Hackers could track the person behind your usernames

Hackers could track the person behind your usernames.

Related link: How unique are your usernames?.

-- Tom

 

FWIW, that was essentially Aaron Barr's plan for the protocol that he hoped to sell to the FBI et alia. See this Wired article.

 

Can someone explain to me in plain words what this is all about:
http://planete.inrialpes.fr/projects/how-unique-are-your-usernames/

Use the same unique and rare username on different service, of course you can be tracked. Duh, what a surprise!
But maybe you WANT to be tracked?

Want to use a user name that "can’t be used to track you on the Internet"?
There is a tool for that, everyone knows about it and it's been available for the longest time, it's called Google. Type in the name you want to use and make sure there are a lot of results in all sorts of contexts.

The tool also touts it can detect how "linkable" two usernames are. My quick testings shows it's absolutely not capable of doing just that.
Following pairs are all labeled as "likely do not belong to a single person":
John.Doe Doe.John
John.Doe JDoe
This on the other hand was detected as "likely belong to a single person"
johndoe john.doe
johndoe johndoe1
while
1johndoe johndoe1
wasn't detected once again
Seriously, this is utterly worthless. This is really primitive regex nothing one couldn't write yourself in a few minutes (and it would be more capable).

Are these people for real?
Dear Jamie Condliffe,
before writing a "news article" what about checking your facts and sources like any other "reporter".

A "new wave"? This is as old as the concept of usernames and emails linked to different accounts. Most people use the same email for everything, the same username for everything and yes, the same password for everything too. But that's boring old stuff, doesn't bring new readers who click on your ads?

Geez, I'll stop now.
A final remark: Before spreading their news at least /you/ should check the facts.

 

Wow, katio -- their tool is indeed worthless. Maybe Aaron worked on it

When I read your comment, I first thought that John.Doe and Doe.John might be rated as not similar because "even two quasi-identical usernames, like sarah and sarah2 might have a low similarity because deemed too common." However, the tool also reports that alernaz.gavarkux and gavarkux.alernaz are not similar.

Also, I want to clarify that Aaron's approach also involved many other sorts of correlation, such as relationship patterns and timing analysis.

 

I liked this little article, actually. Not because it was breaking news, as it obviously isn't, but because it triggered a few thoughts about pseudonyms composed of random strings, as a signaling device that means that the sender plans to send one message, and one message only, within certain parameters.

So I was intrigued with the inverse of this problem. And I'm always interested in information about pseudonyms. Nothing wrong with putting your information out there - sometimes thoughts cascade in others differently than in ourselves.

 

I'm pretty sure i fall on this category on some forums (Security related, i'm always called Noob) BUT i'm pretty sure there's lot of random people with this username

 

btw, passwords from rootkitdotcom were stored as single MD5 hash personal info has been put up online so if you were a member and use the same passwords anywhere else better change them.

 

They could have been salted "sha1024" (I know, just to illustrate the point) and passwords could have been cracked nonetheless:
http://www.f-secure.com/weblog/archives/00002095.html

Even then, if a server is rooted attackers can sniff passwords, redirect traffic etc. They have full control over everything.
Of course other attacks aren't as quick and easy to automate against thousands of users but it's something you should keep in mind when another site gets hacked that actually stores passwords in a secure manner.

 

It's interesting research but it is hard for me to believe that usernames can identify a person.
I would like to see that tool.

 

@MakePB:
The idea was to link different online "identities". Some of which may be pseudonymous, some of which are linked to your real identity like ebay.
That's how they could id real persons.

Nothing new, nothing interesting to see. All they did was come up with some statistics and formulas to more accurately describe the phenomenon.

These sensationalist articles as I said are crap. Read the white paper for more details and more level headed insights.

What should you take home from this?
Uniques passwords are just one part, if you don't want everyone to track your activities on the internet also use unique usernames. Preferably ones that give a lot of "false positives" in a google search.

 

No they can't. Not even my ISP can track a single username that I've used where I've wanted to stay anonymous. The admins at Wilders don't even know if I have one or a hundred usernames (I have one FYI).

A hacker has precisely 0% chance of getting anything.

 

Well with Facebook Connect and OpenID, it is not going to be that hard to track down usernames. By the way, I prefer one username, got used to it.

 

None of this means anything. There are two groups of people who willingly provide 'real' information on the Internet:

1. People who don't care (yet)
2. People too stupid to know the difference.

If you fall into either of those categories, I can 't see that being able to ascertain anything about your real name, is going to be of much benefit, apart from profiling.

 

I've never used the same one twice. In fact, I've been known to just throw some away if I've posted too much with it.

I just use whatever random thought enters my head for a username when I sign up.

 

The attack on rootkit.com by Anonymous used social engineering to get the password. They didn't really "crack" anything.

 

Doubt they can tack any regulars from here.

 

Actually they did, I posted this link in another thread about rootkit.com here already. Seems like this information hasn't really spread as well as the "16 year old" anecdote...

http://arstechnica.com/tech-policy/...eaks-the-inside-story-of-the-hbgary-hack.ars/

SQL injection, Raise hands if you didn't see that one coming. You'd think people (right, "security" people) would really know by now