Announcement

**astcell** · December 4, 2012, 01:58

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Just like in the military, go by the "need to know." And as far as those I hang out with, using an alias and an avatar are not intended to remain hidden, but rather to remain unique. Imagine the feds going to Defcon and they need to speak to a few people but they only have the names Flea, Queeg, and Renderman. They will be found in minutes out of 12,000 people. But if you go asking for John, James, and Sam, well you are going to end up with more than three people answering to the name. A pseudonym will hide you if there is no association at all with any real identifier such as hotel room, automobile, ID, credit cards used, cell phones used, and so on, and ID that .gov can easily acquire. But if the feds get their way and we have to use our rela names, and we do, their jobs will be made harder as we vanish in the sea of Sams and Johns out there.

**renderman** · December 4, 2012, 14:24

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

As ASTcell noted, nicknames/handles are an identifier. I liken it to a choosen name as opposed to a given name to distinguish ourselves in the group. To some it looks like we are hiding, but it's just that we are using an alternative identifier. Those in the know, it's as good if not even better than a given name or other common identifier.

I for one will not be changing my motis operandi in light of these cases. No research is inherintly illegal. All of my Air Traffic Control stuff came from public records and was done from my couch.

The next few years are going to be interesting from a legal standpoint. The definition of things like public and private are being blurred. I'm expecting things like Google Glass to really shake things up and cause us to re-evaluate common notions.

**Thorn** · December 5, 2012, 22:48

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Originally posted by renderman View Post

The next few years are going to be interesting from a legal standpoint. The definition of things like public and private are being blurred. I'm expecting things like Google Glass to really shake things up and cause us to re-evaluate common notions.

That may or may not be for the better, depending on your view. Read Charles Stross' "Halting State" and "Rule 34" for police use of AR type of technology. Here's one example: If society decides to add metatags to smartphones for things like probation, and the cops can have a separate overlay to look for such things, then there could be a cost reduction in GPS ankle bracelet monitoring where both the device and the monitoring costs are directly borne by the bad guys through their phone bill instead of the Probation and Parole Dept.

Anyways, that's an aside to this discussion.

I would agree with ASTcell, an alias is useless and even more unique than your real name. That's doubly so at con, given the size of the cons and who knows whom. There aren't 6 degrees of separation at a con, it's more like one or two.

**TheCotMan** · December 6, 2012, 00:09

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

There are at least two parts to a name beyond an identifier:
* That which satisfies ego
* Reputation

If we divest ourselves of ego satisfaction, then an alias can exist online with a published public key (like with gpg/pgp) and validation of content, information, security alerts, academic research or warnings by signing statements with a private key, allowing others to validate with your public key.

All interactions can be done through anonymization with tools like tor when posting as that identity. A person could go so far as to only use a single dedicated piece of hardware when becoming the online alias.

Multiple aliases can be created, too, with each having a focus or discipline separate from the others.

While at Defcon, or elsewhere, the person could continue to use an alias or real name as they have established it, in order to network.

If your online alias never trusts anyone with private information about your "real identity" it becomes more difficult for anyone to map this alias to a real identity with drivers license, credit card, or photo/facial recognition.

Would you go that far to avoid lawsuits, and criminal charges while continuing your research?

Yes, I recognise ego is a large part of many "zero day" announcements, especially those cases that include bypassing vendor notification.

**Thorn** · December 6, 2012, 09:51

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Discussions of "real identity" always want me to say "I'm Batman" in a gravelly voice; but I digress.

Originally posted by TheCotMan View Post

If your online alias never trusts anyone with private information about your "real identity" it becomes more difficult for anyone to map this alias to a real identity with drivers license, credit card, or photo/facial recognition.

Frankly, I'm not sure this can be done. By revealing information to increase reputation, or even just details of how one went about finding and exposing a given exploit, you reveal information about yourself. Once enough information is revealed, there comes a point when finding the real identity of the person is a matter of connecting the dots.

