On the use of aliases at security conventions...

Re: On the use of aliaes at security conventions...

My "real" name is something no one knew for ages, I hated it, never did like, always wanted to change it. I never considered Nikita as a handle. Now it is my Legal name and I do feel great about that, because there is no confusion on what I want to put on paperwork and what my paycheck is made out as. If my name was goddess zero cool, that'd be different. I like handles tho, its WAY easier to remember who you are talking about as there is only one L0sT. It gets trickier when you have 70 acid burns or zero cools, HOWEVER I attribute that to not having really come into one's own yet. If you are just another zero cool, then maybe you haven't earned a handle yet, either socially or by experience. Most people have a story behind their handle, an experience, and some sort of recognition by multiple people who will propagate that handle. It means something to them. Also, Not many people will take interest in spreading a positive reputation for another noob named Morpheus. A$$hole on the otherhand...well there you go.

So, thankfully I don't have to go to room 103 and ask for a guy named zero cool or a guy named James. Both would suck badly and I guarantee you, neither would leave a neural impression to associate with them specifically.
That's my opinion, and having the experience of receiving for example speakers real names all the time, it's way easier on me when I can associate something unique and not common place like tom, dick and harry. The only thing that stops this, for me at least, is repetition, seeing Dan Kaminsky, Shawn Moyer, etc etc cross my desk enough times, then no matter how many times they tell me a handle or a nickname, I'm not going to remember, they will just always be Kaminsky and Moyer.

To me, I'm not bothered by it in the least and will respect it. If you want to be called Fluffi Bunny, then so be it. Why does a name really matter? A rose by any other name will still smell like rose.

Re: On the use of aliaes at security conventions...

Indeed. About 4 years ago a fella came up to me at the 'con and proclaimed 'You can't be 'blak'. That is a primary color!'. His handle was 'black mystic' or something to that affect. I laughed and moved on... hard to explain that I didn't choose this.

Through no effort of my own I was called 'blak' by the community. My handle, as was given to me some 18 years ago, is 'blakdayz'. The community labeled me 'blak' almost instantly and as such it has stuck since dc 3 in the defcon crowd. Go into any room, anywhere and ask for 'blak', and you will most assuredly be pointed in my direction.

Outside of the 'con(s) I am still called my this short version of my handle - by my friends, family, and even my wife (and kids sometimes).

I am with Nikita here - If you want to be called something it makes no difference to me. Some advise would be: If you 'choose' your handle: don't then be taken back when you realize that an established persona already has a social monopoly on the term.

that is just my humble opinion.

Re: On the use of aliaes at security conventions...

Escaping notoriety after stepping in front of 10 thousand people to give a talk is a farce. I gave that up a long long time ago.

Re: On the use of aliaes at security conventions...

i am totally guilty of that, particularly as far as the DC-Shoot is concerned, where both of you had been on my hand-written sign-up notes at one point or another.

Re: On the use of aliaes at security conventions...

I don't really like the idea of my Nickname associated to my face(Well this nickname I am using right now is obviously associated to my face and my real name), I think using multiple nickname might be the way to go...

Anyway considering I run a conference, and that I have been in the Media a few time, I pretty much given up on keeping my face dissociated from my real name. Hiding behind a fake name at a conference is a false sense of security(at least for me)...

Recently while registering on site at a conference, I got shocked that they asked me my real name... I came up with a fake name for their registry and the person registering me find it really weird (I was obvious about giving her a fake name)... For this conference they really had no business of knowing my real name (it's not like I was paying by credit card, it was a cash transaction).

At my conference, while all our payment are done in advance by paypal it's rather hard for people to hide behind a alias but as long as the transaction pass we don't really care if it was a real name or not. People doing the registration doesn't have the list with name, they only get the hash, only the core trusted organizators have the master list in case we need to troubleshoot a registration issue(Someone who didn't bring there secret hash).

I also do not like badge that have the real name on them...

Re: On the use of aliases at security conventions...

At first, I didn't want to use my real name online for any number of reasons. But as time went on and I made friends, I had a nickname that just stuck. To this day, personally and professionally, people meet me by my nickname - which has been my handle online. But lately, I've started to mix it up such as wizardai. The reason is, if one day things really get out of hand, I don't want an employer to search for my handle and be like, oh, this guy does this, this and this. That 2nd thing I don't agree with, no job!

