized option, to take
over their account just because they don't respond to an email within the
window of the ToS. There are lots of things that are technically allowed by
law or policy that don't make one that takes advantage of them any less of a
subjectively terrible person.

If you had approached this from a perspective of "look what can happen to your
account" as a security research experiment, that would have been received
better than "look at all the people, including those deceased/incapacitated
people whose loved ones may be heartbroken, that lost their accounts to me so
that I can have a vanity username."

~~~
edent
Perhaps I should have made myself more clear in the blog post.

NPM - the account had no activity on it. No code, no linked accounts, and no
avatar.

SoundCloud - completely dormant account. They'd posted no content. They had no
public activity.

Telegram - user didn't appear responsive. I hold my hands up on this one, it
might have been someone using the account.

Those were the only three accounts I could claim. I was not able to claim any
accounts which were in use, or had content on them.

And, like you, I think these services should have a better way of protecting
accounts.

------
anc84
Someone please take over this dormant account:
[https://www.npmjs.com/~edent](https://www.npmjs.com/~edent)

~~~
grkvlt
His account has a published package available that was pushed about 3 months
ago - hardly dormant, and based on their disputes process [0] it seems
unlikely anyway:

> To dispute a user name [...] After 4 weeks, if the owner has not responded,
> support will address your request. The ultimate outcome is at their
> discretion and judgement.

And this statement on squatting confirms that it would be 'extremely
unlikely':

> We are extremely unlikely to transfer control of a user name, as it is
> totally valid to be an npm user and never publish any packages: for
> instance, you might be part of an organization or need read-only access to
> private packages. If a user has not logged into their account in a long
> time, we may consider transferring a name if it is requested by a new user.

0\. [https://www.npmjs.com/policies/disputes](https://www.npmjs.com/policies/disputes)

~~~
anc84
There was no activity on the package for 3 months when I wrote this! By his
logic, that would qualify for someone else to take over the account if they
like the username.

------
vinceguidry
Real name policies bother me a lot. They're just about the laziest and most
personally-intrusive way to get the worst kind of legibility into your user
base.

I don't often wish for legislative resolutions to social ills, but if anything
needed a law, it's this. Maybe California or the EU will take up the torch.
Ideally both, I don't want companies evading these kinds of things by
bifurcating their userbases.

------
Tepix
I use a different name on every site. Far too much pervasive tracking as-is, I
don't need to help the stalkers, headhunters, employers, etc.

I recommend you do the same.

~~~
edent
Which is great, until the Tepix on Twittergram starts posting violent messages
- and then you get conflated with them.

Having a unified identity is a risk - but having a unique identity is not
risk-free.

~~~
Tepix
I find that hard to believe. However just in case that's why in my profile I
mention this very fact.

Looking at your .tel page I can tell that you don't have any issues with being
tracked all over the internet.

~~~
edent
Yes, I tend to post stuff that I'm happy with under my real name.

For other stuff, I take your approach and use diverse aliases.

------
neilv
We have long associated usernames with identities, and assigned trust and
obligations to those.

One of the first places this was recognized is email addresses. Reassign the
email address username, and the new person might receive sensitive email
intended for another person, and also impersonate them for some purposes,
accidentally or intentionally.

(Additionally, today, with all the creepy mass intimate profiling that's going
on, both parties linked to the same address could have their profiles tainted
in ways undesirable to them.)

A service transferring usernames to another party, simply because that party
would like to have that particular username (not because of some separate
transfer of some functional role), seems questionable security. I'm surprised
the first example from the article, NPM (who should be security-paranoid right
now), would permit something like that, as a matter of policy, even if it
wasn't obviously a direct threat in this instance. And then the next example
-- Telegram -- is also a concern.

------
cygned
I was on the same way - but stopped because of privacy concerns. Especially if
the name is sufficiently different from others, it is becoming fairly simple
to research people.

------
tablethnuser
I stopped doing this recently because it makes password breaches devastating
and online tracking easier. Now the only stable screen name I use is for my
professional persona. Everything else I sign up with whatever random screen
name is in my head at the time. Some of them I toss in the password manager,
effectively making it also a username manager. Others, like HN, I don't store
the username or password at all. Once the session dies for whatever reason I
just make a new account. It's very freeing!

~~~
llamathrowaway
While I understand the privacy/tracking problems, why would password breach be
a problem, if you are already using a password manager which would supposedly
make it easy for you to use different passwords on different sites?

~~~
aiyodev
Not op but I think he means that he would get flooded with login
attempt/password reset attempt emails from other sites when a username is
leaked. Even though his password is likely safe, he would still have to log
into each one of these services and update the password to be sure.

------
mmastrac
While I don't necessarily agree with this author's motivation, I do wish that
there were easier ways to claim names from Twitter/etc.

For example, someone camped on the twitter name for progscrape.com
(twitter.com/progscrape) and then got it suspended. Twitter won't release a
name like that unless you've specifically got a registered trademark. That's
pretty expensive for a side-project.

There _should_ be a balance in releasing names in a global namespace, but it
should err on the side of not taking names away from legitimate users.

A one-year waiting period is probably a decent balance.

------
duub
This post reminds me of a podcast episode of "Reply all". In episode "#130 The
Snapchat Thief", less ethical ways of obtaining certain usernames become
clear.

------
stunt
Are you really active on all those websites? Otherwise someone is going to
take some of your dormant accounts next year.

~~~
edent
I try to be, yes. And now I know what their policy on inactive accounts is, I
will comply with them.

This was sparked off by Tumblr emailing me asking if I was happy to relinquish
an old, abandoned account.

------
beilabs
> Usernames are hard. Perhaps, in an ideal world, we'd all use Indie Auth and
> use our domain names as our usernames. I'd be twitter.com/shkspr.mobi, for
> example.

Can we use our domain name as our username on twitter? Is dot a restricted
character?

~~~
edent
Twitter only allows a-z, 0-9, and _

So no domain-names-as-usernames there.

~~~
hannasanarion
You can use the first half of your domain name. I saw that on a business card
once, the guy wrote his email and then highlighted and labeled the parts of it
for Twitter and Mastodon.

------
xwdv
I have a username I’ve been wanting to get for years on Twitter, the last
tweet the account holder sent out was in 2014 and they’ve only posted like 20
tweets, so highly unlikely to be an active user.

Yet twitter never seems to release the inactive account, despite claiming they
may permanently remove inactive accounts. I’ve reached out to the owner
several times; no response. I’ve considered resorting to blackhat solutions
and taking matters into my own hands.

~~~
loriverkutya
Because a username on twitter is so important that it's even worth breaking the
law. Your values are really interesting.

~~~
xwdv
Or rather, an inactive twitter name is so unimportant no one will notice if I
break a law.

