Defense
DEFENSE AGAINST DOXING - IT'S EVERYBODY'S BUSINESS, by QUINTUPLICATE, 2022.
Also by the author:
IRC Made Easy (https://pastebin.com/LHFUkyhF)
CONTENTS
Preface
Part I. What Is Doxing
Part II. Prevention
Part III. Damage Control
PREFACE
If you're reading this, you were probably taught not to share personal details with random people on the Internet.
This has become all the more important of late. Too many people didn't take this advice to heart. As a result, they lost jobs, homes, friends - everything.
Those people don't just hurt themselves by disregarding this advice. When you've found out the personal information of one person, it's much easier to do the same to their friends and associates. They become a door into the lives of everyone they share a community with.
That's why I am writing this guide - to protect you and the communities you are a part of.
Defense against doxing - it's everybody's business!
THE AUTHOR.
PART I. WHAT IS DOXING
1. Definition of doxing
2. Doxing is legal
3. Doxing is not fatal
4. Doxing can be harmful
-
Doxing is the exposure of information about a person which can cause undesirable consequences to the person.
-
Doxing is not illegal, nor need it be done using illegal means. Voter registries are public; so are most high school yearbooks and driving records, and that's not even getting into social media accounts. With the amount of resources available free online, MOST AMERICANS CAN DOX EACH OTHER.
-
Doxing is not fatal or irresistible. There are things you can do today to protect against it. Even if you are doxed, there are things you can do to control the damage.
-
Doxing is not harmless either. Most people have some skeletons in their closets; even if your history seems "clean" today, 10 or 20 years down the line it may be enough to get you fired. If you've spent enough time online to need this guide, you don't need examples.
PART II. PREVENTION
5. Prevention is better than cure
6. Ways to prevent doxing
7. Do both ways
Div. 1. Angering People
Div. 2. Oversharing
Div. 3. Leaking Metadata
Div. 4. Reusing Usernames
Div. 5. Writing Style
-
Your grandmother taught you this: a stitch in time saves nine.
-
There are two ways to prevent doxing:
First, by reducing the reasons people will want to dox you.
Second, by making it hard for someone who wants to dox you to do so.
- Effective prevention requires doing both. This part will describe the reasons why, and methods how, people get doxed, so you can protect against them.
Div. 1. Angering People
8. Real name means real life
9. You shouldn't use real name
10. When you're pseudonymous, imagine your real name
11. Anonymity doesn't mean safety
-
Any platform where you use your real name is part of your family, social and work life. Don't post anything under your real name you wouldn't want everyone who knows about you to read.
-
You should not use or mention your real name in any Internet community.
-
Before you press enter, imagine what your message would look like if it were under your real name. Maybe your username can't be linked to your real life identity. But most usernames can be, by an attacker determined enough.
-
You're only fully free on an anonymous community. This doesn't mean you're completely safe. Whoever owns the server the community is hosted on has your IP, and you can inadvertently leak information in other ways.
Div. 2. Oversharing
12. You're an info leak
13. You reveal info you don't wish to expose
14. You can't trust anyone perfectly
15. Personal details are broader than you think
16. Date of birth
17. Don't talk about your birthday
18. Or the college you're attending
19. Don't post your picture
20. Or your area
21. Think before you speak
22. Lying might not work
-
You leak information in many ways. Sometimes you don't know you're leaking information; other times you know what you're sharing, but not the consequences of your doing so.
-
When you talk to someone in real life, you're saying more than what comes out of your mouth. Your listener can use your tone of voice, body language, eye contact, etc. to decide if you really mean what you're saying. It's similar, but different, online. When you communicate anything through the Internet, you're also saying things that reveal more or less of who you really are. This division will help you find out what those things are.
-
The difference between virtual and real communication is that body language and eye contact don't go through. You have no way of knowing if someone is trustworthy just by chatting with them, whether through text or voice. It's a lot easier for a bad person to gain your trust online. Think about that before you privately message anyone your personal details. Remember that online, "paranoid" is a compliment.
-
But what are "personal details"? You probably know not to tell anyone your national identity document or social security number, your bank account details, and your home address. But most victims of doxing don't do that. They don't drop their phone number, address, real name, and occupation, all in one go ready for attackers to find. Instead, attackers pick up bits of the information they leak, and piece them together.
-
Is your date of birth personal details? Let's do some ballpark math here. The current world population nears 8 billion. Assuming that births are evenly distributed in the year, 20 million people share your birthday. Assuming that people live for 75 years, your birthday and year of birth are shared by LESS THAN 300,000 PEOPLE - the size of a small city. That, by itself, wouldn't be enough to uniquely identify you; but if you've leaked your date of birth are you sure you haven't leaked anything else about you?
-
So, when it's your birthday, don't say how old you are anywhere public. Jesus was betrayed by a kiss; and you may be betrayed by a "happy birthday".
-
Is the university you go to personal details? In 2019, almost 20 million students were enrolled in nearly 4,000 institutions of higher education throughout the United States. This means that the average college had 5,000 students. The median college, however, fell within the "1,000 to 2,499" students range, whereas the majority of students attended universities with 10,000 or more students. Those numbers are too small for comfort - and they will be even smaller outside the United States.
Note. The source of those figures is https://nces.ed.gov/programs/digest/d20/tables/dt20_317.40.asp
-
Is your picture personal details? Facial recognition has advanced greatly in recent years. Google is already better at faces than many people. And the technology will only continue to improve until every picture can be linked to a name, and thence to everything else about that person.
-
Are landmarks in your area personal details? If you say "no", you're forgetting that there has been a database of the view from every road in the developed world for over a decade - Google Street View. Anyone in the world can "know your area", or at least what it looks like, as well as someone who was born and raised there.
