> It’s obvious that he just wants to be left alone to get on with what he enjoys – hacking shit, and figuring out how stuff works
No, he wants to be left alone because it endangers his life to reveal his identity. Jesus, do people seriously expect someone that's done heroic deeds like this to jump out and scream "I am Batman"???
If some journalists were able to find his identity, he can safely assume that the people behind wannacry are also able to do it. Maybe he'll take some measures to protect himself more now.
I would've liked to see the journalists find the hackers behind this. That would've been an achievement indeed.
I would have liked to see a story from the journalists on how easy it was for them to find the guy and then they had responsibly alerted the person on those points w/o revealing his name (you know like what security researchers do)
A "slang" term for a perfectly legal profession (where I'm from) used in a derivative but substantive manner--it's obviously short for the phrase "attention whore" (which is really the main reason why you shouldn't have moderated this remark) and this type of journalist is doing it just for the attention to make money, which is relevant because it sheds light on their motivation behind their questionable actions. The phrase couldn't be more on-point, actually.
Which leaves the "civil" part. Because he said "whore" instead of "prostitute".
Certainly from now on, you'll be moderating people for using the ugly word "hacker" instead of "security consultant/researcher", right? It really (still) has the same bad name among people not well-acquainted with the biz. And no, it doesn't matter that some people chose to wear the "hacker" title with pride, because guess what? So do most whores.
To add substantively to the discussion myself, here's an open question. I'm having a real hard time coming up with a phrase two words or less, that communicates this aspect of journalism as accurately as "attention whoring". How would you say it?
I think you may be missing the forest for the trees by focussing on a single word as the cause for 'sctb's comment. He specifically mentions that comments should be civil and substantive. That phrase is often used to describe the goals for discussion on HN, and they're both important.
The comment 'sctb responds to has very little substance, adding little to the conversation other than castigating its parent for assuming that people (journalists in particular) ever strive to do anything other than follow their basest instincts, that all journalists only seek attention. You add some nuance ("this type of journalist") which is entirely lacking in the original. The phrasing is also aggressive and does not invite further civil and substantive responses—hallmarks of comments that are not appropriate for HN.
I occasionally offer to dox people to show them how bad their OpSec truly is or as an example of why I don't use social media like Facebook for privacy concerns. Doxing people is often trivial since nearly anyone contributing to discussions online has a large online profile. It isn't a very difficult task - just a game of connecting the dots and knowing how to construct specific Google search queries (eg: "site:___ + 'some info'").
If a journalist can find it - any internet layman who knows how to Google can find it.
I often think about the Witness Protection Program and how much harder it must be to be a part of it in the age of social media and new forms of instant communication. While it's hard enough to cut off ties with family and friends, etc., it must be much worse when there are so many ways to keep in touch with people. Worse, I can't imagine someone in the program would be able to have any kind of online presence. It would be too easy to leak details about yourself.
The worst doxxing sources are GitHub repos. One wrong reflex to sign in as author of a new class, one insider joke - and boom, there is the way to trace - never going away.
I've been wondering if it is possible to dox my Reddit account. I like to think I've been careful not to give too much away but I wonder if it is true.
I would like to find a white hat site that prepares a report on what they can find about you.
(For the record, my reddit account has a different username than my HackerNews account)
> I would like to find a white hat site that prepares a report on what they can find about you.
To me there seems to be an inherent catch-22 involved in that. To be responsible, you have to confirm the person requesting the information is the person that wants doxxing. In providing evidence you are who you say you are, you're seeding that company with information to better find you that might not be easily found otherwise. It would take a strict separation of the sales and operations teams, to make sure this was a useful and accurate service, and with all that work it likely wouldn't be cheap.
What if the service/whitehat did an ID verification before releasing the info they uncovered? Basically ask a few things generally like what credit report agencies sometimes ask (Which of these addresses are yours? What is your username on this site? etc). Only release the info if there's a match.
Presumably you'd want to get paid up front, since you'd have done all the work in either case.
>I would like to find a white hat site that prepares a report on what they can find about you.
This would be difficult to start as it would require trust. I already do exactly this ("white hat doxing") but do you trust that that is actually what I'm doing? Maybe it would be easier as an established corporation with an explicit privacy policy.
>I've been wondering if it is possible to dox my Reddit account.
I personally run it for all posts older than 2~3 weeks (when activity/relevance of the post is nearly equivalent to "0").
