site banner

Small-Scale Question Sunday for February 26, 2023

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

1
Jump in the discussion.

No email address required.

I am interested in knowing any clever techniques you have heard being used or used yourself as well for/against all things infosec.

For a very broad definition of 'clever,' I basically keep all my internet activity 'siloed' between different username/password combos that generally NEVER interact. I apply somewhat different levels of information hygiene to each.

My pseudonym on reddit was different from my youtube username is different from my motte username is different from my twitter handle is different from my Steam username. Okay, I copied my motte username over from reddit.

Sure, you could probably tie them all to a particular IP address, and then use that to make a connection to a location in realspace that roughly corresponds with my physical location, but fundamentally that is shaky evidence if you want to reasonably prove that a given comment was physically typed out by a given person. If the account in question doesn't include dozens of photographs and videos that really only could have been uploaded by me, it requires a sizeable leap to say that the comments in question couldn't have been generated by someone else.

Most of the time if someone is pilloried IRL for any comments they posted to a pseudonymous forum it means they:

A) They admitted to typing them.

B) They used the pseudo to communicate directly with another party and exposed their identity to said party (maybe even meeting up in person) such that the other person could reliably ID them as the account-holder.

C) They directly connected the pseudo to some account that was directly tied to their IRL identity.

That is, I don't think it is easy at all to tie a purely text-based interaction on a given forum via pseudonyms to a real person in a way that can't be plausibly denied, unless you're a major government or corporation that controls the person in question's account.

Here's a genuine thought I've had: if all they really have on you are internet comments associated with a psuedonym, and they have no further direct proof that you, the real person, actually typed those comments, then one can probably invoke the Shaggy Defense.

Wasn't me!

"Oh but all those personal details divulged in the comments match your profile."

And? those details are all things that someone else could emulate with minimal effort. Why do you assume those details were true about the person typing the comments?

"You saying you were framed?"

I'm saying I'm falsely accused, I never typed those comments.

"The typing style even matches posts publicly associated with you!"

Yeah, so it's wouldn't be difficult to mimic that style. Unless you're saying you saw me physically type the text I'm not sure how you're so certain you found the right person.

"Show me your browser history and I'll maybe believe you."

Nice try, but no. I think we're done here.


This defense has only gotten more plausible in an era of GPT and deepfakes, where generating absolutely gobs of convincing text would require much less effort by a savvy actor.

Of course if you've pissed off someone online enough to come and actually try to harm you or your reputation that denial might not be enough.