On the use of aliases at security conventions...

  • DjDamyard
    The Bieber of PenTesting
    • Dec 2010
    • 41

    #31
    Re: On the use of aliases at security conventions...

    I like to think of my handle as being a completely different person to my real self. I almost see it as having different lives - with my friends I am known by my childhood nickname, which I've carried with me for 15 years. For my newer friends and online friends, I'm known just by my handle, and although some of them know my personal nickname, I still prefer to be known by my handle, to the extent that I would refer to myself as 'Damyard', rather than by "me"/"I", when I am doing something under the name 'Dj Damyard'.

    Don't get me wrong, I'm not schizophrenic, I just think that the mask you wear online can be one you grow into online and it can become your real online face, rather than just a disguise. And so you can have several different personas in life...

    However, it's very obvious that if you are to appear in court you cannot say that you broke the law whilst acting under another alias... So at the end of the day, no matter what your name is online, or who you say you are, it is always possible to get traced right back to the person you are in real life, so it is something which you must always think about when you do say things whilst wearing one of these 'masks'.
    while 1 == 1:
        print "Help, I've got myself stuck in a loop."


    • TheCotMan
      *****Retired *****
      • May 2004
      • 8857

      #32
      Re: On the use of aliases at security conventions...

      Back to the original topic again, as an article related to this was recently published:

      Using Real Names has Real Consequences (URL1)

      Originally posted by URL1
      ...
      Certainly in the case of corporate whistleblowing, anonymity can be critical. When real world corporate or political power hangs in the balance, perturbing the lives of exposed individuals is well-known to be the cheap way to “fix” the “problem.”
      ...
      There may indeed be some forums that are more pleasant when real names are used, but the price may be that those forums cannot carry the voices of our most vulnerable or our most controversial. It's worth keeping that cost in focus. There is some risk to words, but there is greater risk to people taking up sticks and stones to make their point.
      ...
      To this point, I would also ask if announcing a vulnerability in a product or service is an act of "whistle-blowing"? You can see examples of stories I and others have linked to, earlier in this thread, which demonstrate a kind of retaliation from corporations when they know the identity of the person that has drawn attention to a failure in a product or service. (A current event item could be considered the Sony PlayStation root key, and how Sony is forcing their target to spend time and money in and on court, respectively, demonstrating in a very public way to everyone what they want to be a cautionary tale, or example for others to see.)

      If you did not see value in keeping a pseudonym for security conferences separate from your professional or, "Legal Name," do you agree with the author of this story on anonymity for whistle-blowers, and if so, do you believe that announcing vulnerabilities or failures in products or service to be that act of a whistle-blower? Has this changed your thoughts on this subject?


      • acoustica
        n00b
        • Feb 2011
        • 23

        #33
        Re: On the use of aliases at security conventions...

        For some people I think handles may not be necessary at actual conventions. However, I for one would like for people to not know my real name as a matter of personal security. I don't trust the people I associate with casually. On the other hand I also carry mace EVERYWHERE, so perhaps I'm a little paranoid.

        Side note: My washer kept emitting a bizarre noise (something out of an alien scene from a scifi movie?) while I was typing this, so my response isn't as well thought out as it could be.


        • TheCotMan
          *****Retired *****
          • May 2004
          • 8857

          #34
          Re: On the use of aliases at security conventions...

          A recent Slashdot story provides more links on this:

          URL1
          Originally posted by URL1
          "Petitioners, who have already made their Twitter posts and associations publicly available, fail to explain how the Twitter order has a chilling effect" on free speech, she wrote.
          This sounds to me as though it leads to the conclusion that making no attempt to hide your identity and associations means you give up rights to privacy. The implication for users of Facebook is obvious, especially if they use their real identity, and publish who they associate with or make public their points of view.