AFAIK there was only one person in the community who was fairly successful in this, until he gave it up some years ago. I say "fairly successful", because he was using anonymizers and other means to avoid detection, yet was fairly well known as a damned fine hacker. For my own amusement, I'd casually tracked a lot of his info using just common, free tools available to the infosec community. (Yeah, yeah, I'm a nosy bastard, and hate a mystery. It comes with the territory.) When he finally revealed his real identity, I went back and looked at the info. As it turned out, I'd hit on his real name out of about 20 possible "suspects" that I'd narrowed the ID down to, and had a fair amount of background info including his physical home address and one past employer.

Again, this was someone who was very careful, and again, I was just casually tracking the info without any legal tools such as subpoenas or warrants. (Yes, I'm trained to do investigations, but being in the private sector now, I no longer have access to said legal tools.) That I was able to narrow it down to 20 people out of the 300m+ living in the US, have one of the 20 actually be his real name, not using things like subpoenas for ISP records, credit cards, or phone records, tells me that government investigators using the full authority of the law can probably do this in short order if they're determined and have some basic information to use as a starting point.

Outside of my own experience, two recent case further cement this in my mind: Those of Hector (Sabu) Monsegur, a co-founder of LulzSec, and Pvt. Bradely Manning. Both were (or should have been) highly motivated not to reveal themselves in any manner as they were actively and intentionally breaking the law. They were both flaunting what they were doing, making themselves high-profile investigatory targets. Yet despite those motivators to not get caught, both were found and arrested. Monsegur has plead guilty and Manning is currently negotiating pleas on a number of counts.

All-in-all, I'm convinced that a person can't "hide" their identity, and still actively publish very much on the Internet. It mind be possible to do it via some sort of double-blind agency, but then again, Wikileaks was supposed to have done that for Manning and that didn't turn out too well.

**TheCotMan** · December 6, 2012, 13:27

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Originally posted by Thorn View Post

[chop]
Outside of my own experience, two recent case further cement this in my mind: Those of Hector (Sabu) Monsegur, a co-founder of LulzSec, and Pvt. Bradely Manning.

In the case of Manning, wasn't he found as a result of ego through a desire to allegedly make a claim of responsibility to a person claiming to be a journalist, offering an empty promise of anonymity?

To avoid the pitfall of ego, a person can't advertise their accomplishments outside the protected, anonymized service shield.

In the case of Sabu, there are two arenas of claims on how someone believed to be using his identity was found.
1) Social information provided leakage of regional commentary and current events, such as reviews or comments about places to eat, locally.
2) The person arrested allegedly used their neighbor wireless access point, or another local access point instead of consistently using tor to anonymize their source IP.

One or both of the above were combined to get permission from a judge to eavesdrop on wireless data from one or more suspects that seemed to match what was expected, and then correlations were made with wireless traffic out-going/incoming and interactions of a user online using the anonymized name.

For these cases, we have ego (or maybe hubris) as a reason for leaking information that should have been kept private, and in the other case, a failure in implementation to abide by the rules of using the anonymization service and only the anonymization service when using the anonymous ID, and/or information leakage with social content about interest, and regional information.

A person, strictly releasing advisories, exploits, and comments about risks without explicit social content could still have a strong position.

There are regional styles to language and conversation, and it may be possible to use heuristics to estimate where a person is "from" and maybe analysis of their posting history could suggest a timezone or at least a daily cycle for sleep/awake, but beyond these, what else is there for post-based content?

Web client information is supplied by the client, and can't be trusted. Maybe conditional fingerprint/scans attempted with information leaked through tor, and if so, what? Custom-build pages that cause a broswers broke in a certain way to now request an image, CSS or other file, while another browser does not, and over time, build a best guess on which browser/OS they are using? Hope that they use the same hardware for other content, and then look for tracking cookie information that shows the "person" has returned as someone else?

With interactive content, timing and latency for conversations can provide more hints, but let's limit it to posts on forums and mailing lists for all announcements.

