I’m surprised by the backlash regarding this tool. Well, I guess surprised is the wrong word. I get that it is creepy. There are lots of websites that do this very thing like whatsmyname.app.
I personally like running my username through tools like this and aggregating my digital presence. When I was younger, I signed up for lots of sites that were the cool, new thing. Checking myself years later, I am shocked by the wide berth I left. Fitness accounts. Accounts from that time I was getting into studying chess. I’m the type of person who is always on to the next hobby. I go 100% in on something, then pop to the next thing. It was a big wake up call to me looking back seeing how much presence I left. Many accounts are so old I can’t even get into them anymore to clean up what’s out there. Tools like this can be used for good.
That said, I totally understand the cyber stalking/bullying concerns. I am also astounded by the cyber sleuth types. In the documentary, Don’t F* with Cats, people spent 100s of hours carefully walking through streets in Google Maps to match a location to a photo they had of a guy who killed a cat on YouTube. It seems to me where there’s a will, there’s a way. It’s scary, and unfortunately a lot of tools we can use to protect ourselves are the same tools that can be used against us. Look at cyber security in general. A black hat and a white hat are people with the same skills, but ethics draw a line between them.
Tools like this also make me uncomfortable and I said as much last time an issue like this was discussed [1].
But I don't think the "it can be abused" argument is compelling. Most of the tools we have today can and have been abused. As you point out, we know bad actors use infosec tools and run the same POCs that researchers produce when they find new exploits and vulnerabilities (after disclosure); they check the same CVEs and read the same papers. But this information has to be released and these tools have to be out in the open. Security through obscurity is a disaster.
Besides the other intended goals of these tools, I am hoping they will raise awareness and get many people to realize how easy it is to identify and deanonymize them online.
I somehow agree that there is no good strategy against "dual use". However, why not simply put usage terms in the licence? The copyright owner chooses actively what uses they allow. IMHO it would be an ethically good thing to at least try to at least legally disallow "abuse": Authors of software need to claim more responsibility and at least actively reflect on potential uses of their software.
What would that achieve, in terms of actually stopping bad actors? Genuine question: I’m guessing the ability for the copyright holder to sue a stalker? But why would they, and that remedy wouldn’t really work, if my guess is right. I must be missing something.
Forgive me for being so dumb despite being on this website for so long. How do I download and install this program from github (macbook, no dev tools or terminal or anything on my computer)?
> API, CLI & Web App for analyzing & finding a person's profile across +300 social media websites
> could help in investigating profiles related to suspicious or malicious activities such as cyberbullying, cybergrooming, cyberstalking, and spreading misinformation.
It will much more likely be used to aid cyberbullying and cyberstalking. Those types love digging for more information by finding their targets' profiles on other social media sites.
Those types of trolls are much more adept at using randomized usernames, disposable e-mail addresses, and VPN clients because they know what they're doing is potentially illegal.
Would you also consider Google search a recipe for stalking? It provides a larger set of results, but you can easily narrow down your results to social media sites...
It’s a tool, much like a knife is a tool. They can be used for good or bad. The tool is indifferent.
People who have something to be ostracized over do this all of the time. This tool is great for someone trying to hide something about their identity (e.g. being gay).
BUT, this may bring awareness to regular folks. You can also use it to remove your own stuff from said networks because people do not catalogue their online activity and it can be hard to remove your digital footprint.
There’s privacy duck and delete me, but they’re mostly focused on the scammier public data collection sites where it’s harder to remove your information.
I think that anyone developing a social media app for the 2020s will need to make a conscious decision to not let users pick their own unique identifiers. You can't expect users to protect themselves, because you don't know what dangers might exist in the future for them that do not exist today.
The other thing you can do is not allow your API to iterate over the set of all users by user-set identifier. It's an extreme flaw of the telephone numbering system. You would think by the 2020s we'd have learned to use a unique UUID designation for every user for any public facing APIs. If users want to link to it on their public pages, that would be on them.
I think that the idea of not allowing users to pick their own identifiers is not compatible with how a lot of people use social media.
It’s a heck of a lot easier for me to tell my GitHub username to someone, than it would be to tell them a random UUID like 3ffdf0d2-b9a5-4fff-9f38-75afae67dbea.
Even a shorter random-looking username like the one that you have chosen as your HN username, is difficult to relate to for me and I suspect for a lot of people.
And even if you made a human readable version that would hand out usernames like “magnificentwalrus”, it would be generating usernames that most users weren’t identifying with. As much as I like walruses I don’t have a personal connection to them, and any other random name is likely to fare the same. Sure you could let users generate names until they come across one that they do like, but mostly I think that would be a lot of hassle. And there is no guarantee for how long it takes before you find a good name that way. Perhaps even never, as adjective + noun or whatever else the site uses as rule for generating names might not be a rule that the user likes.
Names matter a lot to a lot of people.
Aside from this I think it’s also only a matter of time before similar services to the one in the OP show up but where instead of trying to cross-reference usernames it would work similar to Google Reverse Image Search, and would be able to link accounts across different social media platforms based on the facial features in the photos and/or videos that people post, even when the images and videos are not the same ones but are depicting the same person.
You’re assuming that 1) the value of a username or URL is higher than the value of privacy 2) people use those for discovery. I’m sure 99% of social media connections happen via recommendation algorithms, friends-of-friends or search by name (not username), never directly typing a username or profile url.
You're sure about that? I don't think so. There's tons of connections made from people transferring short, human-readable handles. Think business cards, word of mouth.
e.g. I'm at (@) handle. That's much easier to look up as opposed to searching for someone's name. It may even be a business that's not tied to the individual's name.
All photos of the same mobile phone certainly have a unique fingerprint. Not only the EXIF, also the dead pixels and the unique pattern of low intensity pixels.
If you want to protect user privacy, a unique identifier is not enough. If they posted a gay profile somewhere, a professional profile somewhere else, they will be forever linked.
> I think that anyone developing a social media app for the 2020s will need to make a conscious decision to not let users pick their own unique identifiers.
Completely agreed. If I were to ever set up a forum, I'd find whatever "adjective-adjective-noun" generator that Gfycat uses to generate their URLs and present new users with a list of 100 of these to choose from.
I would like to point out that in my experience the hn admins respond much faster and friendlier than I had ever expected. I think in this case it is very nice that "just email the admins" leads to experience like that, although I have no idea how they manage that for a site at this scale.
Being inconvenient can be a dark pattern on its own; it doesn't necessarily need them to ignore your request.
Like, if I email them and say "hey, I want to remove these 340 comments I made out of 2000", and I do it every other day, would they still be as responsive? Even if they do, collecting and emailing all these links is still a big hassle compared to just clicking "delete" as I go through my own timeline like other social media platforms.
But remember to break your social graph on occasion with a new phone number and email address, and never sharing your number or stored contacts with the social media network. Not that hard, just something to be conscious of.
We help companies in areas like payments/account fraud where there are constant bots / rings / account takeover attacks, and this is both good advice... and _really_ hard.
To cycle against entity resolution tools for a regular company, that'd mean things like full simultaneous reset of:
* cookies
* browser user agent
* potentially sequence of sites/services you use
* IP address/location
* linked accounts
* contact info
Even one miss/overlap can void your efforts.
The big sites have much more to work with than that, making it especially hard. Likewise, if a team takes a specific interest, there are even more correlations that can be done, e.g., behavioral analytics.
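To make the "even one miss/overlap" point concrete, here is an added example (not from the thread, and not any vendor's actual system) of the simplest form of entity resolution: records that share any strong identifier are merged with a union-find. The record fields, the sample values and the choice to ignore user agent as a standalone link are assumptions of this sketch.

```python
from collections import defaultdict

# Attributes treated as strong enough to link two records on their own.
# Assumption of this example: a user agent alone is too common to link on.
STRONG_KEYS = ("cookie", "ip", "linked_account", "contact")


class UnionFind:
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve_entities(records, keys=STRONG_KEYS):
    """Group record ids that share any non-empty value for any key in `keys`."""
    uf = UnionFind(len(records))
    first_seen = {}  # (key, value) -> index of the first record carrying it
    for i, rec in enumerate(records):
        for k in keys:
            v = rec.get(k)
            if not v:
                continue
            if (k, v) in first_seen:
                uf.union(first_seen[(k, v)], i)
            else:
                first_seen[(k, v)] = i
    clusters = defaultdict(list)
    for i, rec in enumerate(records):
        clusters[uf.find(i)].append(rec["id"])
    return sorted(sorted(c) for c in clusters.values())


def shared_attributes(a, b, keys=STRONG_KEYS):
    """Return the keys on which two records carry the same non-empty value."""
    return [k for k in keys if a.get(k) and a.get(k) == b.get(k)]


# Constructed sample data: "new-*" is the same person after resetting cookie,
# user agent, IP and contact info, but reusing one linked payment account.
RECORDS = [
    {"id": "old-1", "cookie": "c-111", "user_agent": "UA-A",
     "ip": "198.51.100.7", "linked_account": "pay-9", "contact": "old@example.com"},
    {"id": "old-2", "cookie": "c-222", "user_agent": "UA-A",
     "ip": "198.51.100.7", "linked_account": None, "contact": "old@example.com"},
    {"id": "new-1", "cookie": "c-333", "user_agent": "UA-B",
     "ip": "203.0.113.40", "linked_account": "pay-9", "contact": "new@example.com"},
    {"id": "new-2", "cookie": "c-333", "user_agent": "UA-B",
     "ip": "203.0.113.40", "linked_account": None, "contact": "new@example.com"},
    {"id": "other", "cookie": "c-999", "user_agent": "UA-A",
     "ip": "192.0.2.15", "linked_account": "pay-1", "contact": "x@example.org"},
]

if __name__ == "__main__":
    print(resolve_entities(RECORDS))
    print(shared_attributes(RECORDS[0], RECORDS[2]))
```

The single reused `linked_account` pulls both "new" records into the old cluster transitively, because `new-2` is tied to `new-1` by its cookie.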
Yes absolutely, fingerprinting an individual is easy and avoiding that as a user is hard.
Social media sites (Facebook products) might drive ads based on fingerprinting but they aren't re-linking social graphs this way. Sticking with the reliability of shared phone numbers and emails (and people friending/inviting the same people and having the same name they've seen before).
Storing contact list by any service should be illegal. You might try to not share your data, but if anyone has you on their contact list, it’s out of your hands
I wonder if Google has a backdoor API which lets group people by backup email. If one always creates an account with the previous email as a backup, the link is easy to make.
That would be especially useful for censorship services across competitors: Although Google Facebook and Twitter compete, sharing the flagged accounts would allow recognizing the same user coming back with a different email address.
But this is not a problem with the tool, this is a problem with those platforms. Even if this tool is not published, bad actors can still make their own tools.
I think we should rather demand the platforms to enforce better measures against this kind of usage, rather than blaming this tool.
I take an issue with the argument that bad actors can make their own tools. Bad actors can also build their own nuclear weapons, genetically engineer their own deadly diseases but there's certainly value in not making this any easier. If you take the time, money and effort away from bad actors by forcing them to reinvent the wheel, that's a good thing.
Granted, this logic can't be viably applied to most things, but there are projects where you can assume that most of the use-cases will be shady.
Exactly! There’s a totally different bar to entry. Look at North Korea. I don’t think they rank highly as a concern with traditional kinetic warfare, but they have made themselves a major security concern even with scant resources because the bar to entry with cyber warfare is just that much lower.
> Granted, this logic can't be viably applied to most things,…
This specific thing, for example.
> ... but there are projects where you can assume that most of the use-cases will be shady.
An assumption is a poor basis for an argument. Even in the case where the assumption turns out to be correct, I don't buy this line of reasoning, because it would apply generally to security tools. Such reasoning also makes it far easier to attack things even where the assumption is known to be wrong (e.g. bittorrent).
Tools like this are trivial to make and it's trivial to do it manually using Google. I don't see any point in getting angry about the existence of tools like that, as it's beyond anyone's power to stop people from doxxing each other.
I did something similar to this for a hackathon in university. Obviously not as sophisticated as this, but the concept is trivial. If you know enough about the command line to install it, you can build it.
Perfect example was the youtube-dl. Making an app to download videos from YouTube is relatively trivial for most semi-experienced developers but that doesn't mean I want to invest the time doing it, plus the effort of keeping it up to date every time YouTube changes something. So youtube-dl is enabling me and less technical people to download content from YouTube, and its "going away" for a short time caused an outcry.
So there's a difference between "this is possible" and "this is a tool that makes it really easy"
Depends on what you mean by missile. One worth dozens of millions of USD and produced largely to prop up a state economy tends to have different ethical considerations versus an ad hoc assemblage of propane tanks and plumbing pipes produced to fight over the neighbourhood in which it was made.
You know what would be a great addition to this tool: A transparency panel/dashboard that shows any state organizations or LEO systems that are using it.
List out all the IPs and countries that are state IPs using it.
I was thinking a modification such that the system will report where its run from and if the reported IP is recognized as a government agency, display it - else drop it.
Any openly available tool can be used by anyone for any purpose. The idea that we can pick and choose is ridiculous, and with the exception of rare cases, avoidance of building generally useful tools for the chance that bad actors will also use them is a losing proposition.
> Any openly available tool can be used by anyone for any purpose. The idea that we can pick and choose is ridiculous
And yet there are hundreds of laws, conventions, and treaties regulating all kinds of weapons. The idea that humans can pick and choose what exists in their society is ridiculous.
Bad actors can make such a tool themselves (if they can't, they are not really that good) and have incentive to do that, so non-existence will only slow them down. I don't care about analyzing other people for any purpose so I don't. Having this tool readily available lets me analyze myself and people I care about to protect them from bad actors and educate them in the process.
Please keep in mind that some HNers are modeling their behavior after buggy machines and bad code and that this influences their thinking and language.
The sentence was unnecessary to both your point and any argument in general. Why did you include it? Why are you defending its inclusion? Why are you now saying "google it"?
It can get much creepier. It's possible to reverse image search a person's profile picture from one site to find out where else they have profiles - given that they reuse their profile picture - which many do.
I’ve been wondering when we’ll see a service that lets you upload a headshot from the company directory or Facebook, and returns every nude of that person that ever found its way onto the internet.
Wait until you find out how HackerNews harvests your data, uses services that use data lakes of bulk collection to confirm your identity, and sell what you generate without your permission.
Regarding the criticism: How is it different from any pentesting tool, portscanner, meta search engine, shodan.io (which you could use to try to find unprotected babycams and whatnot), et cetera, on principle? I know it's creepy, but obviously this is portraying a serious and widespread flaw in how we treat privacy on the net, and for that flaw to be fixed, proclaiming the tool as evil doesn't do it, and actually is counter productive?
It's sort of like a "social media site" (if the broadest possible definition of one is permitted!) that "aggregates all other social media sites"... (how meta!)...
But, I like this idea a lot!
If I were creating such a thing -- I'd add the ability for a person (once their identity is verified) to remove their results from one or more social media sites.
That is, standard opt-in and opt-out.
This would permit the shown functionalities for people that desire such functionalities, while also preserving opt-out, aka, "the right to be forgotten" -- for other people that desired that, specifically...
HackerRank (the coding challenge/interview platform) allows viewing profiles even without logging in - While it doesn't show things you do for specific employers, still not something I realized the site was doing and could have ramifications if you use it to play around.
7Cups, the online therapy/talkspace site, allows viewing profiles even without logging in. Far more dangerous and worrisome than a lot of the other sites on here because of stigma around mental health; it's easy for me to imagine an employer or insurance salesman running a username through here and finding out that a candidate has been (likely) dealing with MH issues.
Tinder(!) allows viewing a user's public pictures despite not being logged in - seems like a not great privacy measure - not sure how resistant this is to crawlers and the like but a tad bit concerning.
Enough people have voiced their opinion on this tool but I just tried it.
The results were underwhelming. It fails to find obvious links between sites, makes completely incorrect correlations while claiming 100% matches, and has no way of figuring out if it's the same person. The "useful" features seem to be username generator based on your original input, e.g. you input "john doe" and it suggests usernames like "jdoe", "johndoe", etc.
For anyone curious, I found the Python (first) method to be the easiest way to get this up and running. Also it hit a few false positives for my (not the one you see me using now) username.
Edit: Also you can't Ctrl-C to kill it midway through running so don't fat-finger it if you don't want to waste 30 seconds waiting for it to finish.
I'm so sick of morons open sourcing abuse tools under the guise of "helping". This tool will be misused to abuse and harass more than anything else. Making these tools available to masses is dangerous.
What are "abuse tools"? Trying to suppress knowledge is never the answer. That would mean that only those in the know can either protect themselves or exploit others.
The "never put information about yourself on the internet" mantra from before social media needs a comeback and it will not happen if no one shines a light on how easy it is to track people online.
So if I put up a website at doxsyoc.com with your email address, phone numbers, home address, credit card details, social security number, daily schedule, bank statements and employment information you would presumably not try to have it removed because "Trying to suppress knowledge is never the answer".
I think you chose a weak interpretation of what they said to make your point. I don’t think that’s what they meant.
We’re talking about a tool here that attempts to aggregate all of a particular person’s social media accounts. Social media is public. Everyone knows this, you are saying things and posting things with the expectation that everyone will be able to see them.
What you said is something totally different. Doxing someone’s private information is heinous. Nobody is arguing that is okay. I think the parent comment made a good point.
If tech can allow a tool like this to be possible, I think it is arguably better that everyone have access to it, instead of just bad actors keeping it to themselves.
There are other technological fields in which capable tech has been kept out of commonly available products in order to prevent people from abusing it.
For whatever reason, techies that are in the information discovery space can't help themselves from showing off how clever they are despite there being very real security risks to random bystanders.
Okay, but assuming that's true, there are ways to make it clear to someone how easy it is to track them online without enabling people to actually do that tracking themselves so easily.
Yes, only governments and private companies should be allowed to have these tools. They are notably less powerful than the dangerous masses. They have never abused or harassed anyone. They also wear some of the most tasty boots.
There is no 21st century option to refuse public social media. As observed with Clearview AI, if you end up in someone's photo on a social media website you will be inadvertently added to a social and location-based graph. I believe Facebook does this internally, so if you have any friends or relatives using Facebook who upload a picture of you, no matter how old, your social graph is present there.
And try as you may, so long as you have a phone number you will end up in someone's harvested contacts list.