The Rise of Political Doxing

Last week, CIA director John O. Brennan became the latest victim of what's become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive.

It's called doxing­ -- sometimes doxxing­ -- from the word "documents." It emerged in the 1990s as a hacker revenge tactic, and has since been as a tool to harass and intimidate people, primarily women, on the Internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying "I know a lot about you­ -- like where you live and work." Victims of doxing talk about the fear that this tactic instills. It's very effective, by which I mean that it's horrible.

Brennan's doxing was slightly different. Here, the attacker had a more political motive. He wasn't out to intimidate Brennan; he simply wanted to embarrass him. His personal papers were dumped indiscriminately, fodder for an eager press. This doxing was a political act, and we're seeing this kind of thing more and more.

Last year, the government of North Korea did this to Sony. Hackers the FBI believes were working for North Korea broke into the company's networks, stole a huge amount of corporate data, and published it. This included unreleased movies, financial information, company plans, and personal e-mails. The reputational damage to the company was enormous; the company estimated the cost at $41 million.

In July, hackers stole and published sensitive documents from the cyberweapons arms manufacturer Hacking Team. That same month, different hackers did the same thing to the infidelity website Ashley Madison. In 2014, hackers broke into the iCloud accounts of over 100 celebrities and published personal photographs, most containing some nudity. In 2013, Edward Snowden doxed the NSA.

These aren't the first instances of politically motivated doxing, but there's a clear trend. As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we're going to see a lot more of it.

On the Internet, attack is easier than defense. We're living in a world where a sufficiently skilled and motivated attacker will circumvent network security. Even worse, most Internet security assumes it needs to defend against an opportunistic attacker who will attack the weakest network in order to get­ -- for example­ -- a pile of credit card numbers. The notion of a targeted attacker, who wants Sony or Ashley Madison or John Brennan because of what they stand for, is still new. And it's even harder to defend against.

What this means is that we're going to see more political doxing in the future, against both people and institutions. It's going to be a factor in elections. It's going to be a factor in anti-corporate activism. More people will find their personal information exposed to the world: politicians, corporate executives, celebrities, divisive and outspoken individuals.

Of course they won't all be doxed, but some of them will. Some of them will be doxed directly, like Brennan. Some of them will be inadvertent victims of a doxing attack aimed at a company where their information is stored, like those celebrities with iPhone accounts and every customer of Ashley Madison. Regardless of the method, lots of people will have to face the publication of personal correspondence, documents, and information they would rather be private.

In the end, doxing is a tactic that the powerless can effectively use against the powerful. It can be used for whistleblowing. It can be used as a vehicle for social change. And it can be used to embarrass, harass, and intimidate. Its popularity will rise and fall on this effectiveness, especially in a world where prosecuting the doxers is so difficult.

There's no good solution for this right now. We all have the right to privacy, and we should be free from doxing. But we're not, and those of us who are in the public eye have no choice but to rethink our online data shadows.

This essay previously appeared on Vice Motherboard.

EDITED TO ADD: Slashdot thread.

Posted on November 2, 2015 at 6:47 AM • 80 Comments

Comments

mike~ackerNovember 2, 2015 7:18 AM

two necessary habits:
(1) use a secure endpoint operating system. a secure operati g system is one which will not allow itslef to be compromised by the activity of an application program -- whether by acident or by intent .

(2) take up the habit of using PGP/Enigmail -- or -- add PGP-Desktop (Symantec) to your Outlook system .

alternative:
have fun being doxxed

erratic luteNovember 2, 2015 8:45 AM

@ mike~acker: I'd add a third one: split things up.

Do NOT use the same e-mail address for all your logins and transactions. Do NOT publish personal information in social networking sites. Use different passwords for different services (ideally managed by a secure offline password manager). Use as many different credit cards for different transactions as you can. Avoid giving real identifying personal information to websites whenever possible.

This form of security by isolation will not necessarily protect you, but it will significantly mitigate the effects of a successful attack.

ToNovember 2, 2015 8:51 AM

Bruce,

What happened with GamerGate is among the most twisted things I've ever seen in my decades on the Internet. Introverts and the autistic are being scapegoated with the most heinous of claims. It's grade-school bullying brought into adulthood.

Human trust models can be hacked just as well as computer ones, Bruce. Redefine some basic words, don't communicate those redefinitions to others, flood a bunch of news outlets with stories using these redefined words, and never let the people you're attacking have a chance to rebut on an equal platform. Add in a pinch of guilt-by-association and a massive helping of financial censorship and intimidation of forum mods, and the Internet's most bizarre and sustained drama is what you get.

I've seen the aftermath of multiple people attempting suicide because of this. (http://www.twitlonger.com/show/n_1sm8voo)

I've seen a FOSS leader in the Django community have a heart attack after 6 months of having his family sent death threats (see item #8 on https://mail.python.org/pipermail/python-cuba/2015-June/000085.html) and him being coerced into stepping down from a FOSS leadership position. (https://mail.python.org/pipermail/python-cuba/2015-July/000106.html)

I've had multiple friends have their employers called with lies in an apparent attempt to get them fired. I've had one friend end up homeless for 4 months because of this. Because she spoke out against bullying being done to some of her friends in gaming.

I'd love to see my friends have a chance to speak out against the non-stop allegations. Against the cartoonishly evil narrative that keeps being parroted for 14 months. But we're never given a chance to defend ourselves on an equal platform....

Bruce - there is unprecedented censorship going on. DDOSing, cutting off payment processors, destroying the personal and professional lives of those being disagreed with on the Internet. It's gotten into the realm of *bomb threats* in an attempt to intimidate people. http://kotaku.com/gamergate-meetup-evacuated-after-apparent-threat-1701761645 http://www.polygon.com/2015/8/16/9161311/bomb-threat-shuts-down-spj-panel-discussing-gamergate

As for the Felicia Day doxing? It was terrible, but I don't see why a brand new Twitter account making a single tweet of that dox is supposed to be representative of tens of thousands of people rather than a single troll.

Clive RobinsonNovember 2, 2015 9:04 AM

@ mike~acker,

(1) use a secure endpoint operating system.

Depending on what you mean by "secure" that may not be possible.

Thus I would consider as a minimum using atleast two systems "air-gapped". However as I don't believe that is sufficient these days I would look further to "energy-gapped" with external guard and instrumentation systems on both sides of the energy gap.

This by the way is not to keep out the likes of the NSA and GCHQ or what many consider "paranoia", but for sound "commercial" reasons. The level of industrial espionage APT and Ransomware attacks are just as if not more sophisticated than many state level attacks. Information is becoming increasingly of value and worth rather more than the price you might think. You only have to look at just how similar the new range of Chinese millitary aircraft are to those top of the line US and European aircraft are to see that the French are right. That is it is financial good sense for not just for national security, to steal others leading edge research. At the very least it saves you the time and money of repeating others mistakes...

The "short term" "shareholder value" driver as practiced in many C level offices is ignoring the inevitable. Target rich environments become less target rich with time, so the probability of having a major security breach on "your watch" is now actually quite low. Further it is becoming a sufficient non externalisable risk that it needs to be actively addressed, now just to keep up with the attackers.

u38cgNovember 2, 2015 9:31 AM

I think the answer to this is not technical or whatever. When the media is given a story by a blackmailer - a gay family values politician, or whatever - the tacit understanding is that they do not run it. We need the same approach here. No, you can't stop Twitter getting hold of it, but you can stop it being part of the media conversation.

Clive RobinsonNovember 2, 2015 9:52 AM

@ Bruce,

Last year, the government of North Korea allegedly did this to Sony. Hackers the FBI believes...

One of these days you will have to stop swinging your legs backwards an forwards over the fence on this one ;-)

My viewpoint is as it has always been, I can see how easy it would be to set up the North Koreans for this, even a teenage script kiddy could probably do it. The US are continuously looking for reasons to condem NK [1], and the US authorities have made themselves look silly by making an accusation then saying we cannot provide evidence for National Security reasons. Which most will guess means the US has hacked the NK's first and thus if there is real evidence it is at best tainted as it's the proceadces of a US based Cyber-attack on NK, and not even worth the propaganda value. But bearing in mind the fact a script kiddy could have done it, and SPE managment employee relationships are so godam awful, there is a very high probability it was entirely an inside job.

So now your legs are on the "allegedly" side of the fence, how about getting down and enjoying the view :-)

Ray DillingerNovember 2, 2015 10:11 AM


It's hard for me to give a crap about someone doxxing American politicians.