Some sites still archive posts w/o updating for any future edits, there is web cache, etc. But those are far harder to search and tie together than simply browsing your comments on your profile. Note that some subreddits may ban you for using it and you'll get a bunch of AutoModerator posts asking you not to do that because of thread integrity and blah blah blah.
I hate it when people use these scripts and do have a rule against deleting posts that have replies in one subreddit I moderate. There are two kinds of things harmed by this behavior:
* In communities where people buy and sell things, or offer pay for services (e.g. /r/forhire), a glance at someone's account history provides some insight into their likely reliability. It's not much to go on, but that's inherent to doing business with strangers online.
* In many communities, previous discussions are full of useful information for future readers. Removing half of a conversation often ruins that utility.
>In communities where people buy and sell things, or offer pay for services (e.g. /r/forhire), a glance at someone's account history provides some insight into their likely reliability. It's not much to go on, but that's inherent to doing business with strangers online.
Trivially solvable with an alias used exclusively for such dealings where you don't scrub history. Also, as mentioned, it isn't necessarily that good of a rule anyway. Better than nothing but not necessarily by much.
>In many communities, previous discussions are full of useful information for future readers. Removing half of a conversation often ruins that utility.
I value my personal privacy (and time) more than any use my conversations will have for future readers. I don't have the time to selectively edit/delete hundreds of posts. One argument against this would be to "post less" but then many of those "useful posts" may not have ever been made to begin with so there isn't a net difference.
Also - quoting the most relevant bits of a post in your own post helps retain at least some context. Even if you were to edit/remove your post now - I have two pieces of it quoted that a future reader would at least have some context as to our conversation.
I'm strongly with 'Zak here; there's little I hate more in the domain of Internet conversations than people deleting things they wrote. In fact, I believe there is a strong community interest in all (not killed by moderation) comments remaining up as long as the whole discussion exists. I don't mind if someone unlinks their post by e.g. deleting account; I care less about who wrote something than about what was written. Deleting posts ruins the discussion for those who come later.
I'll grant this for that technique: while your website linked to your username here made it easy to guess your reddit username, 5 minutes of looking did not recover your deleted comments.
It's a little difficult for me to wrap my head around the mindset though: if you're concerned about privacy, why would you post anything sensitive to reddit? If you haven't posted anything sensitive, why delete it? I'll admit, I've never been the victim or perpetrator of doxxing, so I may be missing something.
>I'll admit, I've never been the victim or perpetrator of doxxing, so I may be missing something.
Most people leak information constantly and each bit or byte of information by itself is not important. However, in aggregate, people leak enough information about themselves to have it become sensitive information. What can be seen as harmless on its own can lead to more sensitive/"harmful" information being gathered.
For an example, let's say you share a photograph of yourself somewhere in London. Maybe you went on vacation, a business trip, a family visit, a honeymoon, etc. There are plenty of reasons to be in London one time! Now over the period of 10 years you've shared a few dozen photos of yourself in various places of London. What are the chances you live in London? Would you say the chances are higher than if you had only shared a single photograph?
Likewise, information that doesn't seem sensitive on its own can become incriminating when combined with other evidence. Scrubbing everything therefore is the best way to ensure you aren't leaving anything behind. It's also a lot easier to scrub everything than to read over years of post history to see if you've ever shared anything you maybe shouldn't have.
I fear we're slowly stepping into paranoia levels of privacy protection. This is my personal belief, I'm aware many people here don't think that way, but here it is: it is literally impossible to live a life in a society without radiating such information all the time. This applies both to physical and digital realms; and as most people spend more and more time with digital services, the two start to blend into one.
So I guess my opinion is: radiating that information is not really an issue, and any problems arising from it are best solved elsewhere, and not by becoming a digital hermit.
These scripts are why I'm surprised Reddit doesn't have sub specific edit permissions. I mean, on traditional forums, we avoid these issues by simply blocking the edit function after a certain time limit. Or limiting who can remove content.
Not sure I'd want to see a community where people removed useful content on a whim because they were that worried others would use it against them.
Is that going to help against checking with the Internet Archive? I've used the Internet Archive to read versions of reddit comments when they were deleted (but not to dox people).
I just used this for my reddit account... holy crap it's kinda scary how accurate it is. All it takes is for you to slip up in a comment here or there, add in a detail somewhere once, and it's all there. I think I need to start using temp reddit accounts, and just jump ship every few months.
This. It's the added opportunity that put this researcher in unnecessary danger.
It's like, almost every front door lock can be broken, or circumvented by smashing a window. Leaving your front door unlocked and open however, creates opportunity, that really increases the danger of burglary.