          URL2
          Originally posted by URL2
          Buchanan rejected each of the arguments in quick succession, saying that there was no First Amendment issue because activists "have already made their Twitter posts and associations publicly available." The account holders have "no Fourth Amendment privacy interest in their IP addresses," she said, and federal privacy law did not apply because prosecutors were not seeking contents of the communications.
          This is more interesting, as it is evidence of the trends in law that permits legal gathering of evidence that is part of the outside of the "envelope" (sender, recipient, but not the "body" or content inside) which has been expanding when applied to electronic substitutes for older methods of communication, as more details are placed on the "outside" of this metaphorical envelope.

          Does this added information convince any more people to choose anonymity by pseudonym as a form of protection against future problems?


          • theprez98
            SpoonfeederExtraordinaire
            • Jan 2005
            • 1507

            #35
            Re: On the use of aliases at security conventions...

            Non-content information would likely fall under the same category as information collected by pen registers and trap and trace devices, and therefore not have any Fourth Amendment protection. People can be outraged over this, but it's been the interpretation of the law since at least 1974 (Smith v. Maryland). In that case, since "petitioner voluntarily conveyed numerical information to the telephone company," he had no expectation of privacy in the numbers he called. Likewise, as the magistrate said, making your posts and associations publicly available removes your expectation to privacy.

            Using an alias or pseudonym may give you an additional level of protection, but whether or not that proves effective remains to be seen.

            On a side note, I do find it interesting that Birgitta Jónsdóttir felt her privacy was special because she was a member of Iceland's parliament. I wonder if Julian Assange and WikiLeaks, in their stated claim to "open governments," would agree? ;-)
            "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";


            • Cuddles
              Member
              • Aug 2010
              • 4

              #36
              Re: On the use of aliases at security conventions...

              1. Handles are easy to remember. I know a lot of my closer friends by their handle and call them as such because it's easier than trying to associate a real name to a fake one.
              2. Handles are "generally" earned. Some people make one up to be one of the "cool" kids but the ones that are earned are a badge of honor and I respect that.
              3. If you get to know someone long enough their handle/real ID becomes a non-issue. If you are trusted by someone using a handle enough for them to share their real name then they trust you will keep that a secret or it is for professional reasons.

              For me my handles, and there are many, people associate things they have read, white papers they have seen or stories with who I am. If I get to know you I use my handle and name interchangeably. What 99% of us do is a grey area from day to day, due to random law changes (the PS3 case comes to mind and the jailbreaking of iPhones on the other end of the spectrum). I like to know that only a select few people know who I really am.

              I agree some of my friends like Hackajar come with a great story, other friends I know like C-P come with no story but enjoy watching people guess what it means.

              In the end do what feels right. Go with a handle if you were given one/ have earned one/ or just like to go by a handle. If it is notoriety you seek you can't go wrong with your real name because once your name hits the news media everyone knows it.


              • TheCotMan
                *****Retired *****
                • May 2004
                • 8857

                #37
                Re: On the use of aliases at security conventions...

                Dark Reading: Researcher Overcomes Legal Setback Over 'Cloud Cracking Suite'

                Originally posted by URL
                Apparent mis-translation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account
                These events seemed to have been triggered by a mistranslation from English to German in a newspaper. I cite this as yet another example of how using an alias that is not linked to your legal identity can provide insulation from legal woes.

                A little anonymity through use of a pseudonym could have delayed these events in this person's life long enough for them to direct the media to corrections, anonymously, and preempt legal action by the government, and law enforcement.

                In this case, however, it probably would not have afforded much time for the speaker, as it would not take much for the people at Google to correlate the events discussed at the presentation and the use of services and identify the account in question, and then establish links to the paper trail and money trail in order to obtain the real name of the person that was giving the presentation.

                This highlights another issue with presenting research in specialized spaces like this: how can a person gain as much anonymity with electronic purchases online as they can with paper cash in person? I'm not sure that this is entirely possible. There are MasterCard/Visa/American Express cards that are "debit" cards that allow people to recharge with cash, and it is possible in some grocery stores to pay for these and initially charge them with cash; the few I have seen have limits and restrictions, and many do not support setting up an "identity" with the card with a name, "billing address," and more, which are required when making many online purchases, just as photo ID with a matching name is often required when using these cards at "brick and mortar" stores.

