What could possibly go wrong?
No, he wants to be left alone because it endangers his life to reveal his identity. Jesus, do people seriously expect someone that's done heroic deeds like this to jump out and scream "I am Batman"???
I would've liked to see the journalists find the hackers behind this. That would've been an achievement indeed.
Which leaves the "civil" part. Because he said "whore" instead of "prostitute".
Certainly from now on, you'll be moderating people for using the ugly word "hacker" instead of "security consultant/researcher", right? It really (still) has the same bad name among people not well-acquainted with the biz. And no, it doesn't matter that some people chose to wear the "hacker" title with pride, because guess what? So do most whores.
To add substantively to the discussion myself, here's an open question. I'm having a real hard time coming up with a phrase two words or less, that communicates this aspect of journalism as accurately as "attention whoring". How would you say it?
The comment 'sctb responds to has very little substance, adding little to the conversation other than castigating its parent for assuming that people (journalists in particular) ever strive to do anything other than follow their basest instincts, that all journalists only seek attention. You add some nuance ("this type of journalist") which is entirely lacking in the original. The phrasing is also aggressive and does not invite further civil and substantive responses—hallmarks of comments that are not appropriate for HN.
How do you figure? Digging through information and finding out this sort of stuff is literally what journalists do for a living.
If a journalist can find it - any internet layman who knows how to Google can find it.
I would like to find a white hat site that prepares a report on what they can find about you.
(For the record, my reddit account has a different username than my HackerNews account)
To me there seems to be an inherent catch-22 involved in that. To be responsible, you have to confirm the person requesting the information is the person that wants doxxing. In providing evidence you are who you say you are, you're seeding that company with information to better find you that might not be easily found otherwise. It would take a strict separation of the sales and operations teams, to make sure this was a useful and accurate service, and with all that work it likely wouldn't be cheap.
Presumably you'd want to get paid up front, since you'd have done all the work in either case.
"Here is a link to an encrypted report containing info on what we found. Please verify your ID and we will give you the key."
>I've been wondering if it is possible to dox my Reddit account.
You can make it much more time consuming and more difficult (read: but not impossible) to do so by using this userscript as frequently as possible: https://greasyfork.org/en/scripts/10380-reddit-overwrite
I personally run it for all posts older than 2~3 weeks (when activity/relevance of the post is nearly equivalent to "0").
Some sites still archive posts w/o updating for any future edits, there is web cache, etc. But those are far harder to search and tie together than simply browsing your comments on your profile. Note that some subreddits may ban you for using it and you'll get a bunch of AutoModerator posts asking you not to do that because of thread integrity and blah blah blah.
* In communities where people buy and sell things, or offer pay for services (e.g. /r/forhire), a glance at someone's account history provides some insight into their likely reliability. It's not much to go on, but that's inherent to doing business with strangers online.
* In many communities, previous discussions are full of useful information for future readers. Removing half of a conversation often ruins that utility.
Trivially solvable with an alias used exclusively for such dealings where you don't scrub history. Also, as mentioned, it isn't necessarily that good of a rule anyway. Better than nothing but not necessarily by much.
>In many communities, previous discussions are full of useful information for future readers. Removing half of a conversation often ruins that utility.
I value my personal privacy (and time) more than any use my conversations will have for future readers. I don't have the time to selectively edit/delete hundreds of posts. One argument against this would be to "post less" but then many of those "useful posts" may not have ever been made to begin with so there isn't a net difference.
Also - quoting the most relevant bits of a post in your own post helps retain at least some context. Even if you were to edit/remove your post now - I have two pieces of it quoted that a future reader would at least have some context as to our conversation.
It's a little difficult for me to wrap my head around the mindset though: if you're concerned about privacy, why would you post anything sensitive to reddit? If you haven't posted anything sensitive, why delete it? I'll admit, I've never been the victim or perpetrator of doxxing, so I may be missing something.
Most people leak information constantly and each bit or byte of information by itself is not important. However, in aggregate, people leak enough information about themselves to have it become sensitive information. What can be seen as harmless on its own can lead to more sensitive/"harmful" information being gathered.
For an example, let's say you share a photograph of yourself somewhere in London. Maybe you went on vacation, a business trip, a family visit, a honeymoon, etc. There are plenty of reasons to be in London one time! Now over the period of 10 years you've shared a few dozen photos of yourself in various places of London. What are the chances you live in London? Would you say the chances are higher than if you had only shared a single photograph?
Likewise, information that doesn't seem sensitive on its own can become incriminating when combined with other evidence. Scrubbing everything therefore is the best way to ensure you aren't leaving anything behind. It's also a lot easier to scrub everything than to read over years of post history to see if you've ever shared anything you maybe shouldn't have.
So I guess my opinion is: radiating that information is not really an issue, and any problems arising from it are best solved elsewhere, and not by becoming a digital hermit.
Not sure I'd want to see a community where people removed useful content on a whim because they were that worried others would use it against them.
Used to, when I really used reddit. Now I basically have a different account in each device to upvote/downvote.
I just creeped your whole comment history and you only leak a small pattern of facts here (country, gadget, a couple repeated interests).
