Date: Mon, 10 Jan 2000 00:08:26 +0100
From: Eivind Eklund
To: Jay Nelson
Cc: jle@gtonet.net, freebsd-chat@FreeBSD.ORG
Subject: Re: Identity theft (was: Re: load spike strangeness)
Message-ID: <20000110000826.Q51101@bitbox.follo.net>
References: <20000109192152.G51101@bitbox.follo.net>

I'll start with answering 'What is a nym?', in order to have the terminology in place: A nym is an anonymous persona, one that somebody uses without direct connection to the physical person. Sort of a 'digital person'.

On Sun, Jan 09, 2000 at 02:46:32PM -0600, Jay Nelson wrote:
> On Sun, 9 Jan 2000, Eivind Eklund wrote:
> >I won't detail my verification methods in public - I see no reason to
> >fully break your cover, and I see no reason to give a detailed list of
> >how to break the cover of other people.
>
> Why not detail the methods you used? If "FreeBSD" wants anonymity,
> you'll help him achieve it and help the rest of us avoid risks we
> may want to avoid.

I wouldn't help him achieve anonymity by publicly posting information that gives ways to trace back to his real persona while there is focus on him.

However, I have since learned to my satisfaction that the trace I did was wrong, and a red herring pointing at one of his non-volunteering business partners (Jeff Lesley, AKA holeyman/Hole-yMan). Jeff has since closed down his account and removed his access (and OK'ed that I post this.)

What I did was the following:

1. Check which IP he is posting from, along with ident information etc. This said holeyman@.gtonet.net
2. Check ARIN and check the reverse lookup on all IPs in the vicinity, to find out what kind of outfit gtonet.net were, size-wise.
3. Find that this was really small.
4. Check the whois information on gtonet.net, to trace who owned this. Find Jeff Lesley.
5. Check Jeff Lesley against the phone books, in order to verify that he's likely to be a real person (not a nym).
6. Use a web search to find out all I could about Jeff's public history. Find a number of mailing list postings from him, the earliest dating back to 1996.
7. Go through all the mailing list postings to verify what Jeff's been up to, where he's had web pages, what he's been associated with, etc. Notice that Jeff here used the handle 'holeyman'.
8. Verify the peculiarities of Jeff's writing style with the ones from "FreeBSD". I'm not a pro at this, but I went through carefully, and found a large number of similarities that are distinct from normal use, and no large dissimilarities.

At this point, I thought there was reasonable evidence to support that either Jeff Lesley, holeyman, and "FreeBSD" were the same person, or that "FreeBSD" had been using Jeff Lesley as a front for a long time.

However, I'd neglected one obvious possibility: Identity theft. "FreeBSD" wasn't the same as Jeff Lesley - he'd been attempting to hide behind Jeff's identity, making sure that any attempts at tracing back would end up with Jeff. He *did* get me, at least.

> With a number of states selling public records to off-shore
> companies who make all the information required for identity theft
> available at 35 cents a query, I see no way of preventing identity
> theft. Do you know of a way to avoid or minimize that risk?

The only thing you can really do is to make your identities discardable - load-balance between them, so that if you lose one, you won't have lost as much as if you get problems for your single identity.

> >However, I *do* care to send the public message that if somebody is
> >going to try to do identity protection, they need to do quite a bit of
> >work to do it - doing a half-assed job won't work. I used to run a
>
> What constitutes a good job?

A couple of things:

1. Use anonymous remailers or "Freedom" (Zero Knowledge Systems) nyms rather than unnamed accounts.
2. Do not ever explicitly tell anybody about the connection between your nyms, or between a nym and your physical person.
3. Make sure your nyms are as hard to distinguish from real persons as possible.
4. Do not ever re-use a nym which has had an association to you.
5. Make sure that you get your writing style changed between various nyms. This is something that will be very hard to do without strong expertise in the techniques that are used to identify texts by the same author.

> Is it even possible to participate in a public forum and maintain
> anonymity?

Yes. However, it is not easy.

> >nym (stopped around 1990), and I was *careful* about it - and it still
> >got broken to a point where only a few work-weeks would probably be
> >able to connect the nym to me (at least I found points where it broke
> >- I don't know if anybody else did, but I assume that if NSA got
> >interested, they now know the connection of my nym to me - not that it
> >matters.)
>
> It seems that nothing stops the NSA -- not even the law, so I'm not
> sure that's worth worrying about.

That depends on what you are doing - if what you are doing is related to making it easier to detect and/or hinder NSA's spying on you, it can be a worthwhile goal. And I tried, mostly as an intellectual exercise, to keep that level of security around the nym that I used.

> Still, privacy is nearly extinct and identity theft is a growing
> problem.

The only short-term protection I can see for identity theft is insurance - I'm pretty sure that it will be possible to get coverage for a policy insuring against identity theft through Lloyd's.

> It would be more productive to explain where he failed instead of
> ridiculing his desire for anonymity.

I agree that having anonymity more readily available would have a large number of benefits. However, in order to make this feasible for "normal people", it is necessary to do a lot of things around trust, and a lot of things to mask your individual information "fingerprints".

Doing anonymity in the FreeBSD community without giving the credit you are building to a clearly identifiable and re-usable nym is IMO a waste - and doing so in order to protect against random identity theft is pointless waste. (If you are into fighting, you might want to do it in order to protect against your enemies doing it against you - but that seems unlikely.)

Eivind.