But interestingly enough, people still introduce me by my handle. While that bothered me, it's ok with me now because people have a hard enough time pronouncing my name. My name isn't hard to say, but apparently, for some it is. So, my nick comes in quite handy. The good thing about it, is that at least it's a 'respected' name so i'm good. But yeah, booty raider 2003 isn't such a good name lol

Re: On the use of aliases at security conventions...

As no one really knows my handle or my nickname, perhaps you could consider me a newbie when it comes to this topic. I normally introduce myself with my handle because its short, simple, and easy to remember, not really because I want to hide behind it.

I think if i was part of the underground, then I'd be using yet another nickname that wouldn't be advertised except in very private circles.

WiK

Re: On the use of aliases at security conventions...

To be brutally honest, nick or real you are what you do. I don't think it matters, if you do something that people in the TSA/govt don't like... it won't matter. Your name can be associated with a nick if the "man" wants to (given enough time and resources). Echoing what others said above, I highly doubt Moxie got searched/held by TSA officials for his involvement in presenting at various security conferences, working in IT security/development, or even disclosing exploits. All of those fit his basic job description and the government even employs people like that. Where Moxie got it was with his association with Appelbaum, and despite saying he has no connection to wikileaks the govt is still going to try and check for people that are flying under the radar.

Personally, I think Moxie messed up not expecting this. Should I have been expecting it: I would have used a cheap throw away computer or a computer where there is nothing on there I don't mind other people seeing (“They could have modified the hardware or installed new keyboard firmware.”), saved a hard drive backup, put it online while out of country, reformat/encrypt my hard drive before flying back in, and then when seized do the same thing Moxie did by not giving them the encryption key. Also, if I got the computer back the first thing it would go through is malware analysis to see if it's dialing out anywhere, checking registry keys to see if anything has been changed, and also I would be checking to see if data is getting stored anywhere it shouldn't be. It would be interesting to see if something had been modified as I think that would require a search warrant (I could be wrong here though).

Do I have anything to hide? No, but I do value my privacy and the work I've put behind my projects. Is this method a pain in the ass? Absolutely! However like I said, I value my privacy.

Just my $0.02, and I'm looking forward to going to Defcon this year.

Re: On the use of aliases at security conventions...

I fail to see how Moxies recent situation bears on this thread.

There's alot I can add to correct some of your arguments, but respecting privacy precludes me from discussing specifics.

Re: On the use of aliases at security conventions...

When TheCotMan started the thread, the first post had a link to a story about Moxie being detained at JFK back in November. Cot was asking whether or not using a alias might prevent/minimize authorities from making an association between a real name used at a border checkpoint and one's hacker activities, which may be seen as undesirable by a given government.

Re: On the use of aliases at security conventions...

On the topic of the thread.

I've thought alot about this and it for me, it comes down to an issue of identity. A name (psuedo or real) serves to represent a specific individual to others.

In terms of real names, alot of people take variations of their real names (Robert/Bob, Richard/Dick), and the world accepts those names as 'real'. The rub comes when a person chooses a new identifier. Since this breaks the chain of identification (no easy way to establish identity from birth or that a person is), it tends to rub people weird and thus they subconsciously become suspect of the person. Considering the climate of security we are in and the irrational insistence on ID checks,

For many of us though, it's the old adage of 'A rose by any other name' where a persons character is the identifier, not a specific label. As many people pointed out, they didn't care for their original identifier (name) and chose a new one, but the underlying person is still the same.

For myself, I originally took on the handle, drawing from a high school nickname, in order to firewall my online activities from my meatspace activities. After a while, it became more and more of who I was as a person, to the point of it being the more comfortable identifier. This caused some problems since most of my activities that are noteworthy, were attached to the RenderMan name. Trying to trade on that for a career was obviously an issue since most employers don't acknowledge or understand (see above point about suspicion). Writing books proved to be the crossover. Putting both names on the cover allowed me to merge the two and provide a path for people to follow the identity from both names to the person behind it. Doing non-hacker conferences as RenderMan also added to the cache of legitimacy. More than once I've gone up to registration tables to be greeted with 'oh, your that guy'

It's to the point where Grey calls me Render more than my given name, hell even my parents call me Render fairly often.

