Some advice to anonymous bloggers

Don Park has a good warning post on potential XSS hacks. A typical example of these is Haloscan, which provides commenting and trackback capabilities to a number of Finnish bloggers, too.

However, sometimes no clever hacking is required. Haloscan actually provides RSS feeds of all the comments, making it really easy to subscribe to the comments of a blog. This is cool and clever, and I wholly applaud this. The feed can be found at:

http://haloscan.com/members/rss.php?user=<username>

You can figure out the username by looking at the HTML source, or just by guessing (most people use their blog names).

Up until last weekend, Haloscan also provided IP addresses in the feeds. This meant that IF an anonymous blogger was commenting on his own blog, it was possible to find his IP address. If that person then commented on other blogs under his real name (or visited your own blog, where you have some sort of site tracking), it was possible to figure out either his real identity, or at least the Pinseri account name (Pinseri is a known Finnish aggregator). Haloscan has now removed this feature, so it's safe again to use it. I have not checked whether other comment services also have this issue.

Note that figuring out the IP address does not reveal your identity. But if combined with other information, it may be possible to figure out who you are. Or at least make a very educated guess.

Another thing to be careful with if you are an anonymous blogger: if someone sends you email with a link, don't click it. If you do, something like this might appear in the log files of the site the link points to (let's assume the anonymous blogger has a yahoo.com mail account, and I've sent him an email asking him to come to my weblog):

cs65129.pp.htv.fi - - [31/Mar/2004:16:52:08 +0300] 
"GET /ButtUgly/ HTTP/1.1"
 200 35547 
"http://us.f413.mail.yahoo.com/ym/ShowLetter?MsgId=4207_260177_12756_
  1095_187_0_87_-1_0&YY=51786&inc=25&order=down&sort=date&
  pos=0&view=a&head=b&box=Inbox" 
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/124 
(KHTML, like Gecko) Safari/125.1"

Due to the referrer (mail.yahoo.com) it's rather easy to figure out which of the hits came from your mysterious web friend. Now we know that he lives in Helsinki and has a cable modem, and that he uses a Mac OS X 10.3 computer. If you embed suitable JavaScript on your weblog, it is possible to figure out even more. If he had, however, cut and pasted the address from the mail into the address bar, you get something like this:

cs65129.pp.htv.fi - - [31/Mar/2004:16:59:34 +0300] 
"GET /ButtUgly/ HTTP/1.1" 
200 35558 
"-" 
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/124 
(KHTML, like Gecko) Safari/125.1"

There's now a lot less evidence to tie the mysterious Yahoo user to a specific IP address, because the referrer field is missing. It is still possible, but it will require a bit more data and logic. Of course, if he'd wanted to be absolutely safe, he would've used a service like Anonymizer, in which case the line would look like this:

outgoing.anonymizer.com - - [31/Mar/2004:17:02:12 +0300] 
"GET /ButtUgly/ HTTP/1.1" 
200 34933 "-" "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"

Not a lot to pinpoint you, yes?
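To see the difference between the three entries field by field, here is an added example (not part of the original post) that parses them as combined-format log lines and reports what each request discloses. The `PROXIES` set and the function names are assumptions made for illustration; the Yahoo query string is trimmed to two of its parameters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
PROXIES = {"outgoing.anonymizer.com"}  # assumption: proxy exit hosts you recognise
SAFARI = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/124 "
          "(KHTML, like Gecko) Safari/125.1")
# The post's three entries, rejoined onto one line each (Yahoo query string trimmed).
CLICKED = ('cs65129.pp.htv.fi - - [31/Mar/2004:16:52:08 +0300] "GET /ButtUgly/ HTTP/1.1" 200 35547 '
           '"http://us.f413.mail.yahoo.com/ym/ShowLetter?MsgId=4207_260177_12756_1095_187_0_87_-1_0'
           '&box=Inbox" ' f'"{SAFARI}"')
PASTED = ('cs65129.pp.htv.fi - - [31/Mar/2004:16:59:34 +0300] "GET /ButtUgly/ HTTP/1.1" '
          f'200 35558 "-" "{SAFARI}"')
PROXIED = ('outgoing.anonymizer.com - - [31/Mar/2004:17:02:12 +0300] "GET /ButtUgly/ HTTP/1.1" '
           '200 34933 "-" "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"')

def parse_entry(line):
    m = COMBINED.match(line.strip())
    if m is None:
        raise ValueError("not a combined-format log line")
    return m.groupdict()

def exposure(line):
    """Summarise what one request discloses to the operator of the visited site."""
    e = parse_entry(line)
    ref = urlsplit(e["referer"]) if e["referer"] not in ("", "-") else None
    return {
        "client_host": None if e["host"] in PROXIES else e["host"],
        "referrer_host": ref.hostname if ref else None,
        "referrer_params": sorted(parse_qs(ref.query)) if ref else [],
        "agent": e["agent"],
    }

def shared_fields(line_a, line_b):
    """Fields two requests have in common, i.e. what still ties them together."""
    a, b = exposure(line_a), exposure(line_b)
    return [k for k in ("client_host", "agent") if a[k] is not None and a[k] == b[k]]

if __name__ == "__main__":
    for name, line in (("clicked", CLICKED), ("pasted", PASTED), ("proxied", PROXIED)):
        print(name, exposure(line))
    print("clicked vs pasted:", shared_fields(CLICKED, PASTED))
    print("clicked vs proxied:", shared_fields(CLICKED, PROXIED))
```

The pasted request drops the webmail referrer but still shares its host name and user agent with the clicked one, which is the "bit more data and logic" case; the proxied request shares neither.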

So, a couple of practical tips, if you want to protect your online anonymity:

  • Don't click on links from web mail, cut-n-paste them to your address bar.
  • Check all the services you are using to make sure that none of them is leaking information about you.
  • If possible, use a web proxy (like anonymizer), or only assume your anonymous identity from a location which you do not usually use, like a web cafe
  • Try to vary your habits: if your normal email is from hotmail.com, use yahoo.com for your anonymous email. If you have a known blog at blogspot.com, use blogdrive.com for your anonymous one. Use different layouts, styles, etc. If you normally use IE to browse, use Mozilla to post your anonymous comments. The easy and predictable way is always the unsafe way.
  • Be prepared that you WILL be revealed sooner or later - your entire reputation could be ruined. Online anonymity is weak, unless you really know what you are doing.
  • Turn off Java and JavaScript in your browser (both can be used to figure out detailed information about the computer you are using and your browsing habits).

(I'm not touching the issue of embedded images in HTML mail, the so-called "web bugs", which can be used to track your whereabouts even when you do not click on any links, but perhaps I'll talk about them later, and also mention cookies and how they can be used to track you.)

Update: made the log entries a bit narrower so that people who are not using a standards-compliant browser don't get the layout screwed.




Comments

Yeah, and it's also worth varying your writing style for those anonymous messages. So if you normally use smileys with a dash, :-), you can use them without the dash in an anonymous message, :), and likewise it's worth knowing your own writing mannerisms (I very often start sentences with the word "well", I use the phrase "it's worth" a lot, and I use -- a double dash to mark a pause in thought. I also use the word "plus" a lot, the expression "or something", and similar phrases). From these you can almost guess who wrote this message, if you read a lot of my texts... That's one reason why I don't try to maintain any anonymity myself, even though I sometimes feel like it... (yeah, I also use a lot of parentheses and three dots... :-D).

--yx vaan, 31-Mar-2004


Nucleus, and probably quite a few other CMS contraptions too, do sniff out the IPs of comments without even being asked. A bit like this comment contraption of yours.

--Mä en ole Merten, 31-Mar-2004


Yes, this system stores IP addresses, and even publishes them (unless you write your name in the box below and click "Remember me"). So it really is worth being careful about what you poke and where.

--JanneJalkanen, 01-Apr-2004


"Main_blogentry_310304_2" last changed on 01-Apr-2004 09:47:49 EEST by JanneJalkanen.