Identity plays a key role on the web. The Internet offers instant communication with people
all over the world through a plethora of channels: messageboards, email, chat rooms. In communication,
which is the primary scope of any web-related activity, knowing the identity of those with
whom you communicate is essential for understanding and evaluating an
interaction. Yet in the disembodied world of the virtual
community, identity is extremely ambiguous. The recipients are provided only with
the information the sender wants them to see. Many of the basic visual and aural
cues about personality and social role we are accustomed to in the physical
world are absent. And we regularly use exactly such cues -though often not consciounsly aware of it-
to make attributions. Other cues are present on the web, yet difficult to interpret.
If you receive an email from
a guy whose address is Bill.Olderson@yahoo.com with an attached image
of a middle aged man sitting comfortably on the patio of his house, you may be fooled
into thinking that you have to do with a guy named Bill Olderson. It could be, yet you'll
never have any real proof of it. One can have, on the web, as many electronic
personas as one has time and energy to create (and memory to recall :-)
Even more complicated pranks are possible on the web. You could create a complete faked university with
little work. The web is full of
NON EXISTING universities, insitutions, groups and associations.
You may easily
create ex novo a totally bogus university, with nice name, good looking seals, imaginary list of professors.
Each one of them would of course be you, and yet answer to any inquiry with ad hoc pre-prepared
emails: John W. Krasnjewsky, University of Salsaparilla, Department of Advanced Internet Studies, Dean.
Just build a "professional website", foresee adequate fees for entrance, courses and examinations, and offer "accredited" MBAs and diploms
for money (create an "accrediting entity" ad hoc if needs be).
You think I am kidding? Think again: many people do just that already.
The web is full of gullible morons, and -what's even worse- the real
world is full of administrative idiots
that would trust such MBAs:
("Distance Online MBA Certification for who (sic) are studing a MBA or for who already did (sic)
a MBA") in your curriculum vitae. You want a MBA for 150 euro?
Hence the importance of stalking, also in order to bust pranks and prankers.
Yet, while it is true that a single person can create multiple electronic identities that are
linked only by their common progenitor, that link, almost invisible in the virtual
world, is of great significance, and can often be quickly individuated.
That is the weak point of any virtual created identity. It's easy
to say that your avatars should have 'coherent' personalities , i.e. if you create a 'lorry driver'
personality and a 'university professor' personality, the two should have COMPLETELY different
speech patterns, yet this is very difficult to implement.
Stalkers should be very versatile
experts, ready to read and recognize voluntarily altered write patterns.
Usenet, for obvious reason
is the field you should peruse to learn the first elements of the stalking art. These you'll be able to apply, later,
to any messageboard or email exchange. See,
once again: the basic premise is that the users are who they
claim to be. There are, however variances between the different newsgroups
as to what constitutes a real or "legitimate" identity. And there are numerous cases of
identity deception, from the pseudo-naive trolls to the shills and kooks and board spammers.
See for a more detailed explanation the ad hoc related sections of searchlores: Usenet Lore and Trolling Lore
Boring
as most of these little silly wars are, there are GREAT lessons in stalking hidden in there. That's why you too will
have to deal with this. Actually, as usual in the Web, many of our techniques cross and merge reciprocally:
Anonymity techniques, how to search general knowledge,
reality cracking tricks, usenet techniques,
anti-spamming and anti-advertisement knowledge are ALL required to tackle some of the tasks that you'll have
to perform if you really intend to master what you are trying to learn now. Let's, moreover not
forget how useful will be our holy software reversing skills each time we'll decide to
use some of the many tools that the Web offers to track down our targets (tools that are
unfortunately at times crippled or simply too short-lived :-)
If you are an experienced 'global' reverser you'll have more survival
chances that many others, but only your own complementary work, and your own experience,
will keep you
acting as a hunter while keeping at the same time your target acting as a game and not the other way round.
Some professional spammers may turn quite nasty AGAINST you, when you'r chasing them, if you're not careful -and powerful- enough.
In order to gather more material, just search for 'avoiding flaming' and 'trolls flames' on
any good search engine or follow some of the links provided here. As you'll see
there are plenty of documents and faqs on these subjects all over the web.
Trolling, in the stalking context, deserves a special mention: the verb denotes, originally, a style of fishing
in which one trails bait through a likely spot, hoping for a byte. Real, able and powerful,
Master trolls have a double audience:
the idiots (newbies and flamers) that bait the bait and
the 'trolls-savy' (often silent) that enjoy the troll. It is indeed possible, albeit difficult, to
identify and track down experienced trollers. They are in fact among the most interesting game out
there (together with
professional spammers on rogue ISP) for any 'professional' stalker.
So, as said, the basic premise is actually, often enough, that the counterpart, on the web, is NOT who he/she
claims to be... the danger is that the
limited identity cues of the netherworld may make people accept at face value
a writer's claims of
credibility: it may take a long time - and a history of dubious postings - until
people start to wonder about the actual knowledge of a
self-proclaimed expert.
