

Disqus Bug Deanonymizes Commenters

alphatel writes "The Swedish company Researchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate-speech sites."


  1. Re:Damn! by tbuddy · · Score: 3, Funny

    Exactly.

  2. I do. by Dr.+Manhattan · · Score: 4, Interesting

    I've always used my real name when commenting, or (in the case of places like Slashdot) made it easy to find my real name. For decades now. There are a couple of posts on Usenet I'm embarrassed about (for example, I got my signs reversed trying to explain the link between electricity, magnetism, and Relativity once) but nothing I would be uncomfortable with if a prospective employer saw it, or if it appeared on the front page of the newspaper.

    --
    PHEM - party like it's 1997-2003!
    1. Re:I do. by Anonymous Coward · · Score: 5, Insightful

      You're not the one who gets to decide what is unacceptable; prospective employers do. If employers see something that is, to you, completely innocuous or just a tad embarrassing, and they find it offensive or unacceptable, it's not really going to matter how minor you believe it is. Using your real name is just stupid.

    2. Re:I do. by Vanderhoth · · Score: 4, Informative

      I've had death threats and threats to burn down my house from commenters, not on /., before for simple things like saying abortion is a hot button topic. Not even picking a side, just pointing out people get riled up over it. I'd be willing to stand behind anything I post in a public forum, but I have a wife and child and don't want some overly conservative, overly liberal or someone with an extremist view on some other topic showing up at my house with a molotov cocktail while we're asleep or while I'm away on business. I have no delusions that I'm anonymous and know I *could* be tracked down, but I'm not going to just hand out that info. There are too many crazies out there.

      I mean heck, CBC posted a story about a baby chair that lets someone stick an iPad in front of an infant and people are flying off the hinge about how that should be considered reckless endangerment and child services should be involved for anyone using that product. Are those really the kind of people you want showing up at your house because they think they know what's better for your child than you do?

      I have a friend in animal control who had to deal with a case where a neighbour went into someone else's backyard and killed their puppy by gouging its eyes out with his bare hands because he thought tethering it to a stake in the yard was cruel.

    3. Re:I do. by WWJohnBrowningDo · · Score: 4, Funny

      my photography stuff

      "Bad news, Sir. Looks like we need to throw the third candidate out."
      "Why? He looked the most promising."
      "I dug around his Internet postings, and I found something disturbing. He's... he's... a Canon user!"
      "*gasp* He's got some nerve, applying for a job at Nikon while owning Canons. Feed him to the hounds immediately."

    4. Re:I do. by Jiro · · Score: 4, Insightful

      I wouldn't want to work for an employer that would consider anything I've said "unacceptable".

      If work was something we wanted to do, it wouldn't be work, it would be hobbies. The whole idea of work is that you do something you otherwise wouldn't because people are willing to pay you for it.

      Nobody wants to work for a bad employer, but most people want to be without money even less. People work for assholes because they need the money, not because they want to work for assholes.

    5. Re:I do. by guytoronto · · Score: 4, Funny

      I got my signs reversed trying to explain the link between electricity, magnetism, and Relativity once.

      How can you even look at yourself in the mirror? For shame!

    6. Re:I do. by Requiem18th · · Score: 3, Insightful

      However, if you are a social conformist living an entirely unthreatening life, you really have nothing to hide in the first place. People have had good reasons to hide something for as long as there have been governments. Maybe it's something as simple as enjoying a beer (once an illegal practice), or maybe it's something as heroic as protecting a Jewish family from extermination, with a lot of grey areas in between, like marrying a person that desperately needs to obtain citizenship or helping a girl get an abortion for a dangerous pregnancy in a state that doesn't allow it.

      The government is not perfect, so it should not have perfect reach. Throughout history we have benefited from the inability of governments to enforce the law with absolute efficacy. The US wouldn't even exist today if England had had the ability to know everything that was being discussed in its territories. And yes, sometimes social progress needs heroes. People who are upfront about their beliefs in open disobedience. Sometimes we need martyrs. But social progress doesn't actually happen there. It happens at home, at the homes of the low-profile individual.

      Morality is flexible and nuanced but the law is rigid, short-sighted and often manipulated by special interests. Between activism and suppression there is a valley of unenforceability. I'll dare to say that valley was the reason the US flourished while Europe fell into totalitarianism.

      You need this environment. Even if none of your current opinions are controversial. Because one day yours, or your children's opinions won't be welcomed by government.

      --
      But... the future refused to change.
  3. Disqus is evil by johnsie · · Score: 5, Insightful

    One company being able to build up a collection of your comments and opinions across multiple websites.... Thank goodness I only comment on Slashdot

  4. Re:Damn! by TWX · · Score: 5, Insightful

    Bear in mind, most of the people in the world haven't structured their lives around understanding technology. They may like technology, they may be technology groupies, but they probably haven't really contemplated the ramifications of technology or how it can be used differently than their preconceived notions. They probably don't necessarily get that databases can be cross-referenced so easily or that unless they're willing to go through a specific amount of work each and every time they want to obfuscate their identities, it's likely that someone can figure out who they are.

    Another thing to remember: it's never really been possible to be truly anonymous when saying something in text. In the days when the printing press was the preferred way, one still had to have trusted people to help print and distribute the words. In early electronic days when dialup was king, there were always phone records and one had to have accounts on bulletin boards, and systems like FidoNet kept origination records. In the days of Usenet, messages could at least be tracked back to a news server of origin, and assuming that records were kept, the ISP information could be found and then the subscriber account could be identified.

    Nowadays, unless the person wants to take the special laptop that's only used for this purpose, with a special add-on wifi adapter, go park next to a public wifi hotspot and use that public connection, being sure to store the equipment far enough away from themselves when not using it for plausible deniability, there really isn't true anonymity. If one wants to truly remain anonymous, one generally has to not say anything. That's the tradeoff: true anonymity comes at the price of nonparticipation.

    --
    Do not look into laser with remaining eye.
  5. Re:The method is not uncalled for. by jellomizer · · Score: 4, Insightful

    Part of the problem is the fact that Europe has been trying to block free speech on it.
    I am not supporting racists or caring for their ideals. But blocking out hate speech is more dangerous than trying to stop it.
    Why?
    Because the hate speech goes underground, where there is no sense of the scope of the problem. So the government doesn't understand how big the problem is and is unable to provide appropriate protection to the hated groups.
    Secondly, there isn't a counter-dialogue going on to discredit the hate logic. So people get this feed of hate in private and are told that it is taboo, so they keep it quiet; however, there isn't anyone pointing out the flaw in their reasoning. So they can create more people who hate.

    Free speech is necessary, however it isn't safe or easy.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  6. Blocked at firewall ... by gstoddart · · Score: 4, Insightful

    Disqus has been blocked at my firewall for some time.

    Not because of this, but because I was seeing it on so damned many sites it's not funny. Which means I didn't trust it to be anything good for me.

    There's so much shit on the internet these days that if you're not using cookie/script/beacon blockers you're just handing over your information to a company for profit.

    I believe every hacker on the planet should be working to release the private details of every company executive (and their families) involved in this stuff. If our personal information is a commodity, then don't act like yours is any different. Assholes.

    Much like Zuckerfuck fiercely protects his privacy while undermining ours, you don't get to choose that your privacy is more important than mine.

    --
    Lost at C:>. Found at C.
  7. Re:A simpler approach by Anonymous Coward · · Score: 5, Informative

    Actually Expressen are not revealing the identities of politicians who commented on expressen.se, they are revealing the identities of commenters on the racist / xenophobic sites friatider.se and avpixlat.info. The articles and comments on these sites are mostly very harsh, distastefully racist, and written anonymously. They have identified very racist commenters as members of the controversial, Swedish far-right, and most would say racist, party Sverigedemokraterna. The SD party works hard to portray a more polished image, with for example a "zero tolerance policy on racism", which equates to: you might be kicked out if you say or do something too obviously racist. SD has its roots in the 90s far-right racist movement in Sweden (http://www.youtube.com/watch?v=LZWsZyShR_s), and one of their mottos is "Sweden for the Swedish". The party is definitely mostly racist, but their official political stance is more xenophobic and socially conservative, with a few immigrants joining their ranks complaining, for example, that it is the Somalis or immigrants who are the "real problem".

    Researchgruppen used a Disqus security flaw to find out which e-mail addresses were behind some of these racist commenters, and are now revealing that behind the nicknames were SD politicians. So.. This is a big win for Expressen, since the Swedish mainstream media and most Swedes are sworn enemies of Sverigedemokraterna.

    And on another note.. Congratulations to Flashback, the quite huge, Swedish, non-profit, ultra-liberal and quite lawless discussion forum, which has absolute free speech and therefore has become illegal to run from Sweden (it's now run from abroad). Flashback has through the years succeeded in keeping its users' anonymity safe and their freedom to speak total, no doubt despite attempts from the Swedish state, police and media to the contrary - since Flashback has become the main hub for discussions about controversial subjects like drugs, racism and much more.

  8. How it was done: by 140Mandak262Jamuna · · Score: 5, Informative
    The Disqus site had MD5 hashes of users' email addresses. Some flaw in the site leaked the hashes and made them public. They probably thought nobody could reverse the hash. But they did not "salt" the email ids. So a simple dictionary attack, hashing millions of known email ids, produced matches. Now they can link email ids to Disqus user ids.

    Morals of the story:

    don't leak hashes.

    Salt the data before hashing

    Don't trust any website to value your anonymity over their profits.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:How it was done: by QuasiSteve · · Score: 3, Insightful

      This is particularly disturbing because they should well have known about this. Disqus used (uses?) Gravatar, and Gravatar's failure in this exact same fashion has been previously covered and was not even fixed for a long time afterward (disclaimer: that AC is me. At least, I think it was. The company I referred to in there did respond to my complaint and fixed it on their side (making Gravatar use opt-in and using a generic 'profile picture' when it wasn't enabled) - not sure if there's statistics on how many people decided to enable it.)
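The attack described in the "How it was done" post and the Gravatar parallel in the reply come down to the same weakness: an unsalted, unkeyed MD5 of a low-entropy value (an e-mail address) is a lookup key, not a secret. The following is an added example, not Disqus's, Gravatar's or Researchgruppen's code, and every address, user id, salt and key in it is constructed for illustration. It runs the same dictionary attack against three ways of deriving the per-user token and shows which one actually stops it. One caveat the "salt the data" moral glosses over: a salt that is public (as a site-wide salt embedded in page JavaScript would be) only stops reuse of a precomputed table across sites; an attacker who can read the salt just hashes their address dictionary again, so for e-mail addresses the effective fix is a secret server-side key (HMAC), or not exposing the token at all.

```python
import hashlib
import hmac
import secrets


def email_md5(email: str) -> str:
    """Unsalted MD5 of a normalised address: the Gravatar-style identifier."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def salted_md5(email: str, salt: str) -> str:
    """MD5 with a public, site-wide salt. Defeats cross-site rainbow tables,
    but anyone who knows the salt can rebuild the dictionary in one pass."""
    return hashlib.md5((salt + email.strip().lower()).encode("utf-8")).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret server-side key (an assumed fix, not what
    Disqus shipped). Without the key the token cannot be recomputed at all."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample data (not real Disqus records):
# CANDIDATES is the attacker's dictionary of addresses they already hold,
# USERS is what the site knows internally. "dave" is deliberately absent from
# the dictionary, so no scheme will reveal him.
CANDIDATES = ["alice@example.com", "bob@example.org", "carol@example.net"]
USERS = {
    "u1001": "alice@example.com",
    "u1002": "bob@example.org",
    "u1003": "dave@example.org",
}


def crack(leaked: dict, hasher) -> dict:
    """Generic dictionary attack: hash every candidate once with `hasher`,
    then join the result against the leaked {user_id: token} table.
    Cost is linear in the dictionary size, not in the hash's strength."""
    table = {hasher(e): e for e in CANDIDATES}
    return {uid: table[tok] for uid, tok in leaked.items() if tok in table}


def demo() -> dict:
    """Build the three token tables a site might expose and attack each."""
    salt = "site-wide-salt-visible-in-js"   # public: attacker can read it
    key = secrets.token_bytes(32)            # secret: never leaves the server

    unsalted = {uid: email_md5(e) for uid, e in USERS.items()}
    salted = {uid: salted_md5(e, salt) for uid, e in USERS.items()}
    keyed = {uid: keyed_token(e, key) for uid, e in USERS.items()}

    return {
        # Plain MD5(email): one table cracks this on every site using the scheme.
        "unsalted": crack(unsalted, email_md5),
        # Public salt: attacker rehashes the dictionary with the known salt.
        "salted_known_salt": crack(salted, lambda e: salted_md5(e, salt)),
        # Secret key: attacker has no way to produce matching tokens.
        "keyed_without_key": crack(keyed, email_md5),
    }


if __name__ == "__main__":
    for scheme, recovered in demo().items():
        print(f"{scheme:>20}: {recovered}")
```

Running it shows the unsalted and public-salt tables both give up alice and bob (everyone in the attacker's dictionary), while the HMAC table yields nothing; the only user protected in all three cases is dave, whose address was never in the dictionary in the first place, which is the "don't use your real address" point made elsewhere in the thread.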

  9. Re:Damn! by Sqr(twg) · · Score: 4, Informative

    But seriously, who uses a real email address to register anywhere?

    In this case, members of the Swedish racist party "Sverigedemokraterna". They are trying to paint a picture of themselves as "not racist" and "merely anti-immigration", and the party leadership has adopted a policy of excluding anyone who makes racist statements openly. The "avpixlat" site was officially not associated with the party, but it was an open secret that this was where they vented their true opinions anonymously.

    Now the hackers have a list of hundreds of names linked to incredibly racist quotes that they will presumably publish one at a time in order to do maximum damage to the party before the elections next year.

  10. Re:The method is not uncalled for. by Hatta · · Score: 3, Insightful

    In Europe we have an increasing problem with racism and hate speech, especially on anonymous internet forums.

    Which is appropriately countered with more speech.

    --
    Give me Classic Slashdot or give me death!