Your response is a non sequitur, which could explain the downvoting (though certainly not by me). My comment was a reference to this: https://www.youtube.com/watch?v=ANPsHKpti48
Unlike Fake Steve Jobs, I honestly get real insight out of things SLJ says. I guess it's possible outing him would force him to be a little less snarky, which would be really disappointing. SLJ snark is an awesome antidote to the SV cheerleading that dominates a lot of people's twitter feeds.
I think that depends on how you define "doxing." Yes, you're identifying a person's real information. On the other hand, malicious "doxing" usually means publishing phone number, address, kid's name, personal email address, Facebook, etc.
I think there's a clear difference between correlating a pseudonym to a real-life identity, and malicious "doxing" that could cause harm.
> I think there's a clear difference between correlating a pseudonym to a real-life identity, and malicious "doxing" that could cause harm.
People use pseudonyms for a reason. Deanonymizing them can cause them harm, ranging from getting fired to getting arrested to causing severe social strife. Not your decision to make.
> Deanonymizing them can cause them harm, ranging from getting fired to getting arrested to causing severe social strife.
Luckily I committed no crimes, or I would have had a hat trick.
> Not your decision to make.
There's actually a lot of debate and discussion about this issue; I am always surprised at the number and tenor of those who wholeheartedly support making this kind of decision.
From the guidelines (to help explain why you are seeing the behavior you are seeing).
"If your account is less than a year old, please don't submit comments saying that HN is turning into Reddit. It's a common semi-noob illusion, as old as the hills.
Please resist commenting about being downvoted. It never does any good, and it makes boring reading.
Please don't bait other users by inviting them to downvote you or declare that you'll probably get downvoted. "
You've been posting uncivil comments to HN lately (e.g. https://news.ycombinator.com/item?id=10301570, in addition to this thread). Please re-read the site guidelines and follow them:
I'd prefer you just delete my account, but I know you are not allowed to do that. I'll just try to forget my login, since apparently people are allowed to be "uncivil" to both me and newbies, but the same courtesy is not extended to me.
Are you shitting me? Revealing the identity of someone who has purposefully concealed their identity is the literal fucking definition of doxing. You have neither the right nor the ability to determine what harm may result.
Yup. Quoting Sarah Jeong's The Internet of Garbage:
"The strict 'hacker' definition of 'dropping dox,' as it was initially phrased, involves the publication of documentation (or 'docs'/'dox'). As Schneier points out, these can be addresses, phone numbers, financial information, medical records, emails, and so forth. The part where the definition of 'doxing' gets murky is that the word's prominent appearances in the media haven't involved dropping dox at all. Rather, it's come (sometimes!) to signify the unmasking of anonymous internet users without their consent. ....
"The idea that a 'full name' can constitute a dox represents an understanding that in some contexts, the publication of a legal name serves as an incitement to drop a full dox. Through Google and other databases, a full name can lead to other details...."
While I absolutely think no good would have come out of de-anonymizing SLJ, it wouldn't really be doxing (unless they had somehow attracted people that had an interest in attacking their home, embarrassing them in front of their employer, etc.).
What an odd thing to say. Documentation can certainly include real identity. Those things are a set/subset relationship, not two different things.
In both cases the desired outcome is achieved: the 'war' is expanded, taking on either new dimensions (personal knowledge of the doxxing victim) or new avenues to attack them with.
Well, the context here is that "doxing" is not about identity in the first place: it's about encouraging harassment/crime, by facilitating identity theft, leaking embarrassing photos, giving contact info of family members, giving the information needed to conduct SWATting, etc. Identity happens to be involved in all of these things, but it's not the goal.
That section of the book argues for distinguishing them because, in some cases, de-anonymizing someone (but no more) is legitimate self-defense by a community, but doxing always intends harassment (which is not legitimate self-defense). If there are rules for actual war, there are absolutely rules for "war" in scare quotes; not inciting crime is one of them. I don't think I can make the full argument here concisely, but it is well set-out in the book. (While she has a blog post saying much the same thing, I actually thought that was a much poorer defense of de-anonymization, since it's missing context.)
Obviously in this specific case there is not even "war," just curiosity, so that defense of de-anonymization doesn't apply. But we've gotten on a tangent about the term itself.
'Context' does not change facts or logic: identity is part of documents, the war gets bigger. You've written a lot, it's mostly true, but nothing actually addresses the comment you're responding to.
