This is why I try to use the same name across websites. I want to be identified as the same person. Just resist the urge to post information you don't want others to have.
We often don't know what is or isn't information we don't want others to have, and it will be a lot harder, if not impossible, to delete it after-the-fact. Especially when you consider how it only takes a few innocuous data points to derive what might be information you'd rather not disclose.
The secret is multiple accounts. I too have a Brand Name Account(tm) I like to float around but it sure as heck isn’t this one.
Doing the multiple account thing isn’t as easy as it sounds though. Some sites like Reddit make switching between accounts incredibly easy while others aren’t so much. Plus laziness kicks in and soon enough your Brand Name Account gets tainted and you have to consider taking it out back to the dumpster.
trick here.. create different chrome profiles, with different color schemes. Peach is my "nice person" account. Red is for accounts that I want to be a little more argumentative.
I do this at work too.. where I have to have different user profiles to emulate working as an admin, staff, client, sub-client. Blue seems adminny :)
I do a similar thing with my terminal emulator: Different background colours in PuTTY depending on which server it's connected to. Green for Dev, red for Prod...
There was a "show hn" many months ago that did stylometry on HN commenters to show which accounts were most stylistically similar; I ran a throwaway account of mine through it, and it showed my account in the top 3 - which was impressive.
Having multiple accounts won't save you when your own word choice, grammar and style can uniquely identify you to anyone sufficiently motivated to link your disparate identities at any point in the future. The author even said their tool was rather basic; IIRC the basis was all pairs similarity on n-grams
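The all-pairs n-gram comparison recalled above, as an added sketch for auditing your own accounts (it is not the Show HN tool's code, which is not on this page). Account names and posts are constructed, and character trigrams with cosine similarity are an assumed choice of features and metric.

```python
import math
import re
from collections import Counter
from itertools import combinations


def ngram_profile(text, n=3):
    """Relative frequency of each character n-gram (case-folded, whitespace collapsed)."""
    t = re.sub(r"\s+", " ", text.lower()).strip()
    counts = Counter(t[i:i + n] for i in range(len(t) - n + 1))
    total = sum(counts.values()) or 1
    return {g: c / total for g, c in counts.items()}


def cosine(p, q):
    """Cosine similarity of two sparse frequency vectors."""
    dot = sum(v * q.get(g, 0.0) for g, v in p.items())
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


def all_pairs(accounts, n=3):
    """Score every pair of accounts; highest similarity first."""
    profiles = {name: ngram_profile(" ".join(posts), n) for name, posts in accounts.items()}
    scored = [(cosine(profiles[a], profiles[b]), a, b)
              for a, b in combinations(sorted(profiles), 2)]
    return sorted(scored, reverse=True)


def nearest(accounts, target, n=3):
    """Other accounts ranked by similarity to `target`."""
    return [(s, b if a == target else a)
            for s, a, b in all_pairs(accounts, n) if target in (a, b)]


def margin(accounts, target, n=3):
    """Gap between best and second-best match; a small gap means a weak link."""
    ranked = nearest(accounts, target, n)
    return ranked[0][0] - ranked[1][0]


# Constructed posts: "main" and "throwaway" share one writer's habits.
SAMPLE = {
    "main": [
        "IIRC the basis was fairly simple, tbh. Fwiw, I reckon it mostly works; "
        "the caveat is latency.",
        "Tbh I reckon the caveat is overstated; fwiw it mostly works for me, IIRC.",
    ],
    "throwaway": [
        "Fwiw I reckon this is overstated, tbh. IIRC the caveat was about latency; "
        "it mostly works.",
    ],
    "other1": ["lol no way!!! that thing never ever worked 4 me... gonna try again tmrw lol"],
    "other2": ["One should perhaps consider whether such an approach is warranted. "
               "Indeed, evidence remains scarce."],
}

if __name__ == "__main__":
    for score, name in nearest(SAMPLE, "throwaway"):
        print(f"{name:10s} {score:.3f}")
    print("margin:", round(margin(SAMPLE, "throwaway"), 3))
```

With a pool this small the top match is easy to trust; the margin shrinks as the number of candidate accounts grows.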
I don't understand what point you're trying to draw here. William Shakespeare was by no means anonymous in his day and age and he almost certainly had to consider the views of the aristocracy and other elite figures that might watch his plays i.e. self censor. Ben Jonson, a contemporary playwright, was imprisoned for writing "The Isle of Dogs".
I think parent is saying that by self-censoring, expression others enjoy is lost, with the example of Shakespeare as an expresser whose impact would have been lost if he'd decided to be anonymous instead.
Actually it should be the opposite. Claim one handle everywhere that you want people to associate as your “real” persona and then use unique names in places where you want to be controversial.
Actually, this makes it obvious why you should keep a page that contains all your links. It's easy to just make an account and pose as someone in order to destroy their reputation. It's also difficult to get unique accounts, often times my accounts overlap with existing names. Even my real name is shared with many people.
Employers who use technology like this are actually quite foolish to do so.
just to be slightly pedantic as there are still sites that have screen names vs account names where the screen name the public sees has no correlation with the account name (typically an email account).
so don't re-use email accounts across sites. SecOps matter
I have a somewhat common firstname.lastname@gmail.com and others with the same name use it pretty often. Surprisingly often it seems as if sites allow accounts to exist without email confirmation. I estimate at least 50% of the accounts out there that use my gmail are actually not me, and I like the idea of anyone trying to make sense of that data, if they can even guess that I am the Firstname Lastname that the address belongs to.
I’m in a similar situation and hadn’t thought of it that way. My take on the email I receive is that they fall into one of these categories: a) genuinely intended for me (and not spam), b) spam, c) genuinely intended case of mistaken address (they forgot to include another character), d) someone using mine as their throwaway (site sending verification email), and e) someone using mine as their throwaway (no verification process, ergo not altogether different from spam).
Where I am, it is official government agencies that seem to not verify email (and send me sensitive documents meant for others with the same name — a chore to call and ask them to correct their stuff regularly, sigh)
Any commercial sites - dating, gambling etc. end with verification attempts
Doesn't this subaddress all just resolve to the same account? The accounts are free, so just make up a completely different account. Yeah, it might get a bit of a mess for a user to manage, but that's what password managers are for.
let's face it, we're not talking about Joey Beercan doing this. Anyone even tossing around the term SecOps is already moved out of mass populace and into the somewhat informed. Someone practicing SecOps would definitely be the type to use some sort of credentials management. So I don't think unique totally unrelated emails is too much of a burden. Using different free email providers is even better.
It depends on the underlying email server. But strictly speaking, the "+" is a valid identifier, and "joe+admin@example.com" is a completely different address than "joe@example.com".
It just so happens that email servers tend to recognize the usage of "+" as a "tag" and route incoming mail using the tag to the root email that precedes the plus and tag.
But, as the sender, you cannot assume that this is always the behavior. You must assume that those are two different emails.
I use periods and they work fine like for exampl.e@gmail.com or e.xampl.e@gmail.com which surprisingly resolves to my main email and I’ll block spam from any sender spamming that period address. Anyone know why this works?
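An added example (not any commenter's or mail provider's code) of the two views in the comments above: a sender has to treat `joe+admin@example.com` and `joe@example.com` as different addresses, while anyone correlating accounts can collapse them to one mailbox. Gmail ignoring dots and stripping `+tag` is Gmail's own behaviour; applying the `+tag` rule to other domains is an assumption, and all addresses are constructed.

```python
from collections import defaultdict

# Gmail delivers both domains to the same mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr):
    """Split on the last '@'; raise ValueError on malformed input."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()


def sender_view(addr):
    """What a site sending mail must assume: only the domain is case-insensitive."""
    local, domain = split_address(addr)
    return f"{local}@{domain}"


def correlator_view(addr, assume_plus_tags=True):
    """Best guess at the mailbox an address delivers to (a linkability check)."""
    local, domain = split_address(addr)
    base = local.split("+", 1)[0] or local   # keep a local part that starts with '+'
    if domain in GMAIL_DOMAINS:
        # Gmail: tag stripped, dots ignored, case ignored.
        return f"{base.replace('.', '').lower()}@gmail.com"
    if assume_plus_tags:
        # Assumption: this server also treats '+' as a tag and ignores case.
        return f"{base.lower()}@{domain}"
    return f"{local}@{domain}"


def linkable_groups(addresses, assume_plus_tags=True):
    """Map each guessed mailbox to the addresses that collapse onto it."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[correlator_view(addr, assume_plus_tags)].append(addr)
    return {box: addrs for box, addrs in groups.items() if len(addrs) > 1}


# Constructed addresses, one per site an imaginary user signed up to.
SAMPLE = [
    "joe@example.com",
    "joe+admin@example.com",
    "exampl.e@gmail.com",
    "e.xampl.e@gmail.com",
    "Example+shop@googlemail.com",
    "joe@example.org",
]

if __name__ == "__main__":
    for box, addrs in linkable_groups(SAMPLE).items():
        print(box, "<-", ", ".join(addrs))
```

Run it over the addresses you have used for sign-ups: any group it prints is a set of accounts that a leaked user table links together without further effort.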
Gmail accounts aren't free: I believe they only allow up to 4 to be linked to the same phone number (which is mandatory).
Microsoft is worse: they'll let you create an account, then lock it the next day, after you've already used it for something, if you don't link your phone number.
Phone number is used because it costs money to get, is hard to get in bulk, and in many countries is always tied to your identity.
I wonder what the market for throwaway phone number verification is worth.
It is still possible to register Gmail accounts without a phone number. I suppose they primarily use IP reputation to determine when they allow it but device seems to matter too.
In the past you could use BlueStacks android emulator to register Gmail accounts without sms verification even with VPN IPs. This year I've created a few Gmails without sms verification, once on desktop chrome (with Firefox they would've required sms) and a couple of times using the Gmail app on an Android phone.
There are several cheap (not free) email providers that allow you to create unique emails per service for this precise purpose, and do not require a phone number, however they are lacking significantly in every other way, like an easy to use inbox, so not great for your main contact.
One I tested out I found to be good for these random sites that want emails as your username. Then I set the custom email to forward the mail thereby maintaining unique usernames on each site. If the site does not use an email for the username and does not make the provided email public, you could use your regular email with the handy features that come with a Google/Microsoft suite, or err on the side of caution by still having the unique email.
> I wonder what the market for throwaway phone number verification is worth.
I pondered this recently, and it seems to top out at a couple bucks per shot.
The problem is that the phone number tends to need to be persistent for the sake of security. You can't typically sign up for something that requires a phone number and then expect to be able to keep the account safe without maintaining exclusive access to that number.
I'm sure if it were cost effective, one of the password managers would have some kind of SMS integration, like Apple's hide my email, but for phone numbers.
If you're the kind of person who doesn't want to provide their own phone number to make an account, you probably also wouldn't be using any account long-term.
That’s not true. None of my Gmail accounts have a phone number, and I’ve used them for their discrete purposes continuously since their creation. I doubt I’m the edge case
You claim OpSec, but if you’re using such bad opsec, then I’d suggest you’re not actually doing opsec. Tying a throw away account to actual data that can directly identify you is just such bad opsec, you might as well use your actual name as your user name.
Opsec can be a relative term. Yes, some people are selling drugs or spying for the Russian government but other people just don't want to be OSINTed by scripts like this. Then creating a new Gmail account from the same IP address is enough. It's a lot easier to hide your identity from people who don't have the power to issue subpoenas.
I think his point was that he wasn't looking to be totally invisible. Just less obvious to people who won't spend a pile of time looking for you.
If you're adding your phone number to a throw away account you use on Target or Walmart, it's likely okay.
The IP comment was likely because if someone can get your phone number from the Walmart service (via subpoena), to track you down, they can also get your IP address too.
> Doesn't this subaddress all just resolve to the same account?
Not in OAuth/OIDC compliant identity providers. As one example, I frequently use + email addresses for testing on auth0-secured apps, where I use the + text to tag a role or some other user attribute that identifies what makes the test account special. eg stult+admin-staging@example.com or stult+user-declined-gdpr-prod@example.com. Each plus variant resolves to its own separate account with its own password (which I do in fact manage via a credential manager), without requiring me to set up multiple full email addresses to simulate multiple users with verified email addresses.
And this makes it obvious why you should use the same username everywhere!
When maintaining an official online public presence, or if you are privacy minded you likely want to "plant the flag" to stop others from impersonating you.
I strongly suggest the opposite. Collect everything and do on a personal site, do good seo on your pages, expose your content. Go totally anon for anything you don't want exposed of course. But you should expose as much of yourself as you're able and control the conversation.
This reminds me of a friend who was a steam moderator, and they had an alternate account on twitter pretending to be mexican. The amount of times they got people thinking they found their real name was larger than "juan".
Using online services requires so much special attention it starts to weigh up to the benefits given. Considering the risks, it is already on par with the value delivered.
But then at this point we can take a username, take a user's posts on one site, train a LLM with these posts and ask the LLM to write comments in the style of that user on another forum/subject.
How do you even determine anymore if something is really written by someone?
Websites are already for a huge part written by bots/LLMs and we all know to take them with a huge grain of salt.
How long until we consider users posts aren't to be trusted anymore either?
It already started (impersonating usernames) for sure.
So what is this even tracking?
Heck, at this point it's nearly a guarantee we already have bots trained on outputs of other bots.
I wonder what the implication of all this is going to be.
>And this makes it obvious why you should use a unique username everywhere!
Actually I was disappointed by the post, I was hoping it will be able to find the same person regardless of the username through analyzing the writing style, what they are talking about, the timezone etc.
The username doesn't prove anything, anybody can take any username anywhere. If someone targets you, they can take usernames on platforms you haven't claimed your username yet and pretend to be you and damage your reputation.
They are just gonna make fake accounts that look like yours and shitpost ahead anyways.
Social media has multiple problems, including authenticity, transparency, validity and verifiability. All of which don't exist and make it the optimum propaganda machine (referring to the criteria that Chomsky described) because it can be corrupted through multiple attack vectors.
If we want to survive this hellhole of misinformation, the mentioned criteria has to be implemented for the "next big platform" so that censorship and other legislative processes can be encountered with increased transparency and openness.
On a network/society scale it can't be driven by financial incentives to prevent corruption, ergo it must be financed by taxes. Preferably on an EU or UN legislative level to prevent political corruption of single state actors.
I don't think so. He doesn't care about the source code or want the source code. He just wants an executable file. If there was the exact same project that was closed source and had an .exe file he would have never even gone to the github.
For people who want to have a professional social presence (FB/linkedin) as well as an anonymous one (Reddit etc), it’ll be super useful to see if the accounts are truly unlinkable. Moreover if you are opening a new anonymous account, maybe a good idea to search the new username using this tool to make sure it’s not “taken”
Stylometry tools may be useful if you already have a small candidate pool of suspected aliases. They produce too many false positives to be useful for blind cross-linking of accounts. Once or twice somebody has done stylometric analysis of HN accounts and I've looked at the results for my accounts. Even though I don't try to obscure style across accounts, stylometry didn't match my actual accounts with each other. My top matches were for accounts controlled by other people.
I specifically write with different perspectives, tones, and opinions on different sites in a probably vain attempt to mitigate this.
For example, on YouTube I use twitch slang, and on Reddit I use TikTok slang, and on TikTok I use reddit slang. On hackernews I use a slightly whimsical pedantically-infused undergrad tone.
Using stats this is called stylometry and I agree this will probably be easier at scale now. You can also match posting windows, pull additional features from database dumps/hacks.
Then people will start using browser extensions that automatically "fuzz" your writing style randomly. That is, if chasing anonymity is someone's true goal.
Interesting tool, but it generates false positives. Try Sherlocking some randomly generated usernames that cannot possibly exist and it will still return results for some of the URLs in its list.
I think the "non creepy" use is really just making people aware how easy it is to correlate all your different traces online. It's like when someone released on HN a tool that would link various HN accounts (and maybe Reddit accounts too IIRC), but by looking at commenter word choice similarity.
It makes people realize that actual anonymity online is a smokescreen.
I recently Googled myself, and in the first page of results I ran across some shit AI website that scrapes random web content about people and attempts to summarize it. It got my current occupation completely and comically wrong -- as in, it has nothing at all to do with tech.
If you're trying to figure out anything about me from social media or other such random web pages, I don't care to have anything to do with you, and I don't care what you're led to believe about me. I suppose this is born of privilege, but the only contacts I care to make are directly via people I already have a relationship with.
Clean up the online footprint for someone that hires you to do so before they run for office. I don't remember every single web site I've ever signed up for going back to when I started using the Internet, and neither can you.
Internet Archive likely renders that point moot, no? There are plenty of sites that index tweets outside of Twitter for example... at least there used to be
You can request them to take down personally identifying information about yourself. They respond quickly and seem to have someone employed to handle GDPR requests.
To socially harass and drive to suicide anyone that doesn't conform to the dominant cultural outlook. Think that's creepy? Well, you just made the list!
I’ve successfully used Sherlock to track down a colleague that I only connected with on MeetUp. It’s an amazing tool. Worth running on your own usernames as an easy account inventory
Remember when IPv6 decided on 128 bit addresses and defaulting to /64 blocks because someone thought using a 48-bit MAC address as the IPv6 equivalent of a port was a good idea? Fast forward a decade or two and we realize how this is a PII leak issue so nobody does it but we're still stuck with 128-bit addresses (for those who use IPv6).
There are several things that are a security issue or simply a privacy issue. These include:
- Your username (as I assume this tool is demonstrating)
- Your email address. While this is treated as your "public identity" to some extent, I think we're rapidly approaching a point where we need to not do this;
- Your phone number; and
- Your profile pic. I would advise to never use the same pic across accounts and certainly don't use services like gravatar (if that's still a thing).
Email is particularly problematic because you can end up on spam lists if a site is compromised and you can't really identify where it comes from.
What I think we need is a more integrated solution for logging in and creating throwaway addresses (eg like SimpleLogin) so it's basically seamless. Gmail seems well-positioned to do this. I honestly don't know why Google hasn't done this.
Interestingly, Facebook Groups seem to handle this kind of anonymity reasonably well. Each group you're in is a separate profile. You can't find out what other groups someone is in from either their personal identity or any group's identity. Weirdly, your FB profile is associated with any pages or profiles you comment on.
It should be clear to these companies by now that people want to silo their public identities (aka pseudonymity).
> Remember when IPv6 decided on 128 bit addresses and defaulting to /64 blocks because someone thought using a 48-bit MAC address as the IPv6 equivalent of a port was a good idea?
No, I don’t, and I’m well-aware of EUI-64.
IPv6 uses 128-bit addressing because some on the design committee or making comments on the drafts thought that 64 bits might not be enough.
Reminds me of this excerpt from "A Study in Scarlet".
'Have you read Gaboriau's works?' I asked. 'Does Lecoq come up to your idea of a detective?'
Sherlock Holmes sniffed sardonically. 'Lecoq was a miserable bungler,' he said, in an angry voice; 'he had only one thing to recommend him, and that was his energy. That book made me positively ill. The question was how to identify an unknown prisoner. I could have done it in twenty-four hours. Lecoq took six months or so. It might be made a text-book for detectives to teach them what to avoid.'
There's a UI design element here which I don't like.
The UI presents a text field which is for entering search terms.
You click it and expect to type - but NO! - SURPRISE!!! it's actually a button!!
And now the page changes, pops up an actual text field, somewhere else and new, and you abruptly are forced to set aside your thoughts about search to process the page layout a second time and go and click again to type in a term.
Why on God's clean Earth would anyone ever do this?
I don't plan to run for president or anything, but find myself increasingly censoring my online speech. I think the biggest risk is some out of context post being pulled into a civil suit, or professional cancellation following that.
Things like advice in an alcohol recovery forum would be prime evidence for a liability suit.
There are also groups that vacuum the internet for offensive posts, and use them to try to get people fired for things they said 10 years ago.
At this point, I assume all internet activity can and will be de-anonymized, and restrict my speech accordingly. I'm sure there are some meaningful precautions and nuances, but it is too much to keep up with.
There was a story, a couple of years ago, about a teacher who got fired, because she posted a picture on Facebook, holding a margarita, or something. She was on a vacation in the Caribbean.
One of the parents saw the post, and raised a stink.
Now that I'm retired, it doesn't really matter that much, but I do my best to behave well (this joint is pretty much the only place I post much). In the past, I was not so circumspect. In fact, I was a troll.
I remember once, signing up for Disqus, and they came back, and said something to the effect of "We found all these posts from around the Internet. Would you like to claim any as yours?"
Included, were some of the worst troll posts I'd made, many years ago, under the [obviously mistaken] assumption that they were anonymous.
I nuked the signup, and went and had a lie-down.
Since then, I have never bothered to try being anonymous. I probably could, if I wanted to, but I'd rather just stay public, and not say stuff that I'd regret.
It's a relatively new and novel thing for people your age to be able to look up anything online, to the point where it's scandalous.
This card will be played over and over again by politicians, influencers, prosecutors, police, etc, until the smartphone-from-birth generation reaches office. At that point, it'll be so easy to dig up dirt on anyone, people will just stop caring (as they should anyway).
We're just in a weird transition period right now.
I'm not so confident. Digital natives seem just as eager to apply purity tests as anyone, if not more so. Throwing rocks still feels good, even if everyone is living in glass houses. It was true in the 1300's when the saying was coined, and is still true today.[1]
> try to get people fired for things they said 10 years ago
I assume the implication here is that the thing they said 10 years ago was less inappropriate back then. So how do you predict sensitivity changes 10 years in the future to limit your speech today? Even if you delete posts after, say 1 year, archives exist. Shouldn’t you just not say anything if you’re afraid of this? Maybe discussion of self-censorship like this will be taboo in 10 years and the ship has already sailed.
I wasn't implying that it depends on sensitivity changes, although that is possible too.
Sorry if I wasn't clear on that.
My thought was more about time and distance. Something can be unpopular or even wrong when it's first said too. People are dynamic and change over time. The mechanism of change is living their lives.
Taboos can change as well, so there is a motivation to steer clear of controversial topics in recorded media. You can use discretion to judge risk. It's unlikely that someone's going to fire you for discussing ice cream in 10 years.
Yea, that's also a big danger: A totally innocent or trivial comment written today might be taboo in 10 years, and some future justice warrior is sure to dig it up and use it against you, and you have no idea what is going to be taboo. Maybe in the far future, owning pets will be taboo, and all the pictures of me and my dog are going to be dug up and used to shame me for violating an animal's sovereignty or something.
There is no way to know what people are going to get offended about in the future, but the clear trend is people getting offended about more and more things over time, rather than fewer and fewer things.
Herding is the best defense. If everyone who expresses opinions online do so non-anonymously it becomes much more difficult for the sleuths to target specific individuals. If everyone runs the risk of getting "sniped" for something taken out of context they wrote 10 years ago, the tactic becomes less effective.
I don't think this is an automatic negative as you are implying. There's definitely lots of qualifiers involved though. There would have to be significant evidence to show that the sentiment expressed is still no longer held which could be more than problematic to prove. If it was someone up for supreme court justice that posted pics showing how much they liked beer and their antics as a party person could be shown as lack of maturity by comparing that they no longer drink now. Someone posting racist comments would be much harder as you don't really know if they've changed their view or just learned not to post publicly their views.
Edit: automatic negative should really read automatic disqualifier
That second example pretty much demonstrates why it is so dangerous. There were attitudes that were commonplace 30 years ago that are now considered racist, in many cases because they were racist, that people don't subscribe to today. I imagine the same can be said about 10 years ago. People's values change. We should not be giving them life sentences when they have reformed their attitudes and behaviors, otherwise the incentive to reform is taken away.
One example of this I can think of is a show from the late 90's which used the word "spaz" very liberally, which was already iffy at the time but not fully demonized. Using it nowadays could be considered a major point of contention towards your image. Words like Gypsy and Retard are more recent inclusions in this field.
Having the right/freedom to post anything you want does not mean there shouldn't be consequences for those posts later.
Age of post should just not be an automatic "but it was 10 years ago" get out of jail free card. If there's compelling evidence it was just a stupid thing someone did as a teen, then we can have that conversation. If it is a post from someone in some position of leadership that is 10 years old but was made in their 40s is not the same "I was an immature teen" situation.
Being authentic is the ticket to public office now
I’m kind of glad that the value of blackmail futures has plummeted to zero
I always thought millennials would be the culprit because millennials have so much online, but nope, it was just old fashioned baby boomers that have spearheaded it and double down on their indiscretions to be the role models for the country’s top offices
I think that reality is much more heterogenous. Say some edgy or unpopular things 10 years ago, and they can still be shared with your boss and blasted across your employer's social media channels. The social consensus and average result doesn't preclude damage in some cases.
> Being authentic is the ticket to public office now
No, it's not.
The preferred image may be more combative, aggressive, and anti-social than in the recent past, but as always adherence to it is more important than actual authenticity.
> I’m kind of glad that the value of blackmail futures has plummeted to zero
It hasn’t, though the value function for current negative information is different, so things that were once valuable for blackmail or otherwise harmful to public image are less so (and things that were not are moreso.)
> I always thought millennials would be the culprit because millennials have so much online, but nope, it was just old fashioned baby boomers that have spearheaded that double down on their indiscretions and are the role models for the country’s top offices
The only boomer I can think of that you might be talking about denies them constantly (even if there is past documentation of his acknowledging them in a general sense) and is supported by favor-currying media magnates who either actively promote propaganda favoring his messaging on that or, at a minimum, actively spike critical coverage.
And even within his movement and with the support of his cult of personality and the same favorable media, others in his orbit have often been less successful in having their indiscretions given a pass (see, e.g., Matt Gaetz’s nomination for Attorney-General of the United States.)
I thought canceling never stopped. It was just politically motivated.
(Ironically, Dems eat their own for that stuff, so maybe "politically motivated" doesn't quite capture it... compare e.g. Al Franken and Katie Hill vs Roy Moore or Matt Gaetz)
Democrats cancel and Republicans mostly double down. I don’t think there is anything Trump can do at this point to horrify or even just dissuade his base, for example.
Yes and no. He has a clear mandate to fix price increases and inflation. If he doesn't he will lose the newcomers that held their nose voting for him. If he screws up big time he will be frozen in 26 and ride out his presidency having accomplished nothing. His core base that you are talking about was always a declining minority.
That’s true. It’s even worse, though, since he promised a bunch of stuff that he can’t deliver or if he delivers (high tariffs, mass deportation), inflation will probably boom. Get the popcorn because the first month after 1/20 will be interesting (and maybe stock up on some electronics that are probably going to get really expensive).
> "I don’t think there is anything Trump can do at this point to horrify or even just dissuade his base, for example."
Pretty sure it's pretty close to true at this point that he actually could get away with literal cold-blooded murder in public at this point and his cult would fold themselves in half backwards tryin' to justify it somehow. [0]
Real Americans are pretty split on the topic of Gaza. 36% of Americans favor the U.S. providing military aid to Israel. 34% oppose military aid, and the rest are neutral.
I don't really get that impression, in my experience people just realize cancelling is a two-way street and stop it
I’ve been told “I’m making someone uncomfortable” and I said “they’re making me uncomfortable”, and follow that up with “why are you privileging their discomfort over mine” and when they or the mob say something gendered or sexist as the explanation, then I get to cancel all of them or get a nice fat paycheck
what evidence do you have that this is true. at this point, a new theory of physics will be trotted out that shows a pendulum does not have to swing back. it will become trending on all the socials so that people believe. it therefore becomes the de facto truth, and the cult remains
The tool didn’t work as well as I expected. It claimed to have found the username I entered on 40 websites, but when I followed several of the provided links, they led to 404 error pages.
Is it querying an offline or an online database? Because if it's the latter I hope people don't give it their various disparate usernames allowing them to link them together.
It's essentially a loop that fetches www.whatever.com/username and does a regex for "user not found". It then outputs a list of links, to possible profile pages. Pretty simple tool, but speeds up a standard investigation technique.
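The false positives and dead links reported elsewhere in this thread follow from that design. The added example below (not Sherlock's code or rule format) classifies already-fetched responses offline and uses the random-username probe suggested above as a per-site control; the `SiteRule` fields, site names and responses are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:               # stand-in for one fetched profile page
    status: int
    url: str                  # final URL after redirects
    body: str


@dataclass
class SiteRule:               # hypothetical per-site rule
    name: str
    url_template: str
    not_found_re: str = ""    # text a site shows for a missing user
    must_contain: str = ""    # marker expected on a real profile, {u} = username


def classify(rule, username, resp):
    """Return 'found', 'not_found' or 'unknown' for one response."""
    expected = rule.url_template.format(u=username)
    if resp.status in (404, 410):
        return "not_found"
    if resp.status != 200:
        return "unknown"      # 403/429/5xx: blocked or rate limited, proves nothing
    if resp.url.rstrip("/") != expected.rstrip("/"):
        return "not_found"    # redirected to a home or login page: soft 404
    if rule.not_found_re and re.search(rule.not_found_re, resp.body, re.I):
        return "not_found"
    if rule.must_contain:
        marker = rule.must_contain.format(u=username).lower()
        return "found" if marker in resp.body.lower() else "unknown"
    # A bare 200 is only evidence if the site has a known "missing user" text.
    return "found" if rule.not_found_re else "unknown"


def naive_hits(username, rules, responses):
    """Status-only check: every 200 counts as a profile."""
    return [r.name for r in rules if responses[(r.name, username)].status == 200]


def audit(username, control, rules, responses):
    """Classify each site, discarding sites that 'find' the impossible control name."""
    results = {}
    for rule in rules:
        if classify(rule, control, responses[(rule.name, control)]) == "found":
            results[rule.name] = "unreliable"   # stale rule or catch-all page
        else:
            results[rule.name] = classify(rule, username, responses[(rule.name, username)])
    return results


USER, CONTROL = "alice_k", "zq9x7v3k1m"          # constructed names
RULES = [
    SiteRule("forum", "https://forum.example/u/{u}", must_contain="@{u}"),
    SiteRule("code", "https://code.example/{u}", not_found_re=r"user not found"),
    SiteRule("shop", "https://shop.example/members/{u}", not_found_re=r"no such member"),
    SiteRule("chat", "https://chat.example/{u}", not_found_re=r"user not found"),
]
RESPONSES = {                                     # constructed responses
    ("forum", USER): Response(200, "https://forum.example/u/alice_k", "<h1>@alice_k</h1> 12 posts"),
    ("forum", CONTROL): Response(404, "https://forum.example/u/zq9x7v3k1m", "Not here"),
    ("code", USER): Response(200, "https://code.example/alice_k", "<p>User not found</p>"),
    ("code", CONTROL): Response(200, "https://code.example/zq9x7v3k1m", "<p>User not found</p>"),
    ("shop", USER): Response(200, "https://shop.example/members/alice_k", "<p>Welcome to our shop!</p>"),
    ("shop", CONTROL): Response(200, "https://shop.example/members/zq9x7v3k1m", "<p>Welcome to our shop!</p>"),
    ("chat", USER): Response(429, "https://chat.example/alice_k", "Too many requests"),
    ("chat", CONTROL): Response(429, "https://chat.example/zq9x7v3k1m", "Too many requests"),
}

if __name__ == "__main__":
    print("status-only hits:", naive_hits(USER, RULES, RESPONSES))
    print("with control    :", audit(USER, CONTROL, RULES, RESPONSES))
```

On this data the status-only check reports three profiles, while the controlled check confirms one and marks the rest as not found, unreliable or unknown.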
I would assume it's because checking usernames using your own IP address leads to better results while making it a website would forcefully make it a SaaS (to cover cloud costs).
I'd argue instead why is this not a GUI? Making it a CLI makes it less user-friendly.
This will be very handy because when I see someone post something I disagree with on HN I can also go downvote them on reddit and swipe them in the ugly direction on tindr and/or grindr. I am justified in doing this because everything I don't like should be banned.
For the unfamiliar: this causes a reddit-owned bot to send them a passive-aggressive private message telling them how not to kill themselves. There's no way to know who caused it to be sent.
It makes pervasive tracking a lot harder.
Also when you do any research on health related topics, be extra privacy conscious.