> If some journalists were able to find his identity, he can safely assume that the people behind wannacry are also able to do it. Maybe he'll take some measures to protect himself more now.
The people behind wannacry targeted Russian banks. Chances are they already died of unexpected radioactive contamination, accidental stabbing, or unfortunate neuro-toxic poisoning.
Anyway, comparing these journalists as "sphincters of bad journalism" is probably even too positive. Unlike sphincters, that do have a useful purpose, tabloids could be wiped out of this planet without any negative side-effects.
There is a newspaper claiming he's now working with GCHQ. I doubt such information is true, but given what happened to Gareth Williams in similar circumstances, I'd suggest it's egregiously irresponsible for a newspaper to even suggest it given everyone now knows who he is.
> But his former landlady, Jennifer Elliot, told the inquest that three years before his death, she and her husband had heard Williams call for help at 1.30am from the annex flat he was renting from them in Cheltenham, where he worked at GCHQ.
> They let themselves in with the spare key and found the codes expert lying on his back on the bed, in boxer shorts, with his hands tied to the bed posts with material so tight it had cut his wrists.
> In a statement read to the inquest, Elliot said she and her husband had both been in shock. Her husband asked Williams: "What the bloody hell are you doing?" Williams told them: "I just wanted to see if could get myself free."
> The statement added that he did not appear sexually aroused, and was "very embarrassed, panicky and apologetic."
> The couple, who never spoke to anyone about the incident, said they concluded it was "sexual rather than escapology".
I'm not sure this has any impact on the ability of the services to recruit staff, compared to things like compensation, or having to fill in "permission to socialise" forms...
I don't think anyone much thought it was anything but an extremely suspicious death. In many ways matching almost too perfectly the imaginary world of Spies we like to watch/read about.
Gareth was a quiet, private person completely unknown prior to his death. Various news media pawed over the gory detail without so much as a thought to public interest or the bereaved.
Also can anyone point me to resources on preventing doxing while hosting a website? I want a checklist of things that can possibly leak my identity. For example:
- Some basic stuff is use whoisguard and don't reuse any existing hosting / cloud infrastructure or even google analytics accounts
- But for new accounts, does using real credit card information matter? I am not sure how easily a company will give that information up. For example how hard is it to social engineer or get a court order/subpoena for it?
- Even then you can still be fingerprinted by ip, browser agent, hardware if you ever even log in with the same computer. For example HN certainly knows who my alts are just by checking request logs ip.
- What about sharing similar coding style / code base? Or even just speech/writing patterns? Is NLP sufficiently advanced to fingerprint you by that yet?
Are some of these too paranoid? I really think there's no way to fully prevent doxing for anyone sufficiently motivated. What's actually good enough in practice?
Use Tails or Whonix. Buy Bitcoin with cash via mail on Localbitcoins.com. Depending on your level of paranoia, don't use bills directly withdrawn from the bank/ATM.[1] Be careful to not get fingerprints/hair/traceable writing on the envelope. What I've done is ask someone at the store (buy a card/envelope at CVS or something) to write the address for you. With BTC-via-mail, the only thing you leak is a rough physical location. Running the coins through Monero or something should blind things and render all this moot, but hey just in case?
With anonymized currency, then you're free to start signing up for stuff. If a site doesn't accept Bitcoin, use Localbitcoins.com to buy a prepaid debit card (Visa/Mastercard). If a site insists on a phone number for confirmation, use a darknet market to buy a pre-made Google Voice account. You can't access it over Tor or it'll get blocked, so use darknet markets to rent a Windows client box ($10-20 a month) so you have a "clean" IP and Google won't block you.
Then it's a matter of not giving away your info. You should adopt an entire persona when you're doing anything related to your site. Come up with a backstory (name, location, etc.). Ideally, none of this would matter: You're over Tor and using an entirely separate system for everything related to the site. But from the indictments I've read, it seems like a lot of first steps in finding someone's ID are just going off small hints. The way they write, mentioning the weather, etc. I would assume it to be very effective to fake these things. (For instance, notice a flood in a part of the country. Stay offline during the flood. When you get back on, write a small note that you had to be away due to flooding.)
None of this will protect you from an adversary that can correlate your home-connected-to-Tor times with site-gets-updated-times. But it'll stop people without that access, even if they're willing to fake a subpoena/warrant/etc. to your registrar/hosting provider (easier than you'd think). And hell, it doesn't always take a legal order to get those details; social engineering can do it just fine.