Regarding 'unmasking': many doxxers use this argument: when they do publish people's information, they're unmasking bad actors, when their opponents do it, they're doxxing. For example Sarah Jeong, the author of the book you mention, wrote for The Verge, which tacitly endorses doxxing by ignoring it when performed by political groups it supports.
> "The idea that a 'full name' can constitute a dox represents an understanding that in some contexts, the publication of a legal name serves as an incitement to drop a full dox."
In some contexts, a full name is a full dox, to anyone who has Google access and 10 minutes to spare. There's not really a functional difference. The presence or absence of malicious intent may determine how we judge the doxer, but the potential effect on the doxee is the same either way.
>I think there's a clear difference between correlating a pseudonym to a real-life identity, and malicious "doxing" that could cause harm.
First answer me: Why do you think they chose to use a pseudonym? I can think of many answers to explain why. Most include risk of harm to the individual in various forms.
For example - there is a reason I use a pseudonym. I always have and always will.
> I think there's a clear difference between correlating a pseudonym to a real-life identity, and malicious "doxing" that could cause harm.
There's a clear difference, yes, but it's only really relevant to how we judge the doxer. It's comparable to outing a closeted queer person: whether it's done maliciously or out of pure, naive innocence, the fallout for the subject is the same.
I agree. Revealing the real name would have been doxing. Finding associated information would be trivial.
The harder question is when doxing is justifiable. Maybe it can arguably be self-defense. But even then, consequences are typically disproportionate. And there's no process for trial, opportunity for rebuttal, judgment by neutral third parties, etc.
One thing I've always wondered about these types of anonymous "Internet famous" people: How are they not instantly outed by someone who works for any of the providers in between their Twitter client and the readers? Are they all taking extremely careful steps to use things like Tor and anonymous email to prevent the process of tweeting from leaving a trail of bits anyone with access can see?
If your adversary is a Twitter employee, you graph "Payoff for 'outing' vs. likelihood of being fired" and come to the conclusion that no Twitter employee has cared enough. If your adversary is substantially better resourced than a Twitter employee or would not suffer equivalent costs (e.g. if your adversary is law enforcement), assume the inevitability of compromise.
An interesting question is "How would you rate the ability of e.g. investigative journalists on this score?", to which I answer "Equivalent to their ability to ask someone in their social circle to tell them what the answer is."
Companies will often sue for the difference. If random company X employee doxes a client of X, and then the market cap of X falls by $Y on the news and consequence loss of trust, company X has a pretty good case that financial damages of $Y are warranted through the actions of the employee's breach of contract. Chances are, the employee has nowhere close to $Y in assets, but will settle for $Z << $Y to avoid having a huge lawsuit with the potential to garnish many years worth of wages hanging over their head.
Many people who might think that the risk of being fired is worth having the inside scoop on a story might reconsider when the threat is a lawsuit from Google/Facebook/Twitter.
Not just fired though: if they either didn't do it anonymously, or someone outed the outer, they'd be putting future job prospects in jeopardy as well.
The story about them doing this will quickly shoot to the top of search results for their name, and probably stick with them forever. Who wants to hire someone who is infamous for violating their previous company's privacy policy and abusing their access privilege? Who wants to stay on as a customer of a company where that person now works?
True, but the danger is not only with large enemies. I have had the network admin of my internet provider read my emails because he was bored. I know because we later became friends and he told me about it - with proof. (This was before gmail and everything-important-is-on-ssl.)
I also come live in a country where "government employees are reading your emails" is up there with "the water is wet", so large enemies are pretty much assumed to know everything they care to know.
Not sure about other twitter famous anonaccounts, but @SwiftOnSecurity for example, used to have their real account pointed at SwiftOnSecurity, saying that he was the person managing it.
Now SwiftOnSecurity is so huge people who remember/know this don't really talk about it. I imagine a lot of these things that blow up start like SwiftOnSecurity and then the person realizes "I'm kind of getting a lot of visibility. It could really help me but it could really hurt me. Maybe I should keep this separate from myself".
Beyond basic opsec of keeping your mouth shut, nothing is really necessary...
It's pretty easy to stay anonymous if you're just doing something for comedy and not breaking the law - use a dedicated laptop for your fake persona, only post from random public wifi connections and you're done.
