Disqus Bug Deanonymizes Commenters

alphatel writes "The Swedish company Resarchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate speech-sites."

A simpler approach

[xiando]

Expressen could have just disabled Disqus on their own site and they would have full access to IPs and e-mails of users commenting on their hatespeech site.

Re:A simpler approach

Actually Expressen are not revealing the identifies of politicians who commented on expressen.se, they are revealing the identities of commenters on racist / xenophobic sites friatider.se and avpixlat.info. The articles and comments on these sites are mostly very harsh, distastefully racist, and written anonymously. They have identified very racist commenters as members of the controversial, Swedish far-right, and most would say racist, party Sverigedemokraterna. The SD-party works hard to portray a more polished image, with for example a "zero tolerance policy on racism", which equates to you might be kicked out if you say or do something too obviously racist. SD has it roots in the 90s far-right racist movement in Sweden (http://www.youtube.com/watch?v=LZWsZyShR_s), and one their mottos is "Sweden for the Swedish". The party is definitely mostly racist, but their official political stance is more xenophobic and social conservative, with a few immigrants joining their ranks complaining, for example, that it is the Somali or immigrants who are the "real problem".

Researchgruppen used a Disqus security flaw to find out which e-mail addresses were behind some of these racist commenters, and are now revealing that behind the nicknames were SD-politicians. So.. This is a big win for Expressen, since the Swedish mainstream media and most Swedes are sworn enemies to Sverigedemokraterna.

And on another note.. Congratulations to Flashback, the quite huge, Swedish, non-profit, ultra-liberal and quite lawless discussion forum, which has absolute free speech and therefore has become illegal to run from Sweden (it's now run from abroad). Flashback has through the years succeeded in keeping their users anonymity safe and freedom to speak total, no doubt without attempts form the Swedish state, police and media to the contrary - since flashback has become the main for hub for discussions about controversial subjects like drugs, racism and much more.

Re:A simpler approach

[Bing+Tsher+E]

The articles and comments on these sites are mostly very
  harsh, distastefully racist, and written anonymously.

It might do some good to expose the people making that sort of post. Because, often enough, the 'over the top' anonymous comments on ANY forum are posted by opposition-trolls whose whole point is to make the other side look bad to bystanders who read the forum comments.

When you go to Conservative forums, there are obvious fake troglodyte racist posts made anonymously by people on field trips from Daily Kos, etc. Usually they're easy to spot, because
the Kossites have such a cartoonish view of what the people they disagree with really are. I am sure this kind of opposition trolling happens on all forums of every political persuation; any tool that helps identify and eliminate this is good.

Re:A simpler approach

[Suomi-Poika]

Actually no.

Researchgruppen is an ultra-leftist organization, run by people who have committed assaults. They are offering a 50 000 SKR bounty for someone to hack the Flashback site to de-anonymize their political opponents there.

These "racist" sites are the ones which post news without Swedish white pixelization and political correctness. However it is true that there are comments which are negative - just like comments in any media outlet.

What Expressen and Researchgruppen did was that they de-anonymized their political opponents. They are also targeting people who have nothing to do with Swedish Democrats, just ordinary people who disagree with the nation wide consensus of immigration and do not want lose their jobs for expressing their opinions.

As a Finnish citizen I am very worried of the state of democracy in Sweden. Swedish media is hell bent to destroy Swedish Democrats and they use any means. Swedish ultra left is extremely violent and seems to enjoy total freedom. It is not the ultra right or racists who do the majority of political violence in Sweden.

Outing political opponents and making a illegal registers of identities breaks Swedish and EU laws. Harassing people because of this also breaks laws, anonymous or not, people have right to express their opinions in the network and ordinary citizens can not expect to be chased by the media or extremely violent political groups because of that.

We Finns always joke how Swedes "Diskuterar" so much of everything but it seems we are little bit outdated on that belief. Swedish media do not want to have civilized discussion and extremist groups are using violence to advance their cause.

Re:Damn!

[tbuddy]

Exactly.

I do.

[Dr.+Manhattan]

I've always used my real name when commenting, or (in the case of places like Slashdot) made it easy to find my real name. For decades now. There are a couple posts on Usenet I'm embarrassed about (for example, I got my signs reversed trying to explain the link between electricity, magnetism, and Relativity once) but nothing I would be uncomfortable if a prospective employer saw, or appearing on the front page of the newpaper.

