Small-Scale Question Sunday for February 26, 2023

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

This comment I made about how hard/easy it is to find pseudonymous users' online identities got me thinking about infosec.

So I spent the rest of the evening researching OSINT tools and other methods to do bad things (this has the added benefit of implicitly letting you know how to not have bad things done to you, but knowing how to be safe won't necessarily teach you how to be dangerous).

I am not sure how feasible this is, but I checked some emails of people I know using https://haveibeenpwned.com/ and it tells you which data breach the email/password combination was found in. So isn't all that remains to acquire the breached data, hoping they don't use 2FA? Or am I missing something?

Anyways, back on the topic of infosec/OSINT, what are your favorite tools that you totally use for security reasons? I am also interested in knowing any clever techniques you have heard being used, or used yourself, for/against all things infosec.

If your attacker is particularly skilled/motivated (or maybe this has changed with new tools, too lazy to duck it now), stylometry is also a hard to work around threat. It isn't as easy to use at scale (queries of the type: sort all users on Twitter whose writing most resembles this sample, descending, a la perceptual hashing), but if you can narrow down with communities that a person is likely to be a part of, it can be a pretty fast iterative search.

People particularly intent on segregating online identities often either take on affected styles (harder than it might seem at first, especially with 100% consistency!) or use a scrambling tool (rudimentary form of this used to be roundtripping translation).

If your attacker is particularly skilled/motivated (or maybe this has changed with new tools, too lazy to duck it now), stylometry is also a hard to work around threat.

If stylometry is all they have, though, surely one can simply deny being the person who posted the offending comments?

After all, in order to get a sample to compare the offending comment's style, you had to pull info that was publicly available, which would probably be available to anyone else who wanted to mimic that style.

Sure, it is more plausible that the same person produced comments of the same style. And one can always attempt to track down corroborating evidence to bolster the claim.

But by itself it has to be considered pretty weak evidence that merely because the style matches, the same person must have typed it.

It's not interesting as a proof of identity, more as an extra powerful correlation/fingerprinting attack. Consider the following scenario: you perfectly segregate two identities (separate devices, connection locations, posting times, interests) online. For some piquancy, let's assume you have aboveboard beliefs/communications (posts that are kosher for your local authoritarian government) and below-board/seditious ones. Your aboveboard ones often leak your identity location, because why practice aggressive OPSEC when you're asking where's the best place to buy fresh onions near your village (even worse, aggressive OPSEC in these cases could tip off the authorities that someone buying onions around that area is up to no good!)? However, because you don't randomize your writing style, your government eventually is led to suspect that FuckTheGovernment93 is actually the same person as LocalFarmer82. You are arrested by the secret police, tortured and shipped off to a black site.

Even worse, consider a more aggressive scenario that's actually plausible in the modern age: you only have one identity that's completely distinct from your day-to-day activities. There is no other public content to compare to. However, because your government has access to your online schooling records/past essays/whatever writing you performed during mandatory schooling, they still manage to figure out FuckTheGovernment93 is you. Same outcome as above.