Not after 30+ years of American politicians politically obstructing the spread of exactly the kind of technological and institutional security that could have protected them, penetrating and putting holes in the security of the providers being subverted instead of helping those providers fix them, and promoting a "total take" methodology that left all the doors open for the people doing the doxxing.

For every "export grade crypto" you get FREAK attacks biting you in the ass later. For every social media that's been left riddled with holes and backdoors, you get your accounts on that media doxxed. This was no more than the obvious and foreseeable result of US government policy.

And, ultimately, because it's probably the only thing that could motivate any change in that policy, it's hard for me to call it an unequivocally bad thing.

Unnatural PickleNovember 2, 2015 10:12 AM

An important point to add to the mitigation list: do not e-mail any information that you would not be happy for a group of strangers to read.

When someone sends/requests personal data or discusses a sensitive subject with you by e-mail, do not be afraid to take it offline. The bottom line is, if you e-mail it in clear text, someone somewhere has read it.

AnonNovember 2, 2015 10:36 AM

Bruce - you forgot probably the best example: Sarah Palin.
No - it doesn't matter if you like her or not. Her yahoo account was hacked for this reason. In that case though they didn't find anything too juicy.

meldrocNovember 2, 2015 10:37 AM

Relevant: Hackers speaking as Anonymous have doxxed several US politicians, including several US Senators, reporting their affiliations with the Ku Klux Klan. This should get interesting...

boogNovember 2, 2015 10:45 AM

What this means is that we're going to see more political doxing in the future... It's going to be a factor in elections.
Which may be interesting - obviously a lot of time and money will go into preventing doxing. But then who do you vote for? The doxed candidate you know, or the secured candidate you don't?

boogNovember 2, 2015 10:47 AM

Bruce - you forgot probably the best example: Sarah Palin.

...In that case though they didn't find anything too juicy.

Probably why it's not the best example.

Lashaun VolinoNovember 2, 2015 10:54 AM

My 2c worth to the self-evident dos and donts: don't give real answers to the password reset questions. Given enough time, any schmuck can figure out your mother's maiden name and where you went to school.

In the Shadow of RavensNovember 2, 2015 11:00 AM

"Political" doxing, and related "cause based" doxing, especially between nation states is not a trend we should expect to do anything but expand.

North Korea, in a sense, very well sent a strong shot over the bow on this one.

Consider: What if the OPM hacker was not China, but was North Korea, and what if they doxxed it?

Work back from that, and consider how nation states might use such tactics in the future against one another.

Add to that the ease of nation states attacking while providing ample attribution evidence which is false and points to another nation state. Remember, nation state and cyber attack attribution, in general, is difficult, fuzzy, and often can be faked. Even when the circumstantial evidence is made very strong, that evidence often can be used to create a fake smoking gun for another nation. (For instance, taking attack code where strong circumstantial evidence points to one nation, modifying it, and using it in an attack against another nation.)

While the value of doxxing OPM against the intelligence value of using it is greatly weak, there certainly are scenarios where countries may not act in rational ways. Further, another historical example of faking national attack information is by the very nation under attack -- for instance, with the falsified attack in the Gulf of Tonkin incident. And related historical incidents, such as what brought the US into WWI, or the rumor of WMD falsely made into "fact" in the Iraq engagement.

Contrast this against typical "ddos" scenarios, and you can see it provides options where a foreign country might choose that strategy instead, as it can continue their business, but damage significantly the regime in question. If not total it.


DanielNovember 2, 2015 11:04 AM

I was worried when Bruce went to Harvard and now I'm convinced it is doing him harm.

has since been as a tool to harass and intimidate people on the Internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying "I know a lot about you­ -- like where you live and work."

Notice the shift from the generic "people" to the focus on a specific sex. As if men as a category aren't subject to doxxing. It's more of this GamersGate nonsense where the internet is filled with men stalking females.

I'm disappointed Bruce. I honestly am.

albertNovember 2, 2015 11:20 AM

@Bruce,
While you certainly have the right and privilege to editorialize, I must comment on your point about Sony:

"...The reputational damage to the company was enormous; the company estimated the cost at $41 million...."

Boo Hoo...SonyPE had 8 billion(USD) revenue last year, so that 41M is chump change, and I guarantee it's inflated at that.

@Ray is totally right on about doxing public figures, especially those in government 'service'. I don't give a RSA about those 'victims'. They're all crooks and liars. Brennan (head of an agency responsible for more bloodshed and terror than can be imagined) gets doxed and we should feel sorry for him? Not gonna happen.

There needs to be more doxing politicians and the media controllers. It's the only way to get the common folk to wake up about propaganda war being waged on them.

You said: "...As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we're going to see a lot more of it...."

You're right. You get the popcorn, I'll get the beer. Things are getting interesting...
. .. . .. _ _ _ ....

blakeNovember 2, 2015 11:52 AM

@Daniel

The first line of this very article: "...CIA director John O. Brennan became the latest victim..."

LeonidNovember 2, 2015 11:56 AM

I'm with Daniel. Please, let's get away from the idea that all victims are women, and all women are victims. Neither is true, far from it.

In the Shadow of RavensNovember 2, 2015 12:27 PM

@any reader

Unnatural Pickle wrote:

An important point to add to the mitigation list: do not e-mail any information that you would not be happy for a group of strangers to read.

Very agreed. Though, caveats may apply. You should have a mindset that you may be under surveillance 24/7, with special awareness strategic communication 'choke points' such as public emailing systems.

Not an easy mindset to get into. I got into it from very special training (and a sort of maintenance) where I was shown by work to be under exactly that manner of surveillance. (Obviously, I have a very unusual job.)

There can be odd caveats, one learns, most very ill advised for anyone else to use.

(For instance, in very rare scenarios you may have the need to establish the false fact that you believe you may not be under surveillance when you know you are. In which case, there are tactics one can employ to assure the surveillor that you truly do not believe you are under surveillance. These tactics can be usually summed up by 'stating and or doing things no one would ordinarily do in public' which, obviously, do not involve igniting the surveillors ire in a manner truly detrimental to your self -- such as 'testing if surveillance is really there by making false threats' which is a Very Bad Idea, and certainly an entirely different matter then what I am talking about at all. Instead, I am talking about 'double cross' like tactics, where disinformation is used as a tactic to control the surveillor. It is very related to tactics undercover agents used to regain cover, when their cover is potentially jeopardized.)

[And then others are exhibitionists, who do not care. Perhaps there are even some who auto send goatse.cx like pictures out on a regular basis to torment forever the minds of any would be illicit viewer with matters they will eternally be unable to "unsee". Har har har, giggle.]

It should be noted that Brennan's real fault here was keeping the email. Routinely delete your email box of everything, if you can. Especially the sensitive data. I note this because SF86 forms are or were sent via email after filling out. Had he simply done this, his risk would have been substantially less.

Someone could MITM it, but there is only so much data on there, and if they are that close to you, you have far bigger problems to worry about anyway. Whereas compromise of an email account is often a massive treasure trove of critical and confidential data.

Another lesson to learn here:

Brennan is the second CIA director in a row to find himself compromised by online evidence. Unlike Patraeus he even had less reason then Patreaus to have his guard so low, as he is a life long CIA employee, even with an analyst background -- who tend to be the smartest of intelligence employees. And most informed.

Both men felt 'it couldn't happen to them', clearly. So, everyone should mark out that ill caution for our own selves. It can happen to anyone, anywhere, anytime.

Analyst or not, it is true, operatives or those otherwise under real and continual threat will tend to be much more aware of this danger, however, then analysts or upper level individuals, home users, or other manner of regular, everyday users -- be they in intelligence, military, corporate, or other.

lackadaisical batteryNovember 2, 2015 12:30 PM

Re trolls: yes, this blog gets its fair share of them. They're seasonal, like mushrooms. Thet try their luck, they generally fail to cause any significant disruption, and give up.

We've even had threads analyzing their behavior: what subjects make them nervous, how they use sock puppets, what we can learn from them through stylometric analyses, etc. They're interesting in their own right.

The usual proviso applies: just don't feed them.

BobTheBuilderNovember 2, 2015 12:55 PM

"The reputational damage..." also known as a number that we made up by is not supported by any empirical evidence. Pretty weak argument here, Bruce.

HelenNovember 2, 2015 1:02 PM

@ Bruce Schneier

In your latest Harvard talk (I think it was on October 9), you declared that you could talk an hour about abuse (of surveillance). Please do so in the near future.

Privacy advocates need good examples why excessive surveillance is bad. For surveillance advocates, it is too easy to come up with movie-plot threats like "terrorists will kill your children".

I hope you can give privacy advocates good examples of surveillance abuse in one of your next talks.

I would very much appreciate that! :-)

Public Service AnnouncementNovember 2, 2015 1:04 PM

OK, politicians of loose morals and public-facing officials of ill-repute (and anyone else who just cares about their privacy): here is a roundup of the tips that have been mentioned to hopefully keep those skeletons firmly inside the closet.

1. use a secure endpoint operating system (forget windows, think airgap for serious opsec)
2. encrypt (pgp is your friend)
3. do NOT use the same e-mail address for all your logins and transactions
4. do NOT publish personal information in social networking sites
5. use different passwords for different services (think offline password manager)
6. use as many different credit cards for different transactions as you can
7. avoid giving real identifying personal information to websites whenever possible
8. do not e-mail any information that you would not be happy for a group of strangers to read
9. delete or safely store away messages that you are not using (think POP3, not IMAP)

Cheri KyhnNovember 2, 2015 1:33 PM

@Public Service Announcement:

So the conclusion we can draw from that list is that Silicon Valley and national security agencies are hell-bent on making doxxing easier...

ianfNovember 2, 2015 1:59 PM


I can not comment on Clive Robinson's assertion(s) in regard to DPRK's alleged hacking or not hacking SONY, because it's one of these news stories that I elected not to follow in depth. Only every time that I hear of North Korean hackers, I wonder ?where? would they get them from. One can not become a proficient computer professional, let alone a hacker, in a vacuum. I know NK has developed fission weapons, and missiles, but their makers were engineers, a more traditional and structured learning path and occupation, than data hacking, which also is based on for the NK fascist clique dangerous idea of subverting authority. One simply can not order hacking of so-and-so between hours so-and-so, esp. as there is no infrastructure needed for the emergence of a hacking mindset.

Nowhere was it more apparent than in the travelogue that Sophie Schmidt, young-adult daughter of Google's Eric S. posted after accompanying her father and 7 other invited diplomats and professionals on a high-profile tour of NK in January 2013. Below is the relevant computer-presence part of it:

The Kim Il Sung University e-Library, or as I like to call it, the e-Potemkin Village
[picture of apparently commandeered NK "Internet users" in front of static terminals]
Looks great, right? All this activity, all those monitors. Probably 90 desks in the room, all manned, with an identical scene one floor up.

One problem: No one was actually doing anything. A few scrolled or clicked, but the rest just stared. More disturbing: when our group walked in—a noisy bunch, with media in tow—not one of them looked up from their desks. Not a head turn, no eye contact, no reaction to stimuli. They might as well have been figurines.

Of all the stops we made, the e-Potemkin Village was among the more unsettling. We knew nothing about what we were seeing, even as it was in front of us. Were they really students? Did our handlers honestly think we bought it? Did they even care? Photo op and tour completed, maybe they dismantled the whole set and went home.

When one of our group went to peek back into the room, a man abruptly closed the door ahead of him and told him to move along.

The full monty by Sophie Schmidt
https://sites.google.com/site/sophieinnorthkorea/home

    Of course it could all be a part of an ingenious disinformation campaign to even further lull us into believing that the North Koreans are just bumbling and ignorant yahoos. If so, then they succeeded—champagne all around!

[also reported elsewhere, e.g.
http://www.theverge.com/2013/1/20/3896570/sophie-schmidt-reports-on-north-korea-trip]

DanielNovember 2, 2015 2:13 PM

@Blake

Yes, I did read the entire article.

My point is the way comparisons can be used to create misleading impressions. Brennan is used to paint the picture of the outlier--if it can happen to him it can happen to anyone. Which is fine, it's a point. If the powerful can't protect themselves how can the ordinary?

The problem comes in when Bruce genderizes the ordinary doxxing case as females. So first he sets up a powerful/weak contrast. Then he explicitly associates the weak and the powerless with females.

So Bruce is making the point that if big strong alpha chest thumping military males cannot protect themselves then OMG think of the poor weak helpless females. THEY GET VICTIMIZED ALL THE TIME.

He could have used the neutral person rather than woman. He could have coupled the female example with an example of a powerless male who was victim of doxxing. But he didn't. He explicitly took a problem that besets both men and women and made it sexist.

Bruce is a highly intelligent man. He knows exactly what he is doing. But this will backfire. He is only going to persuade people that doxxing is just another example of over-educated whiny bitches looking for something to complain about. And that's tragic because the issue affects everyone.

In the Shadow of RavensNovember 2, 2015 2:51 PM

on 'what about men', that men can be as much as victims of doxing as women:

As the article notes, the victim here, of course was a man. But, this raises an interesting insight I have come across from some darker areas*. While some may find this controversial, those who deal with it professionally consider it conclusively.

But, first, some humor:

Monty Python -- Blackmail
https://www.youtube.com/watch?v=xrRZVCg31fE

(*'Darker areas'. Primarily, I researched this area for interest in hidden facets of human psychology. Particularly, in regards to how human beings have a sort of confidence gauge, which directly relates to security. Confidence artists, including undercovers manipulate that confidence, but there are significant other aspects it pertains to security. Another interesting gauge human beings have which actually ties into a primary motivator is a praise/honor and revulsion/shame gauge. Like the confidence gauge, and very likely "the very same thing", it is both a send and receive gauge. But, it can be noted that human need for honor/praise/power and need for evading shame/revulsion/powerlessness is very core to the human experience and up there in terms of motivators with food, sex, shelter, clothing.)

A reason why this is so focused on women, in terms of "revenge porn" or "doxing women" in regards to exposing them in sexually compromising situations is that, for the submissive, being exposed sexually is far more profoundly damaging and so considered far more "private" then it is for the dominant.

So it is that men find usually little problem with being "slut shamed", and actually often take knowledge of many partners as a matter of honor, and something they boast about. Whereas, it is the exact different with women.

Or, as some say of women "they give their honor up to the man" in a traditional sexual experience where the woman is the submissive and the man is the dominant.

This, however, surely can effect men, because many men engage in submissive sex, or even submissive sexually oriented activity such as being a submissive in BDSM activity, or related, like with in the recent emergence of "financial domination" fetish.

Almost ironically, many strong dominant males often enjoy playing the submissive in bed. (Though many, decidedly, do not.) Historically, and realistically, this is a profound "attack point" for their enemies, and has been engaged in countless honeytrap operations.

Of course, there are many caveats here and outliers: homosexual couples, for instance. Generally, the one on bottom will experience more shame then the one on top by exposure. And some heterosexual couples, like with homosexual couples switch around dominant and submissive sexual roles. Further, depending on the relationship, the dominant may be even as invested in protecting the submissive's honor as the submissive is. Though the feelings there are different on exposure -- the dominant generally does not feel intense shame on such exposure. But anger.

Submissives tend also to be more sexually motivated by less visual cues, and more sublime mechanics like "power"/"honor" whereas dominants tend to be very visually oriented, and weakness of clothing (soft, cute, frilly) and body (thinner, softer skin, less hair, etc) are more appealing to them. Therefore, visuals such as photographs provide more danger and so emotional damage in exposing.

All that said, one should expect such details to get very specific, especially for the real b613's out there interested in either doxxing or engaging in extortion like behavior, for control, for instance, of potential assets, agents; or for other purposes, including political and corporate manipulation of VIPs and others. Like network administrators and security personnel.

(*B613, fictional domestic clandestine 'off the books' intelligence agency depicted in show 'Scandal'. While typically a "female" viewer oriented show, for the deep detail of the mechanics of B613 alone, well worth viewing for anyone heavily engaged in computer security.)

In the Shadow of RavensNovember 2, 2015 3:09 PM

^ I should also add, something else -- again, much of this information, if not all "everybody knows", but we as human beings tend to operate on the unconscious level, especially with "sexual social" communication, so while "we know", we very often are unconscious about it....

That is that sexual revelations via doxxing, especially in regards to sexting, visuals, and intercepted or archived and exposed video gives out enormous information to the viewers which deeply impregnates into their minds a lot of powerful information about those engaged in the sexual acts.

