[HN Gopher] Sherlock: Hunt down social media accounts by usernam...
___________________________________________________________________
Sherlock: Hunt down social media accounts by username across 400
social networks
Author : leonry
Score : 139 points
Date : 2024-12-25 17:14 UTC (5 hours ago)
(HTM) web link (sherlockproject.xyz)
(TXT) w3m dump (sherlockproject.xyz)
| mrkramer wrote:
| Nice OSINT tool.
| pluc wrote:
| So what's a non creepy use for this?
| mrkramer wrote:
| Cybercrime research; locate malicious actors across social web.
| hn_throwaway_99 wrote:
| I think the "non creepy" use is really just making people aware
| how easy it is to correlate all your different traces online.
| It's like when someone released on HN a tool that would link
| various HN accounts (and maybe Reddit accounts too IIRC), but
| by looking at commenter word choice similarity.
|
| It makes people realize that actual anonymity online is a
| smokescreen.
| deadbabe wrote:
| Finding usernames that you can register and own across all
| social networks.
| anticorporate wrote:
| *For some very narrow, twisted definitions of the word "own"
| hooverd wrote:
| That's the great part- there isn't. Following people you like
| on every platform I guess.
| diogonr95 wrote:
| It's also a great education tool to showcase the need to be
| careful about internet hygiene. The creeps have done this sort
| of thing for decades
| lupusreal wrote:
| Like hiring a PI to follow people around to educate people
| about stalkers.
| jedberg wrote:
| Seeing what it finds about yourself?
| some_random wrote:
| Realistically it's doing this to people who deserve it, trouble
| is that no one is going to agree on that criteria
| s1artibartfast wrote:
| Who deserves it, and what is "it"?
| Mountain_Skies wrote:
| To socially harass and drive to suicide anyone that doesn't
| conform to the dominant cultural outlook. Think that's creepy?
| Well, you just made the list!
| yieldcrv wrote:
| I'm on a lot of lists and still have TSA Precheck, Global
| Entry, can hold US security clearances, pass professional
| background checks
|
| so what are you lesser relevant people worried about exactly?
| Tepix wrote:
| Is it creepy if you google a job candidate?
| naavis wrote:
| In many parts of the world it is illegal for a recruiting
| party to search for information on a candidate without their
| consent.
| JSteph22 wrote:
| Whichever parts of the world that may be, you can guarantee
| that it happens anyways.
|
| Unenforceable rules are never followed.
| EGreg wrote:
| Letting a person sign up on your site and choose to import
| stuff they've put onto other sites under that username, maybe.
| fragmede wrote:
| Clean up the online footprint for someone that hires you to do
| so before they run for office. I don't remember every single
| web site I've ever signed up for going back to when I started
| using the Internet, and neither can you.
| pluc wrote:
| Internet Archive likely renders that point moot, no? There are
| plenty of sites that index tweets outside of Twitter for
| example... at least there used to be
| jdiff wrote:
| The Archive is _much_ less discoverable. There's no search
| engine for the wayback machine.
| webdevladder wrote:
| Reminder that malicious impersonation is common and easily
| automated with LLMs.
| gotoeleven wrote:
| This will be very handy because when I see someone post something
| I disagree with on HN I can also go downvote them on reddit and
| swipe them in the ugly direction on tindr and/or grindr. I am
| justified in doing this because everything I don't like should be
| banned.
| penguinburglar wrote:
| Don't forget to report the reddit posts for suicide concerns.
| jmyeet wrote:
| Remember when IPv6 decided on 128 bit addresses and defaulting to
| /64 blocks because someone thought using a 48-bit MAC address as
| the IPv6 equivalent of a port was a good idea? Fast forward a
| decade or two and we realize how this is a PII leak issue so
| nobody does it but we're still stuck with 128-bit addresses (for
| those who use IPv6).
|
| There are several things that are a security issue or simply a
| privacy issue. These include:
|
| - Your username (as I assume this tool is demonstrating)
|
| - Your email address. While this is treated as your "public
| identity" to some extent, I think we're rapidly approaching a
| point where we need to not do this;
|
| - Your phone number; and
|
| - Your profile pic. I would advise to never use the same pic
| across accounts and certainly don't use services like gravatar
| (if that's still a thing).
|
| Email is particularly problematic because you can end up on spam
| lists if a site is compromised and you can't really identify
| where it comes from.
|
| What I think we need is a more integrated solution for logging in
| and creating throwaway addresses (eg like SimpleLogin) so it's
| basically seamless. Gmail seems well-positioned to do this. I
| honestly don't know why Google hasn't done this.
|
| Interestingly, Facebook Groups seem to handle this kind of
| anonymity reasonably well. Each group you're in is a separate
| profile. You can't find out what other groups someone is in from
| either their personal identity or any group's identity. Weirdly,
| your FB profile is associated with any pages or profiles you
| comment on.
|
| It should be clear to these companies by now that people want to
| silo their public identities (aka pseudonymity).
| gonzo wrote:
| > Remember when IPv6 decided on 128 bit addresses and defaulting
| to /64 blocks because someone thought using a 48-bit MAC
| address as the IPv6 equivalent of a port was a good idea?
|
| No, I don't, and I'm well-aware of EUI-64.
|
| IPv6 uses 128-bit addressing because some on the design
| committee or making comments on the drafts thought that 64 bits
| might not be enough.
| tonmoy wrote:
| For people who want to have a professional social presence
| (FB/linkedin) as well as an anonymous one (Reddit etc), it'll be
| super useful to see if the accounts are truly unlinkable.
| Moreover if you are opening a new anonymous account, maybe a good
| idea to search the new username using this tool to make sure it's
| not "taken"
| dylan604 wrote:
| Until some ML process is learned to give a probability that
| accounts are the same based on writing styles
|
| Staying anonymous is very difficult
| cootsnuck wrote:
| Then people will start using browser extensions that
| automatically "fuzz" your writing style randomly. That is, if
| chasing anonymity is someone's true goal.
| mikeodds wrote:
| Using stats this is called stylometry and I agree this will
| probably be easier at scale now. You can also match posting
| windows, pull additional features from database dumps/hacks.
|
| Fun post applying it to HN, not sure if the site is still
| live: https://news.ycombinator.com/item?id=33755016
| philipkglass wrote:
| Stylometry tools may be useful if you already have a small
| candidate pool of suspected aliases. They produce too many
| false positives to be useful for blind cross-linking of
| accounts. Once or twice somebody has done stylometric
| analysis of HN accounts and I've looked at the results for my
| accounts. Even though I don't try to obscure style across
| accounts, stylometry didn't match my actual accounts with
| each other. My top matches were for accounts controlled by
| other people.
| BoxedEmpathy wrote:
| I specifically write with different perspectives, tones, and
| opinions on different sites in a probably vain attempt to
| mitigate this.
|
| For example, on YouTube I use twitch slang, and on Reddit I
| use TikTok slang, and on TikTok I use reddit slang. On
| hackernews I use a slightly whimsical pedantically-infused
| undergrad tone.
| s1artibartfast wrote:
| I don't plan to run for president or anything, but find myself
| increasingly censoring my online speech. I think the biggest risk
| is some out of context post being pulled into a civil suit, or
| professional cancellation following that.
|
| Things like advice in an alcohol recovery forum would be prime
| evidence for a liability suit.
|
| There are also groups that vacuum the internet for offensive
| posts, and use them to try to get people fired for things they
| said 10 years ago.
|
| At this point, I assume all internet activity can and will be de-
| anonymized, and restrict my speech accordingly. I'm sure there
| are some meaningful precautions and nuances, but it is too much
| to keep up with.
| yieldcrv wrote:
| Being authentic is the ticket to public office now
|
| I'm kind of glad that the value of blackmail futures has
| plummeted to zero
|
| I always thought millennials would be the culprit because
| millennials have so much online, but nope, it was just old
| fashioned baby boomers that have spearheaded it and double down
| on their indiscretions to be the role models for the country's
| top offices
| exe34 wrote:
| "criminal activity?"
|
| "no sir."
|
| "for god's sake Baldrick, you're running for parliament. I'll
| put fraud and sexual deviancy."
| echelon wrote:
| Only for this cycle. The pendulum will swing back to
| cancelling and pitchforks after this era of cult of
| personality.
| EGreg wrote:
| I thought canceling never stopped. It was just politically
| motivated.
|
| (Ironically, Dems eat their own for that stuff, so maybe
| "politically motivated" doesn't quite capture it... compare
| e.g. Al Franken and Katie Hill vs Roy Moore or Matt Gaetz)
| seanmcdirmid wrote:
| Democrats cancel and Republicans mostly double down. I
| don't think there is anything Trump can do at this point
| to horrify or even just dissuade his base, for example.
| blooalien wrote:
| > "I don't think there is anything Trump can do at this
| point to horrify or even just dissuade his base, for
| example."
|
| Pretty sure it's pretty close to true at this point that
| he actually _could_ get away with literal cold-blooded
| murder in public at this point and his cult would fold
| themselves in half backwards tryin' to justify it
| somehow. [0]
|
| [0]: https://www.snopes.com/fact-check/donald-trump-fifth-avenue-...
| dylan604 wrote:
| what evidence do you have that this is true. at this point,
| a new theory of physics will be trotted out that shows a
| pendulum does not have to swing back. it will become
| trending on all the socials so that people believe. it
| therefore becomes the de facto truth, and the cult remains
| yieldcrv wrote:
| I don't really get that impression, in my experience people
| just realize cancelling is a two-way street and stop it
|
| I've been told "I'm making someone uncomfortable" and I
| said "they're making me uncomfortable", and follow that up
| with "why are you _privileging_ their discomfort over mine"
| and when they or the mob say something gendered or sexist
| as the explanation, then I get to cancel all of them or get
| a nice fat paycheck
| s1artibartfast wrote:
| I think that reality is much more heterogenous. Say some edgy
| or unpopular things 10 years ago, and they can still be
| shared with your boss and blasted across your employer's
| social media channels. The social consensus and average
| result doesn't preclude damage in some cases.
| dragonwriter wrote:
| > Being authentic is the ticket to public office now
|
| No, it's not.
|
| The preferred image may be more combative, aggressive, and
| anti-social than in the recent past, but as always adherence
| to it is more important than actual authenticity.
|
| > I'm kind of glad that the value of blackmail futures has
| plummeted to zero
|
| It hasn't, though the value function for current negative
| information is different, so things that were once valuable
| for blackmail or otherwise harmful to public image are less
| so (and things that were not are moreso.)
|
| > I always thought millennials would be the culprit because
| millennials have so much online, but nope, it was just old
| fashioned baby boomers that have spearheaded that double down
| on their indiscretions and are the role models for the
| country's top offices
|
| The only boomer I can think of that you might be talking
| about denies them constantly (even if there is past
| documentation of his acknowledging them in a general sense)
| and is supported by favor-currying media magnates who either
| actively promote propaganda favoring his messaging on that
| or, at a minimum, actively spike critical coverage.
|
| And even within his movement and with the support of his cult
| of personality and the same favorable media, others in his
| orbit have often been less successful in having their
| indiscretions given a pass (see, e.g., Matt Gaetz's
| nomination for Attorney-General of the United States.)
| dylan604 wrote:
| > for things they said 10 years ago.
|
| I don't think this is an automatic negative as you are
| implying. There's definitely lots of qualifiers involved
| though. There would have to be significant evidence to show
| that the sentiment expressed is still no longer held which
| could be more than problematic to prove. If it was someone up
| for supreme court justice that posted pics showing how much
| they liked beer and their antics as a party person could be
| shown as lack of maturity by comparing that they no longer
| drink now. Someone posting racist comments would be much harder
| as you don't really know if they've changed their view or just
| learned not to post publicly their views.
|
| Edit: automatic negative should really read automatic
| disqualifier
| iinnPP wrote:
| I'm at a loss for how your example doesn't lead to
| automatically negative.
|
| Don't post something harmless today that will be deemed a
| "dog whistle" in 2035 so that you don't have to prove a
| negative?
|
| I don't mean to be critical here, it's a genuine ask.
|
| And to add to the above, my post is the kind of post that
| would be gone. If I was taking a similar stance.
| dylan604 wrote:
| Having the right/freedom to post anything you want does not
| mean there shouldn't be consequences for those posts later.
|
| Age of post should just not be an automatic "but it was 10
| years ago" get out of jail free card. If there's compelling
| evidence it was just a stupid thing someone did as a teen,
| then we can have that conversation. If it is a post from
| someone in some position of leadership that is 10 years old
| but was made in their 40s is not the same "I was an
| immature teen" situation.
| DaSHacka wrote:
| Ah, so you're who GGP's talking about.
| II2II wrote:
| That second example pretty much demonstrates why it is so
| dangerous. There were attitudes that were commonplace 30
| years ago that are now considered racist, in many cases
| because they were racist, that people don't subscribe to
| today. I imagine the same can be said about 10 years ago.
| People's values change. We should not be giving them life
| sentences when they have reformed their attitudes and
| behaviors, otherwise the incentive to reform is taken away.
| exabrial wrote:
| It's a relatively new and novel thing for people your age to be
| able to look up anything online, to the point where it's
| scandalous.
|
| This card will be played over and over again by politicians,
| influencers, prosecutors, police, etc, until the smartphone-
| from-birth generation reaches office. At that point, it'll be
| so easy to dig up dirt on anyone, people will just stop caring
| (as they should anyway).
|
| We're just in a weird transition period right now.
| s1artibartfast wrote:
| I'm not so confident. Digital natives seem just as eager to
| apply purity tests as anyone, if not more so. Throwing rocks
| still feels good, even if everyone is living in glass houses.
| It was true in the 1300's when the saying was coined, and is
| still true today.[1]
|
| https://www.bookbrowse.com/expressions/detail/index.cfm/expr.
| ..
| ChrisMarshallNY wrote:
| There was a story, a couple of years ago, about a teacher who
| got fired, because she posted a picture on Facebook, holding a
| margarita, or something. She was on a vacation in the
| Caribbean.
|
| One of the parents saw the post, and raised a stink.
|
| Now that I'm retired, it doesn't really matter that much, but I
| do my best to behave well (this joint is pretty much the only
| place I post much). In the past, I was not so circumspect. In
| fact, I was a troll.
|
| I remember once, signing up for Disqus, and they came back, and
| said something to the effect of "We found all these posts from
| around the Internet. Would you like to claim any as yours?"
|
| Included, were some of the worst troll posts I'd made, many
| years ago, under the _[obviously mistaken]_ assumption that
| they were anonymous.
|
| I nuked the signup, and went and had a lie-down.
|
| Since then, I have never bothered to try being anonymous. I
| probably could, if I wanted to, but I'd rather just stay
| public, and not say stuff that I'd regret.
| null0pointer wrote:
| > try to get people fired for things they said 10 years ago
|
| I assume the implication here is that the thing they said 10
| years ago was less inappropriate back then. So how do you
| predict sensitivity changes 10 years in the future to limit
| your speech today? Even if you delete posts after, say 1 year,
| archives exist. Shouldn't you just not say anything if you're
| afraid of this? Maybe discussion of self-censorship like this
| will be taboo in 10 years and the ship has already sailed.
| Tepix wrote:
| And _this_ makes it obvious why you should use a unique username
| everywhere!
|
| It makes pervasive tracking a lot harder.
|
| Also when you do any research on health related topics, be extra
| privacy conscious.
| dylan604 wrote:
| just to be slightly pedantic as there are still sites that have
| screen names vs account names where the screen name the public
| sees has no correlation with the account name (typically an
| email account).
|
| so don't re-use email accounts across sites. SecOps matter
| Tepix wrote:
| Yes, another thing you can do is use email subaddressing for
| every account you create, ideally with a non-default
| separator (i.e., not "+").
| dylan604 wrote:
| Doesn't this subaddress all just resolve to the same
| account? The accounts are free, so just make up a
| completely different account. Yeah, it might get a bit of a
| mess for a user to manage, but that's what password
| managers are for.
|
| let's face it, we're not talking about Joey Beercan doing
| this. Anyone even tossing around the term SecOps is already
| moved out of mass populace and into the somewhat informed.
| Someone practicing SecOps would definitely be the type to
| use some sort of credentials management. So I don't think
| unique totally unrelated emails is too much of a burden.
| Using different free email providers is even better.
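Added example (not part of the thread): a self-audit of your own alias list that contrasts the three options discussed above, "+" subaddressing, a non-default separator, and unrelated accounts. The addresses, the separator guess list and the function names are assumptions made for illustration.

```python
from collections import defaultdict


def canonical(addr, separators):
    """Lower-case the address and cut the local part at the earliest separator."""
    local, _, domain = addr.strip().lower().rpartition("@")
    hits = [local.find(s) for s in separators]
    # Ignore "not present" (-1) and a separator in first position (0).
    cut = min((i for i in hits if i > 0), default=len(local))
    return f"{local[:cut]}@{domain}"


def linked(addresses, separators):
    """Group addresses that collapse to the same mailbox; singletons are dropped."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical(addr, separators)].append(addr)
    return {box: members for box, members in groups.items() if len(members) > 1}


def audit_aliases(addresses):
    """Linkable groups under two assumed levels of effort by whoever holds the list."""
    return {
        "plus_only": linked(addresses, "+"),
        # Assumed guess list. "-" also occurs in ordinary local parts, so this
        # level over-merges, which costs a correlator very little.
        "common_separators": linked(addresses, "+-="),
    }


# Constructed addresses on reserved .example domains.
SAMPLE = [
    "sam+forum@mail.example",     # default "+" subaddressing
    "sam+shop@mail.example",
    "sam-health@post.example",    # non-default separator
    "sam-games@post.example",
    "qx7rk2@inbox.example",       # unrelated accounts at different providers
    "v9mlt4@letters.example",
]

if __name__ == "__main__":
    for level, groups in audit_aliases(SAMPLE).items():
        print(level)
        for mailbox, members in groups.items():
            print(f"  {mailbox} <- {', '.join(members)}")
```

The "+" aliases collapse at the first level, the "-" aliases survive it but collapse at the second, and only the unrelated accounts stay unlinked at both.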
| nurettin wrote:
| This is why I try to use the same name across websites. I want
| to be identified as the same person. Just resist the urge to
| post information you don't want others to have.
| betaby wrote:
| > Just resist the urge to post information you don't want
| others to have.
|
| Self-censor you mean?
|
| I personally like that information anonymous account `William
| Shakespeare` posted around 1585-1613.
| cruffle_duffle wrote:
| The secret is multiple accounts. I too have a Brand Name
| Account(tm) I like to float around but it sure as heck isn't
| this one.
|
| Doing the multiple account thing isn't as easy as it sounds
| though. Some sites like Reddit make switching between
| accounts incredibly easy while others aren't so much. Plus
| laziness kicks in and soon enough your Brand Name Account
| gets tainted and you have to consider taking it out back to
| the dumpster.
|
| Such is life I guess.
| moehm wrote:
| > Doing the multiple account thing isn't as easy as it
| sounds though. Some sites like Reddit make switching
| between accounts incredibly easy
|
| And it's as easy to dox yourself by responding with the
| wrong account, as I have seen multiple times on Reddit.
| prophesi wrote:
| We often don't know what is or isn't information we don't
| want others to have, and it will be a lot harder, if not
| impossible, to delete it after-the-fact. Especially when you
| consider how it only takes a few innocuous data points to
| derive what might be information you'd rather not disclose.
| karlzt wrote:
| Or better yet, be extra privacy conscious with everything you
| do.
| w4ffl35 wrote:
| I strongly suggest the opposite. Collect everything and do on
| a personal site, do good seo on your pages, expose your
| content. Go totally anon for anything you don't want exposed
| of course. But you should expose as much of yourself as
| you're able and control the conversation.
| morkalork wrote:
| In what kind of dystopia would one need to hide doing research
| on health related topics? Oh, right.
| w4ffl35 wrote:
| Actually, this makes it obvious why you should keep a page that
| contains all your links. It's easy to just make an account and
| pose as someone in order to destroy their reputation. It's also
| difficult to get unique accounts, often times my accounts
| overlap with existing names. Even my real name is shared with
| many people. Employers who use technology like this are
| actually quite foolish to do so.
| mrtksn wrote:
| >And this makes it obvious why you should use a unique username
| everywhere!
|
| Actually I was disappointed by the post, I was hoping it will
| be able to find the same person regardless of the username
| through analyzing the writing style, what they are talking
| about, the timezone etc.
|
| The username doesn't prove anything, anybody can take any
| username anywhere. If someone targets you, they can take
| usernames on platforms you haven't claimed your username yet
| and pretend being you and damage your reputation.
| portaouflop wrote:
| That's why you should claim your main handle on all
| platforms, just don't use it if you want privacy.
| mihaaly wrote:
| Using online services requires so much special attention it
| starts to weigh up to the benefits given. Considering the
| risks, it is already on par with the value delivered.
| blindriver wrote:
| I haven't used my real name online since the late 1990s once I
| realized things are stored forever.
| jackconsidine wrote:
| I've successfully used Sherlock to track down a colleague that I
| only connected with on MeetUp. It's an amazing tool. Worth
| running on your own usernames as an easy account inventory
| ksynwa wrote:
| Is it querying an offline or an online database? Because if it's
| the latter I hope people don't give it their various disparate
| usernames allowing them to link them together.
| jdiff wrote:
| It doesn't query a database, it queries the individual sites.
|
| https://github.com/sherlock-project/sherlock/blob/master/she...
| geor9e wrote:
| It's essentially a loop that fetches www.whatever.com/username
| and does a regex for "user not found". It then outputs a list
| of links, to possible profile pages. Pretty simple tool, but
| speeds up a standard investigation technique.
| EGreg wrote:
| Worth noting that the search bar on top searches the site / code,
| and is not part of the actual search by username!
| n8henrie wrote:
| I get this error upon first run, both with pipx and with a
| regular venv:
| https://github.com/sherlock-project/sherlock/issues/2294
| throwaway78122k wrote:
| What's this tool vs typing a user name in google to find similar
| to same info?
| betaby wrote:
| Even less useful than google for a couple of monikers I tried.
| lakomen wrote:
| Why is this not a website but I have to install something?
| ivanmontillam wrote:
| I would assume it's because checking usernames using your own
| IP address leads to better results while making it a website
| would forcefully make it a SaaS (to cover cloud costs).
|
| I'd argue instead why is this not a GUI? Making it a CLI makes
| it less user-friendly.
| keyboardJones wrote:
| I would guess to prevent IP address blocking, or offloading
| responsibility
|
| Edit: added "to prevent"
| pimlottc wrote:
| Because not everything is a website?
| Gooblebrai wrote:
| The tool didn't work as well as I expected. It claimed to have
| found the username I entered on 40 websites, but when I followed
| several of the provided links, they led to 404 error pages.
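Added example (not part of the thread and not Sherlock's own code): the regex-only check described in the comments above, next to a stricter three-way check, run offline over constructed responses to show how a 404 page with different wording or a rate-limit page ends up reported as a hit. The `Response` class, the "user not found" rule, the username and the sample pages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Constructed stand-in for an HTTP response; nothing here touches the network."""
    status: int
    body: str


# Assumed per-site rule: the wording this hypothetical site uses for a missing user.
NOT_FOUND = re.compile(r"user not found", re.IGNORECASE)


def naive_check(resp):
    """Regex-only check as described in the thread: a hit unless the phrase matches."""
    return "missing" if NOT_FOUND.search(resp.body) else "found"


def strict_check(resp, username):
    """Three-way verdict: 'found' needs positive evidence, anything unclear is 'unknown'."""
    if resp.status in (404, 410) or NOT_FOUND.search(resp.body):
        return "missing"
    if resp.status != 200:
        return "unknown"  # 403, 429, 5xx: blocked or throttled, which proves nothing
    # Positive evidence: the username appears in the page as a whole token.
    token = re.compile(rf"(?<![\w-]){re.escape(username)}(?![\w-])", re.IGNORECASE)
    return "found" if token.search(resp.body) else "unknown"


# Constructed sample pages for the hypothetical username "alice_k".
SAMPLES = {
    "real_profile": Response(200, "<title>alice_k (@alice_k) on ExampleSite</title>"),
    "plain_missing": Response(200, "<p>Sorry, user not found.</p>"),
    "reworded_404": Response(404, "<h1>This page doesn't exist</h1>"),
    "rate_limited": Response(429, "<h1>Too many requests</h1>"),
    "soft_404_home": Response(200, "<title>Welcome to ExampleSite</title>"),
}


def compare(username="alice_k"):
    """Return {sample name: (naive verdict, strict verdict)} for the constructed pages."""
    return {name: (naive_check(r), strict_check(r, username)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        flag = "  <- false positive in the naive check" if naive == "found" != strict else ""
        print(f"{name:14} naive={naive:8} strict={strict:8}{flag}")
```

An error page that returns 200 and echoes the requested name would still pass the token test, so a reliable verdict needs a per-site positive marker as well.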
| casey2 wrote:
| It's a really overengineered fn() { browser site1/$1 site2/$1 ...
| }
|
| Tools like these insult the users' intelligence and generate
| needless drama[1] the only data needed are the urls from
| https://github.com/sherlock-project/sherlock/blob/master/she...
|
| [1]
| https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to...
___________________________________________________________________
(page generated 2024-12-25 23:00 UTC)