Re:I do.

You're not the one who gets to decide what is unacceptable; prospective employers do. If employers see something that is, to you, completely innocuous or just a tad embarrassing, and they find it offensive or unacceptable, it's not really going to matter how minor you believe it is. Using your real name is just stupid.

Re:I do.

Then maybe, just maybe, you wouldn't want to work for that employer. I have always thought you should be able to stand behind your thoughts and opinions should you chose to share them publicly.

Re:I do.

Nice sentiment, but here in the real world, people in general, which make up the vast majority of employers, are petty, vindictive assholes. As a general rule, you want to keep your personal life as separate from your professional life as humanly possible, especially in a job market where choice is a luxury few enjoy.

Re:I do.

[Dr.+Manhattan]

You're not the one who gets to decide what is unacceptable; prospective employers do.

I wouldn't want to work for an employer that would consider anything I've said "unacceptable".

Re:I do.

[Vanderhoth]

I've had death threats and threats to burn down my house from commenters, not on /., before for simple things like saying abortion is a hot button topic. Not even picking a side, just pointing out people get riled up over it. I'd be willing to stand behind anything I post in a public forum, but I have a wife and child and don't want some overly conservative, overly liberal or someone with an extremist view on some other topic showing up at my house with a molotov cocktail while we're asleep or while I'm away on business. I have no delusions that I'm anonymous and know I *could* be tracked down, but I'm not going to just hand out that info. There are too many crazies out there.

I mean heck, CBC posted a story about a baby chair that lets someone stick an iPad in front of an infant and people are flying off the hinge about how that should be considered reckless endangerment and child services should be involved for anyone using that product. Are those really the kind of people you want showing up at your house because they think they know what's better for your child than you do?

I have a friend in animal control who had to deal with a case where a neighbour went into someone else's backyard and killed their puppy by gouging it's eyes out with his bare hands because he thought tethering it to a stake in the yard was cruel.

Re:I do.

[Vanderhoth]

Just to drive the point home, from the comment section on the CBC article:

"Off grid gal
The radiation from these things is unbelievable, parents should not even be holding their kids hands when they're on these things...I even have witnessed mothers breast feeding while they hold their smart phones centimeters from their baby's brains!!! We need to wake up out of our techno-haze stupour and get back out into nature, untethered!!"

"globecare
No, they should be banned. Not available. This is a children's rights issue. We want healthy, well developed children."

Re:I do.

[WWJohnBrowningDo]

my photography stuff

"Bad news, Sir. Looks like we need to throw the third candidate out."
"Why? He looked the most promising."
"I dug around his Internet postings, and I found something disturbing. He's... he's... a Canon user!"
"*gasp* He got some nerve, apply to for a job at Nikon while owning Canons. Feed him to the hounds immediately."

Re:I do.

[Jiro]

I wouldn't want to work for an employer that would consider anything I've said "unacceptable".

If work was something we wanted to do, it wouldn't be work, it would be hobbies. The whole idea of work is that you do something you otherwise wouldn't because people are willing to pay you for it.

Nobody wants to work for a bad employer, but most people want to be without money even less. People work for assholes because they need the money, not because they want to work for assholes.

Re:I do.

[guytoronto]

I got my signs reversed trying to explain the link between electricity, magnetism, and Relativity once.

How can you even look at yourself in the mirror? For shame!

Re:I do.

[Requiem18th]

However, if you are a social conformist living an entirely unthreatening life, you really have nothing to hide in the first place. People have had good reasons to hide something for as long as there have been governments. Maybe it's something as simple as enjoying a beer (once an illegal practice), or maybe it's something as heroic as protecting a Jew family from extermination, with a lot of grey areas in between, like marring a person that desperately needs to obtain citizenship or helping a girl get an abortion from a dangerous pregnancy in a state that doesn't allow.

The government is not perfect, so it should have perfect reach. Through out history we have benefited from the inability of governments to enforce the law with absolute efficacy. The US wouldn't even exist today if England had the ability to know everything that was being discussed in their territories. And yes, sometimes social progress needs heroes. People who are upfront about their beliefs in open disobedience. Sometimes we need martyrs. But social progress doesn't actually happen there. It happens at home, at the homes of the low profile individual.