1: I asked Wells Fargo and they claimed they don't keep track of serial numbers and have no way to do so, but it seems so trivial I wouldn't believe it.
I respect the intent of the article, but I feel that the author completely misjudges the intentions and perspective of the mainstream journalists and their readership. It looks more like a culture clash than malice.
> MalwareTech doesn’t give out his name on his Twitter page or blog. There are no headshots. It’s obvious that he just wants to be left alone to get on with what he enjoys – hacking shit, and figuring out how stuff works.
For a modern mainstream internet user, who sees that everybody goes with their real names and photo (except trolls), it's not obvious.
> stalking other people’s Twitter and Instagram accounts
How can reading information that people have voluntarily posted online for everyone to see be called "stalking"?
> The weird emphasis about his fondness for pizza, and how he works from a small bedroom in his parents’ place? That shows they don’t actually respect him, or what he’s accomplished.
To me, it shows just that they were interested to paint a picture of a human being instead of just a username. I feel that HN audience is very used to talking to someone whom they know just by a nickname, with no personal details or information - but for the general public, the concept of "anonymous hacker" is not associated with anything good.
> Why do I need to know his age, and that he enjoys pizza? Why do I need to know his name, or know what he looks like? Does anyone care that he enjoys surfing? It adds nothing to the story.
Look at any NYT or Guardian longread about a complicated issue that touches a lot of people - instead of analyzing statistics (as I personally would prefer), they always include an individual story or two, with unrelated personal details, to make the reader feel "connected". Only logical to assume that, while to me, and probably, to HN reader, this is just irritating and distracting, that's what "general public" wants to read about.
"for the general public, the concept of "anonymous hacker" is not associated with anything good"
An association that's largely created by these tabloids in the first place.
"that's what "general public" wants to read about"
Maybe, but if that's what's required, they should be requesting an interview with him and only reveal what he agrees to reveal. If he wishes to, that could lead to a more insightful look at a man and his motivations rather than random paragraphs about pizza and surfing.
If he chose not to reveal anything, a responsible journalist would accept that and understand that the man has reasons for wishing to stay anonymous. Not dig into his information and publish it anyway, leading to both him and his friends being needlessly harassed for preventing crimes. At the very least, this could lead to future would-be Samaritans from deploying fixes or publicly detailing their methods.
At least they managed to increase their clicks with some facts rather than just making things up, I suppose.
I feel that you're trying to argue against some of my points, but we're not in disagreement.
I'm not saying that the current state of affairs is good or defending it; however, I think that the blame is misplaced and the problem lies in culture clash, not in malice (as often happens with the media).
I think some of this is true, but it doesn't really excuse anything.
I mean, you're right about his age and pizza and hobbies. They turn a tech-news story ("Major malware attack stops") into a human-interest one ("Meet the man who saved the internet"), which plays way better for these papers. The general public, or at least their readership, probably does enjoy those details.
And I suspect they didn't exactly consider this 'doxxing'. It's a less invasive piece than a lot of what they run, and the information was available via public sources. The Sun in particular considers felony phone-tapping fair game, so this is almost chivalrous by their standards.
---
But... none of that justifies a damn thing. The general public wants plenty of things that are harmful or illegal, and we don't accept "people wanted it" as a defense of those things. The Sun, as I mentioned, proved that point in spectacular fashion.
Even conceding that the information was available, this isn't something excused by decent journalistic ethics. Publishing nominally-positive personal accounts about people without any attempt to contact them or let them request redactions is pretty odd. Showing up at their friends' houses without notice or interview requests to the main player is bizarre and unwelcome. Offering real name and location info on someone who just interfered with a major criminal action is downright irresponsible - he made the info available in the past, but might have felt pretty differently after interfering with this attack. Using his Twitter photos (unembedded) is comparatively harmless, but it's also illegal!
So yeah, I see why there was a human-interest piece run here. But that doesn't actually justify how the thing was handled.
I didn't mention anything about "excuse" or "justify" in my comment; trying to project these things onto the moral axis is pointless and kind of boring, actually. I think it's far more interesting in figuring out _why_ people do certain things and how to change it than to assign "good" and "evil" labels to their acts.
Of course the "why" is interesting as well, but I don't find discussing Ethics boring at all, given that it's argued well, which is (IMHO) clearly the case for the parent post.
Really, a remark like that is on the same level as someone calling mathematics "pointless and kind of boring".
What makes it particularly not-pointless, is that it allows one to discuss these things without you having to feel any need to defend yourself because indeed you didn't say anything about "excuse" or "justify".
