Online Abuse Crisis Helpline, resource center, and advocacy group. Staffed by survivors, trying to make the internet a safer place. www.crashoverridenetwork.com
Crash Override is proud to announce sponsorship from Feminist Frequency. By accepting tax-deductible donations through this partnership, Crash Override will be able to greatly expand operations and assist more people, all for free. Together, Feminist Frequency and Crash Override will work to make a safer internet for everyone. We’ve been going through some major internal changes as we grow, and funding will go a long way to help us provide better training, security, tools, and programs both internally and externally.
We’ve also developed a new tool we call COACH - Crash Override’s Automated Cybersecurity Helper. Co-founder Zoe Quinn used the same tools she uses to make games to make an interactive, easy-to-follow security checklist that allows anyone to secure their accounts, remove personal information, and protect their privacy at their own pace. While we love having in-depth and comprehensive guides, they don’t work for everyone. After looking at success rates from manually walking someone through locking their accounts down, versus just giving them a guide, it became clear that we could help a lot more people if we were able to take them through step by step. Since we can’t be everywhere at once, why not make a program to help others do some basic digital self-defense at their own pace? We’re hoping that COACH can use the strength of interactivity to fill in the gaps and assist more people.
The partnership and COACH aren’t the only new things. We’ve overhauled our website to better reflect who we are as an organization. New logos, new aesthetics, new everything. Functionality is a lot better now too - not only are there some cool new accessibility features, but everything is cleaner and easier to find now.
Since launching in January 2015, we’ve assisted over 1,000 people with our casework and countless more with the guides in our public resource center. Crash Override has advocated for our clients to tech giants like Twitter and Google, and in the public eye at Congress and the United Nations. In the next year, we will continue to seek out and build relationships with more tech platforms, advocacy organizations and activists, policy makers, and influential voices.
One of the most frustrating aspects of dealing with online harassment is trying to accurately communicate what is happening to you to the people in your life in a way that they might understand. What seems like an all-consuming tidal wave of hostility and credible threats to someone who works online can seem trivial to people who don’t have that kind of relationship with the internet. We’ve assembled a few basic tips that we’ve found help the less tech-savvy people in our lives understand the very real toll of internet harassment, as well as some basic tips to get on the same page with the people in your life and law enforcement, in the event that you unfortunately need it.
Assess their tech literacy first. A too-common way to alienate someone you’re trying to talk to about online harassment is to overwhelm them with terms and concepts, especially if you’re stressed or panicking. If you’re unsure, try to gauge their familiarity with the technology and services the harassment is taking place on, or how much they know about the internet in general. If you’re someone who spends a lot of time online, it can be easy to forget how people could ever live without it.
Don’t overuse jargon. Ever see those scenes in Star Trek where they’re talking about a specific engineering malfunction and using made up words to be really specific? To some people, that’s what it sounds like when you try to explain internet culture. Not everyone knows what Twitter is, much less what it’s for or the cultural norms of using it. Instead of talking about the particulars right off the bat, start with a summary, focusing on what these terms and concepts might *mean* instead of the nitty-gritty blow-by-blow. You can always go into further detail later. Try to find common ground when you can with devices like metaphor or shared experience - the goal is to arrive on the same page, rather than just dump a bunch of information on their head and hope they can make sense of it.
Stress what the internet means for you. A lot of people who do not participate in any facet of internet culture may not understand what the big deal is, and a simple way to convey that is to tell people *why* these services are important to you. Social media is often a major support network for a lot of people, if you do any sort of work and self promotion online it’s a vital part of your workplace, and talking in these relatable terms can make it easier for people to grasp what is happening to you. If it’s applicable to your situation, it helps to have links to major publications that describe the form of harassment you’re facing, especially if an article deals with the same controversy you’re embroiled in. Mainstream sites like the New York Times and The Verge have covered these topics. This may elevate the import and seriousness of what you are talking about to those unfamiliar with what you may be facing, and makes it less likely that family or friends may brush it off.
Sometimes it just won’t happen. Some people are staunchly uninterested in anything having to do with the internet, and may be the type to dismiss you on that alone regardless of what’s actually happening in your life. It’s important to not blame yourself for this - cultural attitudes toward tech are a thing bigger than any single person, and ingrained ideas do not change overnight. It’s important for your own self-care to make sure that you’re not fighting a battle you can’t win - do not be afraid to disengage and agree to disagree when this is the case, where possible. This is, of course, more tricky in situations when you are dependent on the party who might now face tangential harassment from the people targeting you such as when asking a former employer not to give out your information, or when talking to roommates or parents after being doxed. In those cases, it can be helpful to set aside the justifications and simply ask if they can co-operate with what you’re asking of them.
Common sentiments you may find thrown your way, and some sourced counterpoints that may help:
The internet is “real life”. We watch Netflix instead of television, use Google Maps instead of paper maps and send Facebook messages or emails from our mobile devices when we need to get in touch with someone. Making the distinction between the two is silly in 2015.
There is a larger problem of harassment on the internet. Fully 73% of adult internet users have seen someone be harassed in some way online and 40% have personally experienced it (source: http://www.pewinternet.org/2014/10/22/online-harassment/)
A thing to keep in mind is that other people behaving poorly and crossing lines is *not* your fault. You cannot control the actions of others, only your own, and no action should result in widespread harassment. What we are talking about is not being subject to mere criticism, but having your personal boundaries violated or your safety and well-being threatened in a credible and tangible manner. Everyone has a right to be online without having to experience this.
“Can’t you just call the police and leave it at that?”
Dealing with it. It can be profoundly frustrating to not only have to deal with being harassed by a mob, but then have the people in your life struggle to understand what’s even happening to you. Again, make sure you’re caring for yourself, and not taking the blame for cultural attitudes or tech illiteracy that you cannot control. If need be, please contact us at crashoverridenetwork@gmail.com for further assistance, or consider using another service such as 7cupsoftea.com.
Talking With Police
***IF YOU BELIEVE YOU ARE IN IMMINENT DANGER, PLEASE IMMEDIATELY CALL 911 OR YOUR LOCAL EMERGENCY LINE***
The following advice is based off of law enforcement practices in North America. We will update with an additional guide on other countries & international law if and when we have enough of a knowledge base.
Navigating the world of law enforcement can be tricky for anyone, but talking to police about things that happen online can be a whole new level of frustration. Many people don’t have experience with filing police reports, or even talking to the police at all. This is doubly intimidating when dealing with online mob harassment, in which case there are (in most cases) no names, places, or jurisdiction to report on. However, you may end up wanting to speak with the police for any number of reasons, whether that be establishing a paper trail or tipping them off to credible threats to your safety, which they can oftentimes understand in general terms.
When is the right time to call? Sadly, there is no one “correct” answer to all situations. As stated above: if you are in immediate danger, please call 911.
The legal system can be a complicated thing to understand. There is an important difference between criminal matters and civil matters that a lot of people aren’t well versed in. Criminal cases are considered offenses against the state, and the prosecutor works with the police (not the victim) to file the case in court as a representative of the state. Civil cases are disputes between individuals where the plaintiff is trying to get the defendant to right a wrong, usually through compensation. What this means is that a situation where someone is slandering you or trying to ruin your reputation falls more into the civil category, whereas someone sending you threats would be committing a criminal offense. In the case of harassment, it could be both criminal (someone broke the law by sending you threats) AND civil (which caused you some kind of harm you are asking compensation for), but it’s all highly situational.
Police only handle criminal cases. For civil cases, consider contacting a lawyer through a service like avvo.com to get advice on how to proceed - a lot of them will offer free consultations. Some states have restraining orders or abuse prevention orders that apply to online contact, which can be helpful to people dealing with chronic abusers. While these sorts of court orders are generally handled as civil matters, often they require a police report as well.
Police departments can have widely different reporting procedures across the US. Some will send officers to you, some require you fill out paperwork in person, some have online forms for things like prank calls. The best way to find out your local PD’s procedure is to call the non-emergency line and ask about filing a police report.
Outside of that, there are a lot of considerations. Before contacting the police, it’s good to have a goal in mind. Do you want to establish a record of what’s happening to you? Are you afraid of being SWATted? Do you want to get a restraining order? Knowing this ahead of time can help you ask the right questions of the police, and make it easier to handle the situation properly. The trauma of talking about the abuse you’re facing, combined with the anxiety of talking with cops in general can be a nasty combination to have to fight through, and preparation can help you be more effective at handling the situation. Consider even looking at a sample police report to see what kind of information they might be asking of you. Try to think through your answers to these questions before calling, and keep them fresh in your mind. If you feel like it might help, write your planned responses down beforehand so you can keep your composure.
If you decide to contact the police, research your local police department. Find out whether they have detectives who are assigned to online issues. Try contacting them directly, if possible, but if the situation seems urgent, contact an officer who is on-duty and ask them if they can send a copy of their report to the detective or division which seems to cover these issues, if any.
If you are aware of where a particular person who is harassing or threatening you lives, first file a police report with your local police, then also file a second report with the law enforcement agency where that person lives. Be sure to give them the contact information of the officer assigned to your case, as well as the case number (if you have one.)
You may also want to file reports not only with your local police department, but with state authorities (likely your state attorney general’s office or state-level bureau of investigation), as well as with federal law enforcement. On the federal side, you can contact your local FBI office and file a report online at http://www.ic3.gov/.
Restraining & Abuse Prevention Orders
Restraining orders are intended to prohibit imminent harm. The availability and processes of obtaining a restraining order vary from state-to-state. If you’re unsure whether or how to get a restraining order, you may want to contact local domestic violence organizations, or contact the clerk of your municipal or state court to see whether they can refer you to an organization that can help you prepare a restraining order. While most restraining orders are filed without the assistance of an attorney (and judges usually understand that the people filing them may not be familiar with the legal process), it may be helpful to talk to an attorney to help you prepare a restraining order petition or to represent you at any hearings.
However, keep in mind that because restraining orders are intended to prevent imminent harm, you shouldn’t wait to file one. A judge is less likely to issue a restraining order based on what happened to you last month or last year if the person you’re seeking it against hasn’t contacted, threatened, or abused you since then. If you’re unsure, talk to someone!
If you’ve filed a police report, ask the officer whether you should seek a restraining order, or if they can grant you an Emergency Protective Order (if your jurisdiction has this.) If they say that you should, include this fact on your restraining order petition.
If you’ve filed for or received a restraining order, follow through with it. Go to any hearing. If it’s violated, report the violation to your local police department (and to the police department where the other person lives). If the restrained person lives in another state, report violations to local police in both places and to the FBI.
What sort of harassment are you receiving?
There isn’t much the police can do with someone telling you they wish you would drop dead, but if they use details like time and place they can work with you to address your safety concerns. If you have already been doxed, and the person sending you threats has your address or physical location, be sure to mention that. If you’re receiving harassing phone calls, law enforcement is a lot better equipped to deal with that and can act on those calls with more ease than they can act on web-based harassment.
Do you know who is abusing you?
When you file a police report, one of the first things you may be asked about is the identity of your abuser. It’s very difficult to get much done when you have no idea who is doing it, as the police will rarely go out of their way to do things like trace back IP addresses or work with social media. The more details that you can provide about who is doing this to you, the better.
Are the people you’re reporting in the same jurisdiction as you?
Location matters more than you might think. There is frustratingly little a local police department can or will do about abusive people from outside your state, and when you’re dealing with online abuse that is a major problem. If this happens, however, you still need to file a report with your local police department first before much can happen on a federal level - in the event that you do manage to get the FBI interested, they need this report to work off of first. If you are filing a report because you’re seeking a restraining order or abuse prevention order, under the federal Violence Against Women Act (which also applies to male victims), jurisdictions must give full faith and credit to valid orders of protection. Full faith and credit is a legal term that means that jurisdictions must honor and enforce orders issued by courts in other jurisdictions - so your order will apply across state lines.
When did this occur?
Be sure to have specific dates and times on hand for any incidents you are specifically referencing. The legal system runs on details like this, and you’ll save yourself some time and stress by writing down exactly when things took place.
Miscellaneous Advice:
Document everything. For evidence purposes, make sure you archive and backup everything in multiple ways (screenshots, PDFs, and, if possible, tools that can be independently verified, like archive.today or web.archive.org) with a visible URL and date/timestamp where possible. These details are vital if your case ever goes to trial or investigation.
Bring in printed screenshots, not CDs or thumb drives (unless you are submitting audio/visual evidence, in which case thumb drives may be permissible - even still, see if there’s a way you can play such evidence back to a providing officer for use in a report). The easier you can make it for the police to view exactly what you’re talking about, the easier it will be for them to understand what to do with it. Make sure that you have all of your evidence backed up and are not giving the police the only copy - it’s easy for things to get lost in the process.
It may be helpful to organize your documents by keeping a journal. Who said or did what? When did they do it? How did you respond? Where can someone reading the journal find evidence of that conduct? This can be helpful not only in establishing a record of continuous conduct, but in exercising your feelings.
Remember to follow the above tips about describing your internet life in layperson’s terms. Save specifics for when the report is actually being written and don’t overwhelm the officer with details immediately - they will ask you questions when they’re ready, and it’s good to keep your answers simple unless specific details are needed. Consider writing down a concise, high-level statement of what you’re facing ahead of time, like “A group of people have been sending me death threats online”, “A website is hosting pornography of me without my consent”, or “Someone is planning on prank calling 911 to fraudulently claim that I am holding people hostage in the hopes that a SWAT team will be dispatched to my home, and I wanted to give you advance notice.”
Police reports are the first step in the chain of law enforcement’s involvement on any level, and having one for your records can be useful down the road, even if it seems extreme in the moment. Police are always obligated to take a report from you. If they seem hesitant or dismissive, just explain that you would like one for your records and are establishing a paper trail in case you need one later.
Don’t worry if your police report omits or confuses minor details, especially in complicated and lengthy harassment episodes - the officer on duty may already have a hard time parsing the evidence and will likely be primarily concerned with the overall threat and major events. The purpose of a police report is to create a point from which investigators can look into your case. An investigator should contact you if this is the case, and they are the people you’ll want to show everything to.
The level of cooperation and understanding of your local police department can be dependent on the nature of the officer on call to take your report that day. Some are more internet savvy or empathetic, others may be more glib, and their attitude can be affected by everything from the complexity of your situation to your gender or ethnic background. Remember that in keeping the nature of your harassment relatable and the jargon to a minimum, your chances of getting a cooperative and accurate police report without issue are much greater.
Different police departments will have different rules for obtaining copies of your report - some will give you one before you leave if you go in person, others will request you write in for a copy a week after you file. Make sure you know your local PD’s protocols if you need to file a report, and don’t be afraid to ask. Ask for a business card from the officer if need be, as they will typically be happy to provide one. Police reports are created and then occasionally escalated to a detective if there is anything they can act on. Often they tell you that they’ll follow up with you in a few days if you’re not in immediate danger, but they forget sometimes. Don’t be afraid to call back and keep your case number somewhere safe.
Swatting
More people than ever are aware of, and worried about, being swatted. This is highly uncommon in situations where people have not been doxed, and you likely do not need to take action unless you are currently being specifically targeted. SWATing tends to happen post-dox, and while it can happen to anyone, it is more commonly used against celebrities and people who are involved with politics, tech, or gaming. While the police always have to respond to calls where someone is in danger, calling them ahead of time can help de-escalate the situation if you’re lucky. Again though, this all comes down to who is sitting at the desk when your call comes in, but we have seen this work in the past.
While it is our hope that you will never have to deal with the eventuality of a SWATing, there are a few things worth knowing if the worst should come to pass.
If you believe a SWAT is imminent and have any dogs, lock your dogs into a crate (if you have one) or in your car. If the officers can see the dogs are contained they will typically leave them alone. Do not lock them in a room/closet as officers will clear all rooms, and when they open the door in a heightened state of alert, they are more likely to react negatively. Too often, dogs are casualties of overzealous SWAT teams, and keeping them locked up reduces the risk of an officer harming them.
During the first minutes of a SWAT raid, do not try to explain/talk to the cops. Let them determine they are in a safe place first, and that there is no present danger to anyone, then speak calmly to the team leader. Ask for him/her with a simple “Can I speak to your Team Leader?”.
–
If you have any specific legal concerns, please contact your local police department or seek legal counsel from an attorney that specializes in what you’re facing. This guide is by no means exhaustive or the definitive authority on an evolving and complicated subject, and simply seeks to disambiguate a stressful process and share tips from people who have already been through it.
IF YOU FEEL THAT YOU ARE IN IMMEDIATE DANGER, PLEASE CALL YOUR LOCAL EMERGENCY NUMBER
For everyone else, including those curious about doxing and those who have already been targeted, the following is a primer on the realities, pathology, and personal solutions for this particularly nasty form of online harassment.
What is doxing? Have I really been doxed?
Doxing (named for documents, or “dox”) is the public release of someone’s private information. Some argue over what constitutes a legitimate “dox” because of how freely available personal information is online, but at Crash Override, we use the following definition:
“Doxing is the act of publishing someone’s personal information, of which there would be a reasonable expectation of privacy and dubious value to the conversation, in an environment that implies or encourages intimidation or threat.”
This includes information that may arguably be easy to find, such as a home address from a WhoIs lookup or personal photos from Facebook, so long as it is wielded in a threatening manner - for instance, tweeted at someone in response to a disagreement. Doxing is less about the availability of the information, and more about the way it is used to intimidate or harass a target.
Of all forms of online harassment we observe at Crash Override, doxing is one of the most prevalent due to its relative ease and high emotional impact. For harassers, the pathology behind doxing is about rationalizing oneself as “blameless” for pawning off personal information for others to harass with. The person who paints a target on you might not be the one to act on it, but the message is clear: “I can’t be held responsible for what happens next.” Aside from intimidation, harassers will often use dox to create the illusion that they have totally invaded your personal space, even if their information is of limited value or inaccurate.
The most common response to being doxed is fear, if not outright panic. Feeling vulnerable is entirely understandable. Doxing is intentionally designed to violate your sense of security and cause you to panic, lash out, or shut down.
If you find yourself in this position, there’s a lot to consider. Our goal with this guide is to help you navigate your options and better understand your situation. Of course, if you feel you still need advice, please email us at crashoverridenetwork@gmail.com for personalized assistance.
I’ve been doxed - what do I do?
Before you do anything, remember that documenting your doxing is of the utmost priority. Things like screenshots, downloading the webpage, web archive (e.g. https://archive.org/web/ or http://archive.today/ - though it should be noted that using public services like this will make your dox viewable to others using that service), and other methods of record-keeping, preferably with things like timestamps and URLs visible, are crucial for both your own reference and for any third parties who may have an interest in your case. Not only does it create a chain of culpability, but the site of your doxing and surrounding threats can make it much easier to secure police or legal involvement should the harassment escalate.
This doesn’t mean you should leave your dox up if you can help it. Once it’s documented, sites like Pastebin, which are often used to share doxed information, have procedures in place (http://pastebin.com/contact) for removing private information. Twitter has also recently made doxing a violation of their TOS (http://gizmodo.com/twitter-just-banned-revenge-porn-and-doxing-1690916107), and accounts used to harass in this manner can often be reported and the offending posts removed.
When you get doxed, panic can set in quickly. There is no “right” way to feel, as your state of vulnerability and what your personal information means to you is different from person to person. Whatever your initial response to being targeted may be - fear, anxiety, anger, confusion, helplessness - it is a valid and reasonable response to have in the face of such things. Don’t beat yourself up over it, and don’t worry about whether or not your reaction was the right one.
If you don’t feel you are at any great risk, and especially if your dox is comprised of freely-available information and/or sent directly to you in an effort to unnerve you, you may feel fine dismissing it as a cheap intimidation tactic, blocking/reporting the harasser, and moving on. This is often someone just trying to get a rise out of you. However, if your dox contains sensitive personal information, especially things that are hard for people to sniff out with simple detective work, or appears in a public forum where people distribute dox to have others act on it, you may want to take further precautions. This is especially true for marginalized people, especially in the case of trans people who have been deadnamed due to the greater risk of violence that trans people face in society at large.
Do I go public with it?
The first impulse you might have is to immediately alert as many people as you can with a public announcement - in fact, harassers usually intimidate their targets into not publicizing their harassment to deny them needed support. Officers will generally not tell you to stay silent about harassment. This is purely a victim-blaming and silencing tactic. The choice to go public and let people know about your doxing is a personal decision. Going public can expose you to immediate support if you have a sympathetic audience, but carries the risk of increased aggression from harassers. Not everyone has the time, energy, inclination, or freedom to bear further harassment (and, indeed, no one should have to).
There are some good arguments to be made for being initially cautious with information - while sharing your story can bring you support, the most important thing to do right now is to secure yourself in order to not expose yourself to further harm. Immediate announcements can trip up your security efforts - whether or not the information posted about you is accurate, no one is likely to use it to cause you any serious harm without first confirming at least some part of it. Posting “I’ve just been doxed!” on a social media account immediately provides not only a confirmation that your information is accurate, but that you have seen where it was posted, and are properly terrified.
Denying the veracity of any information posted about you can be just as bad. This still confirms that your harassers have gotten your attention, and signals to them that they just need to keep digging. Sometimes, one of the most effective initial public responses is no response at all - don’t make any major changes to posting habits, or visibly show any fear if you can help it. This sends the message that your doxer probably missed the mark, and that the attack was a failure.
You should, however, prepare for more active efforts at verification. Usually, but not always, harassers will test the waters by calling whatever phone number is posted and asking to speak with you, or sending you emails/social media messages in hopes you’ll respond. Keep in mind, however, that with this sort of crowdsourced harassment, multiple unconnected parties may attempt this.
Evaluating Doxing Threats
Upon being made aware of a dox, it’s important to establish what information may translate into credible threats. Oftentimes, doxing is a precursor to more intrusive offline harassment, or comes paired with threats to act on the information revealed. The spillover could be anything from threatening phone calls and mail deliveries to pointed death threats or a SWAT call.
It is sometimes difficult to understand what makes a threat “credible” in relation to a dox. In order to be credible, a threat merely needs to inspire fear of safety by way of dox falling into the hands of people who may not be acting rationally or morally. The mindset of coming under credible threats is perhaps best outlined by this summation from a Reddit user (warning, NSFW language):
Creating this sense of panic is the typical end-goal of a doxing, but even if their intent is only to “harmlessly” ruffle your feathers, once the information is out there, it can pass under the nose of people willing to take it to new extremes. For this reason, it’s important to evaluate the information that they have gathered and the risks associated with that information in order to respond effectively. Any information pointing to your home address or financial information should be treated as a top priority, perhaps involving law enforcement if there are credible threats attached.
Responding appropriately can significantly reduce your stress and help you reclaim a feeling of control over your life. Focusing on hardening the areas they are attacking, and preventing them from ever finding the information they don’t have, can make the harassment you are receiving more bearable and prevent further escalation. Due to the crowdsourced nature of most online mobs and the bully mentality that drives them, “hard targets” are often quickly passed over.
Also, in evaluating your risk profile, the unfortunate truth is that online mobs are particularly vicious and persistent when their victim is a woman, LGBT (particularly trans), disabled, or belongs to a racial, ethnic, or religious minority. If you fit one or more of those elements, the chances of someone acting on your dox increase substantially.
What follows is a cross section of the various kinds of information that diggers will collect, with a summary of how that information can be used:
Home address: The highest risk factor, home addresses often lead to unwanted food deliveries, magazine subscriptions, missionary visits, and COD products, and carry with them the risk of SWATing or physical stalking, harassment, abuse, or assault.
Finances/legal: Credit card numbers, banking information, social security numbers, anything of this sort should be reported immediately to the relevant institutions. Your bank, credit union, and law enforcement will recommend further actions you should take to protect yourself from further fraud and identity theft. Consider if your security questions could be answered by information now contained in your dox (like mother’s maiden name) and change them with your financial institution. Fortunately, these cases are rare, as harassment mobs try hard to avoid drawing too much scrutiny in order to prolong the harassment as long as possible, and openly committing credit card fraud is a great way to get federal agencies involved.
Work/School: Harassment that bleeds over into your workplace or school can be particularly stressful, as abusers will seek to have you sanctioned or even fired by way of mass false reporting. Even without a specific accusation, this harassment can place your job at risk as some employers may find that firing you is simply less trouble than dealing with the harassment. Particular professions, notably those that rely on privileged confidence or involve working with children, are especially sensitive to accusations.
Account Passwords: This becomes quite dangerous, especially if the account has access to reset other accounts or third party posting permissions. Often hijacked accounts are also used to impersonate you. Securing any compromised accounts should be a top priority, ideally adding two factor authentication to any account that supports it. If you suspect one of your accounts has been compromised, immediately attempt to recover it, change passwords, sign out all other sessions, and notify anyone who may have been contacted from it.
Social Media Handles: Social media is principally used as a vector for further harassment and as a source of additional information. Generally dumping this information is somewhat redundant, as harassers have typically already homed in on these public channels as a means of abusing targets long before a doxing. While stressful, this information doesn’t represent a serious breach in and of itself. If more sensitive information was readily available through your social media (such as a phone number on a poorly secured Facebook account) then that info would have been posted as well. Generally respond to these by bumping up privacy permissions, using an auto blocker, so on and so forth. Avoid clicking any suspicious links you’re sent from unknown people, as harassers may be looking for confirmation of your handles or attempting to get you to download malware.
Email: Typically this information will be used to send hate mail, sign you up for spam mailing lists, or register the address for embarrassing forums and services (filling your inbox with confirmation notices). A vulnerability that sets email apart from other social media, though, is that an email address that’s been used to sign up for lots of services, forums in particular, can lead diggers to additional information. Services such as Unroll.me and Mailstrom can help you quickly manage and unsubscribe from junk mail and clear up your inbox.
IP Address: This is often used to find a target’s physical location. While this sounds severe, and does require your attention, a home IP address is of limited use outside of that unless an attack goes unnoticed for a significant time. Check with your Internet Service Provider about changing your IP address - often this is a simple request.
Skype Handle: Skype handles should be treated with particular concern, as many cases we take at Crash Override stem from security holes in Skype and harassers using it as a vector to impersonate you to contacts, or single out said contacts for harassment themselves. Should this be the case, Microsoft thankfully offers live chat support (https://support.skype.com/en/faq/fa10656/what-is-live-chat-support) that allows a representative to freeze your account and return control over to you in short order. Additionally, linking your Skype account to a Microsoft account will allow you to enable two-factor authentication.
Biographical Info: What high school you attended, your sexual history, previous forums you visited, dumb things you said as a teenager: this is a catch-all for information that isn’t directly useful, but can be used to embarrass, slander, or shame you. Details like these are also used by “diggers” to cross reference other information. Depending on the severity and nature of the information, this can translate from a quick episode of doxing to an extended slander campaign as harassers attempt to promote your dirty laundry, no matter how innocuous, untruthful, or irrelevant it may be, simply to get a rise out of you.
Phone Number: An especially obnoxious means of harassment, this will typically result in spamming you with text messages or harassing phone calls at all hours of the day. These may come from the abusers themselves, or from services that they may sign your number up for. In especially prolonged cases of harassment, the only means of alleviating this could be changing your phone number. However, law enforcement has an easier time investigating and prosecuting harassment by phone than it does harassment online, so be sure to document everything if you plan on going this route.
Deadnaming: Deadnaming is a particularly vile and callous form of direct harassment wherein the mob digs up and in some way weaponizes a target’s former name. This is most commonly (though not exclusively) used against transgender individuals, whose birth names can be a source of anguish, or even professional and physical danger. While other doxed information might be passed around for others to act on, harassers will often use a dead name to directly bombard a target to cause them distress. In some cases, we’ve seen things like harassers registering sockpuppet accounts with someone’s dead name and then following their friends on social media. Many social media networks do not consider this a violation of their TOS despite the direct intent to cause suffering, and we are advocating for more networks to address this issue.
Should I wait until I’m doxed to contact the police or family?
If you’ve been doxed (or fear being doxed), the natural extension of that fear is that tangible harassment is not far behind, more so if you’ve been targeted by a group with a history of employing SWAT calls or physical intimidation. Depending on how much information you have about the people targeting you, the police may be of limited use; if all you have is a premonition, they may not be useful at all. However, if the dox is surrounded by any sort of credible intent to follow up on your information, especially specific threats of assault, death, or fraudulent police reports, do not hesitate to contact your local police. We have produced a guide for talking to family and the police about online harassment, which you can find here: http://crashoverridenetwork.tumblr.com/post/113748237272/guide-talking-to-family-police
If the dox does not have any credible followup attached, this is not to say that the situation you are faced with is any less harrowing, or that people may not follow up on the dox. In this stage, self-care, informing relevant parties, and enacting personal security are safe and effective ways to regain control of your life.
Should I Go Offline?
One stubbornly persistent attitude about online harassment is that the victim can “just step away” or otherwise disengage at any point to stop the harassment being committed against them. This is patently false, and again, a victim-blaming tactic - once harassers have you in their crosshairs, their “win condition” is highly situational. Some seek to simply silence you, others to provoke a visible reaction, some to ruin your life and reputation or even cause you physical harm. There might not be a “correct” action in any case, and no guarantee that harassers will stop, especially while your dox are still accessible. If you do step away, it should be a personal decision enacted for reasons of self-care.
Stepping away from online spaces can feel like admitting defeat, like your harassers “won” and have driven you off the Internet; such is the psychological trap abusers intentionally create. Laying low for a while is no different than creating some distance in a high-friction relationship, or taking time off from a stressful job. You have the right to feel safe in social spaces, and you have the right to back away from those spaces.
We often find that cases that benefit from “stepping away” involve people who are targeted incidentally or don’t provide their aggressors with any “entertainment value” from being doxed, leading the mob to move on because of diminished returns on their harassment. However, this also encourages the same aggressors to return to doxing as a strategy any time they want to silence their target. Losing the attention of harassers in this fashion should be treated as an opportunity to harden defenses, such as removing dox from websites and taking countermeasures like registering for WhoIs privacy (all explained in our guide here: http://crashoverridenetwork.tumblr.com/post/108387569412/preventing-doxing), or in severe cases, changing things like phone numbers/emails/address.
In other cases, there is a fear that stepping away may cede a narrative to your harassers. This is usually when the harassment is taking the form of a prolonged campaign of libelous or embarrassing dox across social networks, as opposed to merely bombarding you with abusive emails, magazines, or pizza deliveries. These situations may be severe enough that they benefit from active monitoring to better ensure that you do not return to a reputation in tatters. Should this happen, do not feel bad about asking others to monitor your social media for anything worrisome - you should not feel forced to subject yourself to psychological abuse out of fear alone.
My dox contains my address/credible threats. Should I leave my home?
If you ever feel unsafe in your home, do not feel bad about choosing to vacate it for any length of time. It is not an overreaction to remove yourself from the potential of harm if there is good reason to believe your security may be compromised, and labeling your actions as such is a form of victim-blaming. It is your choice to make based on your own standards, beliefs, and justifications.
In extreme cases, law enforcement may even recommend leaving your home. If this is the case, they will oftentimes work with you, or at the very least dispatch officers to your location in a protective capacity.
Summation and Further Resources
As has been mentioned, this guide is meant to be a high-level informative primer on the realities, consequences, and considerations of being doxed. Attitudes about what to do and how to go about it can differ by culture, region, ethnicity, gender, and myriad other factors - but hopefully, this guide can give you a sense of direction or comfort in the current environment.
If you find yourself facing coordinated online mob harassment, we welcome you to contact us at crashoverridenetwork@gmail.com, in hopes that we can better direct you to appropriate resources, advice, and practical knowledge. No two cases are the same, and common wisdom can often be inapplicable to your particular climate of online discourse and moderation. You are the best judge of your own needs and circumstances, and our hope is to empower you to make informed decisions when the time comes. You are not alone.
If you’re reading this post, you’ve probably been using the Internet for a couple of years, or perhaps your whole life - Email, funny cat videos, school stuff, work stuff, wedding invitations, the usual stuff. Maybe you don’t think you’ve made enough of a splash to get targeted by hackers, hate mobs, or worse. But, hypothetically, let’s say you find yourself in the crosshairs.
After all, it doesn’t take much to be targeted. Maybe you spoke up about a controversial topic, or you were related to someone who did. Maybe it wasn’t really anything you said, but you turned out to be an easy ‘mark’ because you’re still using the same passwords from high school, or someone was able to answer your security questions by snooping your social media. Once your identity has been compromised online and you find yourself unable to login to your Facebook or email account, that sinking feeling in your stomach sets the tone of what’s to come; you’re in trouble.
Hopefully, you won’t find yourself in this situation. But as online dialogue becomes increasingly focused on hot button issues like religion, social issues, and Top 40 music, it pays off to make sure that what’s yours will remain yours. Keeping information out of the wrong hands used to be difficult, but with new tools and platforms like cloud computing and storage, it’s becoming easier to quickly boost tech literacy levels of everyday people. The right tools, tips, and habits can help you stay safe, keep track of what’s going on, and help you come out clean on the other side. After reading this guide, it’s our hope that you will have the knowledge you need to stay secure online in the event of being targeted by harassers, hackers, or anyone who may be trying to compromise your online security.
If you feel anything to be missing or have specific questions, feel free to email us at crashoverridenetwork@gmail.com.
Most of us aren’t taught how to create secure passwords. It’s tempting to use the same easy-to-remember password for multiple websites, but that can create a domino effect and end up compromising your entire online identity if discovered. Insecure passwords like “123456”, “password” and “iloveyou” are easy to remember, but set you up for trouble. If you’re like most people, you don’t think anyone would be interested in anything on your computer or smartphone, but being interesting isn’t the only thing that can make you a target. Sometimes, it may be the very act of being lax with security practices, or being made an easy mark by a website’s security flaws; other times, you might just be targeted for kicks or practice by trolls and hackers. The reasons can be diverse, but the result can be singularly devastating.
Before we dive into managing your passwords, there are a few bits of common wisdom to ingest:
Your password should be over six characters long (and here’s why). A six letter password can be cracked in less than 15 minutes, depending on the targeted system.
Think “passphrase,” not “password.” (We’ll revisit this in a moment.)
Stop trying to remember all your passwords! Some people try to use memory tricks like cyphers and site name integration, but this can still be insecure if someone figures out your patterns.
Never, ever store all of your passwords in a plaintext file, in any location, anywhere, ever. C’mon. It’s 2015. Let that practice go the way of NetZero and Geocities.
In this section, we are going to introduce you to password managers: Apps that hold all your passwords securely in one place with a master passphrase.
Password Managers: One Keyring To Rule Them All
A password manager is a piece of software that holds all your passwords and requires one unique master password in order to gain access. Think of it like Online Security Inception: Passwords within a password. You have to break in to break in.
Needless to say, this creates the issue of having a treasure trove of security information stored in one central location, which makes it a valuable prize for anyone trying to compromise your online security. To protect it, you’re going to want a reliable manager and a big, mean mother of a master password to hold it all together, something uncrackable by brute force and tough to guess by either computer or human. This would be a good time to learn how to make Awesome Passwords from Scratch™.
In this comic strip by xkcd, Randall Munroe illustrates the problem of how most people try to create secure passwords:
As illustrated above, what many tech-savvy people do is use a cypher, replacing letters with numbers and special characters, sometimes integrating the name of the service the password is intended for. While this creates technically robust and unique passwords, it still has its faults. Using the same cypher across multiple sites still makes it easy for people to guess your passwords if they can glean the patterns you’re using, and an inconsistent cypher is still a pain to recall. This is why many people have negative feelings towards unique passwords in general.
Passphrases are easier to remember, and also happen to be more secure, especially when the words are unrelated (as opposed to, say, song lyrics or famous quotes). It’s a good habit to get into, and definitely recommended as a method of generating a password to secure your manager of choice.
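The arithmetic behind the passphrase advice above, as an added example that is not part of the original guide. It assumes “six letter” means six lowercase letters, uses the 7,776-word size of a Diceware-style list for comparison, and ships a constructed 32-word sample list; all function names are hypothetical.

```python
import math
import secrets

# Constructed 32-word sample list, for demonstration only. A list this small
# gives weak passphrases; real use needs a list with thousands of words.
SAMPLE_WORDS = [
    "anchor", "basil", "candle", "drift", "ember", "fable", "garnet", "harbor",
    "igloo", "jungle", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "copper", "dune", "falcon", "glacier", "hazel", "ivory",
]
DICEWARE_SIZE = 7776            # 6**5 words, the size of a Diceware-style list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` symbols is drawn uniformly at
    random from `choices` options. Human-chosen words or lyrics score lower."""
    return picks * math.log2(choices)


def make_passphrase(wordlist, n_words=4):
    """Return (passphrase, entropy in bits) using the OS CSPRNG."""
    # Duplicates would silently shrink the search space, so de-duplicate first.
    words = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    phrase = " ".join(secrets.choice(words) for _ in range(n_words))
    return phrase, entropy_bits(len(words), n_words)


def implied_guess_rate():
    """Guesses per second at which every six-lowercase-letter password is
    tried in 15 minutes (the figure quoted in the guide; the interpretation
    of 'six letter' as lowercase-only is an assumption)."""
    return 26 ** 6 / (15 * 60)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = implied_guess_rate()
    phrase, bits = make_passphrase(SAMPLE_WORDS, n_words=5)
    print(f"sample passphrase: {phrase!r} ({bits:.1f} bits from a 32-word list)")
    print(f"attacker speed implied by '15 minutes': {rate:,.0f} guesses/s")
    for label, b in [
        ("6 lowercase letters", entropy_bits(26, 6)),
        ("4 random words", entropy_bits(DICEWARE_SIZE, 4)),
        ("6 random words", entropy_bits(DICEWARE_SIZE, 6)),
    ]:
        print(f"{label:22s} {b:5.1f} bits  {years_to_exhaust(b, rate):.3g} years")
```

The entropy figures only hold when the words are picked by a random generator; a phrase you choose yourself is far easier to guess than the numbers suggest.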
Speaking of which….
Password Manager Options
Password managers have a lot of benefits. At their most basic level, they centralize all your passwords in one area so you can always find them. Many offer password access via the web and on your mobile device. Why type your password each time when you can have it automatically typed for you?
Several of these apps feature an auto-login feature so that when you visit a site, it’s not necessary to retype your password each time. Some even include the option of performing a security audit on your existing passwords, testing not only their complexity, but also if the websites in your manager have recently experienced a security breach (like Sony, Target and LinkedIn have from time to time.)
With your shiny new password manager, you can generate long, technically complex random passwords (typically up to 100 dual-case alphanumeric with special characters). Since the passwords for each site are unique, one site being compromised doesn’t mean losing access to the rest. There are many password managers available, but there are a few of note that we highly recommend.
1Password (Mac, Windows, iOS, Android): With an excellent UI, mobile access, device syncing, and browser plugins that make storing and generating new passwords a breeze, 1Password is a great choice. It stores information locally (that is, on the computer you install it on), so remember to make sure you are backing it up - there’s also an option to sync your 1Password to Dropbox if you’re comfortable doing so. Make sure you have 2-factor authentication turned on on Dropbox if you use this option! 1Password is $50 for a desktop license, but the mobile version is free.
LastPass (Web, browser extension, iOS, Android, Blackberry, Windows Phone): If you’re looking for the Swiss Army knife of password managers, look no further. LastPass is an incredible and convenient password manager. It’s web-based (but does offer offline access), so all your passwords are securely synced to the cloud. Like 1Password, LastPass also offers browser plugins (for Internet Explorer, Firefox, Chrome, Safari, and Opera), and offers mobile versions of the password manager. LastPass also has all sorts of “enterprise” features that let you manage passwords across an organization or company. Where LastPass stands out is raw power and plethora of security options. For those of you who like to get into the geeky details, LastPass offers services like multifactor authentication, password porting, and device whitelisting. You’re also not done once LastPass stores your password - you can be notified when high profile websites are compromised, plus have your existing passwords analyzed to see if their hash was included in the breach. The basic version is free, and Premium (which includes the smartphone client) is $12/year (and recommended).
Keepass (Windows, Linux, browser extension, iOS, Windows phone, Blackberry, PalmOS): As one of the first password managers to hit the market (and also open source), Keepass is a bit less stylish and not as feature-rich as other options, but it makes up for that with the wide variety of platforms it can be run on. It is nonetheless a very powerful and practical password management software. With the project being completely free and open source, it allows people to build Keepass for many different environments. Storage is local, so we recommend you keep your password manager and its associated vaults backed up.
Piece of Paper (Physical): While less convenient than other methods, writing passwords down on physical paper is a tried and true method of password wrangling. While it may seem like a simple, free, no-hassle solution, there are some very important caveats to consider. You’ve likely read advice telling you to “never write down your passwords.” This is because we, as human beings, have a bad habit of leaving the password to a secure computer sitting on the desk next to the computer that is being secured. Physical copies of passwords can be kept secure just like any small, valuable item you own. Treat passwords in paper form the same as money, passports, legal documents, your great grandmother’s antique pearl earrings, the deed to old man Withers’ silver mine, and of course, the keys to your house. Don’t leave passwords on the desk at work or taped to your monitor. This is what characters do in video games just before you crack their work computers wide open.
Don’t be that guy.
For those of you wanting an extra layer of security on top of this, consider using different usernames and emails to log into services. If there’s an account you absolutely cannot deal with having compromised, consider using an email that is only used as a login to that specific account, that you do not make mention of anywhere else.
Finally, keep it regular - Just like changing the filter in your furnace or the wiper blades on your car, consider setting up a recurring calendar event to review your security situation by regularly doing things like checking the audit logs on your website (guide on how to do this for Google located here, for instance). Some people get into the habit of also changing their passwords regularly, but if you do, make sure you’re not re-using old passwords (which shouldn’t be a problem with those generated by a password manager). If you feel your situation warrants a higher level of vigilance, please don’t hesitate to do your due diligence more frequently, especially if you’ve experienced a compromised account. Password managers like Keepass can set expiry dates on entries to remind you to do this.
Multifactor Authentication
Armed with a good password manager, you’ve already taken the first step in securing your online information, so let’s take a look at another thing to be aware of - websites can be hacked and their password databases compromised, which can also put your information at risk if you don’t catch it in time. This is where multifactor authentication comes in.
Multifactor authentication (or MFA/2-Factor Authentication/2-Step Verification) is a method of requiring the person who wants to access an account to verify their identity in more than one way. While this technology has been around for more than 20 years and is deployed in many large organizations, it is increasingly becoming available to individuals to protect their various accounts from social platforms like Twitter, Facebook and LinkedIn to online banking and gaming-related services. Google, for example, allows you to enable multifactor authentication for their Gmail and Google Apps products.
Multifactor authentication requires a short-lived one-time code in addition to your password. You can get these codes in a number of ways:
Sent to your mobile device as a text message.
Generated as a text list of one-time “backup codes” to carry with you in case you were to lose your phone or authentication device. Services such as Google offer this service.
Instead of a code, you are given a login prompt on a mobile app in order to gain access to an account.
One important caveat: don’t use Google Voice to receive reset texts; if your Google Account is compromised, that grants the attacker access to those texts. This has been used in a number of targeted attacks, and severely undermines the effectiveness of two-factor auth.
Typically this process is experienced as logging in with your password, and then being prompted for the code or login verification. What this means is that a hacker would need access to both your password and your multifactor device (such as your mobile phone) in order to compromise your account. This is one of the strongest available deterrents against hacking attempts, and is relatively simple to set up for most services that offer it. The EFF has a guide here on how to do so for some of the most popular services on the web.
There is a constantly updated list of sites that offer two-factor authentication at https://twofactorauth.org/. We highly recommend going down the list and enabling 2-factor for any sites you may use that support it, and when considering new services to use, you can consult the site to see which ones already support it. If you use a service shared across multiple users (such as a shared Dropbox, Basecamp project, or files shared across Google Apps), remember that everyone should be enabling multifactor authentication. Your security is only as strong as its weakest link - that includes accounts that may be shared across your friends and family, so encourage the people you know to utilize this form of security as well!
Multifactor Hard Mode: Yubikeys
Want to get even more secure? Pick up a Yubikey! These small USB dongles allow you to “unlock” and access your online account with several providers including Google, Dreamhost, LastPass, and a large number of other services listed on the Yubico website. For the more geek-minded, the NEO model (pictured) supports near-field capabilities (for mobile devices) as well as FIDO U2F and OTP (One Time Password) protocols. Think of it like a personal smart card: it’s recognized on your computer as a USB keyboard, and when the button is pressed, it will generate an OTP that a service responds to, and can sometimes even be configured to only allow access to an account when the Yubikey is physically plugged into the USB port. Some platforms and operating systems don’t support the Yubikey automatically, but Yubico offers custom programs, drivers, and an active help forum to bridge the gap.
Once a Yubikey is enabled with your service, the reward is an impressively secure setup. Like we described above with two-factor authentication, when you connect your Yubikey to a service, the only way to get back in is with your username, password, and the Yubikey physically inserted into your computer’s USB port. Sounds pretty good, huh? For rockstar level password security, use your Yubikey with LastPass (the password manager we mentioned in the last section). You can also configure your Yubikey for all sorts of different password protocols, or even to generate a single, static character string you can use as a master password for any other password manager. Plus, you can wear them on a chain like a necklace! Fancy.
Of course, all multifactor security runs the risk of being inaccessible if you lose your authentication device. For this reason, we suggest you have multiple devices that you can authenticate with. For instance, when buying Yubikeys, consider buying two, configuring both of them identically, and then keeping one stored somewhere safe in case you lose the first.
App Passwords and Third Party Access
One potentially tricky issue posed by two-factor authentication is when you want to use an app that doesn’t have a place to accept multifactor codes at login. Some applications store OAuth tokens when they’re used to log in for the first time, meaning they’re “authenticated” for future logins without storing the password. Other apps, however, don’t do this, and instead store a password for use every time you log in. This becomes a problem when logins require ever-changing multifactor authentication codes. What are you supposed to do?
In these cases, you might be tempted to generate app-specific passwords. These are unique static passwords that grant full access to the account (here is a guide on using them for Google accounts, for instance), used to help apps that use password storage circumvent the need for a multifactor code. The assumption is that the login is kosher since you need to be logged into the service to generate the app passwords in the first place. They’re also generally only around 16 characters long, which is a major time saver when you consider the alternative of trying to enter a 100-character alphanumeric password to give your Playstation Vita access to your Facebook.
While these are useful and convenient, there are some major security concerns to keep in mind with app passwords. There’s further reading on the how and why here, but the short story is that these passwords aren’t necessarily application-specific, they’re just new master passwords to your account - passwords that automatically bypass multifactor authentication, we might add - and they’re by no means tied to a specific application (in that many applications can use the same app password).
You may be wondering what the point is to having these, then. They allow you to use multifactored services with apps that don’t support OAuth (a trend that many developers are thankfully moving away from), and that’s better than no multifactor auth at all, but they are still a major security flaw. If someone breaks into your account, they may generate app passwords for backup measures of intrusion, or a database leak may reveal an app password that allows a hacker to bypass your multifactor security.
The best way to avoid this? Don’t use application specific passwords. Seriously, they’re awful, and really just a stopgap until developers catch up.
But, if you absolutely must use them for whatever services you need, you should be regularly checking them and revoking unfamiliar passwords or those used by services with less-than-stellar security, with an ultimate goal of getting down to few-to-none. Limit your use of them as best you can, and from time to time, see if the services you are using have integrated OAuth support, as most major services have.
While not as insecure as application-specific passwords, it would also make sense to occasionally review third-party apps that may have permission to access or modify your main accounts such as Facebook, Twitter, and Google. There’s a guide here for doing this on most major services. While it may not allow full access to your accounts in the way application-specific passwords do, one of these third-party apps getting compromised could give hackers posting rights to your social media or even access to your data, depending on what the app pulls from your account to function.
Physical Access: Wiping Data Securely and Remotely
Being able to revoke permissions and passwords is especially useful if a device that uses them becomes lost or stolen. Speaking of which…
While we’ve focused on protecting your passwords and data from remote intrusion, there’s one point of ingress that’s far more difficult to avoid by these security measures: Hackers gaining physical access to the data. This can include someone finding your lost phone, acquiring a discarded hard drive that wasn’t securely wiped, or straight-up physical theft of a device. This is also why many reputable data centers have physical security for their servers.
Not pictured: reputable data center
If you lose physical possession of your phone or computer with all of your accounts logged in, your data is in danger. Don’t be lulled into thinking your password or your secret swipe pattern will keep the thieves at bay - PIN codes are easy to compromise via brute force (only 10,000 possible combinations), and pattern-based lock mechanisms can be gleaned by simply reading smudges on the screen. This is doubly troubling if it’s a mobile device to which two-factor authentication codes are sent, as it allows whoever is in possession of the device to log into your other accounts if they can retrieve or reset the password.
To combat this, mobile OSes like iOS and Android offer the ability to wipe your phone remotely should it become lost or stolen (guides here and here, respectively). Windows Phone and Blackberry offer this functionality as well (guide here). There are also a number of third-party applications such as Lookout Security and Prey which can track, wipe, and encrypt your devices from a web interface, but they must be installed in advance of you losing your device - take some time to do this now if you’re concerned.
This is also a good reason to wipe your hard drives or phones completely if you intend to discard them, as it’s not unheard of for people to try and compromise your data by dumpster-diving for discarded electronics or restoring old mobile phones and hard drives you may have written off. Lifehacker has a guide to securely erasing all data on your mobile phone here, and one for your computers here.
Social Engineering
Of course, for all the techno-wizardry we throw at account security, the simplest solutions are often the most effective. All too often, people looking to break into your accounts can pull it off with old-fashioned deceit - calling up sites and services while posing as you, digging through your mail for documents, and getting around weak security questions with basic research. This can also extend to phishing attacks, where a subject is tricked into downloading malware, entering sensitive information into imposter websites, or revealing information that can help abusers compromise their information. Frequently, harassers will even register sockpuppet accounts on social media and try to befriend you in order to gain access to your social media information or undermine your confidence and security.
The best tactic for combatting social engineering hacks is old-fashioned preparedness and awareness. For the sake of common sense, here are a few pointers to know:
Try to avoid having one single point of failure in your security chain, or one bit of information that, if compromised, will betray the rest. If there’s one single thing that would screw you over if it got compromised or discovered, spread the risk across multiple services and security barriers. For instance, consider using a private, non-primary email address exclusively for password recovery options on websites; this way, if someone gains access to your primary email, they will be unable to reset other passwords from it.
While most legitimate IT/finance companies will never ask you for login or personal information via email or phone, you may get the occasional request; deal with those by asking for a number to call them back, and verify online that it’s a legit number. Be extremely suspicious of unrequested password reset or login emails, and always pay attention to the URL when directed to a page that requires login to make sure it’s legit. Healthy suspicion is just that: healthy. Additionally, consider installing browser extensions like NoScript if you go to sites that may not be the most reputable of places, but know that they make browsing a bit of a PITA.
Make it a general practice to not friend people you don’t know on Facebook without confirmation, especially while you are being targeted. If you are worried that an incident of mob harassment is inevitable and have been in the practice of adding people liberally, consider revisiting your friends list and purging anyone you don’t explicitly trust, or yanking down statuses/photos that might reveal information you don’t want in the hands of an angry mob. This is one of the most frequent vulnerabilities we see exploited during episodes of mob harassment, and something we will expand on in forthcoming posts.
If you are currently being targeted by online harassment, do not rule out the possibility that someone who you’re talking to may not be the person they claim to be. If you get any requests for sensitive information from an unfamiliar account, it’s not too paranoid to spend a few seconds finding out who is asking. Is someone claiming to be press? Google the email address that they’re emailing you from and ask for previous articles they’ve written or other credentials if you have any concerns. Is someone messaging you from an account claiming to be someone you know, and acting a little off or asking questions they might not normally? Verify their identity in another format if you have doubts.
If you ever need to come up with a PIN or 4-number passphrase for any service ever, do not use your birth year. That is literally as insecure as making your password “password”. This includes the PIN to your voicemail if you have one - often when people are doxed, voicemails will be compromised and occasionally hijacked (and occasionally used for SWATing attempts). Make sure you check this if you find that your cell phone number is out there.
Additionally, ensure that your account PIN with your cell phone provider is not the same account PIN as your voicemail. If your voicemail becomes compromised, it becomes that much more dangerous if a hijacker can gain access to your entire account with the same number.
When chatting on any social media with people and the topic of sensitive information comes up, remember that nothing is ever really off the record, even if gchat says it is. Delete your logs if you ever have to send someone a password to a shared account (make sure they do the same), or ideally, use a method that’s not online at all like texting or voice chat. You can even split information like numbers and URLs over multiple networks to reduce the chance of intruders putting it all together. As an extension of this, realize that when you’re transmitting sensitive information online, you have to account for the other person’s security measures as well. Keep that in mind if you need to discuss anything that could compromise your account (or physical) safety. People are also unpredictable - be wary of what you tell people in anything other than total confidence.
When choosing security questions, try to get creative and make them unique or unresearchable. There are also a number of other tricks you could use, such as answering questions with all the keys shifted over, or using non-sequitur answers only you would know. You can also use password managers like KeePass to generate unique passwords for answer fields and track them within the manager. Sometimes you’ll find yourself having to choose from a list of drop-down questions that anyone with Google can search for - in that case, consider having two passphrases that you use instead of the actual answers to that question, that are totally nonsensical and inapplicable.
If your financial institutions are forcing a default “mother’s maiden name” type question and answer system without room for varied input, consider calling them and explaining your concerns - or just use something different anyway, though keep in mind that it will be hilarious to say that your first pet’s name was Ptzq#!k. They can deal. Generally they are understanding and will work with you - and while you’re at it, make sure to work with them to make sure that nobody can access your banking information with your SSN, which may be easy to acquire. Many banking breaches occur with this kind of identity spoofing, not a hard hack.
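A way to check a PIN of your own against the points made above (the 10,000-combination limit and the birth-year warning), as an added example that is not part of the original guide. The 120-year birth-year window, the other pattern checks and all function names are assumptions made for this illustration.

```python
from collections import Counter
from datetime import date


def pin_findings(pin, today=None):
    """Return the reasons a four-digit PIN is easy to guess ([] if none found)."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    today = today or date.today()
    findings = []
    # Assumption: a plausible birth year falls within the last 120 years.
    if today.year - 120 <= int(pin) <= today.year:
        findings.append("birth year")
    # MMDD or DDMM, the shape of a birthday or anniversary.
    first, second = int(pin[:2]), int(pin[2:])
    if (1 <= first <= 12 and 1 <= second <= 31) or (1 <= first <= 31 and 1 <= second <= 12):
        findings.append("calendar date")
    if len(set(pin)) == 1:
        findings.append("repeated digit")
    # Constant step of +1 or -1 between digits (mod 10, so 8901 counts too).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        findings.append("sequential digits")
    return findings


def flagged_counts(today=None):
    """Count how many of the 10,000 four-digit PINs fall under each finding."""
    counts = Counter()
    for n in range(10_000):
        counts.update(pin_findings(f"{n:04d}", today))
    return dict(counts)


if __name__ == "__main__":
    for candidate in ("1985", "1234", "0000", "7391"):  # constructed samples
        print(candidate, pin_findings(candidate) or "no obvious pattern")
    print(flagged_counts())
```

The counts show why a birth year is such a poor choice: it confines the PIN to little more than a hundred of the 10,000 possible values.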
Well, this all sounds like a pain in the ass.
True, it’s not as simple as a single universal password. But until we enter the brave new world of biometrically locked data, it pays to be careful (and even then, you can bet people will try to clone your finger just to gain access to your Gamestop account). We’re thankfully at a point where just a little common sense and a few sleek programs mean all the difference. Thirty minutes of setup and review could mean a lifetime of breathing easy. Why wait?
Crash Override has published a one-page information sheet, meant to be printed out and given to employers whose employees are facing mob harassment. The information sheet focuses on giving a high level overview of how online mob harassment works, what to expect, suggestions for positive courses of action, and some resources for employers who want to dig deeper.
“Doxing” is a common first-stage tactic of mobs of anonymous online groups looking to intimidate you and start digging up information on your life. Sure, where you live may have nothing to do with whatever their beef is with you, but by bringing up personal information that is irrelevant to the subject at hand, and that the target could have some reasonable expectation of privacy around, they are trying to violate the target’s boundaries and intimidate them into fearing how this information may be used. What’s worse is that once this information is out there and in malicious hands, it’s likely been backed up across several pastebin and archive.today type services, making it difficult to remove.
The best thing you can do, then, to prevent doxing, is to preemptively not put your address out there, or remove any mention of it that already exists.
Common Ways Anonymous Mobs End Up With Your Dox
Whois Information: Whois info is what you used to sign up to any domain names you may own. You can check what info is displayed by running your websites through this Whois Lookup tool. If you have concerns about your address or number getting out there, consider listing a PO Box or Google Voice number instead, or purchase domain privacy along with your URL. It’s often an extra 10 dollars or so a year to do so, so weigh the likelihood of ever needing it against the cost. Sadly, thanks to whois history services, once your name is on your whois, it becomes very difficult to do much about it later. You can often find whois privacy coupon codes over at RetailMeNot if cost is an issue.
Facebook And Other Social Media Where You May Have Posted Firsthand Info: Have you ever posted sensitive info yourself? Maybe photos of new places you’ve lived? If you have security concerns, you should go through and change privacy settings of ideally your entire account, if not the specific posts that may have exposed sensitive info. It doesn’t have to be something as brazen as posting a specific address - sometimes tangential hints to your location can give away something you may not want to. Remember that the online mob has nothing better to do than play Detective Poopsock sometimes, and if you’re at risk or currently being targeted it’s much harder to control a situation once things have already started to fall apart. There’s a guide to Facebook privacy settings that is always updated here. Make sure to lock down the visibility of things like your friends list along with information like your phone number if you feel that you’re at high risk of being targeted. Google old usernames you remember and delete anything you don’t want to come back to embarrass you later.
Third-Party Info Sellers Like Spokeo: These sites are like glorified online phone books you don’t even have to agree to be a part of to have your information out there, and are a favorite tool of doxers. There’s a good site to help delete your information from them here, but here’s a list of sites and links to removing yourself from them. Sometimes the process is a huge pain in the ass (some even require faxing).
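For the Whois item above, a way to audit the text a lookup returns for your own domain and list which personal fields it still exposes. This is an added example, not part of the original guide: the field names assume the common "Key: Value" registrar layout, the masking markers are assumptions, and both sample records are constructed.

```python
import re

# Registrant fields that identify a person; names follow the common
# "Key: Value" registrar layout (an assumption, WHOIS output is not uniform).
PERSONAL_FIELDS = ("Registrant Name", "Registrant Street", "Registrant City",
                   "Registrant Phone", "Registrant Email")
# Assumed markers of a privacy/proxy service or a redacted record.
MASK_MARKERS = ("redacted", "privacy", "proxy")
PO_BOX = re.compile(r"\bP\.?\s?O\.?\s*Box\b", re.IGNORECASE)


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict, skipping comments and blank values."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip() and not line.lstrip().startswith(("%", "#", ">>>")):
            record.setdefault(key.strip(), value.strip())
    return record


def exposed_fields(text):
    """Return the personal registrant fields a stranger could read as-is."""
    exposed = {}
    for field, value in parse_whois(text).items():
        if field not in PERSONAL_FIELDS:
            continue
        masked = any(marker in value.lower() for marker in MASK_MARKERS)
        # A PO Box hides the street address, but the city line stays visible.
        if masked or (field == "Registrant Street" and PO_BOX.search(value)):
            continue
        exposed[field] = value
    return exposed


# Constructed sample records (reserved example domains), not real lookups.
UNPROTECTED = """Domain Name: example.com
Registrant Name: Jane Doe
Registrant Street: 123 Main St
Registrant City: Springfield
Registrant Phone: +1.5555550100
Registrant Email: jane@example.com"""

PROTECTED = """Domain Name: example.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: owner-1a2b@privacy.example.net"""
```

A clean result only describes the current record; as noted above, whois history services may still hold earlier versions.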
Once again, the best way to handle doxing is preventatively if possible because of how hard it is to remove information once it’s out there. If you are worried you might someday be targeted, consider taking an evening to stalk yourself online, deleting and opting out of anything you’re not comfortable with. Also, if you’re worried about your cell phone number and feel like changing it, a lot of cell phone providers will allow you to do this online with minimal fuss.
Remember, it’s not your fault if online mobs do someday find your information and try to use it for cyberstalking or intimidation. But if removing your information and securing your online identity can help you have some peace of mind or make it harder for them to do it, and you have the time and desire to do it, it can’t hurt.