**Thorn** · December 6, 2012, 20:40

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

I suppose, in theory, someone could do it by sticking strictly to the subject, careful use of anonymizers and other such tactics.

However, I'd also agree with your assessment on both Manning and Monsegur, which proves my point. Both were being cautious, but not cautious enough.* Manning craved recognition and bragged outside of the anonymity Wikileaks supposedly provided. Monsegur let details out that narrowed the possibilities to him and possibly one or two others. In both cases, basic police work did the rest, to the point where both were arrested in relatively short order.

*Disclaimer: I don't sympathize with either of their stances or agree with the reasons for doing what they did. Quite the opposite, in fact. However, for purposes of discussion, both are valid as examples. Or warnings.

**astcell** · December 10, 2012, 10:08

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Originally posted by TheCotMan View Post

There are at least two parts to a name beyond an identifier:
* That which satisfies ego
* Reputation

Reputation may not exist before the name does. I have seen some folks change their handles in an effort to become more in line with who they are now as opposed to when they created their name. Name changes like that go over relatively well and are accepted and understood. Ego is an entirely other matter.

If you walk in with an ego, a place like Defcon will immediately put you in check. Go ahead, call yourself 'Unhackable', 'LeetestOne'. or 'NeverCaught'. See if you make it past the hallways without becoming Ground Zero for all the digital wrath your bandwidth can take. I believe we have a thread here too on how folks got their hacker names, some of the results were rather unexpected.

One thing for sure, if you have a name that is definitive and the press wants to talk about you, you will have a storyline sidebar with your name guessing things about you. "Is 'Flea' small or irritating?" "Does 'Renderman' work for the CIA in Pakistan?" You get the picture.

**renderman** · December 10, 2012, 12:20

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

How come I keep being used as an example :) My damn ears keep burning.

One detail, I think it was one of Sabu's cohorts that law enforcement used corelation of logon/logoff times to establish his identity. Somewhere in Pennsylvania I think. I remember it was the numbnut that got his talk canned back in 2004. I remember specifically because articles at the time mentioned doing surveilance on the wireless network which made me think A) did numbnut not know how to secure his shit? B) did the LEO's have some 0-day method of decrypting his traffic (reaver/WPS exploit most likely).

I think the biggest issue is that it's easier to corellate a physical person to an identifier the longer that identifier is in use. Particularly, as was noted, if it is unique among the population.

**TheCotMan** · December 16, 2012, 18:57

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Slashdot article on profilng people based on published content=http://yro.slashdot.org/story/12/12/16/2232238/when-writing-how-anonymous-can-you-be-really

This is a story in favor of some of the arguments some of you have proposed; information leakage about an individual even if using tor to try to hide your location/identity.

**datacurve** · October 6, 2013, 09:47

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

i was taught about "stranger danger" when i was a kid; to me it still applies; the use of an alias is fine. Facebook is not completely transparent either, But it does make it easier for some predators. When someone opens Pandora's box with your information inside is there really any way of putting it back in?

**Anachronist** · November 29, 2013, 13:54

Re: Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Originally posted by datacurve View Post

i was taught about "stranger danger" when i was a kid; to me it still applies; the use of an alias is fine. Facebook is not completely transparent either, But it does make it easier for some predators. When someone opens Pandora's box with your information inside is there really any way of putting it back in?

That's the heart of the issue. By putting it all on-line you create a situation that's all but impossible to undo and with consequences that can spin completely out of control at a geometric rate. I summarize it with "I don't have all that much to hide (those who have nothing have lived a sheltered life indeed). I do have several things that are nobody's business but my own. Also, in some cases I'm the custodian of other people's secrets. The last category, I won't discuss. The second and first would depend on the circumstances. As a first post on an internet forum.... Um. No.

Nothing-to-hide-nothing-to-fear is a bogus argument.

Announcement

Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Full Disclosure, in public illegal? : On the use of pseudonyms and aliases (pt 2)

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment