Almost Anonymous
Sunday, 19 August 2012
I really wanted to blog a second time last week, but I had two looming deadlines. Also, my hosting provider changed their version of PHP. As a result of the change, the public-facing blog software worked, but the administrative login script was broken. (Some deprecated commands became obsolete, breaking the blog software.) Yes, I was locked out of my own blog. Late last week I managed to update my software and I'm back in business. Special thanks to the folks in the Serendipity forums.
Bottom's Up
Last week I mentioned giving some mugs out to the Defcon Meet-the-Fed panel. A couple of people suggested that I should start selling them. (Unless there are a ton of requests, I really don't want to get into the mug-selling business. Update: The mug is available by clicking on the 'Swag' link at the top of this blog.) But a few people said that they didn't understand it.
Remember that online hacktivist group "Anonymous"? They pride themselves on being unknown. Yet time and time again, members end up getting identified and in some cases arrested. Why is that? It's because online, nobody is really anonymous. (My primary research focus is on forensics in a project I call "Nobody's Anonymous". My work predates the group Anonymous by a few years and includes public presentations titled "Nobody's Anonymous".)
The mug lists a few of the different approaches used in computer forensics for identifying people who would otherwise be anonymous.
For example, how did they catch Higinio O. Ochoa III? They used network addresses with geolocation, social networking, and behavioral analysis to identify a likely suspect. Then they used photo forensics and social network mapping to confirm the identity.
And remember Hector Xavier Monsegur a/k/a Sabu from Anonymous and Lulzsec? He was caught early on using network addresses, traffic analysis, and behavioral analysis. And then he turned in his buddies. (Don't forget your "friends".)
Even the 2011 London rioters thought that they were anonymous... until the police reviewed their video camera footage and began making arrests.
You may think you are anonymous online because you don't use your real name and you use anonymous proxy networks and you never take the same route twice. But really, nobody's anonymous.
Being anonymous
And yet, anonymity does exist online. It takes a good amount of effort, resources, and skill to track people online. This isn't something that "just anyone" can do. So unless there is a good reason to get the heavy guns involved, simply using an online alias can be enough to keep your real identity a secret.
I recently read in Wired about Eugene Kaspersky -- the guy who founded Kaspersky Labs, the big anti-virus outfit. Since it comes from Wired, I'll take the claims and representation with a sense of suspicion. (Knowing the ground truth behind some of their other articles, and being misquoted myself, I interpret Wired as sensationalism that is only slightly better than Fox News but with more entertainment value.) However, the article did repeat things that I have heard before. Namely, Kaspersky thinks there should be a lot less anonymity online, and he wouldn't mind if there was no online anonymity. (Hey Eugene: If my understanding is incorrect, please feel free to correct me.)
He does have a point. People do very bad things when they think they are anonymous. So let's run through a hypothetical: What if there was no anonymity online? What if everything online could be attributed to the person or system that initiated it? People who think "well, I'd just use Tor" or "I'd create my own darknet" need to remember that in this hypothetical, there is no way you can be anonymous. Even with a series of anonymous proxy relays, we'd still know it is you.
Life without anonymity
The first thing we would notice is that all illegal activity would end abruptly. Child porn, spam, computer viruses, scams, and even online social engineering... they would all stop. Why? Because everything would be easily traced back to the person doing it. In this world, you could commit any crime you want... exactly one time. Then you would be arrested. As Kaspersky points out, this would make the online world a much safer place.
However, this certainly would not be a panacea. There are plenty of legal things that would bother us much more if we were not anonymous. Like advertisements. You would no longer receive requests like "To current resident" or "Dear sir" or "May I speak to the homeowner?" Now everything would be personalized. They know who you are, they know how old you are, they can do much more data mining and link your shopping habits and lifestyle to their offers. If you thought advertisements were bad today, just wait until there is no anonymity.
Right now, I'm getting calls from anonymous surveys who want to know how I intend to vote in the upcoming election. This would be much worse if they knew who I was and could direct their harassment specifically at me.
And remember those mugs that I ordered for the Meet the Fed panel? The place I ordered them from (VistaPrint) gave my name to M2 Marketing -- one of their business partners. M2 didn't know anything about me, but they bought me a year-long subscription to Essence magazine. Essence is a magazine directed toward upwardly-mobile young black women. I'm a spiraling-downward old white man. By completely missing the market, they have managed to irk me. And I'm not the only person to complain about being signed up for Essence or Latina or some other magazine that doesn't interest me.
Without anonymity, M2 would probably send me some other magazine that better fits my profile. But really, I don't want to receive any magazine unless I subscribe to it myself. So with or without anonymity, this problem does not go away. (And if you happen to be one of these VistaPrint/M2 magazine victims, there's a form to fill out to make it stop. I filled it out but I'm still waiting for the rebate.) Remember: buying someone an unwanted magazine subscription is slimy and douchey and will make me think twice before ordering anything from VistaPrint ever again, but it is not illegal.
Without online anonymity, we might end up with some significantly worse problems. For example, whistle blowers and crime tipsters (for those anonymous real-world crimes) and even employee/manager reviews would no longer be anonymous. Do you want to report sexual harassment at work, or do you want to be known as the gal who got felt up? Do you still want to turn in the mob boss if you are certain he will know it was you? And do you want to tell the truth about a bad manager, or do you want him to put in a good word for you when raises come around again... Anonymity certainly has its places.
Almost Anonymous
While I say that nobody is anonymous online, there is a huge difference between today's cat-and-mouse tracking technologies and having no anonymity to begin with. In today's world, the forensic approach is after the fact. Today you must have a reason to be tracked. Moreover, you must either continue your behavior (making continued tracking possible), or leave behind enough clues that can be linked to you. In effect, today you can be anonymous, until someone feels the need to devote the necessary resources toward breaching the anonymity.
Comments
#1 passerby on 2012-09-03 13:01
Are those mugs available for sale? Do you have an extra you'd be willing to sell?
#2 Fredrik on 2014-11-16 05:41
I'd buy a couple of mugs if they were for sale too