You might want to throw in a bit of sanitizing with respect to the linguistic analysis side, but generally speaking if you use a clean laptop and a random public connection it will be very difficult for anyone to out you.
From a technical standpoint, yes. From a behavioral/social standpoint, a motivated investigator can always find some patterns to work with. Maybe not sufficient patterns, but enough to start making educated deductions.
Speaking entirely for myself, it never occurred to me to do that, and if it had I have to say that it's immediately self-evidently that it would be wrong to do. Twitter has repeatedly gone to bat to protect people who are the targets of major governments, including suing the US government. SLJ (whoever he is) is due the same treatment anyone else on Twitter has. To use your power as an employee to out him when you're fighting court orders asking you to reveal the identity of other accounts would be the height of hypocrisy.
This is very similar to the strange (to me) idea that people wouldn't use GMail because they're worried Google will steal their corporate secrets. Seriously? There would be riots in Mountain View if anything like that ever happened...
I'm struggling to figure out what 'trail of bits' you think would be obviously and easily pulled together by an individual somewhere in the twitter infrastructure. I guess maybe someone who has access to activity analytics could maybe connect accesses to the anonymous account to accesses to another account from the same client. I suppose Twitter's teams who investigate malicious accounts probably have tools for connecting sockpuppets to their masters, which could be brought to bear. But it seems unlikely to me that the pool of people who have access to the tools and data to do this is very large, or that that group of people would not be subject to careful oversight to make sure their privileges are not being abused. The risk that people with this level of access will be approached by journalists offering cash for insight into celebrities (e.g. who is Justin Bieber DMing?) means you'd have to put controls around it.
Props for not going through with the outing. There's a weird sense of entitlement that people have, that they have the right to unmask someone doing nothing wrong but choosing to be anonymous. I'm really glad to read the author overcame that urge, it helps keep the world a little more interesting.
Author here. I'm not sure it's directly a sense of entitlement, though you could certainly argue that it's in play whether or not the author seems to notice. There's a sense that you found out the truth, and people want to know the truth. That's where Gawker got stuck; when one of your mottos/mantras is something like "we put truths on the internet," you feel like it's your job to go through with it. You feel like people are entitled to know. This is certainly borderline, and I feel like I could have defended either call, but I think we made the right decision.
I think some people get a high/rush/satisfaction [0] from revealing privileged information. Others get the same feeling from guarding privileged information and being one of the trusted few to know.
[0] I'm sure there's a nice, concise word that fits what I'm unable to articulate here.
Isn't that the same feeling that comes when one believes what is popularly construed as a conspiracy theory? I mean, you have this bit of information that the entire world doesn't know (or doesn't care or believes differently), and you _know_ that it's correct. Granted, one like this story is factual information where as conspiracy theories are theoretical (obviously), but the sense of responsibility of knowing that information makes people want to share it as wide and as far as they can muster so they can be the leader or originator of a movement changing the status quo.
Thanks, the last part was the hardest to write, by far. I revised it a number of times. The goal there was really to sort of draw a comparison with the Gawker post, which I found abhorrent when it happened, and getting caught up in your own thing and not seeing the situation clearly. Seems to have come across OK.
I'm missing the scroll bar too, it's really annoying. After looking at the stylesheet it looks like it's due to this rule: body::-webkit-scrollbar { width: 0!important; }. If you remove that rule the scroll bar will be visible again. Here's some JavaScript that you can copy-paste into the address bar to fix it (only tested on Chromium):
I have a trackpad and scrollbars hidden by default. It still sucks that I don't get the thumb showing up when I scroll. I have no way of knowing how far along I am.
Look this is a pet project, we're experimenting with different things, I happen to like it the way it is. Last time we were on the top of HN earlier this month our font was too light; I liked it as is, but I was wrong. It changed. If we're wrong on this, it'll change too.
For me the worst thing was not to see where in the article I am and how long the article is. I am using the scroll wheel on my mouse to scroll the text.
yes our hosting provider is having problems with them, and when we get them mounted it kills the site. when traffic dies down a little they'll go back up. unfortunately #4 on HN is a little late to make a site arch change lol
Great article. If nothing else, spreading the word about the severe limitations of stylometry is very important. This stuff gets used in forensics, and like other oversold forensic techniques, causes some terrible injustices. Once the court has allowed some expert testimony, the jury is instructed to take it at face value.