                What other options are there for anonymous transactions online and in-person? (If this becomes an interesting enough topic, I'll fork this into a new thread with this as a topic.)


                • acoustica
                  n00b
                  • Feb 2011
                  • 23

                  #38
                  Re: On the use of aliases at security conventions...

                  Originally posted by TheCotMan
                  Dark Reading: Researcher Overcomes Legal Setback Over 'Cloud Cracking Suite'
                  These events seemed to have been triggered by a mistranslation from English to German in a newspaper. I cite this as yet another example of how using an alias that is not linked to your legal identity can provide insulation from legal woes.

                  A little anonymity through use of a pseudonym could have delayed these events in this person's life long enough for them to direct the media to corrections, anonymously, and preempt legal action by the government, and law enforcement.

                  In this case, however, it probably would not have afforded much time for the speaker, as it would not take much for the people at Google to correlate the events discussed at the presentation and the use of services and identify the account in question, and then establish links to the paper trail and money trail in order to obtain the real name of the person that was giving the presentation.

                  This highlights another issue with presenting research in specialized spaces like this: how can a person gain as much anonymity with electronic purchases online as they can with paper cash in person? I'm not sure that this is entirely possible. There are MasterCard/Visa/American Express cards that are "debit" cards that allow people to recharge with cash, and it is possible in some grocery stores to pay for these and initially charge them with cash; the few I have seen have limits and restrictions, and many do not support setting up an "identity" with the card with a name, "billing address," and more, which are required when making many online purchases, just as photo ID with a matching name is often required when using these cards at "brick and mortar" stores.

                  What other options are there for anonymous transactions online and in-person? (If this becomes an interesting enough topic, I'll fork this into a new thread with this as a topic.)
                  http://searchsecurity.techtarget.com...240857,00.html

                  Best thing I found so far. However, it was posted in 2007, and I can't seem to find anything else on it. There's also IBM's WebSphere Application Server that appears to be some variety of server software for businesses with security and support to allow for more private business transactions. Otherwise, I'd stick to what I personally do and pay cash at solid-foundation stores for purchases you don't necessarily want the world to see.


                  • TheCotMan
                    *****Retired *****
                    • May 2004
                    • 8857

                    #39
                    Re: On the use of aliases at security conventions...

                    With so many examples of this problem through recent history, it looks as if other people have observed this problem on letting corporations and governments know your identity when you find a problem and wish to report it:

                    URL1=drop-box deduplication and hash searches by court order and information leakage
                    Originally posted by URL1
                    Responsible Disclosure

                    On April 1, 2011, Marcia Hofmann at the Electronic Frontier Foundation contacted Dropbox to let them know about the flaw, and that a researcher would be publishing the information on April 12th. There are plenty of horror stories of security researchers getting threatened by companies, and so I hoped that by keeping my identity a secret, and having an EFF attorney notify the company about the flaw, that I would reduce my risk of trouble.
                    I do believe the smarter or at least wiser independent researchers will be going this route when there is a question or uncertainty on how the entity with the failure may react. Looking at the hassle endured by GeoHot with respect to Sony and the PS3, and his concession to never hack Sony equipment again*, and the "community" complaints** about him not taking the case far enough and the cash that was, "wasted" in court, it is easy to see how the safest path with the least drama is through anonymity.

                    *= I've not found a reputable site that says this was a requirement of the settlement, only claims by GeoHot like this:
                    URL2=http://news.cnet.com/8301-17938_105-20055048-1.html
                    Originally posted by URL2
                    He also says that his days of hacking the PS3 and other Sony products are over. While he doesn't respect Sony, he says he does respect the court.
                    This implies that a condition of the settlement is to not hack Sony products again, it is not explicit in this. I've found non-news organization sites with claims to having copies of the court settlement scanned and put online, but I would feel better about them being "real" if multiple major organizations carried scanned copies that were different scans, not re-scaled copies of an original, single source.

