Monday, December 23, 2013

Aussie Dox Challenge

I just want to start off by saying that I'm not a stalker because I feel like this post has a better than decent chance of landing me on some sort of government watch list. This is by far the creepiest I've felt doing a challenge so far in my brief run.

A challenge was put up in /r/GoForGold in which the task was to find the name and address of the user and send him a letter. The challenge may be viewed HERE.

For those who may not know, this practice is called Doxxing. "Dox" is a play on "Docs", which is short for "Documents". Doxxing is essentially finding someone's personal information on the internet.

To clarify, this redditor was requesting his own dox, not that we dox someone else. Please do not ever do anything that I describe here. Do not ever dox anyone unless they are requesting their own dox, such as those who post in /r/DoxMe. This is a huge invasion of privacy and possibly illegal, depending on the circumstances.

The rules are pretty simple:
  1. Find out who [he is], and send a letter to [his] current address.
  2. The letter must arrive within the month.
  3. Only the internet may be used.

The reward for my effort is one month of Reddit Gold.

This challenge was posted on a public forum, so I don't feel too bad reposting it here, but I feel so shameful over the things I've done over the past few days that I don't even want to refer to the guy by his username. He shall henceforth be referred to as "Waldo".
Forgive me...

So Waldo posts this challenge asking us to find him. Here's what I did and how I did it. I'm going to be a bit vague at times, because I don't want anyone else trying it.

First I read through his comment history. Reddit records every post and comment you make and these are visible to anyone who clicks on your username.

He had posted pretty often in /r/Sydney, but a few months ago, he switched to posting in /r/AskNYC and I found a single post in /r/Brooklyn.

He made one comment in /r/Sydney where he mentioned that he now lived in New York with his wife, to whom he was recently married. I also found a picture of him.

After a while, I figured out what city he lived in in Australia and a good amount of other stuff about his life. I went to Google and tried a bunch of searches. I had a pretty good guess what his first name was based on his username, so I searched for a few dozen combinations of his first name with his past employer, name and city, name and a weekly gathering he hosted. I couldn't find anything. He just wasn't showing up.

I went to Facebook, and tried searching there, too, and I found a Facebook page for /r/Sydney. I tried searching the member list for the name I was guessing was his, but he didn't show up there either.

I tried the Facebook page for the weekly gathering he hosted, too, but he wasn't on there either, possibly because he hadn't been involved in it since he moved to New York a few months ago.

However, this Facebook page had instructions for newcomers who wanted to join the gathering and who they need to talk to to sign up. There was a picture of five people who were said to be in charge now. I figured they had to be pretty close with Waldo if they were able to take over for him when he left. Maybe Waldo was on their Friends lists, but these five in the picture were not listed by name. The photo was tagged with five Reddit usernames.

A lot of people use the same username on every site they go to, so I went to Google and typed in each username. I was able to find the full name and Facebook page of everyone in that photo.

For example, one of the guys used the same username on Steam, which listed his first name and the first letter of his last name. I searched for this on the Facebook pages and found him on the page for /r/Sydney. I then checked his page and Friend list. Waldo was not there. A few more of them had their privacy settings set so that I could not see their Friend lists.

One of them had their settings turned down, though, and Waldo was on there. I wasn't sure if it was him, though, because the profile picture was of a fairly obese woman, but I did have a full first and last name.

I googled the full name and got Facebook, Twitter, Google+, Vimeo and a few others. The pictures on those sites matched the picture I had found posted in Waldo's reddit comments.

I found him!

So I started sifting through his comments and posts on these social media sites, including the obese-lady Facebook page I had found.

After this breakthrough, it actually got really hard for me to find anything else that was useful. I found the names of some friends and family, his wife was tagged in a Facebook album of the wedding, and I found his current employer, but none of that really got me any closer to his address solely using the internet.

One of the things that began to make this difficult for me was that he had moved so recently, and from another country, no less. So there were a lot of free and frightening online directories that he could be showing up in, but he wasn't. In addition, even when I did find contact information for him, it was his former information.

I started looking into his wife, assuming they had the same address, but both her first and last names are so common that way too many results came up and I had no method or patience to narrow it down.

In the end, I contacted Waldo privately and let him know what I had found and how I had found it. Never in my life have I been so happy to fail, and Waldo was a good sport about it and said that if no one else managed to get a letter to him, then the Gold was mine.

I want to share a few things I've learned while doing this. I'm not an expert on online security, and my advice here is not authoritative or comprehensive, just a few things I've noticed.

  1. The fact that I can go onto Reddit, click on someone's username and see every comment and post they've ever made is scary. Even if you do not give out actual personal information about yourself on such a site, it's amazing how many clues and traces you leave around which are easy to spot to someone looking for them.
  2. The fact that I can go onto Facebook, type in a first name and get a last name is also scary. Facebook has this default autofill thing that works on member lists in groups and on friends lists which makes it way too easy to find people with partial information. Tagging people in photos also seems like an awful idea. That's how I found Waldo's wife.
  3. On the subject of Facebook, you can set your privacy setting to whatever you want, but unless your friends do it, too, I can still find you. However, setting your privacy settings to be pretty strict does make it more difficult for me to get anything from your profile once I've found it.
  4. Also, I don't think I'll ever set my profile pic to be an actual picture of me again. If someone doesn't know what I look like, they don't know me well enough to be looking at my information anyways and a profile picture is ultimately how I was able to confirm that I'd found the right guy.
  5. Don't use the same username on every site you go to. A lot of sites pretend to be secure because they only give out partial information on you, such as a first name and last initial on Steam, but if I have something in common with all of them, such as your username, then I can find all those partial pieces and put them all together myself. Odin help you if your username is also your email address.
  6. Don't pick a username that is your name, or a variation of your name, or a reference to your name, or a pun of your... get the idea.
  7. If you ever start a website from scratch and purchase a domain name, do it through a service that blocks "whois" search tools. Finding the full name, address and phone number of someone close to Waldo was as easy as copying and pasting a web address into one of these search tools. GoDaddy made things very difficult for me, though.

I think the scariest thing about this challenge is not that someone could find my info online, but that anyone could find my info online! I have absolutely zero experience or knowledge in this sort of thing and with only a few hours of looking I was able to find an absurd amount of information on Waldo and many of his friends and family.

Privacy is no more. I think I'm going to go delete some stuff...

Until next time!