Morality is flexible and nuanced but the law is rigid, short-minded and often manipulated by special interests. Between activism and suppression there is a valley of unenforceability. I'll dare to say that valley was the reason the US flourished while Europe fell into totalitarianism.

You need this environment. Even if none of your current opinions are controversial. Because one day yours, or your childrens' opinion won't won't be welcomed by government.

Disqus is evil

[johnsie]

One company being able to build up a collection your comments and opinions across multiple websites.... Thank goodness I only comment on Slahsdot

Re:Damn!

[TWX]

Bear in mind, most of the people the world haven't structured their lives to understanding technology. They may like technology, they may be technology groupies, but they probably haven't really contemplated the ramifications of technology or how it can be used differently than their preconceived notions. They probably don't necessarily get that databases can be cross-referenced so easily or that unless they're willing to go through a specific amount of work each and every time they want to obfuscate their identities, it's likely that someone can figure out who they are.

Another thing to remember, it's never really been possible to be truly anonymous when saying something in text. In the days when the printing press was the preferred way, one still had to have trusted people to help print and distribute the words. In early electronic days when dialup was king, there were always phone records and one had to have accounts on bulletin boards, and systems like fidonet kept origination records. In the days of Usenet, messages could at least be tracked back to a newsserver of origin, and assuming that records were kept, the ISP information could be found and then the subscriber account could be identified.

Nowadays, unless the person wants to take the special laptop that's only used for this purpose, with a special add-on wifi adapter, go park next to a public wifi hotspot and use that public connection, being sure to store the equipment far enough away from themselves when not using it for plausible deniability, there's really isn't true anonymity. If one wants to truly remain anonymous, one generally has to not say anything. That's the tradeoff, true anonymity comes at the price of nonparticipation.

a little to offend everbody, actually

I'm pretty sure some people will have a problem with your wholesale slaughter in Viet Nam.
Those who don't will surely disapprove of you shamelessly displaying your big blue dong all over the internet.

its worth noting, but not in america

[nimbius]

Foxnews.com uses Disqus, although im not certain the merit of pin-pointing racists, xenophobes and homophobes in america. people like Rick Santorum and Steve King can and do go around bashing gays and muslims respectively with little social repercussion. Pamela Geller basically makes a career out of muslim bashing. Alaskas Don Young refers to south american and central american immigrants exclusively as wetbacks in his commentary on radio stations, and a sizeable number of our southern politicians have been card-carrying members of the KKK.

yet freedom of speech gets a good stretch here in america when its true definition was essentially political. In america, the first amendment guarantees your vocal objection to the agricultural policy of tom vilchek cannot result in riot police kicking in your door at 4 in the morning and beating you with riot batons in the street for your dissenting opinion. the freedom of religion granted us the right to organize against the government at a social level, as to deject the church in its occupation as a station of the government was in england considered nearly treasonous.

Re:The methos is not uncalled for.

[jellomizer]

Part of the problem is the fact that Europe has been trying to block free speech on it.
I am not supporting racist or care for their ideals. But blocking out hate speech is more dangerous then trying to stop it.
Why?
Because the hate speech goes underground, where there is no sense of the scope of the problem. So the government doesn't understand how big the problem is and unable to do an appropriate protection of the hated groups.
Secondly there isn't a counter dialog going on to discredit the hate logic. So people get this feed of hate in private and told that it is taboo, so they keep it quite, however there isn't anyone pointing out the flaw in their reasoning. So they can create more people who hate.

Free speech is necessary, however it isn't safe or easy.

Blocked at firewall ...

[gstoddart]

Disqus has been blocked at my firewall for some time.

Not because of this, but because I was seeing it on so damned many sites it's not funny. Which means I didn't trust it to be anything good for me.

There's so much shit on the internet these days that if you're not using cookie/script/beacon blockers you're just handing over your information to a company for profit.

I believe every hacker on the planet should be working to release the private details of every company executive (and their families) involved in this stuff. If our personal information is a commodity, then don't act like yours is any different. Assholes.

Much like Zuckerfuck fiercely protects his privacy while undermining ours, you don't get to choose that your privacy is more important than mine.

Re:reprehensible

[Bing+Tsher+E]

Demonstrating to the public in general that there is little or no anonymity is much more important than any political agenda. Why leave things 'up' so that specialists can fish around?