So it is the frequent term "things one can not unsee", or even that word, relatively new, but popular, "unseeing" something. Which typically is most poignantly used when used over nakeds, and sex.

Much to say on that, but in social settings, these sorts of things normally are in the 'back of people's minds'. Strongly, however. Obviously, for the creepy who go about with conscious x-ray vision spectacles on, lol, a different matter...

So 'food for thought' next time you watch some porn or fantasize about someone. Or consider the ramifications of such sensitive 'data' being exposed.

...


@Daniel

The problem comes in when Bruce genderizes the ordinary doxxing case as females. So first he sets up a powerful/weak contrast. Then he explicitly associates the weak and the powerless with females.
So Bruce is making the point that if big strong alpha chest thumping military males cannot protect themselves then OMG think of the poor weak helpless females. THEY GET VICTIMIZED ALL THE TIME.


I suppose, then, you will respond to my post above.

A very dominant male (or female, actually) often won't be so bothered by doxing. They won't have the deep, burning shame felt from exposure as the submissives they sleep with. Often, boasting for them about sexual conquests - which are conquests for them - provide them honor, instead of shame.

In fact, some dominant males even share out their partners, to show other males how they are unable to satisfy them, and then 'show them how it is done'.

In sex, of course, few truisms can be made, in specifics. Another specific I left out was exhibitionist submissives, for instances. But, there are certain truisms and generalities which can be made, if one properly applies context.


You can play a mind game for yourself here, but requires a very vivid imagination. Consider a picture of yourself exposed with a very beautiful woman with yourself in the typical masculine sexual posture and her in the typical feminine sexual posture (or one of them, except for her 'on top'). And consider 'how would you feel if that was exposed'.

Then consider yourself in a picture exposed, say in a submissive feminine posture with another man in the dominant masculine posture -- or/and with a female pegging you.

I think, qualitatively, you can then see how the shame and dishonor felt in the submissive posture and actions exposure is significantly different then in the masculine dominant postures and actions.

Horrible stuff to even think about, but grim everyday human realities we all deal with. But... the asexuals among us.


blakeNovember 2, 2015 3:29 PM

@Daniel

You realise you're beating a drum about "not all victims are women!" below an article about how a *guy* was Dox'd?

The other examples actually in the article:
*Sony
*some women
*Hacking Team
*Ashley Madison
*The NSA
*100 celebrities
Bruce's article is pretty comprehensively indicates how Doxing is a thing that can affect anyone. Even things that don't have genders because they're government departments (NSA) or commercial organisations (Sony). Actual quotes:

> More people will find their personal information exposed to the world: politicians, corporate executives, celebrities, divisive and outspoken individuals.

> Regardless of the method, lots of people will have to face the publication of personal correspondence, documents, and information they would rather be private.

> We all have the right to privacy, and we should be free from doxing.

Seems pretty gender neutral.

albertNovember 2, 2015 4:30 PM

Thanks to all for providing psycho-social claptrap, and marginalizing gender-issues in a medium teeming with BS, especially in the comment section of a blog post about "Political Doxing". Very relevant, and well done!

. .. . .. _ _ _ ....

Clive RobinsonNovember 2, 2015 4:53 PM

@ ianf,

Only every time that I hear of North Korean hackers, I wonder ?where? would they get them from. One can not become a proficient computer professional, let alone a hacker, in a vacuum.

Especialy as NK in general does not have the Internet as we know it (that is reserved for a handfull of trusted people). NK have what is in effect a private network run by the state to disseminate state approved information to users running a state developed OS...

As for where the NK supposed genius grade hackers come from, I have no information on this other than that some one has claimed they are being trained by the Chinese underneath a well known restaurant... It could be true, it could be false, stranger things do happen. The important thing to recognise is it is a factually unsupported allegation and acknowledge it as so.

I know several South Koreans, and the subject has come up once or twice when the previous SK premiere made accusations about NK hacking SK banks and endangering SK aircraft by taking over navigation systems. The general response was it was SK "state propaganda" run to please the US and show China what good friends the US are with SK. But it can go wrong as with the US/SK war games that resulted in NK responding to what it saw as a significant provocation in disputed areas, and responded by firing into the desputed area.

The South Korean's I know doubt the existance of all these "super genius hackers" and actually think it is more likely to be either US or Chinese individuals using NK as a proxy.

The simple fact is any of our opinions could be correct, but you can not use Occams Razor on this. Especialy when the opinion is based on what others are saying.

It's why I say be skeptical of the evidenceless statments of atribution, they are at best noises from an agenda. It is easy to see how any evidence could be readily falsified, and lets be honest SPE had a lot of enemies much closer to home. Many of whom would happily see them taken down a peg or four. Then there was of course the issue that the film was regarded as a turkey befor the alleged hack, there was rather more than 41 million riding on that.

Thus the best thing to do is just say the US accusations are at best "alleged". Because without verifiable evidence that is all they are at the end of the day. But importantly if verifiable evidence does surface, then you are neither right or wrong, just factual, and that is more important to your future credability than making a claim and crossing your fingers on a bet.

In the Shadow of RavensNovember 2, 2015 6:40 PM

@Clive Robinson, et al

on north korea hackers:

Another excellent analysis...


Another possibility is that they are self-trained, perhaps in some manner of grouping system, or otherwise have their own training facility outside their country. NK does send workers abroad even still (for horrible jobs, usually), and so they could very well have a hacking team abroad. Could be in South Korea even or the US. Could be in Russia. Could be multiple cells operating nearly anywhere.

Asian espionage I have found tends to be highly influenced by Sun Tzu. And Tzu was all about deep cover agents in foreign countries. We do know that NK surely has some operatives in SK at any given time. We know NK captured some Japanese some years back to learn how they are, possibly for purposes of sending undercover agents there. I am not aware of any such NK operative turning, offhand, however. So, I also do not recall any substantial details on their actual illegals program.

If they truly even have one.

Usually when I have read of NK operatives in SK - if not always, actually - they are on a near suicide assassination mission run.

I would think it would be near impossible to keep a NK illegal operating solo in a foreign country loyal. Everything they see and hear there would prove to them their political system is a deep lie.

Could be they operate in families and as couples, as the Russians used to rely on in the Cold War. (Post-Cold War, I think they rarely send out their illegals as couples, if ever, anymore.)


Again, if they even have such a program. If they did, it is not entirely surprising even the highest level of defectors would have no knowledge of it. And there have been some very high level defectors.


Probably ParanoidNovember 2, 2015 8:32 PM

The notion of a targeted attacker, who wants Sony or Ashley Madison or John Brennan because of what they stand for, is still new.

I don't think I buy this point.

In general another point perhaps not brought up is the whole SSN/NOTB side. Which is to say that there is a big delta between where we are, and where common sense suggests we ought to be already. Which I blame on a widespread crippling of computer science skills by NSA propaganda (undone by the Snowden psy-op)

rgaffNovember 2, 2015 9:41 PM

@In the Shadow of Ravens

"I would think it would be near impossible to keep a NK illegal operating solo in a foreign country loyal."

One word: FAMILY

In asia families are very close and very important, more so than one's own life. Westerners have no idea what that's like living in a society where only one's self matters. You do one misstep and your entire extended family is tortured horribly and executed in the most cruel manner possible, and so will you when they catch up to you...

The "family" concept also extends to larger and larger circles around you too, so it's not just close blood relatives, it's everyone you know and care about. Even people in the same company, city, province, country, or any other social or political group are like ever widening circles of family... very important, and you must be loyal to each one or you bring shame on everything. And shame is worse than death itself, for everyone. So even without threat of death, just the shame all by itself is a big motivator, but then you add them together and wow!

John HardinNovember 2, 2015 10:37 PM

@Ianf:

Only every time that I hear of North Korean hackers, I wonder ?where? would they get them from. One can not become a proficient computer professional, let alone a hacker, in a vacuum. I know NK has developed fission weapons, and missiles, but their makers were engineers,
...and largely Pakistani. :)

tariqkNovember 3, 2015 3:15 AM

In the end, doxing is a tactic that the powerless can effectively use against the powerful.

Weren't you the one who said that while technology initially magnifies the power of those who are powerless and able to adopt and pivot quickly, eventually governments and the powerful will essentially use this method to magnify their already considerable power?

From here:

“In general, technology magnifies power, but adoption rates are indifferent,” Schneier said. “The nimble and relatively powerless make use of new technology faster. They’re not hindered by bureaucracy or laws or ethics. There was an enormous change when they discovered the Net. Now a decade later when the government figures out how to use the Net, it had more raw power to magnify. That’s how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens.”

