Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: identity

  • The Truth In Presentation

    The Truth In Presentation

    By now, the internet knows about how the Gay Girl in Damascus was a hoax and Paula Brooks of Lez Get Real is a straight man. These aren’t the first people to be caught ‘faking it’ to tell a story. In fact, both Tom MacMaster (‘Amina’ from Gay Girl in Damascus) and Bill Graber (‘Paula’) claimed to do what they did with the best intentions. They had seen the way gays are treated and felt that, as men, their point of view would be dismissed. Where this crosses the line from ‘best intentions’ and wanders right into out and out deception, however, is where they begin lying to cover their tracks.

    Look, this isn’t new. George Eliot (who wrote Silas Marner) was a woman. James Chartrand of Men with Pens fame is actually a woman. George Eliot did it to protect her personal life, James Chartrand did it to make a living. (Her story about the whys, hows and repercussions is pretty awesome.) There’s a long history of people using pen names, and a lot are mentioned in Carmela Ciuraru’s new book Nom De Plume: A Secret History of Pseudonyms.

    Pretending to be someone else is draining. You’re constantly aware of pronouns and speech patterns. Do I sound like who I am supposed to be? I’ve done it before as a social experiment in college, to see if someone can ‘fake’ being a man online so well that no one would know.(Of note – this was in the early 90s, so things were pretty new then.) I did it so well that, when I carried on doing it for a few more years, there was a hilarious point where I was flirting with my girlfriend (she knew the truth behind the ‘character’) on a public forum, and someone felt it was important to tell me that she was both taken and a lesbian.(This may be why so many people think I’m a man online… I guess I ‘write male.’)

    Using a pen name is something we all accept and can understand. It’s when you delve into the complete fake persona that the world gets a little hinky. ‘Paula’ was a deaf lesbian, who had a girlfriend, kids, and a father who answered the phone and ‘interpreted’ for her (most people think the ‘father’ was actually Graber). At some point, ‘Paula’ killed off her girlfriend. And ‘Amina’? She told in depth details about her parents, how she hid in secret rooms (ala Anne Frank), and how most of her family had to leave the country.

    These people became deceitful when they crafted complex dramas for their fake lives, and wrapped in layers upon layers of excuses and explanations as to why they can’t meet you.(My excuse is the truth – I’m really shy and nervous around meeting new people.) The bigger the lie, the more likely they are to get caught. ‘Amina’ was caught because her blog claimed she was arrested and no one in Damascus could find information on her.

    And this is where the technology aspect of the drama unfolds. This becomes a post about technology and not just a rant about deception when you realize how careful you need to be to keep up the lies. If ‘Paula’ left a comment on my blog, her IP address would be logged. If she, subsequently, said ‘I’m in Amsterdam this week and…’ I could look at her IP and sort out where she really was. If she was using something like The Tor Project (aka Onion routing) to hide her location, I would be suspicious.

    Thankfully, for people like me who spend time worrying about impersonators, you can peel back the onion layers of Tor and deduce who people are. Currently, there is no 100% reliable way to back-trace an IP through all the Tor layers, but simply the use of it on common, casual sites would be enough to raise eyebrows and some risks.(If you’re really interested in tracing Tor/Onion users, read Practical Onion Hacking) In 2007, a German blogger acting as a Tor providor was arrested because someone used his service to download child porn.

    Why would someone want to use Tor at all? Tor is great for doing things you aren’t supposed to be doing, and while a lot of the time that means impersonation, trolling and general internet asshollery, it also can be used to allow information to be posted from places where a repressive government doesn’t permit, or where it would be socially unacceptable if you were found out. Like if ‘Amina’ had been real, her use of Tor would make sense. If you really were a persecuted lesbian in a hostile environment, you would use Tor to make your blog posts so the local government couldn’t track you down at your house. Assuming they don’t know how to hack a Tor setup.

    Besides the technical aspects, there’s a lot of social engineering that goes on behind impersonation. ‘Paula’ turned herself in after constant questions from the news(I should mention that the Paula Brooks story is even more intricate and crazy than originally though! Bilerico reports on the inconsistencies and the more we learn the less we seem to know about the ‘real’ person behind Paula Brooks.), but ‘Amina’ was found out only after red flags were raised when people tried to help the poor arrested girl. In both cases, there were enough holes in their stories that people began to question the ‘facts’ as well as the motives. There is a difference between using a pen name to protect yourself (or to advance your career) and creating a whole persona. The difference between James Chartrand and someone like JT LeRoy is that James didn’t create an elaborate backstory, James just wrote under a pseudonym. It’s most likely that no one ever asked if James was really a man, they just assumed. There are a lot of ways, legally, to do that. Get a good lawyer you can trust, and they can act as your proxy in all things. Now no one has to know.