The interest related subreddits would likely still be a pretty huge haystack.
News organizations have access to many non-public databases.
for lack of a better term
It's like, almost every front door lock can be broken, or circumvented by smashing a window. Leaving your front door unlocked and open however, creates opportunity, that really increases the danger of burglary.
The people behind wannacry targeted Russian banks. Chances are they already died of unexpected radioactive contamination, accidental stabbing, or unfortunate neuro-toxic poisoning.
Anyway, comparing these journalists as "sphincters of bad journalism" is probably even too positive. Unlike sphincters, that do have a useful purpose, tabloids could be wiped out of this planet without any negative side-effects.
Do you have a reference for this?
It's definitely weird, but there's a reason (https://www.theguardian.com/world/2012/apr/25/mi6-gareth-wil...) that they considered this as a real possibility:
> But his former landlady, Jennifer Elliot, told the inquest that three years before his death, she and her husband had heard Williams call for help at 1.30am from the annex flat he was renting from them in Cheltenham, where he worked at GCHQ.
> They let themselves in with the spare key and found the codes expert lying on his back on the bed, in boxer shorts, with his hands tied to the bed posts with material so tight it had cut his wrists.
> In a statement read to the inquest, Elliot said she and her husband had both been in shock. Her husband asked Williams: "What the bloody hell are you doing?" Williams told them: "I just wanted to see if could get myself free."
> The statement added that he did not appear sexually aroused, and was "very embarrassed, panicky and apologetic."
> The couple, who never spoke to anyone about the incident, said they concluded it was "sexual rather than escapology".
Tie one hand very tight. Use a loop of rope for the other wrist, and loop it round the wrist too many times squeezing the hand through.
Use unsuitable rope
Use ratchet handcuffs and over tighten.
And SIS/GCHQ wonder why they have such a hard time recruiting staff.
I don't think anyone much thought it was anything but an extremely suspicious death. In many ways matching almost too perfectly the imaginary world of Spies we like to watch/read about.
Also can anyone point me to resources on preventing doxing while hosting a website? I want a checklist of things that can possibly leak my identity. For example:
- Some basic stuff is use whoisguard and don't reuse any existing hosting / cloud infrastructure or even google analytics accounts
- But for new accounts, does using real credit card information matter? I am not sure how easily a company will give that information up. For example how hard is it to social engineer or get a court order/subpoena for it?
- Even then you can still be fingerprinted by ip, browser agent, hardware if you ever even log in with the same computer. For example HN certainly knows who my alts are just by checking request logs ip.
- What about sharing similar coding style / code base? Or even just speech/writing patterns? Is NLP sufficiently advanced to fingerprint you by that yet?
Are some of these too paranoid? I really think there's no way to fully prevent doxing for anyone sufficiently motivated. What's actually good enough in practice?
With anonymized currency, then you're free to start signing up for stuff. If a site doesn't accept Bitcoin, use Localbitcoins.com to buy a prepaid debit card (Visa/Mastercard). If a site insists on a phone number for confirmation, use a darknet market to buy a pre-made Google Voice account. You can't access it over Tor or it'll get blocked, so use darknet markets to rent a Windows client box ($10-20 a month) so you have a "clean" IP and Google won't block you.
Then it's a matter of not giving away your info. You should adopt an entire persona when you're doing anything related to your site. Come up with a backstory (name, location, etc.). Ideally, none of this would matter: You're over Tor and using an entirely separate system for everything related to the site. But from the indictments I've read, it seems like a lot of first steps in finding someone's ID are just going off small hints. The way they write, mentioning the weather, etc. I would assume it to be very effective to fake these things. (For instance, notice a flood in a part of the country. Stay offline during the flood. When you get back on, write a small note that you had to be away due to flooding.)
None of this will protect you from an adversary that can correlate your home-connected-to-Tor times with site-gets-updated-times. But it'll stop people without that access, even if they're willing to fake a subpoena/warrant/etc. to your registrar/hosting provider (easier than you'd think). And hell, it doesn't always take a legal order to get those details; social engineering can do it just fine.
The Whonix wiki goes into lots of details on all this: https://www.whonix.org/wiki/DoNot
1: I asked Wells Fargo and they claimed they don't keep track of serial numbers and have no way to do so, but it seems so trivial I wouldn't believe it.
> MalwareTech doesn’t give out his name on his Twitter page or blog. There are no headshots. It’s obvious that he just wants to be left alone to get on with what he enjoys – hacking shit, and figuring out how stuff works.
For a modern mainstream internet user, who sees that everybody goes with their real names and photo (except trolls), it's not obvious.
> stalking other people’s Twitter and Instagram accounts
How can reading information that people have voluntarily posted online for everyone to see be called "stalking"?
> The weird emphasis about his fondness for pizza, and how he works from a small bedroom in his parents’ place? That shows they don’t actually respect him, or what he’s accomplished.
To me, it shows just that they were interested to paint a picture of a human being instead of just a username. I feel that HN audience is very used to talking to someone whom they know just by a nickname, with no personal details or information - but for the general public, the concept of "anonymous hacker" is not associated with anything good.