This said it is also true that - for web related
matters - 'official' experts are often FAR inferior to clever autodidacts, so you never
know :-)
When examining communications,
it is important to try to distinguish between the
'expressions given' and the
'expressions given off'. The former are the deliberately stated
messages indicating how one wishes to be perceived; the latter are
the much more subtle - and sometimes unintentional - messages
communicated via action and nuance in the real world. Both forms of
expression are subject to deliberate manipulation, but the "expression given off"
is much harder to control. This is true for the cyber world as well, even if we lack, here,
the many clues offered by "real world" body language. One can write "I am
female", but sustaining a mind set and reactions that are
convincingly a woman's may prove to be quite difficult for a man.
Writing style can identify the author of an posting. A known and notorious net personality hoping to appear online under a fresh name
may have an easier time disguising his or her header ID than the identity revealed in the text. The introduction to the cypherpunks
newsgroup includes this warning:
The cypherpunks list has its very own net.loon, a fellow named L. Detweiler.
The history is too long for here, but he thinks that cypherpunks are evil
incarnate. If you see a densely worded rant featuring characteristic words
such as ``medusa'', ``pseudospoofing'', ``treachery'', ``poison'', or ``black lies'',
it's probably him, no matter what the From: line says.
- Cypherpunks mailing list
In
this case, where the usual assessment signal - the name in the header - is believed to be false, language is used as a more reliable
signal of individual identity. See also
how spammers use multiple identities on the very nice
"Kook of the Month" site.
One newsgroup that contains many business-card signatures is comp.security.unix. The discussion here
is about how to make unix systems secure - and about known system flaws. Many of the
participants are system administrators of major institutions, others are just learning
how to set up a
system in a fledgling company and some other, of course, are just hoping to learn how to break
into systems :-)
A posting suggesting
that administrators improve their sites by changing this or that line of code in
the system software could
be a furtive attempt get novice administrators to introduce security
holes. Identity deception is a big concern of the participants in
this group, and this makes it VERY interesting for any advanced studiosus of these
matters, to try soon or later his luring abilities in this group. (When you'll do
it, if you want to be taken seriously (and you'll probably don't go very far even so :-)
first create 'really' your own company, say 'Software Alternative Limited', then name
yourself 'Director of Software Development', create your domain
and sign with something like "Director@SALSoft.com".
Many varieties of identity deception can be found within the Usenet newsgroup. Some are quite harmful
to individuals or to the community; others are innocuous, benefitting the performer without injuring the
group. Some are clearly deceptions, meant to provide a false impression; others are more subtle identity
manipulations, similar to the adjustments in self-presentation we make in many real world situations.
Until recently, header information was quite reliable. Most people accessed Usenet with software that
inserted the account name automatically - one had to be quite knowledgeable to change the default data.
Today, many programs simply let the writer fill in the name and address to be used, making posting with a
false name and site is much easier. The astute observer may detect suspicious anomalies in the routing
data (the record of how the letter passed through the net) that can expose a posting from a falsified
location. Yet few people are likely to look that closely at a posting unless they have reason to be
suspicious about its provenance.
It is useful to distinguish between pseudonymity and pure anonymity. In the
virtual world, many degrees
of identification are possible. Full anonymity is one extreme of a continuum
that runs from the totally
anonymous to the thoroughly named. A pseudonym, though it may be untraceable
to a real-world person,
may have a well-established reputation in the virtual domain; a pseudonymous
message may thus come
with a wealth of contextual information about the sender. A purely anonymous
message, on the other
hand, stands alone.
There are some useful tricks to narrow down the number of suspected targets in
order to stalk a pseudonym user. One of the best ones I know of is the time trick, but
in order to understand it you mist first know the elementary elements of an email header.
Searching through headers and other
tricks
(This part -I should have checked- comes directly
from Symantec's page ~ begin)
Here is a sample email header (colors added). The final receiver's address is
'you@your.domain.com'.
Received: (2228 bytes)
by <your.domain.com> via sendmail with
P:stdio/D:user/T:local (sender:
<29086328@compuserve.com>) id m0xUFxr-001cL6C@your.domain.dom for you@your.domain.com; Sat,
8 Nov 1997 10:50:35 -0800 (PST) (Smail-3.2.0.98 1997-Oct-16 #12 built 1997-Oct-28) Received: from simon.pacific.net.sg (simon.pacific.net.sg [203.120.90.72]) by
your.domain.com (8.8.7/8.7.3) with ESMTP id KAA01565; Sat, 8 Nov 1997 10:43:34 -0800 (PST) From: 29086328@compuserve.com Received: from pop1.pacific.net.sg (pop1.pacific.net.sg
[203.120.90.85]) by simon.pacific.net.sg with ESMTP id CAA25373; Sun, 9
Nov 1997 02:44:51 +0800 (SGT) Received: from
po.pacific.net.sg (hd58-032.hil.compuserve.com
[199.174.238.32]) by pop1.pacific.net.sg with SMTP id CAA12179; Sun, 9 Nov
1997 02:43:10 +0800 (SGT) Received: from mail.compuserve.com (mail.compuserve.com
(205.5.81.86)) by compuserve.com (8.8.5/8.6.5)
with SMTP id GAA04211 for <87789123456@aol.com>
It may look confusing, but there are some patterns that tell you everything you need to
know. The header can be broken into several sections, each beginning with the word
"Received".
