
De-anonymizing Users of French Political Forums [pdf] - adulau
http://archive.hack.lu/2013/dbongard_hacklu_2013.pdf
======
rolleiflex
The government could just as well pinpoint the hosting provider, and pull some
strings to take the site offline, then read through the captured database.
When the stakes are nation-state level, quite a large amount of very
disturbing things start to become practical.

Shameless self plug: They should be using Aether. (
[http://www.getaether.net](http://www.getaether.net) ) It's a distributed
network that creates forum–like, anonymous and encrypted public spaces—
something I created and launched a few days ago. It's an app I created for
this express purpose. I don't sympathise (at all) with their views, but no one
gets to choose who gets free speech and who doesn't.

~~~
comex
This sounds like an interesting project, and you should submit it as a link,
although I'd expect various concerns about security to be thrown around.

~~~
rolleiflex
I did, about three times. Nobody looks at 'new', apparently :/

------
maximegarcia
Very smart, I like it.

Gravatar is obviously wrong in its defense of the md5 choice. The md5 of an
email is way more significant as we know in advance the structure, and for 80%
of the population, we have a strong guess of the domain, the format. Rainbow
tables can be specialized for one domain (*@gmail.com) via the reduce phases
or for the "first_name dot last_name" structure... & so on.

~~~
nwh
There are also massive wordlists in the form of scraped and compromised emails
to look through.

------
abolibibelot
A little context here. The FDeSouche blog (a pun on "Français de souche" which
could be translated as "stock French" or "purebred French", really meaning
"White French") is an extreme-right blog whose commenters are pretty tame
compared to what you could read on, say, Pam Geller's site. The commenters
have internalized the French Hate Speech laws and mostly use innuendos.

The "mariage pour tous" (="marriage for all" i.e. same-sex marriage) was
opposed by a semi-grassroots movement called "la manif pour tous" ("the protest
for all") made mostly of our religious right. The protests were huge, and some
people have compared it to the Tea Party (minus the guns).

~~~
masklinn
> The protests were huge, and some people have compared it to the Tea Party
> (minus the guns).

And either better dressed or significantly less dressed (many, both inside and
outside the country, wondered at the existence of such fabulous anti-LGBT
protesters)

~~~
abolibibelot
The lack of self-awareness was hilarious:
[http://americablog.com/2013/07/frances-gayest-homophobes-str...](http://americablog.com/2013/07/frances-gayest-homophobes-strike-again.html)

------
rgovostes
I published an identical attack in 2010:

De-Anonymizing Web Communities with Gravatar

[https://web.archive.org/web/20111219233019/http://rgov.org/2...](https://web.archive.org/web/20111219233019/http://rgov.org/2010/11/27/gravatar/)

------
Udo
I'm surprised Gravatar claims the hash is about privacy in the first place. I
thought it was about generating a short, standardized URL.

If sites wanted to protect their users' anonymity, they'd cache the gravatars
with different file names on their servers. Also, as a user I would never sign
up for a site with my "real" address when I'm not comfortable with it being
known eventually, Gravatar or not.
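
[Added example, not part of the comment above or of any site's code:] a sketch of the caching approach described there, in which a forum rewrites Gravatar URLs to locally served files named by a keyed HMAC of its internal user id. The `/avatars/` path, `SITE_KEY`, the user id and the sample address are assumptions constructed for illustration; fetching and storing the image server-side is left out.

```python
import hashlib
import hmac
import re

# Matches Gravatar avatar URLs (hash plus any query string) in rendered HTML.
GRAVATAR_RE = re.compile(
    r"https?://(?:www\.|secure\.)?gravatar\.com/avatar/([0-9a-f]{32})[^\s\"'<>]*"
)

def gravatar_hash(email):
    """Gravatar's public identifier: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def opaque_avatar_name(site_key, user_id):
    """Cache file name: HMAC-SHA256 over the internal user id, never the email."""
    digest = hmac.new(site_key, str(user_id).encode("ascii"), hashlib.sha256)
    return digest.hexdigest()[:32]

def rewrite_avatars(html, hash_to_user, site_key):
    """Swap every Gravatar URL for a locally cached path with an opaque name."""
    def swap(match):
        user_id = hash_to_user.get(match.group(1))
        if user_id is None:
            # Unknown hash: serve a generic image rather than echoing it back.
            return "/avatars/default.png"
        return "/avatars/%s.png" % opaque_avatar_name(site_key, user_id)
    return GRAVATAR_RE.sub(swap, html)

def token_matches_email(token, email):
    """Regression check: True if a published token is just md5(email)."""
    return hmac.compare_digest(token, gravatar_hash(email))

# Constructed sample data (hypothetical key, address and user id).
SITE_KEY = b"constructed-demo-key-not-for-production"
EMAIL = "jean.dupont@example.org"
USERS = {gravatar_hash(EMAIL): 1042}
PAGE = '<img src="https://www.gravatar.com/avatar/%s?s=40&d=mm">' % gravatar_hash(EMAIL)

if __name__ == "__main__":
    print("before:", PAGE)
    print("after: ", rewrite_avatars(PAGE, USERS, SITE_KEY))
```

With the rewrite in place, the only token a visitor sees depends on a server-side secret, so it cannot be checked against a candidate address the way the bare MD5 can.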

------
dmix
I was ready to dismiss this as "de-pseudonymizing" people, because in order
for Gravatar to work (suitably well), they submitted their actual email
address to the website host.

Intentionally "anonymous" individuals don't use real email addresses.

But the slides turned out to be pretty interesting when it gets to the email
cracking part.

~~~
DanBC
> Intentionally "anonymous" individuals don't use real email addresses.

([http://ritter.vg/blog-deanonymizing_amm.html](http://ritter.vg/blog-deanonymizing_amm.html))

Here's an analysis of de-anonymizing posts to alt.anonymous.messages - those
people want to stay anonymous. They make some trivial mistakes.

> _Then I go into a large analysis of the types of PGP-encrypted messages
> there are. Messages encrypted to public keys, to passwords and passphrases,
> and PGP messages not encrypted at all!_

------
lstamour
I've often thought Gravatars were less-noticed privacy violations. Nice to see
that confirmed here. Of course, if the websites don't have SSL-always, then
governments can listen between your ISP and the web host to get your cookie,
and from there, get your email address or track your activity. This,
obviously, is more open since anyone can view a gravatar, or even previously
generated ones via archive.org.

~~~
selmnoo
Also noteworthy is that it's getting increasingly harder to even have
pseudonyms -- and not be outed.

About a week ago, I really wanted to get in touch with a HN user (who did not
have any contact information in his profile), so I set out to do a little
detective work... and after about 2 hours I basically got his e-mail address.
Innocently and guilelessly I wrote him a message, and I found him to be just
bewildered that I found out his identity... I felt very sorry of course for
having scared him like that. This was a big moment for me. Because I also
prefer to be anonymous on comment forums, and I'm generally pretty careful to
not give clues as to my identity, but I still can't help but wonder if it's
all gonna come back to me and maybe hurt my career in some manner.

~~~
unimpressive
Things I noticed going through your comment history:

Your race.

What car you drive.

Hints at your political ideology.

Where you grew up/that you're not originally from the United States/wherever
you live now.

You've undergone an IQ test in a professional environment.

You've probably donated to Lavabit's legal fund.

What OS you use, when you last bought a new computer.

Since you talk about a computer engineering class with 250+ people, you've
probably been to college. (Scratch that, you've definitely been to college.)

You have a first church of atheism near you, and are probably a member.

----

That seems like enough to uniquely ID you.

~~~
selmnoo
Oh boy.

Kudos to you for gathering a lot of good stuff, an A for the effort
absolutely. I should point out that you're off on /some/ things (or perhaps
more accurately: incomplete). For beginners, the OS I use -- you're thinking
Win8, but that's only on the laptop I recently bought. I've actually been
using Ubuntu for a couple of years on the main desktop. My race, car,
political ideology, place of birth, current residence, current religion,
religion of household I was born to, education you've got right. For my own
good I will stop confirming other bits of information, I think (hope) that
still leaves enough ambiguity to grant me still some freedom of anonymity (or
maybe I'll have to abandon this account after another week or so, I guess I'll
think about it). Oh, while I have the perfect chance to preach /why/ anonymity
is important: I have family problems, because of religious differences. If my
family found out my religious beliefs in full they'd be mad at me, that is
_one_ of the reasons I choose to be anonymous (in addition to a good many
others, relating to professional work life and other things).

One question: Why is my talking about being in a CE class of 250+ people not
conclusive enough information that I've been to college? And, what was that
/extra/ thing that made you confidently say 'Scratch that, you've definitely
been to college'?

~~~
lstamour
That'll teach me to make assumptions. I assumed Mac since you wrote somewhere
that you didn't have the Java web plugin; added 1 and 2 and got 4.

As to abandoning your account, I wouldn't worry about it. You're far more
likely to get a relative's interest some other way -- perhaps an event
notification on a smartphone screen, or the auto-complete bar in a browser.
The simplest approach is most likely though: dinner table conversation on some
evening in the future. :)

~~~
selmnoo
> That'll teach me to make assumptions. I assumed Mac since you wrote
> somewhere that you didn't have the Java web plugin; added 1 and 2 and got 4.

I don't have Java web plugin installed even on my Windows machines (indeed,
when I provided the link to the Rubik's cube page and complained about the
Java applet, I was on a Windows computer). A lot of people don't have Java
web plugins installed these days... seriously, try living life without it, it's
great (well, if you can -- I think a lot of people use it for work/school
reasons).

It's certainly not as needed as it was some handful of years ago for smooth
web browsing. So if you can go without the hassles of having to update it
god-knows-how many times, having different versions installed and being a mess on
the computer, having yet another thing running in the background, etc... it's
great. I really, really don't miss it.

------
korethr
Interesting.

What this shows to me is that md5 needs to die. Perhaps it was good in times
past, but now it is too easy to crack with commodity computer hardware. The
rig shown in the article costs <$2000 USD when priced out on newegg.com.
Top-shelf gaming GPUs are only going to get faster.

I was surprised to read that the right to freedom of speech is not recognized
in France. Anyone here from France willing to affirm or refute the article's
claim in that regard?

~~~
byroot
> I was surprised to read that the right to freedom of speech is not
> recognized in France.

It is. The French constitution states:

> The free communication of thoughts and opinions is one of the most precious
> rights of man; every citizen may therefore speak, write and print freely,
> subject to answering for the abuse of this freedom in the cases determined
> by law.

Which means that you have free speech, BUT, you can be prosecuted if you abuse
it as defined by the law. Examples of common abuses: defamation (the most
common), incitement to ethnic or racial hatred, privacy violation, historical
revisionism, intellectual property infringement, etc.

But except for "incitement to ethnic or racial hatred" and "historical
revisionism" it's mostly the same in the US.

Also, it's not all about the law: during the same-sex marriage debates, a lot
of homosexual people got beaten by far right / nazi-like groups.

~~~
haiduc
> a lot of homosexual people got beaten by far right / nazi-like groups.

This IS a lie. Do you have any sources?

There has been one attack on a gay couple, hugely used by the government and
their supporting media. Newspapers have implied (no facts) that the culprits
were members of the strike against same-sex marriage or far right activists.
There was then a huge huge buzz to shame the strikers. And finally, 4 months
later, the police arrested 4 youths: 3 in a "cité" (public housing, "ghetto")
and one was already in jail, all of them well known to the police services for
acts of violence.
[http://www.leparisien.fr/paris-75/agression-homophobe-a-pari...](http://www.leparisien.fr/paris-75/agression-homophobe-a-paris-les-auteurs-presumes-arretes-20-09-2013-3153685.php)

Some people in the comments do say that the police delayed the arrest so that
the government could shame the protesters against same sex marriage.

One more thing, the man beaten reacts to the arrest on a far left web site.
[https://bellaciao.org/fr/spip.php?article137205](https://bellaciao.org/fr/spip.php?article137205)
And he is in complete denial, not being able to recognize that those who beat
him have nothing in common with those that protested against same-sex
marriage.

~~~
byroot
> This IS a lie. Do you have any sources?

What's the "lie", the aggressions or the fact that it comes from far right
groups?

If the former:

[http://www.france24.com/fr/20130421-climat-homophobie-agress...](http://www.france24.com/fr/20130421-climat-homophobie-agression-insecurite-mariage-pour-tous-extremisme)

> 1200 aggressions on homosexual people in the first 3 months of 2013 compared
> to 1 556 in the whole of 2011.

Almost 4 times more than usual, is it enough for you?

About the authors of the aggressions:

[http://www.lemonde.fr/societe/article/2013/09/04/bar-gay-sac...](http://www.lemonde.fr/societe/article/2013/09/04/bar-gay-saccage-a-lille-un-an-de-prison-requis_3471318_3224.html)

Are skinheads far-right enough for you?

But of course, skinheads are probably not behind ALL these aggressions, most
of them are probably "standard" homophobes.

~~~
olivier1664
Your first source speaks of "verbal aggression", you cannot take that as
proof for 1200 physical aggressions.

"The organization (SOS homophobie) received three times as many calls and
emails between January 1 and the end of March (1,200 people over three months,
compared with 1,556 over the whole of 2011)." "These figures are an important
indicator because they make it possible to measure the unleashing of
homophobic speech."

------
yetanotherphd
Great article, and they make a good point that it is the right-wing whose
political freedoms are most threatened by attacks against anonymity.

------
telephonetemp
Interesting preservation. I also couldn't help but notice that the slides
themselves were beautiful. I wonder if they were generated using a recent
version of, e.g., Microsoft Office (the fonts look like those used in Modern
UI) or if there's a beamer theme that looks like that. If there is one, do
tell.

~~~
telephonetemp
"Interesting preservation" should read "interesting presentation".