I am by no means an expert, in fact, it was really that having no expertise led me to dismiss it from what I ended up doing. I still wanted to mention it because (1) it's super interesting, (2) I think that it's not well known about, and (3) maybe I could catch someone who is only sort of tangentially into code or engineering, and hook them in with this sort of use case. Probably asking for a little too much on the last part ;)
Really cool article. However, I found myself thinking, "ok, that's nice of you for not doxing the guy, but, you kinda just handed the keys to the kingdom to the internet." Doesn't seem like SLJ cares one way or another, but, I got the feeling that the author knows that this article will undoubtedly lead to SLJ's outing within a month, two months tops. There's more than enough bored programmers out there who'll just apply the methods described wholesale, and throw it out there on reddit, or wherever. So, I'm not sure how I feel about the whole "doing the right thing by not doxxing" issue, b/c it seems like we're sort of splitting hairs on the issue.
This is the (ultimately fruitless) approach I used:
1. Find the people who were within SLJ's first few hundred followers (the API gives an account's followers in the reverse order they followed the account).
2. Assuming some of the early followers knew SLJ's real life identity, find which accounts many of them were following prior to following SLJ.
3. Accounts which are followed by relatively many of SLJ's early followers, but relatively few of SLJ's later followers, are candidates for SLJ's real identity.
Ultimately I couldn't make it work, although my guess is that SLJ has some connection to Pivotal (either is a former employee or has worked with them on projects).
107 comments
[ 4.8 ms ] story [ 204 ms ] threadSLJ is great because, due to his anonymity, his ideas stand on their own merit. Being outed killed Fake Steve Jobs; it'd do the same to SLJ.
I'm having a hard time seeing how it could possibly be anything but "doxing."
I think there's a clear difference between correlating a pseudonym to a real-life identity, and malicious "doxing" that could cause harm.
People use pseudonyms for a reason. Deanonymizing them can cause them harm, ranging from getting fired to getting arrested to causing severe social strife. Not your decision to make.
Luckily I committed no crimes, or I would have had a hat trick.
> Not your decision to make.
There's actually a lot of debate and discussion about this issue; I am always surprised at the number and tenor of those who wholeheartedly support making this kind of decision.
Your secrets don't have to be criminal to be secrets.
"If your account is less than a year old, please don't submit comments saying that HN is turning into Reddit. It's a common semi-noob illusion, as old as the hills.
Please resist commenting about being downvoted. It never does any good, and it makes boring reading.
Please don't bait other users by inviting them to downvote you or declare that you'll probably get downvoted. "
https://news.ycombinator.com/newsguidelines.html
https://news.ycombinator.com/newswelcome.html
"The strict 'hacker' definition of 'dropping dox,' as it was initially phrased, involves the publication of documentation (or 'docs'/'dox'). As Schneier points out, these can be addresses, phone numbers, financial information, medical records, emails, and so forth. The part where the definition of 'doxing' gets murky is that the word's prominent appearances in the media haven't involved dropping dox at all. Rather, it's come (sometimes!) to signify the unmasking of anonymous internet users without their consent. ....
"The idea that a 'full name' can constitute a dox represents an understanding that in some contexts, the publication of a legal name serves as an incitement to drop a full dox. Through Google and other databases, a full name can lead to other details...."
While I absolutely think no good would have come out of de-anonymizing SLJ, it wouldn't really be doxing (unless they had somehow attracted people that had an interest in attacking their home, embarrassing them in front of their employer, etc.).
In both cases the desired outcome is achieved: the 'war' is expanded, taking on either new dimensions (personal knowledge of the doxxing victim) or new avenues to attack them with.
That section of the book argues for distinguishing them because, in some cases, de-anonymizing someone (but no more) is legitimate self-defense by a community, but doxing always intends harassment (which is not legitimate self-defense). If there are rules for actual war, there are absolutely rules for "war" in scare quotes; not inciting crime is one of them. I don't think I can make the full argument here concisely, but it is well set-out in the book. (While she has a blog post saying much the same thing, I actually thought that was a much poorer defense of de-anonymization, since it's missing context.)
Obviously in this specific case there is not even "war," just curiosity, so that defense of de-anonymization doesn't apply. But we've gotten on a tangent about the term itself.
Regarding 'unmasking': many doxxers use this argument: when they do publish people's information, they're unmasking bad actors, when their opponents do it, they're doxxing. For example Sarah Jeong, the author of the book you mention, wrote for The Verge, which tacitly endorses doxxing by ignoring it when performed by political groups it supports.
