Discovering the identity of online posters

[Danimal]

Yes and no. Using proxy layers like Tor (yes I know there are some US Gov exploits, largely surrounding idiocy) with VPN's can generally result in total anonymity even from the gov't. As long as you don't do something that links to your identity.

Contrary to what people think, if I hack your IP address I don't know where you live. You need access to ISP logs to see what IP was assigned to what customer and when to achieve that. And even then, with wireless internet connections, you can't say who actually utilized the computer or even how many computers use that IP - it could be shared by hundreds. The prior post about using Lexis to identify usernames is misinformed. There is in fact, no such central database. There is no database for this site, for instance, that links your username to your identity, because the information cannot be harvested using regular means - they would have to hack this site, then hack the ISP, then hack the USPS to see who lived at the house, and then build a time machine to see who was using a computer. Why is LOGIC completely gone...

What happens is when people connect their usernames to their real identity on the web, such information can be sold, and then linked by search providers. Realistically, Lexis only can match less than 5% of a username to an identity. Probably less than 1% accurately. Social engineering accounts for basically all of the "found their identity" cases; googling, finding pictures that are geotagged, finding facebook profiles, pictures of cars with license plates, house numbers, etc. If you aren't a complete moron [don't link to your identity and don't post PII or pictures with geotags], it's not possible to do that.

What can actually be achieved by common hacking and what people think can be achieved by common hacking... it's a rift bigger than the grand canyon. 99% of what people are talking about in this thread (18 year olds finding your identity, lexis, etc.) has absolutely nothing to do with your IP address, as those parties don't have access to it. Once again, don't be an idiot.

EVERYTHING you need to be concerned about centers around social engineering. Your IP address is irrelevant, even with the information, it's not assigned to your house, it's assigned to the ISP which loans them out, meaning your IP is changing all the time. The last thing you should worry about is your IP address being hacked.

If the gov't subpoenas information, then IP addresses can be obtained - sometimes - but most websites don't even hold that information all that long nor are they required to. Even then, it is obtained by asking YOUR browser, which often reports it entirely incorrectly. It takes work and multiple subpoenas for the gov't to arrive at an identity, case in point. Out of those eight IP's the gov't obtains by subpoena in this case, they will be lucky to identify a person in even 25% of the instances despite all the resources available to them. You need the accurate IP from the website (50% chance, good luck), you need the ISP logs, you need address information, even then you don't know who was using the computer without lots of additional information. Any weak link and it's not possible to identify someone.

There's massive amounts of tinfoil required in this thread.

While this is true, the social engineering part is super easy. Do you use the same user name across different forums? Different websites? To pay bills, or login to a website that has your shipping address? How secure are all of the systems? Generally it is pretty easy to hunt for a common user name that turns up an email that is used for an account login that can then be hacked from the owner side of a small business that shipped you a stapler last summer. The system is only as strong as its weakest link, and the average small business owner cannot afford to fully secure their POS transactions.

The real question then becomes why someone wants to find that information? Usually there is no benefit to find your name and address, your IP is enough to send you those fancy tailored adds for things you just looked at. Now with all of the social media there is the idea of meta data that forms a collective image of who you are online. Systems are capable of linking multiple accounts together even if there are no actual known connections. Content, user name, email, even writing style, anything that it finds online will eventually be rolled into a profile that it can tie seemingly disconnected events together. This is used for marketing and collecting data on user activity for large scale trending of markets. That is where people make money from it.

The problem now is that it is an easy target if someone wants to target you maliciously. That is how people are found and tormented online by the media and pitchfork wielding "hackers" that disagree with what yo said or did, or what someone else said you said or did. It doesn't really rely on social engineering in the classic honeypot sense like hacking into secured systems. They get a collective picture of you, use metadata to find a weak point transaction, and if there is incentive can have your identity pretty easily. It is just a matter of wanting to find you among the billions of people online.

It is hard to identify someone using legal channels, which is why it is hard for the government to find a specific person for the purpose of prosecution or to testify at trial. Illegal means that breach privacy are not that hard and can easily done by 18 year olds.