How do we know it hasn't already happened?

WinterNovember 3, 2015 4:57 AM

@ ianf,
"Only every time that I hear of North Korean hackers, I wonder ?where? would they get them from. One can not become a proficient computer professional, let alone a hacker, in a vacuum."

Vice has a clip (starts at 1 minute) of a NK computer lab

https://www.youtube.com/watch?v=5hUegMTSh0U

It is totally fake. No one uses the computers but the one man that is allowed to talk to foreigners.

Bruce SchneierNovember 3, 2015 5:06 AM

"One of these days you will have to stop swinging your legs backwards an forwards over the fence on this one ;-)"

Motherboard added the "allegedly." Ever since this article, I have believed the government that North Korea was behind the Sony attack. And I have said so repeatedly.

Bruce SchneierNovember 3, 2015 5:09 AM

"In your latest Harvard talk (I think it was on October 9), you declared that you could talk an hour about abuse (of surveillance). Please do so in the near future."

The place I wrote about it most extensively is in my book.

Bruce SchneierNovember 3, 2015 5:10 AM

"Bruce - you forgot probably the best example: Sarah Palin."

I was going to include her, but I thought her e-mail was not published. Since it was the publication I was talking about, and not the hacking, I left her out.

Was I wrong about that?

Bruce SchneierNovember 3, 2015 5:12 AM

"No mention of Anonymous doxing the KKK?"

Happened after I wrote the piece.

Bruce SchneierNovember 3, 2015 5:22 AM

"Notice the shift from the generic 'people' to the focus on a specific sex."

Yes. That was a crap edit by Motherboard. I originally wrote: "It first emerged in the 1990s as a hacker revenge tactic, and has since been as a tool to harass and intimidate people, primarily women, on the Internet. Someone would threaten a woman...."

I will fix it on my blog, and I will try to get Motherboard to fix it on their site.

I didn't notice it when Motherboard made the change, just as I didn't notice them slip in "allegedly" in front of North Korea.

WilliamNovember 3, 2015 6:38 AM

@ Clive Robinson, "As for where the NK supposed genius grade hackers come from, I have no information on this other than that some one has claimed they are being trained by the Chinese underneath a well known restaurant... It could be true, it could be false, stranger things do happen. The important thing to recognise is it is a factually unsupported allegation and acknowledge it as so."

There were reports of NK sympathizers among SKs, who allegedly are the anti-social types, disenchanted with society, status quo, and probably everything else. On the other hand, if NKs could send a rocket into orbit, wouldn't surprise me if they got people who can do a little hacking too.

ianfNovember 3, 2015 6:53 AM


@ In the Shadow of Ravens

on north korea hackers: Another excellent analysis...

Wasn't an analysis. Were ruminations, human mental version of favorite bovine preoccupation.


Another possibility is that they are self-trained, perhaps in some manner of grouping system, or otherwise have their own training facility outside their country.

I am not a doctor, but if I were one, I'd have you sectioned for polluting the minds of minors with all manner of sterile, cul-de-saccy memes. A North Korean hacker-training facility outside of North Korean blanket control, a hacking team self-training until perfection! TELL US MORE TELL US EVERYTHING YOU KNOW HOW.


Could be multiple cells operating nearly anywhere.

Yes, cloaked in invisibility to their surroundings and the unwitting "hosts" counterintel alike. North Korean hacking teams in self-training composed entirely of mutually watching one another employees of the DPRK Foreign Anti-Dear-Leader-Conspiracies Directorate.


Asian espionage I have found tends to be highly influenced by Sun Tzu

Listen, Sun Tzu is an ancient Chinese philosopher, not a buzzword to be sprinkled about every time one wanks to allude of be reading WSJ Online.


@ rgaff [Ravens] “would think it would be near impossible to keep a NK illegal operating solo in a foreign country loyal."

One word: FAMILY

Yes, fear for family-as-hostages, but that hasn't prevented NK defectors who saw their entire families headed towards starvation. Also, by analogy, because the Israelis made that official, the Palestinian Arab suicide bombers know very well in advance that their family homes WILL be demolished even if they are in the middle of a 4-5 other abodes structurally-dependent cluster. Hasn't stopped them. Families bear the ire of their neighbors, then cash the Saudi etc. "pensions"

So in the case of NK foreign assignees (rather than "workers," DPRK does not export labour for fear of idea contamination), I think other "loyalty-assurance" factors are at stake. Last year the BBC managed to make a half-hour documentary of a DPRK future managers university set up there by a South Korean expat professor from the USA (I kid you not). The students, all thin men in their mid-20s, impeccably dressed as were they funeral directors, marched in step and in formations between lecture halls… they seemed by now so coved and indoctrinated in how one shows deference to one's better-know superiors, that they simply wouldn't know other ways. Even the professor himself, who originally was taken for a deep-cover US spy/ capitalist corrupter of pure NK breeding stock, first did a stint in prison, before being allowed to set up that university (campus built acc. to plans from Central Building Plans Repository).

I read that South Koreans send lots of educational DVDs and AM pocket radios (the NK ones being factory preset for just one FM station) with balloons across the border, but the feedback they get is mostly "send more soaps with So And So.” ("So and so" is a placeholder, not a name.)

So I do not think that the issues that are so self-evident to us, basic human rights etc., EVER GET PLANTED in NK children's minds – and then, past certain threshold in adolescence, it's too late, and the instinctive struggle for survival come what may takes over.


@ John Hardin

... [North Korea's A-bomb engineers] largely Pakistani.

Ah, that explains it… I feel so r.e.l.i.e.v.e.d, much more level-headed, predictable people.


@ Curious

Re: “Internet firms to be banned from offering unbreakable encryption under new laws

Do observe who said that—The Telegraph! Of course they would, they are in competition with this Internet novelty for fat military contracts for unbreakable communication channels and the like.


@ Clive Robinson

unlike other human derived products, teeth are easy to find in your food and remove...

Nolo contendere, but that wasn't my point… which is to be found only in that “Life of Pi” reference… no spoilers.

Person Non GrataNovember 3, 2015 7:19 AM

@ ianf, "So I do not think that the issues that are so self-evident to us, basic human rights etc., EVER GET PLANTED in NK children's minds – and then, past certain threshold in adolescence, it's too late, and the instinctive struggle for survival come what may takes over."

Thanks great post. The riff is likely more complicated than drawing an imaginary line to segregate a peninsula of people who share the same past. What may seem difficult to understand is sometimes quite simple or can be. What little it may take to unite a lonely nation of people. What good are DVDs and AM Radios coming from those who sanction the essentials. Really what good does it do?

In the Shadow of RavensNovember 3, 2015 10:27 AM

@rgaff

Thanks, some very good points there.

@ianf

My, my aren't we grumpy today? "Ruminations"... "analysis"... is it potato or potatoe? In 'Rick & Morty' there is a race of aliens who only use *one* word for saying *everything*. Not unlike in the "Guardians of the Galaxy", where the Groot character says, "I am Groot" for everything. And people just understand what they mean.

...

On the plausibility of it, I did not flesh it out. I did not see much of a reason to. The most plausible answer I have heard, was what Clive had mentioned, and was reported by the BBC earlier this year. That they are being trained by China, in China.

Across the history of espionage, there have been some very solo deep cover illegals, to be sure, and they have performed some amazing stuff. Invariably, however, they will have "controllers", also called "handlers", or "case officer".

Very often illegals operate as case officers their own selves, for agents in country. But, with asian model (what I have read about from Vietnam, China, anyway), they do not tend to run "agents" (paid locals or volunteer locals who operate effectively as spies or 'confidential informants' for the foreign intelligence agency).

Often called in tv "assets".

North Koreans, as I noted, certainly do and have, historically, worked abroad. During the Cold War, they primarily stayed to Communist countries. They were invariably no fan of any Communism post-Stalin. They were and remain to a large degree, stuck in pre-50s, Stalinistic Communism.

They do stay in groups when they do so. Exceptions can be with diplomats. But, like how cults operate, even they certainly are deeply kept close in groups.

As for training, most of the top security researchers are self-taught. There is a number who have college educations, though it is only recently that any significant computer security material has been covered in colleges and even still it tends to lag far behind the research community.