> Why do I need to know his age, and that he enjoys pizza? Why do I need to know his name, or know what he looks like? Does anyone care that he enjoys surfing? It adds nothing to the story.
Look at any NYT or Guardian longread about a complicated issue that touches a lot of people - instead of analyzing statistics (as I personally would prefer), they always include an individual story or two, with unrelated personal details, to make the reader feel "connected". Only logical to assume that, while to me, and probably, to HN reader, this is just irritating and distracting, that's what "general public" wants to read about.
An association that's largely created by these tabloids in the first place.
"that's what "general public" wants to read about"
Maybe, but if that's what's required, they should be requesting an interview with him and only reveal what he agrees to reveal. If he wishes to, that could lead to a more insightful look at a man and his motivations rather than random paragraphs about pizza and surfing.
If he chose not to reveal anything, a responsible journalist would accept that and understand that the man has reasons for wishing to stay anonymous. Not dig into his information and publish it anyway, leading to both him and his friends being needlessly harassed for preventing crimes. At the very least, this could lead to future would-be Samaritans from deploying fixes or publicly detailing their methods.
At least they managed to increase their clicks with some facts rather than just making things up, I suppose.
I'm not saying that the current state of affairs is good or defending it; however, I think that the blame is misplaced and the problem lies in culture clash, not in malice (as often happens with the media).
I mean, you're right about his age and pizza and hobbies. They turn a tech-news story ("Major malware attack stops") into a human-interest one ("Meet the man who saved the internet"), which plays way better for these papers. The general public, or at least their readership, probably does enjoy those details.
And I suspect they didn't exactly consider this 'doxxing'. It's a less invasive piece than a lot of what they run, and the information was available via public sources. The Sun in particular considers felony phone-tapping fair game, so this is almost chivalrous by their standards.
But... none of that justifies a damn thing. The general public wants plenty of things that are harmful or illegal, and we don't accept "people wanted it" as a defense of those things. The Sun, as I mentioned, proved that point in spectacular fashion.
Even conceding that the information was available, this isn't something excused by decent journalistic ethics. Publishing nominally-positive personal accounts about people without any attempt to contact them or let them request redactions is pretty odd. Showing up at their friends' houses without notice or interview requests to the main player is bizarre and unwelcome. Offering real name and location info on someone who just interfered with a major criminal action is downright irresponsible - he made the info available in the past, but might have felt pretty differently after interfering with this attack. Using his Twitter photos (unembedded) is comparatively harmless, but it's also illegal!
So yeah, I see why there was a human-interest piece run here. But that doesn't actually justify how the thing was handled.
Really, a remark like that is on the same level as someone calling mathematics "pointless and kind of boring".
What makes it particularly not-pointless, is that it allows one to discuss these things without you having to feel any need to defend yourself because indeed you didn't say anything about "excuse" or "justify".
Similarly, math allows us to say "two plus two equals four" without anyone having to jump in and clarify that they never said it wasn't four.
It's absolutely no excuse for the doxer.
The researcher's blog (posted on HN earlier) said that although originally he thought it was a kill switch he now thinks it was just a clumsy attempt at detecting whether the worm was running inside a sandbox.
Apparently, worms will often do that sort of thing - call out to an unregistered domain to check whether they get a response indicating that they're not really connected to the internet. Except the ones that do it right call out to some random domains and this one had it hard-coded (either because the creator of the worm was a numpty or because they forgot it) (and therefore, a numpty).
So it probably wasn't a kill-switch in the sense of a failsafe, as it was reported in the press.
No, actually. They're showing that he fits into the archetypical British bedroom hacker/programmer genius, which is very highly respected in the UK, and produced the likes of Matthew Smith, David Braben, etc. It looks like the author of this article wasn't around in the 80s, so perhaps he's not familiar with this history.
Edit: I fit into this category myself, and I'm not offended at all.
It was a pretty shitty thing to do.
Once you personal preferences because you happen to be ideologically aligned with a particular news source, I have a hard time seeing how pretty much any of the major mainstream media outlets is better or worse than any of the others. (Yes, this includes the New York Times, too.)
Ironically, I was just complaining on HN a couple of days ago about the near-death of investigative journalism and how when historians go to assign a date for that event it'll probably be in the past. So it's even more egregious in some ways than I think it initially sounds that these journalists dox'ed this guy... they don't seem to have the resources to do much truly investigative journalism nowadays, and this is what they spend those scant resources on! Why not just come out and tell us all that they're too afraid nowadays to do any investigative journalism on anyone with even a hint of power?
Tabloid journalism doesn't exactly have a stellar history of responsibility. Unfortunately this sells for some reason.
However, I've seen some rumblings on the Internet that it used to be high quality journalism, but lately it had been going more downmarket of late. This is "Internet opinion" of course, so I'm not sure what the real truth is. That being said, if they are engaging in tabloid-style stunts like this these days, this would sort of confirm what I've read.
1. The fact that it was disabled so trivially was ultimately their own fault.
2. As we have seen, it was easy enough for them to change the logic to remove the web request on the nonexistent domain and start spreading again.
3. Retaliation would not be without cost and risk. Acting on #2 instead is a less costly, less risky action.
Sucky journalism strikes again.