-
Things which are widely believed not to be revealing, and even encouraged to be shared, can strip you of your anonymity. THINK TWICE BEFORE YOU SAY ANYTHING ABOUT YOURSELF - if you want to talk about yourself - talk about things that CAN'T be recorded in a database - like your personality.
-
Will lying to throw people off work? Well, only if your lies are consistent. An attacker can easily distinguish what's true just by seeing what stays constant from day to day.
Div. 3. Leaking Metadata
23. You might leak info unknowingly
24. Pictures
25. Office documents
26. IP address
27. VPNs
28. Google Docs
-
Sometimes you leak information because you don't really know what the consequences of leaking it will be. Other times you leak information without knowing you're doing it. A big part of unknowing leaking of information is metadata - data about data. Would you put a return address on an anonymous letter? Why should it be any different if a computer does it for you?
-
Every picture you take includes information about where you took it and the device you took it with. This is known as EXIF metadata. It is easy to view, and it's easy to find software that will scrub it.
Note. Even if you don't mind people knowing the location of the picture, you still have to contend with information about the device.
-
Use Microsoft Office? Next time you send any of your work products, take the time to right-click and select "Properties". If your real name is there, don't panic. Saving as .odt or converting to .pdf should remove it.
-
When you access a website, you give its server the address of your router - called an IP address - so it knows where to send the data you want. THIS CAN SHOW YOUR APPROXIMATE GEOGRAPHICAL LOCATION. Clicking on links you don't recognize is bad for many reasons, most of which are beyond the scope of this work; but for our purposes, it can help identify you from a small group of other people who share your description.
-
A virtual private network gives websites another IP address which forwards the data they send there to you. You should use one you trust to access a website run by anyone who would have a reason to dox you.
-
You should view a Google Doc in a private or incognito tab if you have a Google account (including one you have as part of your school or workplace) that is tied to your real name.
Div. 4. Reusing Usernames
29. You should have many separate identities
30. Why you should do so
31. The less unique your username the safer
32. Password and email should be different
33. Don't talk about other sites you use
-
Why do companies tie many different things under the same name? Because they want consumers to link those things together. This is the opposite of what you want.
-
You do not want to use the same username on different sites, especially sites without much overlap, because:
First, if you say something embarrassing or compromising on any one of the sites you use the common username, everyone in any other of those sites can see and know that you said it.
Second, anything you say about yourself on any one of the sites you use the common username can be combined and crosschecked with what you say on any other of those sites.
Third, by searching a username on one site, attackers can and do find other accounts held by the same person on other sites.
-
The risk of username reuse making doxing you easier is somewhat decreased if your username is a word (even an uncommon one). This does not, however, apply to combinations of words (unless the combination is itself commonly used), or if any community you use the common username has a problem with any other of those communities.
-
Take note that if the username is different, the password and email address (for password reset) should be different as well. While most sites do a decent job of keeping passwords and emails secret, just one leak might be the bridge the attacker needs to connect one of your personas to another or compromise your accounts using both personas.
-
Don't say you use a site on another one. If you do, don't say the username you use.
Div. 5. Writing Style
34. Writing style is unique for each person
35. Use correct spelling and grammar
36. Use commonly used idioms
37. Don't self-plagiarize
38. Software can analyze your writing even if a human can't
-
Remember when you passed your friend a note in school and how you were caught when the class snitch recognized your handwriting? Well, it's similar online. We all have our own writing style, and since online our writings are preserved indefinitely, anybody can analyze what you write, and in doing so, connect your personas.
-
To start off, if you always spell a word wrong or make a grammar mistake, this can be used to spot you. Two people are unlikely to break the same grammar rule the same way. That doesn't mean always making sure your sentences don't start with "and" or "but" or end with a preposition, but it does mean taking care that you write mostly like everyone else on the site. If your distinctive mistake is one native speakers often commit (can't distinguish between "it's" and "its", for example), or does not occur too often (have no idea how many Rs "embarrassing" has? you're not alone), you may be safer.
-
If you have any idioms you like to use, this can be used to spot you, especially if they are not in a pocket dictionary. Your English teacher might not want you to use cliches, but they are safer than coming up with your own expressions.
-
Copying and pasting the same thing between different websites is basically saying that your accounts on those sites belong to the same person, especially if it's longer than a short sentence. Why do it? If your idea is truly original, then you can express it in a different way.
-
Writing style analysis software has improved greatly in recent years. Often, a machine can tell if two text samples are written by the same person, even if a human can't.
PART III. DAMAGE CONTROL
101. Don't panic
102. Treat incorrect dox as if they were correct
103. Delete everything
104. You're not beat until you think you are
105. Don't point out false dox
-
The first rule of being doxed is to remember that NO REAL LIFE SITUATION IS IMPROVED BY PANIC.
-
The second rule of being doxed is to TREAT INCORRECT DOX THE SAME AS CORRECT ONES.
-
Whenever any personal information about you is revealed, you should DELETE EVERYTHING ABOUT YOURSELF THAT IS ONLINE. "Everything" includes information that would not suffice to identify you normally, because the attacker may have narrowed you down to a small group and that information may be all they need to separate you from the herd. The faster you do so, the better. Just because the attacker knows something about you doesn't mean they know everything else.
-
If any one of your address, real name, or workplace has been revealed - the attacker is now in the home stretch. But remember that YOU'RE NEVER BEAT UNTIL YOU THINK YOU ARE. If you do all you can to prevent your attacker from finding the other two, you still have a chance.
-
It goes without saying that YOU SHOULD NOT TELL SOMEONE WHO POSTS FALSE DOX THAT THEY ARE FALSE - this includes mocking them or interacting them in any way. Many a person has been doxed because they interrupted their attackers while they were making a mistake. You should instead treat it as a drill. The attacker has given you time to conceal true information about yourself - do not waste it.