[rndgermandude]

No, that's my response to your question about how you could dox a journalist.

Now, Krebs doxed people in the past who didn't want their true identities revealed. Often because those people were up to no good, but sometimes Krebs went a bit overboard in my opinion.

More in general, and I am not saying Krebs ever did this, there are valid reasons why people might not want their true identities widely revealed. Think whistleblowers, some critical journalists, etc.

A more general definition of doxing would be "publish personal information that the people to whom this information belongs did not give consent to publish". As such, I don't see doxing as generally evil, it depends on the kind of information and context. Out a criminal? OK. Out a journalist? Probably not OK.

[mirimir]

Krebs does indeed habitually doxx alleged criminals. There's a perfect example just a ways down from TFA: "Meet the World’s Biggest ‘Bulletproof’ Hoster".[0]

And he doesn't just rely on public sources:

> KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

> Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveal that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

And he posted a copy of the guy's passport!

0) https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-...

[tptacek]

Where by "habitually doxx", you mean "reports", which is what reporters do. When it's Fortune 500 executives or politicians, we seem to have no problem with this behavior; in fact, we get mad when it doesn't happen. But when it's someone in our "tribe" getting reported on, there's this whole new set of rules that supposedly applies. It seems like special pleading to me.

[mirimir]

Sure, that's what some journalists do. But Krebs' thing is being a grey-hat vigilante. He does social engineering on forums. He trades data with other vigilantes.

> ... you mean "reports", which is what reporters do ...

So this doxx site just reports on people, no?

The distinction between him and the doxx site he writes about is subtle.

[tptacek]

Mainstream reporters semi-routinely break actual laws to break stories, and are received as heroes for it.

[mirimir]

I'm sure that the doxx site in TFA is "received as heroes" by some. As with many things, much depends on whose ox is getting gored.

Also, "semi-routinely break actual laws" is a huge bin. Reporters also get sued for libel. And sometimes lose.

Edit: And hey, once you're "break[ing] actual laws", you're a criminal. And by Krebs' standard, you're fair game.

[tptacek]

Sure? OK? And?

[tptacek]

I'm sorry, but you're confusing two different concepts. In one instance, Brian Krebs uses public, open sources to discover the true names behind pseudonymous Twitter users; in another, people post home addresses and phone numbers.

I'm not asking why it would violate a norm to post home addresses or phone numbers; it's clear to me why that's problematic.

I'm asking what obligation Krebs has to pretend he doesn't know who a Twitter user is, when that information is available to anyone who knows how to consult public sources to find it. Why is Krebs obligated to help someone remain pseudonymous? It seems clear to me that he is not.

[rndgermandude]

Most doxers use public, open sources to discover the true names behind pseudonymous users. And their addresses. People make mistakes, sometimes even about other people's data. Sometimes people have no choice because a lot of the information is public record.

That isn't an excuse for compiling this information and publishing it as wide a possible. You still have to consider the implications if you want to act morally and in good faith.

Think of the stupid pseudonymous twitter user who made a really abhorrent, ill-considered joke and the people used "public information from public sources" to first get to their real identity and then crawl further until they find their employer and get the person fired. The person who did the research and then started the witchburning by publishing the information so that every other bored twitter user could write easily write a mean email to the employer should have considered what compiling and publicizing that dox could do.

Also, I think Krebs does take this into consideration, and is generally acting in good faith and with consideration, it's just that I disagree with his conclusion sometimes.

[tptacek]

I'm still lost. What obligation does Brian Krebs have to pretend that the real identity of a pseudonymous Twitter user isn't discoverable from open sources, or to help conceal that identity? I submit that he has no such obligation, but that message board people like to pretend that he does, and that contravening that norm constitutes the real-world offense of "doxxing". Baloney, I say. Am I wrong? Educate me.

If he's posting home phone numbers or addresses, I'm clear on what the problem is. But if you have a public LinkedIn profile and don't have the OPSEC to keep public sources from linking your secret Twitter handle to that profile, I don't see any problem at all.

[rndgermandude]

What obligation? A moral one. Do no harm.

[tptacek]

I do not have a general moral obligation to actively help shield you from the consequences of your own speech, however harmful they might be.

[rndgermandude]

I am rather speechless... This is just... wow.