My issues with names then to revolve around when people change them to hide. I've put roughly 14 years into RenderMan, building cred and identity, it's a great motivation to not screw up by doing something stupid and destroying that. Rather than using the handle name to hide, I think it's better to use it as a way to build reputation within our community that is easier to remember than (as many people pointed out) real names that are all to common.

Re: On the use of aliases at security conventions...

Sorry, I was a bit unclear in the post but you hit the nail on the head there. Real name or alias, I don't think it matters much both on the level of being able to build credibility or trying to hide your identity. People with any name can build a credibility based on their actions, whether that be a good or a bad one. If it's a bad enough rap sheet to those in authority of deciding that, no alias in the world will hide you. That's the reason I mentioned Moxie, even though I (personally) don't see his reputation as bad. The DHS must though, and alias or no it still hasn't stopped them from detaining ITsec guys they find as questionable. So for hiding, alias/handle/real name doesn't matter. For building credibility, use whatever is easiest.

As for the rest of the rant (reformatting the hard drive), that's just my $0.02 on what I fear the TSA may drive people like me to do when I travel. Sorry it was a bit off topic, but my privacy and projects are too valuable for me to lose. Just like the credibility aspect you mentioned, I've spent a lot of time building them. I enjoy the privacy of being able to learn and experiment with my computers.

Re: On the use of aliases at security conventions...

A few people here know my real name, and the rest of you can find it easily on Google. I guess I kind of take a different approach when using my handle. Anything I do as AgentDarkApple is representing the real me. Signing AgentDarkApple or ADA to something is giving it my stamp of approval. It means I am being transparent and honest. My real name, on the other hand, is merely an incidental thing used for government documents and obligatory associations with non-geeks whom I may or may not trust. I can sign it all day long and never truly endorse anything. No one who knows me well ever uses my real name - most call me ADA or by some pet name they have given me. And when I do use my real name in real life, I have found that it is so common that people tend to forget it.

Re: On the use of aliases at security conventions...

My handle is not so much of a cover, since all the spammers out there know what my real name is and use it regularly to ask me, in a personal tone, to click on the attached link because I have won a million pounds or need me to help launder some money out of Nigeria left by some dear relative who recently passed on.

As with some of the others who have posted, my handle is a part of my history and indicates a potential link to something to do with saxophones, if you couldn't tell. Little did I know when I chose this handle shortly after figuring out what the Internet was that I was probably the first on the net to use the handle and it would remain relatively unique. And IMHO, good sax, beer, and information security all go quite well together.

Re: On the use of aliases at security conventions...

Back the the original purpose of this thread...

Here we have another story that would suggest use of aliases at "hacker" conventions might be wise:

http://www.wired.com/threatlevel/201...wsuit-factory/

Use of aliases, and use of tools like tor to anonymize your network presence could decrease the effectiveness of corporations intent on causing financial harm to people that may or may not have violated a law on copyright or the DCMA.

There is value in "someone" being a canary to find out if the recently dug mine (examination/[reverse-]engineering) is full of poisonous gas (lawsuits) but it is likely that nobody wants to be the canary.

Additionally, what may be thought to be not illegal now could become illegal later through new interpretations of existing laws, through case-law, or when a lawyer finds a collection of older laws that argue in favor of wider allowances to decrease requirements for finding someone guilty or "accountable" and "responsible" for damages. It is unclear now what laws or interpretations may change in the future.

Is this as another example enough to sway anyone's previous decisions or change their opinions on this topic?

Is the exposure or leakage of your real name in association with your alias a greater risk financially, civilly, and perhaps criminally than the benefits of having a real name associated with your research?

One more thing to consider: With extradition being what it is, and the complexity of laws in other countries, and the added complexity of rules for extradition between different countries and what is necessary and sufficient for extradition, is it possible that you might break a law of be exposed to civil lawsuit in another country, which could bite you when you travel internationally?