                    **= In the comments to various stories about this, you find comments like those attached to URL3
                    Originally posted by url3
                    D1gst1llsux, 9 days ago:
                    He shouldn't have settled, he should have forced them to go to trial. He may very well have won, which would have been a g
                    Some comments were far more critical, using words like "coward", or complaints with citations of alleged claims from geohot on how far the case would go.
                    Others are far more realistic and comment how it is easy to be critical when you are an armchair quarterback, second-guessing other people's decisions, and risking none of your own resources, freedom, or future.
                    Last edited by TheCotMan; April 21, 2011, 21:38.


                    • TheCotMan
                      *****Retired *****
                      • May 2004
                      • 8857

                      #40
                      Re: On the use of aliases at security conventions...

                      Another example:

                      URL1=Another Researcher Hit With Threat Of German Anti-Hacking Law

                      Originally posted by URL1
                      After several friendly email exchanges with the vendor in which Acidgen also provided Magix with what he describes as a "nonharmful" proof-of-concept (PoC) to demonstrate how the flaw could be exploited and his plans to publish the flaw and PoC after it was patched, the researcher received a not-so-friendly email from the company's lawyer threatening a lawsuit for alleged extortion for his plans to release a proof-of-concept on the flaw.
                      Originally posted by URL1
                      Acidgen isn't the only researcher recently to be threatened by the German law: German security researcher Thomas Roth was served with an injunction in January just prior to his talk at Black Hat DC in response to his plans to release an open-source tool at the conference. The tool uses Amazon's GPU processing services to crack SHA1-based passwords at high speeds. His apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat.
                      (Mentioned earlier in this thread.)


                      • TheCotMan
                        *****Retired *****
                        • May 2004
                        • 8857

                        #41
                        Re: On the use of aliases at security conventions...

                        Maybe use of aliases or some sort of anonymous notification might be needed outside of hacking to include whistle-blowers:

                        URL1

                        Originally posted by url1
                        Court OKs Firing of Boeing Computer-Security Whistleblowers
                        The 9th U.S. Circuit Court of Appeals set aside the appeal of two former Boeing auditors who claimed their leaks to the media were protected by the Sarbanes-Oxley Act of 2002, adopted to protect shareholders against fraud.
                        ...
                        Last edited by TheCotMan; May 4, 2011, 13:07. Reason: fixed url


                        • RivkaS
                          Member
                          • Jul 2012
                          • 7

                          #42
                          Re: On the use of aliases at security conventions...

                          It makes one easily recognizable to people one might know through hobby lock picking or an activist group or whatever. It isn't a way to hide, it is a way to be found.

                          I suppose if you really don't want to be recognized then use one that isn't related to anything and don't do anything anyone would care about. I suppose if you want to be cloak and dagger about it you can not register at the hotel etc.


                          • TheCotMan
                            *****Retired *****
                            • May 2004
                            • 8857

                            #43
                            "FBI raids dental software researcher who discovered private patient data on public server": http://www.dailydot.com/politics/justin-shafer-fbi-raid/

                            If this guy used anonymization software, a nickname, and kept his private information private, and complied with responsible disclosure, and this story is accurate on the reason for the FBI coming to his house, would he be facing costly legal fees and lost time talking with Law Enforcement?

                            It is hard to estimate what future laws or actions will be taken against people that follow responsible disclosure.

                            The executive branch does not need to successfully win a court case in order to financially ruin the life of a researcher.

                            I have hopes there is something more to the sending of "people with guns to arrest someone" for accessing publicly available files on an FTP server than what is covered in this story, but won't be surprised if his life is being turned upside down for being a messenger of bad news.

                            If you can't neutralize a message, neutralize the messengers.

                            Messengers will "get" the message, and move back underground.