Disqus is awful awful awful

[GodfatherofSoul]

Lots of sites I frequent use it and it's a *terrible* UI model for browsing and commenting on forums. It's slow, has a clunky UI, lacks features, and even WORSE they scrub comments religiously if you even remotely criticize the parent site or any of its prinicipals. I'm assuming Disqus is presenting hosts with a ridiculously cheap package for anyone to think it's a good idea.

Unless it's another Total Information Awareness tool and they don't *care* about how usable it is...

How it was done:

[140Mandak262Jamuna]

Disqus site had md5 hashes of users' email addresses. Some flaw in the site leaked the hashes and made them public. They probably thought nobody could reverse the hash. But they did not "salt" the email ids. So simple dictionary attack, of hashing millions of known email ids, produced matches. Now they can link email ids to disqus user ids.

Morals of the story:

don't leak hashes.

Salt the data before hashing

Don't trust any website to value your anonymity over their profits.

Re:How it was done:

[QuasiSteve]

This is particularly disturbing because they should well have known about this. Disqus used (uses?) Gravatar, and Gravatar's failure in this exact same fashion has been previously covered and was not even fixed for a long time afterward (disclaimer: that AC is me. At least, I think it was. The company I referred to in there did respond to my complaint and fixed it on their side (making Gravatar use opt-in and using a generic 'profile picture' when it wasn't enabled) - not sure if there's statistics on how many people decided to enable it.)

Maybe I'm an outlier...

[Dr.+Manhattan]

Nobody wants to work for a bad employer, but most people want to be without money even less.

I'm willing to take the risk, and I was two decades ago, too. So far, it's paid off. I haven't had too much trouble finding places to work with a minimum of BS. I wasn't terrified when Google put Usenet online - but then, I'd always been polite when expressing my thoughts. If someone wants anonymity so they can be the "asshole", I find I have limited sympathy.

Re:The methos is not uncalled for.

[Bing+Tsher+E]

Since it's trivial to engage in that sort of 'Hate Speech' anonymously, it's probably cranks and even opposition figures posting that crap to pollute the otherwise reasonable opinions being expressed on said forums. People who oppose free speech can easily pollute a forum with crap they have no belief in whatsoever.

Since when did Advocacy become a crime? I'd rather have people advocating the things you listed right out in plain view, easy to identify, and avoid. Otherwise you end up with the Fever Swamp phenomenon. Granted, they're likely cowards who would never express said views in public.

Re:The methos is not uncalled for.

You make an erroneous assumption that people that have a certain strong view and based on emotions can easily be convinced to sway sides by mere logic and facts. You can't. In fact, they use the "facts" to support their own view and disregard of facts contradicting them. Also, they seek more facts and views supporting what they already believe in. It is called information bias and is nothing new, just seems to have become worse and worse lately.

Re:Damn!

[Sqr(twg)]

But seriously, who uses a real email address to register anywhere?

In this case, members of the Swedish racist party "Sverigedemokraterna". They are trying to paint a picture of them selves as "not racist" and "merely anti-imigration", and the party leadership has adopted a policy of excluding anyone who makes racist statements openly. The "avpixlat" site was officially not associated with the party, but it was an open secret that this was where they vented their true opinions anonymously.

Now the hackers have a list hundreds of names linked to incredibly racist quotes that they will presumably publish one at a time in order to do maximum damage to the party before the elections next year.

Re:The methos is not uncalled for.

[Hatta]

In Europe we have an increasing problem with racism and hate speech, especially on anonymous internet forums.

Which is appropriately countered with more speech.

We want healthy, well developed children.

[Runaway1956]

Don't tell US what kind of children we should have! We'll choose whatever the hell we want! Some of us actually love our little mutants.

Re:The methos is not uncalled for.

[jellomizer]

No the point isn't as much about convincing the people with the strong views, but to people who didn't have a particular view already.

Re:Peopel Actaully Use That Shit?

[k6mfw]

Discus is bad for site owners, it gives an external entity control over their sites comments and therefore content.

I see more webpages outsourcing to Discus, probably because managing comments on webpages is a huge timepit and that is just moderating posts. There is also all the "mechanics" of keeping the lists going. But outsourcing leads to other issues (one of many we all argue about on /.), one is loss of capability and control (i.e. counterfeit chips or backdoors in manufactured systems from China).