There have been a number who received some manner of training by government. For instance, the NSA had a training program which produced a number of luminaries, and some other luminaries came from very brilliant defense contracting firms like BBN Technologies.

But whatever the case, the top security researchers have had to significantly self train. And in my estimate that is the toughest requirement for the job. It can be very difficult to train - to teach - people to learn how to become quick studies, to teach them how to learn most effectively.

Deep cover illegals (and related) programs, however, do tend to do exactly this. Because that is exactly what their graduates will have to do. They have to become like Frank Abagnale. They have to be able to become convincing doctors, researchers, scientists, bureaucrats, military officers, and so on. And so these programs often start early and are very extensive.

In general, though, yes you can certainly have a foreign cell who trains together to learn how to hack efficiently. China, of course, is the most likely nation where this is performed, whether the Chinese PRC are really training them or not, however.

But, yes, all these are but possibilities.

Did you know that before the Munich Massacre, a behavioral science criminologist was asked to provide threat assessment scenarios of "what could go wrong"? He came up with 26. And of those 26, one of them exactly described the Munich Massacre.

If you think this is work that nobody does, you would be incorrect. All critical infrastructure teams do exactly this work. They train for disasters and have someone create possible scenarios for their team to reenact.

Where people fail, is when they get caught up in any one scenario, and do not consider all the possibilities. When they get subjective.

Like maybe they are grumpy because they got off on the wrong side of the bed this morning. So nothing looks good to them.

In the Shadow of RavensNovember 3, 2015 10:31 AM

William wrote:

There were reports of NK sympathizers among SKs, who allegedly are the anti-social types, disenchanted with society, status quo, and probably everything else. On the other hand, if NKs could send a rocket into orbit, wouldn't surprise me if they got people who can do a little hacking too.

Very well said, thank you.

thevoidNovember 3, 2015 1:52 PM

@In the Shadow of Ravens, @rgaff

re: NK spies

control of humans is not all that difficult... you don't even need a hostage, or to have been conditioned from birth to be 'thought-controlled.' take the case of one popular cult: scientology. HBO recently had a documentary on them and their tactics ('Going Clear'), featuring many of the original leaders talking about their experiences. at one point in time, there was a shakedown and many of the old guard were ousted from their positions and sent to what was essentially a concentration camp, where they were indeed subjected to what most would consider torture (if mild, relatively speaking). rumors of this leaked out (i don't recall how, but i think someone did get out), and in a face saving move, they took the wives of the old guard (believers themselves), dressed them up nicely, put them on tv to 'defend the faith', denying all of this, that they would in the future acknowledge, and after the broadcast went willingly back to prison and the conditions they just (strenuously) denied existed -- all in California.

they (the old leaders subjected to this and their wives) will tell you (as they did in the doc) that they did so WILLINGLY.

now consider, these were people, whose family were not being held hostage as they would in a dictatorship like NK (well, they were IN A WAY, but mostly mentally. nobody's toes were being cut off though), and who were all products of a 'liberal democracy' (US and AU, probably others but i am going by the doc). and as mentioned, these were former LEADERS, not rank-and-file.

there are any number of examples of this, recently or historically (although the famous Jonestown 'kool-aid' is not entirely accurate. most were murdered by guns.)

francNovember 3, 2015 7:41 PM

Bruce, you have a pretty one eyed slant on gamergate, this is not the first time you have done so. The majority of doxxing is perpetrated by pure vandals that have no interest in the issues whatsoever. But if you observe analytically, pro-gamergate is universally against the vile habit. Anti-gamergate are the ones that justify it - folks like Randi Harper, @srhbutts, Brianna Wu and Rebecca Watson who outright stated it -

http://skepchick.org/2014/12/why-im-okay-with-doxing/#

You won't find anyone in non-troll gamergate who will make the same kind of statement. Please get your facts right. I expect more of you.

Peter KNovember 3, 2015 7:55 PM

@ In the Shadow of Ravens, "On the plausibility of it, I did not flesh it out. I did not see much of a reason to. The most plausible answer I have heard, was what Clive had mentioned, and was reported by the BBC earlier this year. That they are being trained by China, in China."

The NKs are definitely the ones to watch out for, not the Chinese or Russians. Detached, and dangerous, unknown skill sets because theoretically their skills are not tracked as they venture into our worlds. But if you looked and have unexpected encounters, better steer clear, I really think so.

@ Clive Robinson, ianf, "I can not comment on Clive Robinson's assertion(s) in regard to DPRK's alleged hacking or not hacking SONY, because it's one of these news stories that I elected not to follow in depth."

I generally believe he's a good source, provided that he did not have any inside information to make that judgement. He seem to be someone who makes sound decisions.

@ William, "There were reports of NK sympathizers among SKs, who allegedly are the anti-social types, disenchanted with society, status quo, and probably everything else."

It's plausible to look at those who've been discarded by very selective South Korean education system and of social segregation exerted by the top handful of conglomerates, who are super good at whatever they do. The smartest don't slip thru often, as they are handpicked at a young age, to be further trained and selected. The few late boomers who are quietly brilliant are often left to rot in mediocrity. There's both social and intellectual underground that brew discontent, as in any modern westernized liberal semi-free society, outside of fantasy land.

Spaceman SpiffNovember 3, 2015 8:11 PM

This is why we don't let managers handle system security, especially their own...

JustinNovember 3, 2015 10:17 PM

Hmm, maybe I shouldn't have made my previous comment. I certainly didn't mean to bring out the gamergate trolls. Probably the most extreme example of doxxing is revenge porn. Probably more effective against women than against men, as Ravens alluded to.

... a traditional sexual experience where the woman is the submissive and the man is the dominant. ...

Although I think that people overuse the words "submissive" and "dominant." To me, if a woman is "submitting" to it, that means she doesn't really want to do it, and if a man is "dominating" her, he is forcing himself on her whether she wants it or not. That kind of language sounds altogether like rape to me. On the other hand if the woman is receptive to it, she can be an equal partner in it, even if she is "passive" and the man is "active." I feel that this is more neutral and accurate language for a "traditional sexual experience."

The doxxing issue is more at the traditional attraction between men and women. Men looking at images of women and women looking at images of men are not always equivalent. Traditionally, men like to look at beautiful women, and women like to feel beautiful and have men look at them. Certainly women tend to have much more effort and emotion invested in being beautiful than men do.

The realization of being doxxed, "People are looking at me naked on the internet!" is probably going to create a more sexualized involuntary emotional response in a woman than in a man. Most men are probably not nearly as used to unwanted sexual attention as are most women, so they are not as sensitized to it, and may not experience or relate well to that uncomfortable feeling.

But no one can predict the reaction of any one individual to being doxxed, and if a man is doxxed, there are going to be other men looking at him, maybe cyberstalking him, leading to further doxxing --- that could be as humiliating as anything, who knows?

JustinNovember 3, 2015 11:27 PM

"Relevant" Google ad I saw on a totally different website after posting the above:

IS HE CHEATING ON YOU?
Enter His Email Address. See Social Profiles & Hard To Find Pics Now!
http://www.spokeo.com/is-he-cheating

I really need a better ad-blocker. I'm being googlestalked.

Ibe BaboonieNovember 4, 2015 2:49 AM

This

"Do NOT use the same e-mail address for all your logins and transactions. Do NOT publish personal information in social networking sites. Use different passwords for different services (ideally managed by a secure offline password manager). Use as many different credit cards for different transactions as you can. Avoid giving real identifying personal information to websites whenever possible.

This form of security by isolation will not necessarily protect you, but it will significantly mitigate the effects of a successful attack."

Target got hacked so their so call "anon-a-miss" gift card system is probably tracked anyway, but definetely owned also.

I store all my passwords in my head which are long and complicated, and I'd probably have some real difficulty remembering them if asked.

Also run at least 4 or 5 different emails with different providers with some being thown away that should last no longer than 1 to 60 days.

Reset the clock back a few random months in your BIOS regularly and delete all your logs including Firewall AV (which can be cleaned in SAFE MODE) and all OS(with network adapters disabled), after reading them of course, then set your clock back in BIOS. You can also run programs that will let you set timstamps for entire folders (don't do this to your entire computer it will break things).

Make sure your computer is badly organised and don't store stuff in obvious places, make it as badly organised as a hoarders paradise (the human mind has an amazing ability to remember the location of insane places).

Keep a clove of garlic in your case to keep out vampires and your own personal amusement.