    Law & Order has done a couple episodes based on this phenomena. Some are about the people who use plastic surgery to hide themselves, another on the woman who hired an actor to ‘play’ her male persona and was betrayed, and so on and so forth. It makes for good TV, I’ll admit, but the truth is that all of those people were found out, and many times before their ‘death.’

    I think the most ironic thing to come from the whole mess is this:

    In the guise of Paula Brooks, Graber corresponded online with Tom MacMaster, thinking he was writing to Amina Arraf. Amina often flirted with Brooks, neither of the men realizing the other was pretending to be a lesbian. (Source: Washington Post – ‘Paula Brooks,’ editor of ‘Lez Get Real,’ also a man)

    Between the technical and social engineering weaknesses, using a pen-name to craft an entirely new identity is something that can get your credibility shot. There’s a reason we leave false identities up to people like WitSec or the CIA. It’s hard, and the costs of being found out are devastating.

  • How do people on the internet know who you are?

    This came up when someone on a bulletin board I frequent sounded a little freaked when the moderators said that they monitor people by their IP address. The problem this board was having was pretty simple, actually. People would sign up with multiple accounts for various reasons, and then over the course of time, reply to themselves. The moderators were complaining that they couldn’t understand why someone would want to have multiple IDs, and one or two of the users were complaining that the moderators knew their IP address.

    Stepping back for a moment, I realize that I’m pretty young, but for my entire life there have been computers. The first home computers showed up around the same time I did, and I really have to take a moment to consider life without the personal computer. Back when I was in elementary school, my grandmother had a DEC terminal hooked up over a phone cradle/modem to her company server to do the books over the weekends, and when I wanted French toast, I’d use the computer to balance books and she’d cook. Personally I think it’s a small miracle nothing went wrong.

    When I was in high school, my friends and I had found the magic of on-line gaming. Text only stuff, or sometimes dialup to a bulletin board system and news groups. None of us actually had our own accounts, and email was a mythical monster we all wanted but didn’t have. Shortly there after came things like Hotmail (back before it was Microsoft Hotmail) and college, which gave us all our own email addresses and virtual identities. Those college IDs had access to a tool I rarely see used now, finger. Via a UNIX terminal (accessed mostly by telnet), we could ‘finger’ a username and find out who the person was, where they lived, and if they’d updated it, what they were interested in. This was nothing compared to what homepages and domain names give us now, but then it was the best thing. We were people. We had identities. We had communities.

    Not far into college, I started to wonder how safe it was to have personal information like that all over the net. My father was working in risk analysis and assessment, so I suspect it’s only natural my thoughts drifted that way. It was at that point I started researching how my identity was maintained and who had access to it.

    How do people know who I am? Bizarrely enough, the first image that comes to mind when I think about this is an old “George Burns and Gracie Allen” radio sketch. Their accountant has come over to drink and commiserate with George and says that Gracie had just been by to do her taxes. He tells George that when he (the accountant) asked Gracie for proof of identification, she opened her compact, looked in the mirror and says ‘Yes, it’s me all right.’ Were it only that easy. In the ‘real world’ I carry IDs with me to say that I am who I say I am. At work, I have a badge with electronic access and a picture ID, to let me into rooms.

    It doesn’t translate all that clearly to the virtual world, however. Microsoft, at one point, had a Passport application that let you use one ID all across their myriad of networks. This has fizzled. Yahoo! had a Yahoo! Wallet feature that is still in use, though even websites that use Yahoo! to sell their wares hardly use it, it seems. The concept of a single point of contact for peoples’ money is unpopular to many people, and this should be surprising. Everywhere you look, people warn you about identity, and I see the lack of faith anyone has in submitting their personal information to one location as a heart warming experience. At last! People are aware!

    And yet, as evidenced by my experience on the bulletin board in the beginning of this tale, that’s not the case.

    People didn’t like Microsoft Passport for the same reason I don’t have Quicken learn all my passwords for my bank accounts. They make me use an additional password to access my other passwords. It’s easier for me to just keep a spreadsheet of all my passwords and use that, then memorize a third (or fiftieth) password. Realistically, this makes sense. Either you have one password (or password schema) for all your accounts, which makes them easier to hack, or you have a thousand different ones and struggle to remember them all. There’s no easy win.

    So on that bulletin board as mentioned above, you have an ID and a password. On the best systems, the moderators have no idea of your password (YaBB’s Gold version, which is a CGI board, actually saved passwords in clear-text!). And yet anyone who’s visited an online community knows that there’s a certain amount of people on the internet who have fun making your life stink. They like to post rude things that have nothing to do with the topic at hand, they insult you, they use language that makes the paint peal. Even if you don’t mind a bit of foulness, these are the people you look at in wonder. How on earth did they get out of elementary school?

