What Is Doxxing And Why Is It Bad?

Normal people (those who do not work in infosec) are generally suspicious of someone who wears a mask, who uses an obviously fake name, or who does not present themselves as a real person on social media websites. Their first thought is usually "what do they have to hide?" and many struggle to understand why security researchers sometimes deliberately conceal their real identity online at all times.

It's A Jungle Out There

The truth of the matter is that it's a jungle out there, one filled with all kinds of animals, some of which are dangerous. Infosec is an industry where criminals, law enforcement, white and black hat hackers, nation state actors, hacktivists, journalists, and information security professionals all operate in the same space and you can find a competing agenda or some sort of low level conflict around every corner.

Many infosec professionals and security researchers are engaged in work against serious organized cybercrime groups, adversarial nation state actors, as well as script kiddies and hacktivisits who are engaged in criminal activity or behavior.

“Every time you name yourself, you name someone else.” ― Bertolt Brecht

Others conduct security research and focus on disclosing security vulnerabilities to organizations, something which carries a significant amount of legal risk for the researchers, even when done responsibly.  I have seen security researchers attacked, sued, slurred, accused and arrested when they try to tell organizations about their vulnerabilities, too often do organizations lash out and try to shoot the messenger.

Unfortunately there are also trolls, serial harassers and people who try to make life hard for you if they discovered your true identity. There are toxic people in every industry and infosec has its fair share, people who will call your employers to try and have you fired if you disagree with them publicly, or say something they do not like. There are people who harass women and make life hell for them, this happens more often than anyone wants to admit and is a real problem for women in infosec.

“With his mask and my sword, we could subdue the shadows.” ― Fawkes

There are lots of legitimate reasons for law abiding infosec practitioners to wear a mask, it keeps them safe from those who would harm them and cause trouble for them because of their work and because of who they are, or who they work for.

Wearing A Mask Allows You To Be Yourself

Over and above the obvious allure of completely reinventing yourself online, wearing a mask allows you to be yourself. If you enjoy a position of prominence within our space, or work for a public corporation, you are open to much more scrutiny over the things you say publicly and bound to offend someone at some point.

Wearing a mask lets you speak your mind and lets you participate in infosec culture and it's communities without worrying about a toxic person trying to sabotage your professional life and relationships, or targeting you for other reasons.

There are lots of women out there who wear a mask when they engage with different communities, it helps them avoid a lot of toxic behavior in predominantly male communities. For lots of people a mask is something that helps them breathe and stay beneath the radar in a space where they would normally attract attention.

Of course the criminals wear masks too, but there are many more reasons why you should wear a mask in infosec that have nothing to do with being criminal, racist or offensive. More often than not a mask wearer is simply protecting their own privacy.

What Is Doxxing And Why Is It Bad?

Doxxing is an old school hacker culture revenge tactic, it involves revealing and publicizing records of an individual, records which were previously private or difficult to obtain. When you doxx a person and publish their contact details, home address or identity online you are publicly removing their mask and this is something that is taboo in the infosec space. Those who dox others are usually vilified by their peers for it and it is seen as a bad thing by our community.

“The irony of life is that those who wear masks often tell us more truths than those with open faces.” ― The Rose Society

Revealing the public identity of a masked person could have disastrous consequences for them, especially if they have had a long career in infosec and enough time to have made enemies for whatever reason. By removing their mask you expose the individual to attack from anyone who wants to take a shot at them and make life difficult for them, or even try to take revenge for past injustices.

As Ray Redacted explained in his “History of Hacking” talk at Blackhat 2017:

"The term “doxxing” (often spelled “doxing”) originated in the 1980’s BBS scene, when participants in warez cracking groups would settle vendettas by publishing “docs” about their enemies.  The purpose of the publishing od docs or personal information was to drive an online persona (handle) underground for safety reasons.  By revealing a famous crackers real name and address, it was virtually assured that this person would no longer use that handle or even be associated with that cracking group. Over time, the practice moved from dial up BBS's, to IRC, to Usenet, and eventually to all types of online forums and social media platforms including Twitter. But one part has not changed: the practice is designed to intimidate or harass people who would rather remain anonymous."

The only time when it is considered acceptable to doxx a person is if they are engaged in negative, blatantly criminal, or harmful behavior against another person, group, or organization. Only then can you doxx a person publicly without fear of repercussions from the wider infosec community, sometimes your work unmasking the perpetrator would even be considered a pubic service. Those who would harm others with their actions do not deserve to wear a mask and conceal their identity.

The worst possible reason for doxxing another person is because you disagree with them, whenever I have seen this the person doing the doxxing has felt a strong response from the wider infosec community, especially if they enjoy a position of prominence in our space. When journalists doxx people for the wrong reasons they suffer an immediate backlash and draw ire from the infosec space, depending on their position and status their credibility may never recover and people will be a lot more reluctant to share information with them in the future. It's a really bad move.

Let Infosec People Wear Their Masks

One of the great things about twitter is that it is incredibly tolerant towards those who wear masks compared to other social networks, you can even get verified while wearing a mask. Unlike in other spaces where wearing a mask would be frowned on, wearing a mask in infosec is seen as a positive thing, it lets our space express itself, it allows participants to engage with the wider community and enables our seniors to share their experiences and knowledge with others while protecting their privacy.

In the infosec space assuming the worst about a person in a mask would be a mistake, our brightest and best wear masks when they engage with the community and it is not something that any of us are suspicious or worried about.