A lot has been said about the outing of Roissy by LR, a woman who he had an online beef with. I’m not going to link to all of it because frankly it’s rather pathetic on a variety of levels and if you’re reading this, most likely you already know what’s happened and/or you have an interest in not being outed yourself.
One thing I noticed was that other bloggers were saying “Well, I don’t put personal information about myself on the web, much less give my name to journalists, so the chances of it happening to me are nil.”
Have you hinted at the general vicinity of where you live? You’ve already given away a valuable lead if someone is determined to find out who you are.
What I’m talking about here is protecting yourself from people who have intermediate to advanced computer skills, a lot of time and the willingness to drop a few dollars if need be. In fact, most of the techniques used to find someone are completely legal, and most of those that aren’t are not “hacking” per se but misrepresentation in the form of social engineering.
I don’t claim to be all that skilled with computers or some sort of genius at maintaining a protocol for privacy; after all, I don’t conceal my identity. I don’t do so because I’ve learned it’s just easier to say what you believe in a subtle way rather than being inflammatory or picking fights with people. I learned that lesson the hard way.
Back in the mid-90s I had pretensions of being some awesome hacker and phone phreak when all I was competent enough to do was load a Unix shell and run scripts. I had a big mouth and someone took it on himself to school me. I was lucky and merely endured some minor harassment in my offline life for a couple days, enough to chase me from where I was hanging out. It could have been much worse, especially if it had been later and I had gotten 911 slammed like a friend of mine got (911 slamming is when someone spoofs the phone trunk system into thinking a call is coming from a certain address when it’s not, usually to get a SWAT team out to raid the unsuspecting inhabitants; it still happens from time to time on systems that haven’t been upgraded or patched to fix that loophole).
Suffice to say, it was hellish and I would not wish it on my worst enemies. Since then I’ve attempted to keep up with the times with regard to personal security as best I can. As stated before, I don’t claim to be an expert and if anyone has any corrections or additional advice, please tell me!
1. Given the circumstances of what prompted this post, I’m going to a priori assume that you are a person posting things online that others would find morally offensive and/or shocking with regard to mainstream mores. While there are ways of finessing the kind of impact you have in stating them, let’s say you’re trying to go the Bill Hicks route. Okay, so you’re saying stuff that could harm your professional and personal standing if it got out, so anonymity is important.
2. If you’re going to do this, avoid making personal online enemies. What that means is not going out and personally attacking someone instead of their views. Above all else, don’t do stuff to them online that you don’t want done to you, namely de-anonymizing them. It doesn’t matter if their MySpace page is public and they have the shittiest protocol around. It’s context that matters here, not the content.
As a corollary to this, do not fuck with someone’s family even in the slightest, particularly a mother’s kids. Really, you do *not* want to trigger that maternal protective instinct.
While this won’t prevent obsessed people from trying to find out who you are, these personal habits will cut down on their number greatly.
3. Do you know what your IP number is? I suggest you get to know it, because everywhere you go on the web, you’re leaving its little imprint behind, and once someone has that, a multitude of doors open. Oh, and God help you if you’re surfing from your work or school where most stations don’t have floating addresses and stay on overnight.
Do you post on boards where the admin hates your guts? He has your IP number. Do you even just visit to lurk? Chances are he can log your number if he has the know-how.
Do you use Hotmail, Gmail and all that thinking it keeps you anonymous? Nope, your IP is hidden in the header data. All someone has to do is create a fake account, e-mail you a question and poof, with your reply comes the key to the kingdom.
Now back in the days of dial-up this wasn’t so much of a problem; it would just lead you to the location of your service provider’s server. Nowadays cable routers, wireless hubs and all the rest of that stuff take you straight to your address (or the near vicinity many times). Want to know something scary? It’s pretty damn easy to geolocate from an IP number. There are websites where you just pop it in and out come GPS coordinates. From there you can imagine what you can do with Google Maps, Google Street View and the rest of those.
Sure, they’re not going to get your exact name and address from your IP, but with time and money for a PI or a for-pay info-bank, or time and the willingness to lie, they can get it pretty quickly from that. Remember what I said about saying where you live in general? Makes it real easy, bub.
Okay, so how do you protect yourself? Easy. Anonymous proxies. Whenever I need to go somewhere I don’t want my IP to be logged, I use Tor, which is a handy-dandy program that uses an encrypted series of tubes (heh, look into it and you’ll see why it’s a good metaphor) to make you essentially untrackable, so long as you don’t do stupid shit like post your pattern data or say who you are. It’s not that hard to use either. It is too slow if you’re going to be doing much downloading, but if you’re like me, it’s mostly just an occasional safety measure.
Also get a verified anonymous remailer if you don’t want to log into Tor just to check your Hotmail.
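A self-check for the header leak described in this item, added here as an example and not the author's code: send a message from the account to a mailbox you control, save the raw headers, and see which lines carry your own connection's address. The sample message, the choice of `X-Originating-IP` as the header to inspect, and the function names are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (documentation-range addresses, made-up hosts).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.45] (cable-45.example.com [203.0.113.45])
\tby mx.example.net with HTTP; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
From: pseudonym@example.net
Subject: self-test

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CLIENT_HEADERS = ("X-Originating-IP",)  # header some webmail services add
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external_ips(text):
    """Return unique, valid, non-local IPv4 addresses found in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1
            continue
        if candidate not in found and not any(ip in net for net in LOCAL_NETS):
            found.append(candidate)
    return found

def audit_headers(raw):
    """Map header name -> addresses that point at the sender's own connection."""
    msg = message_from_string(raw)
    findings = {}
    for name in CLIENT_HEADERS:
        ips = [ip for value in msg.get_all(name, []) for ip in external_ips(value)]
        if ips:
            findings[name] = ips
    received = msg.get_all("Received", [])
    if received:
        # Each relay prepends its own line, so the last one is the first hop.
        # Only its "from" clause describes the machine that submitted the mail.
        from_clause = re.split(r"\sby\s", received[-1], maxsplit=1)[0]
        ips = external_ips(from_clause)
        if ips:
            findings["Received (first hop)"] = ips
    return findings

if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

An empty result means neither the first-hop `Received` line nor the checked header exposes a non-local address for that message.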
4. Is your password secure? In other words, is your password a combination of letters, numbers and random characters that is impossible to brute force using dictionary attacks? Is your blog protected against scripts that run dictionary attacks (i.e., is access blocked after a certain number of failed password tries)? Are the blogs you post on protected? Is the security protocol with regard to passwords strong even in blogs where you are a welcome member? Do you use more than one password?
These are all questions you need to ask yourself. You can have an awesome 16-character random password, but if you’re using the same damn password whether it’s your online bank account, your blog, ten message boards and the shady little place you download pirate torrents from, you’re an idiot.
5. If you post pictures that you take on your digital camera to your blog, do you make sure your EXIF data is stripped? While not as bad as giving out your IP number, many camera models embed unique information that specialized engines can sniff out, given one image, to find others, like say pictures of your office party with you personally identified on another site. There’s nothing sadder than someone going through the effort to obscure their face in a picture and leaving all the digital watermark information intact.
6. I’ll reiterate: it’s also possible to say extremely controversial things online with only the barest of anonymous shields. I know one guy who had his blog registered to his real name, but he never ran into any problems with being outed. Why? He wasn’t a dick to people and didn’t tolerate dicks congregating and festering stupidity and hatred on his comment roll, so there was no one really interested in outing him. Conversely, there are many stories of even super-secure hackers getting pwned because they were massive, massive dicks who pissed off a critical mass of people, who finally found a chink in their armor.
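What stripping EXIF data means at the byte level, as an added example that is not the author's code: a JPEG is a run of marker-tagged segments, and the metadata lives in a few of them that can be left out before upload. The function names, the choice of which segments to drop, and the sample bytes are assumptions of this example.

```python
import struct

# Marker bytes for segments that carry metadata rather than image data.
DROP = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}

def strip_metadata(jpeg: bytes) -> bytes:
    """Copy a JPEG segment by segment, leaving out the segments in DROP."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:              # SOS: compressed pixels run to the end
            return bytes(out + jpeg[pos:])
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length          # length counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker not in DROP:
            out += jpeg[pos:end]
        pos = end
    raise ValueError("no SOS marker found: truncated file")

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: valid segment layout, placeholder contents.
EXIF_SEGMENT = _segment(0xE1, b"Exif\x00\x00Make=ExampleCam;Serial=CONSTRUCTED-0001")
SAMPLE = (b"\xff\xd8"
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + EXIF_SEGMENT
          + _segment(0xDB, bytes(65))
          + _segment(0xDA, bytes(6)) + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE)
    print(len(SAMPLE), "->", len(clean), "bytes; Exif present:", b"Exif" in clean)
```

Dropping APP1 also discards the Orientation tag and any embedded thumbnail, so check how the stripped picture displays before posting it.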
If you gotta be a dick, be a smart dick and realize where the undrawn lines are.
If you’re interested in keeping up with this sort of stuff, I would recommend a subscription to 2600 magazine. It’s not very expensive and offers a really fascinating look into the technical and political foibles of our society.
That’s all I got to say, so as Captain Mullet sez “THE POWER IS YOURS.”
Peace out, it’s ukulele time.