Get rid of dodgy certificates if you know what you are doing, turn off NDIS and any sneaky OS reporting and automatic updating. get rid of IPv6 and disable NetBIOS. Block all the crappy analytics and collection URLs/IPs in your router or get a better router that can block URLs/IPs and preferably install DD-WRT.

Use Tor and Tails.

At least don't make it easy, and turn off SSL 2.0, SSL 3.0, TLS 1.0 and don't store encrypted pages to disk in your browser even if you don't use your browser.

Read up on what cyphers to use in your OS and browser. The occasional crappy site still wants RC4 but you can enable it for the couple minutes you need it then disable it again, and most likely RC4 will be gone pretty soon entirely, with luck.

Invest in some VPN of some kind, it's better than just giving them all your meta-data without any effort to get it.

Plug up all volcanoes with giant corks in your best swine farmer gear.

Young PersonNovember 4, 2015 3:06 AM

I expect young people to not expect slightly older people to know everything about younger people's hip radical happenings. I also expect young people to be polite to their elders, if you want respect first you got to dish it out yourself. Maybe I expect too much, it's been known. As far as gamers treating women in gaming it's generally pretty poor or shite or impolite at best, though getting better, possibly, I think... Try playing CoD with some kiddies using a female name and see how you get treated boys, though it's been a long time since I've been high enough to put myself through such pain.

Yep I'm calling you out.

Wasn't this post about Doxing y'all, or you some socks trying to derail thread?

I'd probably run some kind of ye old ad blocker or three in your regular browser with your VPN, you can whitelist the sites which need advertising revenue like gaming sites so they don't go broke.

In the Shadow of RavensNovember 4, 2015 10:07 AM

@thevoid

There are a lot of different types of cults. Totalitarian societies and plenty of major religions and even political systems are certainly cultic, kind of a macrocosm of the microcosm of a cult. Some of these systems are extremely divergent with reality and mirror severe psychosis. These sorts tend to be the kind where it is mandated that people remain within a very closed circle of believers at all times. North Korea's major belief set definitely falls under this category.

Other systems are more formed in the wild, even in free speech and belief societies. Their virus grew up in that society, and so it became resistant to divergent data. Scientology is one of those. They definitely still hold psychotic like beliefs, but their virus of their belief system has strong safeguards against the divergence of reality. So, you often see scientologists in the wild without even other scientologists around them. And some of them can even solo debate with others of entirely different belief systems and still maintain their own belief system.

But, with North Korea, their belief system is so psychotic, so divergent from core reality, that going outside the country alone brings a severe danger of the believer's entire belief system collapsing.

They also do put extreme stress on family members of "traitors". All family members, even distantly related, are locked up in effectively death camps... to the third generation. Until they all die out in these camps. Literally. Which literally means they allow some births to happen in the camps, until a family line has reached the third generation, then no more births.

There are fates worse then death, and that would be one of them.

However, in this case, it very well could be their foreign, deep cover illegls spy program trains them from birth to become such a spy. Deep cover spy programs have been doing this since, at least, the old assassins model in the early middle ages.

And probably earlier.

The problem is you want them very well trained, including extremely loyal, and you also want them to spend their grown life in a foreign country. So you kind of have to train them young. They will often be sent out in their early twenties, which gives them a number of decades of good work.

It can be noted, NK does have some public IP addresses, however. But, it is true, regardless, that some attacks that are attributed to NK have come from other countries where a physical presence was found. That is, it wasn't just bounced through proxies or hacked systems.

As they likely grew up in training, they probably were given a very different belief system then what the mainstream in NK gets. One which is resistant to breaking when exposed to the extreme divergence of what non-NK countries are like, compared to what NK says they are like to their mainstream.


In the Shadow of RavensNovember 4, 2015 10:43 AM

@Justin

Most men are probably not nearly as used to unwanted sexual attention as are most women, so they are not as sensitized to it, and may not experience or relate well to that uncomfortable feeling.But no one can predict the reaction of any one individual to being doxxed, and if a man is doxxed, there are going to be other men looking at him, maybe cyberstalking him, leading to further doxxing --- that could be as humiliating as anything, who knows?

Some very good comments.

When a man looks at a woman with sexual feelings, you also are talking about a very different type of look. Like he wants to overpower her and "have his way with her". The masculine burning look in the eyes is very different from the feminine longing look in someone's eyes.

There is enormous aggression required in traditional "male" "female" sex. The man, especially, puts forth an enormous amount of work. Testosterone, isolated, does produce extraordinary aggression, and is the primary chemical that ups sexual drive (in both men and women). I do not believe we human beings have fully evaluated the nature of human sex by any means, nor our chemical hormones. But, there have been a lot of well replicated studies, especially over the past fifteen years... and the isolated and dispensing of hormones/steroids like testosterone, testosterone blocks, estrogen, estrogen blockers also gives a lot of insight.

Psychologically, is what I am mostly talking about here, however, and I have found a lot of this has been very difficult to work out. You really have to have a very firm and realistic grasp of the differentiation between the "conscious" and the "unconscious" mind. Which can be found through deep reading in cognitive behavioral, neuroscience, forensic psychology or behavioral science, and some more arcane work, such as the work of Milton H Erickson.

I find that Freud was actually not too far off about sex being so primary in people's minds, only he hyperfocused on the man's sexual organ. Reality is we tend to have sexual judgments about others very close at hand, but in the "back of our mind", in our unconscious. And it deeply effects our everyday behavior. These assessments include such things as, "how much testosterone does a man have in his chemical balance", "how much estrogen does a woman have", "how satisfied is a man's wife or lover", "how capable of having a baby is a woman", and down into very arcane matters which we would never consciously be aware of being a factor such as "how divergent is this possible mate's immune system from my own, from my father's, from my mother's".

Then, there are tied up in much of the above, and much else, much submissive and dominant "signaling". Verbal and non-verbal.

But, I find, people get very wrapped up in these things. It is difficult for them to come to conscious terms with them, so you see very much "sex talk" to be in the realm of jokes and such. Much sex talk can be very biased and political, and seemingly, for many people, they have a very difficult time being objective about it.

I do, however, use the words "dominant" and "submissive" there, but I understand how that can be kind of controversial to do so. But why is this? It is simply because sex really imprints on people. The actual sexual act is a profound imprint on both (or more) parties. So their definitions can become extremely subjective. It is in this very realm you see fetishes formed, for instance, which call forth immense drives within people.

Traditional sex, however, is, I would argue very dominant and submissive. There is consensual or non-consensual. There very much is a power exchange. With traditional male female sex, the orgasms of the woman and her general "oh you are such a man" communication are signs of that consesuality tied deeply into her submissive postures -- and exactly contrasted against his dominating postures. It can be surely noted that these traditional sex acts do involve exactly submissive and dominant postures.

If you were to be with a man as a woman, you would be in exactly a submissive role. That could be rape, or could be consensual. Most sex is consensual.

In healthy relationships there is often an interchange in roles.

There are definitely plenty of heterosexual couples where the female is dominant and the male is submissive, as well. Or homosexual couples where the traditional "bottom" plays both roles, or even is dominant.

I can certainly understand how people can be very uncomfortable with these words "dominant" and "submissive", but they are very core to the human experience. They certainly apply well outside of sexual activity, into a very wide range of everyday social roles include boss and employee roles, cop and citizen, and so on.

It is also very good to understand because one can see in these exchanges how people deal with very security focused matters such as confidence and credibility, authority and compliance, fear and shame, and so on.

The language is weak because people tend to not talk about these matters or think on them consciously deeply, except in the most subjective of terms. But, we do have this weak language to work with.


fajensenNovember 4, 2015 10:46 AM

I would think it would be near impossible to keep a NK illegal operating solo in a foreign country loyal. Everything they see and hear there would prove to them their political system is a deep lie.

1)
North Korea is basically a cult, who happens to be running an entire country. An effective cult will have solid programming to counter-proove any situation where doubt arises and violence as a fall-back option.

We had people who believed that space aliens would take them away on a comet so it was cool to top themselves with poison - right in the middle of California and these were people who were born, grew up here and only programmed for a few years or so. Very effective.

2)
Would an agent give enough of a toss about the lies to do something?

I don't trust my political system and I positively loathe modern corporate culture. This does not mean that I will just on principles forgo all the bennies I presently get for pretending to be "on the team".

For loyalties to actually change, someone trustworthy has to offer something much better and, in the case of changing ones ideology, a much more compelling story than the current one.