    It’s the duty of the moderators to school those people in proper net etiquette. I’m not going to delve into what is and isn’t good posting, but my short comment on that is that it pays more to be as thoughtful of and respectful to your fellow posters as you would to someone you were talking to face to face. Listen to what they say and reply in an easy to understand manner. There’s a time and place for l33t speak, and you’ll know when it is (if you have no idea what that is, go to http://www.bbc.co.uk/dna/h2g2/A787917 and keep in mind some kid in England turned in a one page essay written like that, the f00).

    How you’re known on the internet is how the moderators can contact you and reprimand you for your wrong doings. Sounds fair, right? So how do they know? That’s surprisingly simple.

    1. Your ID
    People use IDs they can easily redeemer. I have the same account name at Yahoo, Hotmail and Gmail. If I was logged in as, let’s pretend, HintOfTheWeek_111, and I was making trouble, the moderator would likely run a quick Google on that ID and see if you were known elsewhere. When I had a hacker attack a board I moderate, doing that lead me to two notices right away. The first said that he’d done the attack before. The second included how to fix it. Very helpful.

    2. Your email address
    Most boards make you show an email address, at least to the moderators, when you sign up. This is, again, for accountability. They can use that email address and Google it as well, or they can just email you and chastise you. That’s my preferred method, by the way. A private ‘Hey, idiot’ always seemed more polite then being publicly brought to task on the boards where everyone can see it. Mind you, a lot of people sign up with freebie accounts, and never check them, which is why you end up looking at …

    3. Your IP address
    Every time you post to a bulletin board, every time you make an ID/Password on a website, check your web email (Gmail, yahoo, hotmail), every IRC session, online game, etc you log on to, your IP address is recorded. That’s the way the world works, and it’s the only way places have of holding people accountable for their actions. And if that scares you just a little, well good! You’re paying attention. Information is power, and you’re trusting the moderators to use that power wisely.

    On most bulletin boards, moderators would rather ban you from posting using your ID or your email address. The IP address is tricky. While, technically, it’d very easy to implement, it comes with some major drawbacks. Banning someone by ID or email means they can just make a new ID with a different email. Given how easy it is to make new email addresses, you can see how this is a problem for the moderators. The reason the IP banning is viewed as a last resort is that it causes a lot of damage to innocent bystanders. This has to do with how IP addresses are used, as well as what happens when people use dial-up and proxy servers.

    If you use dial-up, your IP address is going to change every time you connect to the internet. That makes it near impossible to ban you. If you use a proxy server (like the Northern people do at work), everyone shows up using the same IP address. You can verify this by getting a couple people around you to go to http://www.whatismyip.com/ and compare.

    This means if I, as a moderator, ban an IP used by a dial-up user, everyone else who uses that IP gets banned. And in all likelihood, the person I wanted to ban is on a new IP address and doesn’t care at all. If I ban an IP used by a proxy, everyone else who uses that proxy gets banned. In a way, it’s a no-win situation. The only solution for board moderators is constant vigilance. If two different user IDs with the same IP starts posting things that look way too similar, and are upsetting people the same way, then it’s probably the same person.

    What does all this mean for you? Now you know how you’re monitored, and in theory how to beat it. But that’s not enough. If the fact that the people who write viruses like Sasser can get caught isn’t enough of a hint, I’ll spell it out. Even if you’re using obfuscating tactics, you can get caught. To date, there’s no 100% fool-proof way of hiding who you are on-line. If you use a proxy server that used by a known troublemaker, you may find yourself unceremoniously banned. If you’re the bad person using the proxy, a court order can make them cough up your real IP address.

    Admittedly, there a many legitimate reasons to have two IDs on one bulletin board. There are many understandable reasons to use a proxy server. I’m not proposing a solution, but I feel that everyone should be aware of the reality of internet usage. In the age of heightened security concerns and identity theft, it’s important to know how some people are getting to know all about you.

    Before you get all scared, the amount of damage that can be done with your IP address, provided you’ve implemented the latest and greatest security patches from Macintosh, Microsoft or whatever other OS you might have, is minimal. They still need passwords and IDs to your computer, among other things. So if you’re essentially a decent person and you don’t knowingly break any laws, don’t panic about logging onto a bulletin board.

    On the flip side, assume that someone knows where you’re logging in from. It’s just safest.

    Helpful Links:
    What an IP address is
    Yahoo!’s explanation of IP addresses and privacy
    Determine what the rest of the world sees as your IP address
    What is ‘l33t’ speak?
    Home Computer Security

    PS: There’s a fairly humorous link I was given once, and it never fails to make me laugh. It’s a 1940’s style intro to posting on the internet: http://albinoblacksheep.com/flash/posting.php