Hackers could track the person behind your usernames

Discussion in 'privacy general' started by lotuseclat79, Feb 7, 2011.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
  2. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    FWIW, that was essentially Aaron Barr's plan for the protocol that he hoped to sell to the FBI et alia. See this Wired article.
     
  3. katio

    katio Guest

    Can someone explain to me in plain words what this is all about:
    http://planete.inrialpes.fr/projects/how-unique-are-your-usernames/

    Use the same unique and rare username on different services, of course you can be tracked. Duh, what a surprise!
    But maybe you WANT to be tracked?

    Want to use a user name that "can’t be used to track you on the Internet"?
    There is a tool for that, everyone knows about it and it's been available for the longest time, it's called Google. Type in the name you want to use and make sure there are a lot of results in all sorts of contexts.

    The tool also touts it can detect how "linkable" two usernames are. My quick testing shows it's absolutely not capable of doing just that.
    Following pairs are all labeled as "likely do not belong to a single person":
    John.Doe Doe.John
    John.Doe JDoe
    This on the other hand was detected as "likely belong to a single person"
    johndoe john.doe
    johndoe johndoe1
    while
    1johndoe johndoe1
    wasn't detected once again
    Seriously, this is utterly worthless. This is really primitive regex, nothing you couldn't write yourself in a few minutes (and it would be more capable).

    Are these people for real?
    Dear Jamie Condliffe,
    before writing a "news article" what about checking your facts and sources like any other "reporter".

    A "new wave"? This is as old as the concept of usernames and emails linked to different accounts. Most people use the same email for everything, the same username for everything and yes, the same password for everything too. But that's boring old stuff, doesn't bring new readers who click on your ads?

    Geez, I'll stop now.
    A final remark: Before spreading their news at least /you/ should check the facts.
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Wow, katio -- their tool is indeed worthless. Maybe Aaron worked on it ;)

    When I read your comment, I first thought that John.Doe and Doe.John might be rated as not similar because "even two quasi-identical usernames, like sarah and sarah2 might have a low similarity because deemed too common." However, the tool also reports that alernaz.gavarkux and gavarkux.alernaz are not similar.

    Also, I want to clarify that Aaron's approach also involved many other sorts of correlation, such as relationship patterns and timing analysis.
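
    The pairs tested in the two posts above can be checked against a simple normalization heuristic, useful for auditing your own handles before reusing one. This is an added example, not the INRIA tool's algorithm and not code from any poster; the names `tokens`, `variants` and `linkable` are hypothetical, and unlike the tool it ignores how common a username is.

```python
import re
from itertools import permutations

SEPARATORS = re.compile(r"[\s._\-]+")
# Zero-width split points: "johnDoe" -> "john Doe", "JDoe" -> "J Doe"
CASE_BOUNDARY = re.compile(r"(?<=[a-z])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")
DIGIT_AFFIX = re.compile(r"^\d+|\d+$")  # "1johndoe" / "johndoe1" -> "johndoe"

def tokens(username):
    """Strip digit affixes, split on separators and case changes, lowercase."""
    core = DIGIT_AFFIX.sub("", username.strip())
    core = CASE_BOUNDARY.sub(" ", core)
    # Cap at 4 tokens so the permutation step below stays small.
    return [t.lower() for t in SEPARATORS.split(core) if t][:4]

def variants(username):
    """Return (full, abbreviated) spellings across every token order."""
    toks = tokens(username)
    full, abbreviated = set(), set()
    if not toks:
        return full, abbreviated
    for order in permutations(toks):
        full.add("".join(order))
        if len(order) > 1:
            # First token reduced to its initial: john doe -> jdoe
            abbreviated.add(order[0][0] + "".join(order[1:]))
    return full, abbreviated

def linkable(a, b):
    """True when one name is a reordering, affix or initial form of the other."""
    full_a, abbr_a = variants(a)
    full_b, abbr_b = variants(b)
    # Abbreviated-vs-abbreviated is skipped on purpose: it would link
    # John.Doe to Jane.Doe through the shared form "jdoe".
    return bool(full_a & full_b or full_a & abbr_b or abbr_a & full_b)

# Pairs quoted in the thread; every one of them normalizes to a match.
PAIRS = [
    ("John.Doe", "Doe.John"), ("John.Doe", "JDoe"),
    ("johndoe", "john.doe"), ("johndoe", "johndoe1"),
    ("1johndoe", "johndoe1"), ("alernaz.gavarkux", "gavarkux.alernaz"),
]

def report():
    return {pair: linkable(*pair) for pair in PAIRS}

if __name__ == "__main__":
    for pair, result in report().items():
        print(pair, "->", "linkable" if result else "not linkable")
```

    An initial form such as JDoe also matches Jane.Doe, so a hit here means "worth a closer look", not proof of a single owner.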
     
  5. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    I liked this little article, actually. Not because it was breaking news, as it obviously isn't, but because it triggered a few thoughts about pseudonyms composed of random strings, as a signaling device that means that the sender plans to send one message, and one message only, within certain parameters.

    So I was intrigued with the inverse of this problem. And I'm always interested in information about pseudonyms. Nothing wrong with putting your information out there - sometimes thoughts cascade in others differently than in ourselves.
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I'm pretty sure I fall in this category on some forums (security related, I'm always called Noob) BUT I'm pretty sure there's a lot of random people with this username :rolleyes:
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    btw, passwords from rootkitdotcom were stored as a single MD5 hash :rolleyes: personal info has been put up online, so if you were a member and use the same passwords anywhere else, better change them.
     
  8. katio

    katio Guest

    They could have been salted "sha1024" (I know, just to illustrate the point) and passwords could have been cracked nonetheless:
    http://www.f-secure.com/weblog/archives/00002095.html

    Even then, if a server is rooted attackers can sniff passwords, redirect traffic etc. They have full control over everything.
    Of course other attacks aren't as quick and easy to automate against thousands of users but it's something you should keep in mind when another site gets hacked that actually stores passwords in a secure manner.
     
  9. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    It's interesting research but it is hard for me to believe that usernames can identify a person.
    I would like to see that tool.
     
  10. katio

    katio Guest

    @MakePB:
    The idea was to link different online "identities". Some of which may be pseudonymous, some of which are linked to your real identity like ebay.
    That's how they could id real persons.

    Nothing new, nothing interesting to see. All they did was come up with some statistics and formulas to more accurately describe the phenomenon.

    These sensationalist articles as I said are crap. Read the white paper for more details and more level headed insights.

    What should you take home from this?
    Unique passwords are just one part, if you don't want everyone to track your activities on the internet also use unique usernames. Preferably ones that give a lot of "false positives" in a google search.
     
  11. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Well with Facebook Connect and OpenID, it is not going to be that hard to track down usernames. By the way, I prefer one username, got used to it. :shifty:
     
  13. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    None of this means anything. There are two groups of people who willingly provide 'real' information on the Internet:

    1. People who don't care (yet)
    2. People too stupid to know the difference.

    If you fall into either of those categories, I can't see that being able to ascertain anything about your real name is going to be of much benefit, apart from profiling.
     
  14. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    I've never used the same one twice. In fact, I've been known to just throw some away if I've posted too much with it.

    I just use whatever random thought enters my head for a username when I sign up.
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The attack on rootkit.com by Anonymous used social engineering to get the password. They didn't really "crack" anything.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Doubt they can track any regulars from here.
     
  17. katio

    katio Guest

    Actually they did, I posted this link in another thread about rootkit.com here already. Seems like this information hasn't really spread as well as the "16 year old" anecdote...

    http://arstechnica.com/tech-policy/...eaks-the-inside-story-of-the-hbgary-hack.ars/

    SQL injection, Raise hands if you didn't see that one coming. You'd think people (right, "security" people) would really know by now :(
     