An epic tale of Purpose, Friendship, Great Achievement, Overcoming Adversity, and also Money does work. So far the best "The West" can offer is some guff about "Freedom" and maybe, if you work really hard and are insanely lucky, you might "Make It". Probably, the agent will say: Ha! It's the same in North Korea - the 0.01% rule, the 99.99% gets to fight over the scraps. They trust me, so I'm "Mister 2%" - which is way better than stocking shelves in Wall Mart!

2a)
It's worth thinking about what "our" story is like: ISIS can persuade people to join them voluntarily and probably get blown up by Russian bombs, while we - or our agents - have to bomb and torture our ideas of "Freedom" into people everywhere. If something is such a hard sell.... maybe it is not offering enough value.

In the Shadow of RavensNovember 4, 2015 11:01 AM

@ 'why is this sex talk relevant'

I actually believe it is quite relevant as the number one thing people are concerned about getting out when they get doxxed is sexual material. This is also true with extortion scenarios -- very much a growing hazard with today's information security.

It is also relevant in regards to non-sexual exposure which causes significant shame.

And it ties into how we define what is truly private data, versus public. Albeit, the discussion hardly stretched out that far.

There are also significant sexual impulses involved in many attacks, just as with rape or types of murders where a person has sublimated their sexual drives into other activity. So it is common for hackers to speak of "owning" a system or "raping" an victim in the same context of sexual conquests.

It is a transfer of power.

In the Shadow of RavensNovember 4, 2015 11:13 AM

@fajensen

I do not disagree, though I came away from your post feeling you did not read my entire post. I have given these matters considerable thought, so the material is densely packed.

You have to span out from what I was saying about cultic belief systems to more "major" belief systems... I really do like to focus on the cultic, because there you can find some "pure" samples of "how psychological virii operate". There are commonalities.

Foremost, however, objectivity must be applied to one's own self, and one's own assumptions and beliefs, in such matters, is my strong belief.

We are highly biased creatures in no small part because of our distinct fallibility of limited perspectives. There are excellent collections of the studies of these things in shows: the brain with david eagleman, mind games. And the best book I have found on the subject, though there are man, is you aren't so smart. Though, eagleman's books are quite good, as is the book "the invisible gorilla".

Not only to we "complete the picture", literally, much of what we physically see of the world is a product of our own imagination as opposed to data our eyes return to us... but we are biased in many subjective ways such as having a significant tendency to believe what we want to believe based on our preferences.

But, plenty of excellent examples of this manner of thing today in America, and related to other democratic nations: consider the civil rights movement and how racism was in the US South at the time, and how people were blinded to their own bad behavior; how old medicine relied on leeches and urine; how "heretics" were tortured and burned at the stake for being literal "witches"; and so on, and so on. How major scientists believed em could be explained by an ether model. How the left in western nations sided with Stalin and the Soviet Union quite often, and the right with Hitler. Neither really knowing the extent of what they were really about -- noting the age before the true information revolution, prevalence of video cameras, and ease of putting up video for mass consumption.

What is mainstream today, that tomorrow will be considered horrific?

One thing, surely, in the US anyway, is the justice system and penal system. Especially in regards to how they deal with minorities and drug users.

(Contrast impoverished drug users dependency on illegal drugs with wealthier drug users dependency on legal, prescribed drugs. For one instance, of many. Or the tolerance of rape in prison societies by so called "civilized Christian people" who believe in "no cruel and unusual punishment", supposedly...)


In the Shadow of RavensNovember 4, 2015 12:56 PM

One other thing...

Doxing & Counterintelligence

It should also be noted that there is certainly a potential distinct relationship between doxing and counterintelligence.

A primary method of controlling an adversarial government is through their intelligence and through secret surveillance. So, for instance, with the double cross program you saw Nazi Germany controlled by information received from their agents - who were turned - and from their intelligence assessments, such as assessments made over the false plans given to them in the mincemeat project. Secret intelligence was further garnered and used in disinformation plans in many ways, including the direct heart of the operation, where they broke the enigma codes and so could secretly surveil German electronic communications traffic.

This is very different from the sort of disinformation many hackers talk about, where the concern is that agents working for counterintelligence are implanting false conspiracy theories, for instance, in order to undermine significant numbers of critical bodies of people -- or to distract them away from genuine secrets.

In these projects, disinformation is used to literally control enemy nations, where their own intelligence is operating as the 'eyes and ears' of their nation, and presented with a compelling delusions which directs them to do what their enemy wants them to do.

Such a reducing troops at a key defensive juncture.

Such as increasing troops at a key location where that controlling adversary wants their troops diverted either to consume their resources and open up other juncture points, or to produce a surprise attack on them.

The problem is getting the enemy to believe information from you, an enemy nation.

This is actually a significant problem. Because your nations are adversarial, it is difficult to talk to them or provide them information which they will take at face value with significant and immediate and deep credibility. With high confidence.

One way of controlling that information is by adversaries turning secret surveillance against their adversaries. Making the adversary believe their enemy is not being secret surveilled, when they are, and so raising very substantially the credibility of the information they are giving them.

Doxxing is very much a related attack. So, for instance, you saw doxxing from HB Gary Federal and Stratfor, with key intelligence data included, some of it damaging. Or you saw much doxxing, of sorts, even with Manning and Snowden's disclosures -- much of it very damaging.

Likewise, it is possible in any doxxing situation - or even in any secret theft of key governmental data - that a counterintelligence operation is being run by the very victim nation.

These tactics and strategies while relatively obscure are critical in counterintelligence, and critical components of analysis performed by intelligence analysts.

Readers outside these areas would do very good studying on some of these programs and how they have been implemented in the past.

A wealth of such programs can be found by studying British intelligence during WWII, much of which is very well documented today and made declassified.


k14November 4, 2015 8:18 PM

Bruce. How about the tools and techniques that have not made the news yet. Is anyone monitoring, for distressed human canaries in coal mines? Cuz there seems to be no relevant category in the Yellow Pages.

KevinNovember 7, 2015 10:38 AM

"a tool to harass and intimidate people, primarily women, on the Internet."

Primarily women? Do you actually have good evidence for this?

NcluNovember 8, 2015 10:22 AM

I was talking with my brother about doxxing a while back and we ended up comparing it with True Name (https://en.m.wikipedia.org/wiki/True_name). Social security, private phone, emai, andl home address. These all give the anonymous Internet vigilantes a lot of power over us. Most of us live a sort of security through obscurity in our day to day lives by just being invisible to widespread interest.

fajensenNovember 9, 2015 6:09 AM

Are there nude pics of you out there on the internet?
Hm..mmm.. Tapetty, Tapetty, , . There is *now* ;-)

Kevin S. Van HornNovember 9, 2015 8:59 AM

@Justin

Snarky comments do not qualify as actual evidence. You haven't provided any of the latter.

PpptpNovember 10, 2015 8:25 PM

The goatse idea is truly top notch. VPNs are a good idea but since the terminating end of the vpn resides usually in another geographic zone, you are now in a seperate jurisdiction. Also you have to wonder if the provider himself doesn't keep logs.

J on the river AcheronNovember 16, 2015 10:22 AM

@Bruce

You have written extensively about this type of thing. Political doxing is meh. You may not want to dip your foot into the current crybaby bullies we have seen on college campuses. There is a mind set in certain political circles that shouts down dissent and seeks to destroy. But I would understand you not stepping into that steaming cow pie. Limited upside for your SOP.

They are not hacking political figures. Clinton's email server was an excercise in stupidity just as one go agency I know is running Windows XP. Not to mention the fun that is the IRS brittle systems.

What is the point of political doxing? Embarrassment or intelligence gathering/exposure. Currently reading the "Future of Violence". Interesting summation.

Keep up the good work, but I would like to see you talk more about the political environment I discussed. This has a bearing because discussion of dissenting views in security is critical. Often the curmudgeon or outside the box is need to know information.

Take care, Jacob

JimNovember 19, 2015 12:21 AM

The large corporations and governments already have our dox. This is mostly leveling the field. And women with a over inflated sense of their own importance who think they are actually going to be harmed are literally causing their own mental meltdowns. It also makes them look like they are less capable than men in challenging situations which is distinctly anti feminist.

BrownonamousDecember 5, 2015 4:47 PM

Barrett Brown published a link to StratFor dox for whistleblowing and is in jail. Read his stuff on the Intercept it is security entertainment.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.