Similarly, math allows us to say "two plus two equals four" without anyone having to jump in and clarify that they never said it wasn't four.
The Media likes to have gripping headlines that create celebrities. Presenting a person as a Hero is a tried and true way to do this.
Once you do that to a person the hazards of being a celebrity pop up. Doxxing from media and anonymous, people digging up dirt on you etc... it is an unfortunate situation and it's ruined many people's lives.
>> The Telegraph talks a little bit about how he’s self-taught, and how he stopped WannaCry by figuring out it had a kill-switch.
The researcher's blog (posted on HN earlier) said that although originally he thought it was a kill switch he now thinks it was just a clumsy attempt at detecting whether the worm was running inside a sandbox.
Apparently, worms will often do that sort of thing- call out to an unregistered domain to check whether they get a response indicating that they're not really connected to the internet. Except the ones that do it right call out to some random domains and this one had it hard-coded (either because the creator of the worm was a numpty or because they forgot it) (and therefore, a numpty).
So it probably wasn't a kill-switch in the sense of a failsafe, as it was reported in the press.
>To the hacks at The Telegraph, MalwareTech will always be some sad basement-dwelling hacker nerd.
No, actually. They're showing that he fits into the archetypical British bedroom hacker/programmer genius, which is very highly respected in the UK, and produced the likes of Matthew Smith, David Braben, etc. It looks like the author of this article wasn't around in the 80s, so perhaps he's not familiar with this history.
edit: I fit into this category myself, and I'm not offended at all.
I've had my shit doxxed by the media before, but fortunate enough they were kind enough to redact information on request. It was a very quick turn-around
If we think about it, this is not much different than shouting publicly the name of a journalist infiltrated in a drug cartel. Terrible. Journalists should know better the game and what is at stake here.
If only "Murdoch's rags" were doing this sort of thing, the media landscape would be a lot better than it is now.
Once you personal preferences because you happen to be ideologically aligned with a particular news source, I have a hard time seeing how pretty much any of the major mainstream media outlets is better or worse than any of the others. (Yes, this includes the New York Times, too.)
Ironically, I was just complaining on HN a couple of days ago about the near-death of investigative journalism and how when historians go to assign a date for that event it'll probably be in the past. So it's even more egregious in some ways than I think it initially sounds that these journalists dox'ed this guy... they don't seem to have the resources to do much truly investigative journalism nowadays, and this is what they spend those scant resources on! Why not just come out and tell us all that they're too afraid nowadays to do any investigative journalism on anyone with even a hint of power?
However, I've seen some rumblings on the Internet that it used to be high quality journalism, but lately it had been going more downmarket of late. This is "Internet opinion" of course, so I'm not sure what the real truth is. That being said, if they are engaging in tabloid-style stunts like this these days, this would sort of confirm what I've read.
While perhaps (probably?) all the criticism of the papers is justified I'd note that the subject of the doxing doesn't seem very concerned about it at all.
I agree with this article, but though I am no expert in this topic I do wonder how much the wannacry perpetrators would actually go after this guy. Consider:
1. The fact that it was disabled so trivially was ultimately their own fault.
2. As we have seen, it was easy enough for them to change the logic to remove the web request on the nonexistent domain and start spreading again.
3. Retaliation would not be without cost and risk. Acting on #2 instead is a less costly, less risky action.
They came to the wrong conclusion that someone who bought a kill switch domain would have been one of the hackers, when in fact the kill switch was a firewall check (look for 502 rather than 404) and the person who bought the domain kill switched it for everyone.
Where did you come to the conclusion that they think he was one of the hackers? Neither the link, nor the Telegraph article said anything like that AFAIK.
They may not use the term "doxxed" lightly, but they also don't provide a definition for it. I have no idea what it means. I guess it means "give credit by providing the name." Maybe?
It's publicly releasing the IRL identity (name, address, etc) of the person behind an anonymous online identity. The term applies more to places like reddit/twitter/4chan than to someone's own blog, but it's generally considered a form of harassment because it's an invasion of privacy.
Ah! I didn't realize it was an English dictionary word. I really thought it was an "inner circle" term that needed defined for the layperson. My mistake.
Thanks - I deserve a dig for not googling it. It's a pet peeve to see acronyms that aren't defined, but this is apparently a "common" word that I just happened to be oblivious to!
Despite all the claims of "major cyber-attack", what I see here was a virus that infected the entire British NHS, but otherwise had very little impact.
What could possibly go wrong?