In some contexts, a full name is a full dox, to anyone who has Google access and 10 minutes to spare. There's not really a functional difference. The presence or absence of malicious intent may determine how we judge the doxer, but the potential effect on the doxee is the same either way.
Everyone thinks that until it happens to them. Trust me on this.
So I'd rephrase that: If you haven't done anything that resourceful adversaries consider wrong, you don't have anything to hide.
I can be such a pedant ;)
First answer me: Why do you think they chose to use a pseudonym? I can think of many answers to explain why. Most include risk of harm to the individual in various forms.
For example - there is a reason I use a pseudonym. I always have and always will.
There's a clear difference, yes, but it's only really relevant to how we judge the doxer. It's comparable to outing a closeted queer person: whether it's done maliciously or out of pure, naive innocence, the fallout for the subject is the same.
The harder question is when doxing is justifiable. Maybe it can arguably be self-defense. But even then, consequences are typically disproportionate. And there's no process for trial, opportunity for rebuttal, judgment by neutral third parties, etc.
An interesting question is "How would you rate the ability of e.g. investigative journalists on this score?", to which I answer "Equivalent to their ability to ask someone in their social circle to tell them what the answer is."
Many people who might think that the risk of being fired is worth having the inside scoop on a story might reconsider when the threat is a lawsuit from Google/Facebook/Twitter.
The story about them doing this will quickly shoot to the top of search results for their name, and probably stick with them forever. Who wants to hire someone who is infamous for violating their previous company's privacy policy and abusing their access privilege? Who wants to stay on as a customer of a company where that person now works?
True, but the danger is not only with large enemies. I have had the network admin of my internet provider read my emails because he was bored. I know because we later became friends and he told me about it - with proof. (This was before gmail and everything-important-is-on-ssl.)
I also come live in a country where "government employees are reading your emails" is up there with "the water is wet", so large enemies are pretty much assumed to know everything they care to know.
Now SwiftOnSecurity is so huge people who remember/know this don't really talk about it. I imagine a lot of these things that blow up start like SwiftOnSecurity and then the person realizes "I'm kind of getting a lot of visibility. It could really help me but it could really hurt me. Maybe I should keep this separate from myself".
Beyond basic opsec of keeping your mouth shut, nothing is really necessary...
You might want to throw in a bit of sanitizing with respect to the linguistic analysis side, but generally speaking if you use a clean laptop and a random public connection it will be very difficult for anyone to out you.
This is very similar to the strange (to me) idea that people wouldn't use GMail because they're worried Google will steal their corporate secrets. Seriously? There would be riots in Mountain View if anything like that ever happened...
[0] I'm sure there's a nice, concise word that fits what I'm unable to articulate here.
I guess everyone in the whole world has a scrollwheel and/or touchscreen. Screw anyone who doesn't, you can just read the top of the page...
But really, we just don't have everything done yet, I wrote everything on my own. We'll fix it in an upcoming update, sorry for the issues.
Ummm, yeah, lots of them.
Scrollbars work perfectly when you don't write anything.
I use the scroll bar as my first choice, and I'm pretty sure I'm not alone.
Note to web-devs. If you modify scrolling, you're doing it wrong.
I'd even go so far as to say browser-devs shouldn't allow scrolling to be modified. It's an OS feature, not an application feature.
I was able to view this story without enabling Javascript by using a basic feature of Firefox.
Fortunately this particular website's brain damage had a simple workaround. Some don't. And if they don't, I simply move on and forget about the site.Really. I mean it. If a site is too hard to read, it literally drops out of my memory. No regrets. Life is too short to tolerate brain-dead websites.
Looks like HN has hugged it to death...
Any idea why the images aren't working?
1. Find the people who were within SLJ's first few hundred followers (the API gives an account's followers in the reverse order they followed the account).
2. Assuming some of the early followers knew SLJ's real life identity, find which accounts many of them were following prior to following SLJ.
3. Accounts which are followed by relatively many of SLJ's early followers, but relatively few of SLJ's later followers, are candidates for SLJ's real identity.
Ultimately I couldn't make it work, although my guess is that SLJ has some connection to Pivotal (either is a former employee or has worked with them on projects).
https://en.wikipedia.org/wiki/True_Names