Unwanted Exposure

Of Doxing And Other Dangers On The Internet

If you cannot bear these stories then the society is unbearable. Who am I to remove the clothes of this society, which itself is naked. I don’t even try to cover it, because it is not my job, that’s the job of dressmakers. - Saadat Hasan Manto

One of the most malicious forms of internet vigilantism, hacking or hacktivism that has re-emerged today is doxxing, i.e. a portmanteau for online document sharing without obtaining permission from the owner of the data. It has caused irreparable damage to many, celebrities and commoners alike. However, it is also a very poignant reminder for the user to think twice before posting content on the internet. As platforms such as Facebook and Twitter morph from being just platforms that curate users' data for advertisers to sources of news and, more nefariously, weapons of psychological warfare, nobody is spared from the agony of unwanted access to personal information. More importantly, big data shared online can transform people into widgets capable of manipulation by master craftsmen, i.e. technological Luddites as far as the art of mental manipulation is concerned. The irony is that we share a lot of our information voluntarily. Even if we don’t, sensors in our homes, on the street, in applications and on our watches are monitoring our everyday life. This trend is only going to magnify as the human thirst for data multiplies exponentially and enabling technologies such as 5G act as catalysts to exacerbate it. This article explains some of the popular types of hacking attempts and provides an overview of ‘doxxing’ as a malpractice.

How Has The Online World Changed

On August 15, 1995, exactly 48 years after India obtained Independence, a government owned Internet Service Provider — the Videsh Sanchar Nigam Limited (VSNL) opened up the internet to public access. I was not even a teenager then. By 1997, I was officially an internet addict. The ring tone confirming the fact that my Personal Computer (PC) had connected to the ISP was one of the most blissful sounding tones in my life. Finally, after three agonizing attempts, I was on the grid. I could craft my digital avatar without any restriction. For all you know, I could be Rambo plus Einstein to the other users out there. Yes, those were the days of dial-up internet. I distinctly remember I had a Zyxel modem and an assembled computer with Intel Pentium II inside. On average, I would spend up to 12 hours on the grid devouring information, checking email, creating my own blogs using HTML coding and learning about the counterculture. Hacking was a very romanticized word because the world was just linking up millions of pages on the World Wide Web (WWW). People still remembered Tim Berners-Lee and Richard Stallman — a prominent leader of the open source movement.

As a teenager, the most philosophical question I was grappling with was: to share or not to share my A/S/L? on that chat window. What if someone could just locate me down to my postal code and start stalking me? Very soon, I realized I did not fall into any of the usual categories of people getting stalked but every time I entered my details, I kept reminding myself ‘privacy is a myth’. Once you are online, anything you post is permanent and susceptible to hacking. Social engineering was a popular tool for hacking innocent surfers. An anonymous email of an unknown origin would congratulate you for winning an astronomical amount. All it needs is your bank account number and your password. To many, it's just an innocuous thing to do. Phishing and social engineering are the top hacking techniques in play today.

As the web grew in kinds of content shared (e.g. multimedia), Cascading Style Sheets (CSS), Macromedia Flash and a plethora of tools became available to designers and content creators. Geocities and Orkut were becoming bigger platforms. Enabling technologies evolved from dial-up to leased lines to broadband internet very fast.

However, very little has changed today. That’s because humans are the weakest link in the Information Technology (IT) security value chain. Sharing of passwords, leaving desktops unlocked and sharing PII in response to phishing attacks are all relatively commonplace. All of these give the hacker an inlet to get access to more information.

There are basically four types of hackers: Black Hat (malicious hackers), White Hat (ethical hackers), Grey Hat (middle ground hackers) and Red Hat (ethical hackers testing for system vulnerabilities).

Today, popular frauds involve an offshore and onshore team of people impersonating Microsoft employees or IRS representatives who have detected a flaw in your operating system or can help you with your taxes. All they need is your PII.

As per Optimal Networks, 95% of successful cyberattacks are the result of a phishing scam. The cost of cyber crime is expected to hit $6 trillion in 2021 (up from $3 trillion in 2015). Businesses are increasingly experiencing phishing attacks.

Recently, within a span of two weeks in December 2018, Personally Identifiable Information (PII) was hacked from the databases of Starwood Hotels (‘Marriott Chain’) and to a limited extent from the online question and answer platform — Quora. Quora reported 100 million user accounts were hacked. Of course, credit card skimming and creating fake credit cards isn’t anything new either.

Origins of Doxxing

As per Wikipedia, doxing (from dox, abbreviation of documents) or doxxing is the Internet-based practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual or organization. This exposure is often unwanted and draws a lot of attention, very similar to paparazzi stalking celebrities. The term ‘dox’ derives from the slang “dropping dox” which, according to Wired writer Mat Honan, was “an old-school revenge tactic that emerged from hacker culture in the 1990s”. Hackers operating outside the law in that era used the breach of an opponent’s anonymity as a means to expose opponents to harassment or legal repercussions.

Doxing has cryptovirology origins. Cryptovirology is the use of cryptographic techniques to design malicious software such as Trojans or malware that extract PII from a user's computer. After information is extracted, it can be posted on various forums to wreak damage on the victim. Doxing was an attack invented by Adam Young and further developed with Moti Yung (an Israeli American cryptographer) that carries out doxing extortion via malware.

The duo have written a book on the subject titled ‘Malicious Cryptovirology’. It was first presented at West Point in 2003. The attack is rooted in game theory and was originally dubbed “non-zero sum games and survivable malware”. Doxware is the converse of ransomware. In a ransomware attack (originally called cryptoviral extortion), the malware encrypts the victim’s data and demands payment to provide the needed decryption key. In the doxware cryptovirology attack, the attacker or malware steals the victim’s data and threatens to publish it unless a fee is paid (source: Wikipedia).

Pieces of everyone’s identity are scattered in various databases, i.e. social security administration, birth records, DMV data, property tax information and behavioral data from social media. All of these data points can truly create a lifelike digital image of an individual. Gathering all these pieces of data requires varying degrees of sophistication. Today, the level of sophistication needed to gather publicly available information such as an address or telephone number from Facebook isn’t much. However, Personally Identifiable Information (PII) such as credit card numbers and social security numbers is much harder to gather because it probably requires hacking or physical surveillance or a combination of both.

One of the most high-profile cases of doxing in recent times was the doxing of members of the judiciary committee and of a senator as well as Dr. Christine Blasey Ford during the confirmation hearings of Brett Kavanaugh’s nomination to the US Supreme Court. As in most cases, if you go to YouTube and search for ‘How to Dox’, which I am not recommending at all, you will come across a wide plethora of tutorials to do so. Ironically, it is not completely illegal for someone to dox someone else.

The Unintended Consequences

The biggest takeaways for me have always been the unintended consequences of my actions. Non-verbal communication (body posture, eye movements etc.), as opposed to verbal communication, is the bulk of our communication. Similarly, the unintended consequences of our actions are more susceptible to inappropriate magnification than our harmless, intended consequences. No matter where you go, you will always be close to someone with a handheld supercomputer. In that sense, anything you say or do can be held against you, not in a court of law but in the underground world of the dark web and by malicious actors on the internet. So, the next time you create content, please think twice: once for the intended consequences but more importantly, give a second, much harder thought to the unintended consequences.

Writer @ The Intersection of Finance, Tech & Humanity. Stories of a Global Language: “Money”. Contributor @ Startup Grind, HackerNoon, HBR. Twitter: @akothari_mba