The first 'Received'
is from your email server. This section lists the supposed
sender, the message ID number, and when the message
came in. The other 'Received: from' tags are
from remailers that the spammer used to make it more difficult to track him/her down.
- Find the last 'Received: from' entry in the header.
This usually shows the originating server.
- Find and write down the server domain and its IP address.
This information appears in parenthesis in each 'Received: from'
entry.
Machine Name |
IP Address |
| mail.compuserve.com |
205.5.81.86 |
| hd58-032.hil.compuserve.com |
199.174.238.32 |
| popl.pacific.net.sg |
203.120.90.85 |
| simon.pacific.net.sg |
203.120.90.72 |
(This part -I should have checked- comes directly
from Symantec's page ~ end)
Of course you should by all means read Gandalf's info, which is far superior to the
Symantec information above, at http://ddi.digital.net/~gandalf/spamfaq.html
More URLs to help you figure out how to look at the headers:
http://www.concentric.net/~Nvam
http://help.mindspring.com/features/emailheaders/index.htm
http://help.mindspring.com/features/emailheaders/extended.htm
Time pattern matters (fravia's trick)
Now, all the above can be easily faked, what could be really important is that you may be able
(unfortunately NOT always :-) to discern the TIMES of the day "patterns" when these operations have been
performed that you can read above. See: if your target
updates his web page, or mails letters to usenet, he will mostly
tend to do it on a REGULAR basis. Even if
he uses automated dynamic providers like Compuserve or AOL (which is always a good idea),
and even if he writes to the usenet groups through an
anonymous remailer, or DejaNew itself or whatever, he will tend to do it at FIXED TIMES. It is sometime incredibly
easy to find out in which part of the world a target lives just studying his timing patterns!.
Most of the people work on Internet in the evening hours, say between 21 and 24:00 local time.
A common used 'luring' techniques consists in publishing or emailing to your target some 'luring baits' (in order to get the target to react) indicating a (faked and bogus) page of yours on some
free server, where you have -supposedly- put something that
the target badly needs or is interested into. Examining the loggings for that page
you'll be able to see WHEN the target has accessed it. Many targets will access it
anonymously just in case, yet few targets are careful enough to do that at an "abnormal" hour of the
day.
Deleted postings (Balif's trick)
It may at times be useful to check which cancel messages have been sent to
the newsgroups.
As Balif pointed out in a famous posting on alt.2600:
to examine all the cancel messages, you can use Dejanews, which does
not honor them but actually archives them. Do a power search on group
alt.2600, for "control cancel", sorted by date. You can see there all cancel
messages coming from a given address.
Unfortunately Dejanews strips important headers. On your news server,
cancel messages do not appear in the newsgroup, and are unseen to you.
However you can view them by looking in the group "control.cancel". Beware,
this group will most likely be enormous. It contains every cancel message
your news server has received for all groups. Mine had 75,000 some messages.
Here you can examine the headers of the cancel message. Yet it takes feeling and
time to stalk information in this way.
Sharp edges (SPUTUM's trick)
Say you have as your target your balooney@enemy.com; do Altavista and
Dejanews searches for balooney@enemy.com looking for eventual postings where
you may find his real name. Especially check all various alt.test.whatever
groups, as these may contain at least one instance of 'rough' preparatory
postings, when the target fine-tuned her newsreader's configuration.
Do Altavista and Dejanews searches on any "sharp edge" that sticks out.
"Sharp
edges" are,
according to SPUTUM "unique characteristics which can lead one to the real poster".
Example: balooney@enemy.com may use as Organization: "balooney inc." on all his
Usenet posts. Maybe he forgot to remove this info when posting later.
You search for "Organization: balooney inc." (as well as for posts
containing his sig), and maybe find all his fatuous
posts to alt.fetish.threelegs, and from thence
you will find (if you'r lucky) his narcissistic website chock full of juicy
personal information (or at least of many more "sharp edges").
Other promising "sharp edges": trailing user name in path
(...!news.foo.com!imamoron), funky newsreaders (ZippityDooDah News Alpha
0.9), unique signature components.
You may add signature patterns, and even particular
emoticons like :--> :*) 8-[
Look hard.
Be clever. Reverse your target.
There is a whole section of mine, about sharp edges:
read my
Language patterns and the stalking tablet section.
3) What if the target used "X-No-Archive: yes" in her headers and all previous
steps fail? You may get lucky, and find a follow-up to a previous post
which was posted without the "no-archive" clause. Otherwise, the
old fashioned 'heavy' way might work: go to the relevant Usenet newsgroup, sort the
posters by author name, and look for your target "by hand". Yes the task
can be extremely tedious...which is why real stalking is for the patient hunter.
enemy worth
investigating