Sherlock: Hunt down social media accounts by username across 400 social networks

259 points
3 days ago
by leonry

Comments


Tepix

And this makes it obvious why you should use a unique username everywhere!

It makes pervasive tracking a lot harder.

Also when you do any research on health related topics, be extra privacy conscious.

3 days ago

nurettin

This is why I try to use the same name across websites. I want to be identified as the same person. Just resist the urge to post information you don't want others to have.

3 days ago

prophesi

We often don't know what is or isn't information we don't want others to have, and it will be a lot harder, if not impossible, to delete it after-the-fact. Especially when you consider how it only takes a few innocuous data points to derive what might be information you'd rather not disclose.

3 days ago

cruffle_duffle

The secret is multiple accounts. I too have a Brand Name Account(tm) I like to float around but it sure as heck isn’t this one.

Doing the multiple account thing isn’t as easy as it sounds though. Some sites like Reddit make switching between accounts incredibly easy while others aren’t so much. Plus laziness kicks in and soon enough your Brand Name Account gets tainted and you have to consider taking it out back to the dumpster.

Such is life I guess.

3 days ago

moehm

> Doing the multiple account thing isn’t as easy as it sounds though. Some sites like Reddit make switching between accounts incredibly easy

And it's as easy to dox yourself by responding with the wrong account, as I have seen multiple times on Reddit.

3 days ago

idontlikeirc

This happens a lot with viral-bait accounts. One of the top posts on the UFO board just got caught sockpuppeting this week.

2 days ago

john_the_writer

trick here.. create different chrome profiles, with different color schemes. Peach is my "nice person" account. Red is for accounts that I want to be a little more argumentative.

I do this at work too.. where I have to have different user profiles to emulate working as an admin, staff, client, sub-client. Blue seems adminny :)

2 days ago

sangnoir

> The secret is multiple accounts.

There was a "show hn" many months ago that did stylometry on HN commenters to show which accounts were most stylistically similar; I ran a throwaway account of mine through it, and it showed my account in the top 3 - which was impressive.

Having multiple accounts won't save you when your own word choice, grammar and style can uniquely identify you to anyone sufficiently motivated to link your disparate identities at any point in the future. The author even said their tool was rather basic; IIRC the basis was all pairs similarity on n-grams

3 days ago

malfist

You wouldn't happen to have a link to that would you? I'd really like to check that out

3 days ago

sangnoir

3 days ago

betaby

> Just resist the urge to post information you don't want others to have.

Self-censor you mean?

I personally like that information anonymous account `William Shakespeare` posted around 1585–1613.

3 days ago

derektank

I don't understand what point you're trying to draw here. William Shakespeare was by no means anonymous in his day and age and he almost certainly had to consider the views of the aristocracy and other elite figures that might watch his plays i.e. self censor. Ben Jonson, a contemporary playwright, was imprisoned for writing "The Isle of Dogs".

2 days ago

eks391

I think parent is saying that by self-censoring, expression others enjoy is lost, with the example of Shakespeare as an expresser whose impact would have been lost if he'd decided to be anonymous instead.

2 days ago

01HNNWZ0MV43FF

Then I wouldn't be able to talk about my kinks anywhere

3 days ago

deadbabe

Actually it should be the opposite. Claim one handle everywhere that you want people to associate as your “real” persona and then use unique names in places where you want to be controversial.

3 days ago

w4ffl35

Actually, this makes it obvious why you should keep a page that contains all your links. It's easy to just make an account and pose as someone in order to destroy their reputation. It's also difficult to get unique accounts, often times my accounts overlap with existing names. Even my real name is shared with many people. Employers who use technology like this are actually quite foolish to do so.

3 days ago

dylan604

just to be slightly pedantic as there are still sites that have screen names vs account names where the screen name the public sees has no correlation with the account name (typically an email account).

so don't re-use email accounts across sites. SecOps matter

3 days ago

d3VwsX

I have a somewhat common firstname.lastname@gmail.com and others with the same name use it pretty often. Surprisingly often it seems as if sites allow accounts to exist without email confirmation. I estimate at least 50% of the accounts out there that use my gmail are actually not me, and I like the idea of anyone trying to make sense of that data, if they can even guess that I am the Firstname Lastname that the address belongs to.

2 days ago

quaddo

I’m in a similar situation and hadn’t thought of it that way. My take on the email I receive is that they fall into one of these categories: a) genuinely intended for me (and not spam), b) spam, c) genuinely intended case of mistaken address (they forgot to include another character), d) someone using mine as their throwaway (site sending verification email), and e) someone using mine as their throwaway (no verification process, ergo not altogether different from spam).

2 days ago

112233

Where I am, it is official government agencies that seem to not verify email (and send me sensitive documents meant for others with the same name — a chore to call and ask them to correct their stuff regularly, sigh)

Any commercial sites - dating, gambling etc. end with verification attempts.

2 days ago

Tepix

Yes, another thing you can do is use email subaddressing for every account you create, ideally with a non-default separator (i.e., not "+").

3 days ago

dylan604

Doesn't this subaddress all just resolve to the same account? The accounts are free, so just make up a completely different account. Yeah, it might get a bit of a mess for a user to manage, but that's what password managers are for.

let's face it, we're not talking about Joey Beercan doing this. Anyone even tossing around the term SecOps is already moved out of mass populace and into the somewhat informed. Someone practicing SecOps would definitely be the type to use some sort of credentials management. So I don't think unique totally unrelated emails is too much of a burden. Using different free email providers is even better.

3 days ago

mazambazz

It depends on the underlying email server. But strictly speaking, the "+" is a valid identifier, and "joe+admin@example.com" is a completely different address than "joe@example.com".

It just so happens that email servers tend to recognize the usage of "+" as a "tag" and route incoming mail using the tag to the root email that precedes the plus and tag.

But, as the sender, you cannot assume that this is always the behavior. You must assume that those are two different emails.

3 days ago

sizzle

I use periods and they work fine like for exampl.e@gmail.com or e.xampl.e@gmail.com which surprisingly resolves to my main email and I’ll block spam from any sender spamming that period address. Anyone know why this works?

2 days ago

purkka

This is a Gmail-specific feature. I'd guess it's there for user convenience and some protection against typos (accidental or malicious).

https://support.google.com/mail/answer/7436150?hl=en

2 days ago

jpollock

As a sender, that's entirely true. As a flag to identify correlated emails and accounts, it can be a very useful assumption to make.

2 days ago
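
Added example, not part of any comment in this thread: the distinction drawn above between delivering to an address exactly as typed and using tagged or dotted variants as a correlation signal, sketched for duplicate-signup review. The rules table, function names and sample accounts are assumptions made for this example; only the "+" tag convention and Gmail's dot-insensitivity come from the thread.

```python
"""Deliver to the address as typed; correlate on a normalised key."""
from collections import defaultdict

# Assumed rules table for this example. The thread establishes only that "+"
# is a common tag separator and that Gmail ignores dots in the local part.
PROVIDER_RULES = {
    "gmail.com": {"tag_separators": "+", "ignore_dots": True},
}
DEFAULT_RULES = {"tag_separators": "+", "ignore_dots": False}


def correlation_key(address: str) -> str:
    """Return a heuristic key under which likely-related addresses collide.

    The key is a review flag only. It must never replace the stored address
    for delivery or login: a mail server may treat joe+admin@ and joe@ as two
    different mailboxes, and an identity provider may hold them as two
    separate accounts.
    """
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower().rstrip(".")
    rules = PROVIDER_RULES.get(domain, DEFAULT_RULES)
    # Local parts are formally case-sensitive; folding case is part of the heuristic.
    local = local.lower()
    for sep in rules["tag_separators"]:
        head = local.split(sep, 1)[0]
        if head:  # keep "+tag@example.com" intact rather than emptying it
            local = head
    if rules["ignore_dots"]:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def group_signups(signups):
    """Map correlation key -> account ids, keeping only keys shared by 2+ accounts."""
    clusters = defaultdict(list)
    for account_id, address in signups:
        clusters[correlation_key(address)].append(account_id)
    return {key: ids for key, ids in clusters.items() if len(ids) > 1}


# Constructed sample data (not from any real system).
SAMPLE_SIGNUPS = [
    ("acct-1", "joe@example.com"),
    ("acct-2", "joe+admin@example.com"),
    ("acct-3", "e.xampl.e@gmail.com"),
    ("acct-4", "exampl.e@gmail.com"),
    ("acct-5", "Example+news@Gmail.com"),
    ("acct-6", "j.oe@example.com"),      # dots are significant outside Gmail
    ("acct-7", "joe-shop@example.com"),  # non-default separator: not detected
]

if __name__ == "__main__":
    for key, ids in group_signups(SAMPLE_SIGNUPS).items():
        print(f"{key}: review {', '.join(ids)}")
```

The last sample row shows why a non-default separator defeats this kind of grouping unless the mail domain's own convention is known.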

immibis

Gmail accounts aren't free: I believe they only allow up to 4 to be linked to the same phone number (which is mandatory).

Microsoft is worse: they'll let you create an account, then lock it the next day, after you've already used it for something, if you don't link your phone number.

Phone number is used because it costs money to get, is hard to get in bulk, and in many countries is always tied to your identity.

I wonder what the market for throwaway phone number verification is worth.

3 days ago

stuffoverflow

It is still possible to register Gmail accounts without a phone number. I suppose they primarily use IP reputation to determine when they allow it but device seems to matter too.

In the past you could use BlueStacks android emulator to register Gmail accounts without sms verification even with VPN IPs. This year I've created a few Gmails without sms verification, once on desktop chrome (with Firefox they would've required sms) and a couple of times using the Gmail app on an Android phone.

2 days ago

eks391

There are several cheap (not free) email providers that allow you to create unique emails per service for this precise purpose, and do not require a phone number, however they are lacking significantly in every other way, like an easy to use inbox, so not great for your main contact. One I tested out I found to be good for these random sites that want emails as your username. Then I set the custom email to forward the mail thereby maintaining unique usernames on each site. If the site does not use an email for the username and does not make the provided email public, you could use your regular email with the handy features that come with a Google/Microsoft suite, or err on the side of caution by still having the unique email.

2 days ago

sizzle

This functionality is built into iCloud subscriptions with throw away Apple addresses that resolve to your AppleID registered email.

2 days ago

packtreefly

> I wonder what the market for throwaway phone number verification is worth.

I pondered this recently, and it seems to top out at a couple bucks per shot.

The problem is that the phone number tends to need to be persistent for the sake of security. You can't typically sign up for something that requires a phone number and then expect to be able to keep the account safe without maintaining exclusive access to that number.

I'm sure if it were cost effective, one of the password managers would have some kind of SMS integration, like Apple's hide my email, but for phone numbers.

2 days ago

immibis

If you're the kind of person who doesn't want to provide their own phone number to make an account, you probably also wouldn't be using any account long-term.

2 days ago

dylan604

That’s not true. None of my Gmail accounts have a phone number, and I’ve used them for their discrete purposes continuously since their creation. I doubt I’m the edge case

2 days ago

dylan604

I’ve never provided a phone number for any of the gmail accounts I have. When was this mandated?

3 days ago

eks391

Very recently. I only noticed it about 2 years ago when I went to make a throwaway gmail account exactly for the above opsec purposes.

2 days ago

dylan604

You claim OpSec, but if you’re using such bad opsec, then I’d suggest you’re not actually doing opsec. Tying a throw away account to actual data that can directly identify you is just such bad opsec, you might as well use your actual name as your user name.

2 days ago

immibis

Opsec can be a relative term. Yes, some people are selling drugs or spying for the Russian government but other people just don't want to be OSINTed by scripts like this. Then creating a new Gmail account from the same IP address is enough. It's a lot easier to hide your identity from people who don't have the power to issue subpoenas.

2 days ago

dylan604

IP address != phone number

2 days ago

john_the_writer

I think his point was that he wasn't looking to be totally invisible. Just less obvious to people who won't spend a pile of time looking for you.

If you're adding your phone number to a throw away account you use on Target or Walmart, it's likely okay.

The IP comment was likely because if someone can get your phone number from the Walmart service (via subpoena), to track you down, they can also get your IP address too.

2 days ago

stult

> Doesn't this subaddress all just resolve to the same account?

Not in OAuth/OIDC compliant identity providers. As one example, I frequently use + email addresses for testing on auth0-secured apps, where I use the + text to tag a role or some other user attribute that identifies what makes the test account special. eg stult+admin-staging@example.com or stult+user-declined-gdpr-prod@example.com. Each plus variant resolves to its own separate account with its own password (which I do in fact manage via a credential manager), without requiring me to set up multiple full email addresses to simulate multiple users with verified email addresses.

3 days ago

blitzar

And this makes it obvious why you should use the same username everywhere!

When maintaining an official online public presence, or if you are privacy minded you likely want to "plant the flag" to stop others from impersonating you.

2 days ago

mystified5016

This is like preventing identity theft by putting your SSN on the side of a truck

a day ago

morkalork

In what kind of dystopia would one need to hide doing research on health related topics? Oh, right.

3 days ago

karlzt

Or better yet, be extra privacy conscious with everything you do.

3 days ago

w4ffl35

I strongly suggest the opposite. Collect everything and do on a personal site, do good seo on your pages, expose your content. Go totally anon for anything you don't want exposed of course. But you should expose as much of yourself as you're able and control the conversation.

3 days ago

idontlikeirc

This reminds me of a friend who was a Steam moderator, and they had an alternate account on Twitter pretending to be Mexican. The amount of times they got people thinking they found their real name was larger than "juan".

2 days ago

TacticalCoder

But then at this point we can take a username, take a user's posts on one site, train a LLM with these posts and ask the LLM to write comments in the style of that user on another forum/subject.

How do you even determine anymore if something is really written by someone?

Websites are already for a huge part written by bots/LLMs and we all know to take them with a huge grain of salt.

How long until we consider users posts aren't to be trusted anymore either?

It already started (impersonating usernames) for sure.

So what is this even tracking?

Heck, at this point it's nearly a guarantee we already have bots trained on outputs of other bots.

I wonder what the implication of all this is going to be.

2 days ago

mihaaly

Using online services requires so much special attention it starts to weigh up to the benefits given. Considering the risks, it is already on par with the value delivered.

3 days ago

mrtksn

> And this makes it obvious why you should use a unique username everywhere!

Actually I was disappointed by the post, I was hoping it will be able to find the same person regardless of the username through analyzing the writing style, what they are talking about, the timezone etc.

The username doesn't prove anything, anybody can take any username anywhere. If someone targets you, they can take usernames on platforms where you haven't claimed your username yet and pretend to be you and damage your reputation.

3 days ago

portaouflop

That’s why you should claim your main handle on all platforms, just don’t use it if you want privacy.

3 days ago

throwaway519

I have no interest in some platforms.

What about the platforms that I don't know of? Or that don't exist yet?

Even major corporations don't bother with all TLDs.

It's far more plausible to not seek to have the same identity behind the same handle.

3 days ago

portaouflop

You don’t need every single one obviously, just the major ones.

And I’m saying you should reserve your main handle - you can still have a unique one that you actually use.

2 days ago

542354234235

> I was hoping it will be able to find the same person regardless of the username

> Sherlock: Hunt down social media accounts by username

I don't know why you would have been hoping for this. The title isn't exactly ambiguous.

2 days ago

cookiengineer

Doesn't matter for the next day's witch hunt

They are just gonna make fake accounts that look like yours and shitpost ahead anyways.

Social media has multiple problems, including authenticity, transparency, validity and verifiability. All of which don't exist and make it the optimum propaganda machine (referring to the criteria that Chomsky described) because it can be corrupted through multiple attack vectors.

If we want to survive this hellhole of misinformation, the mentioned criteria have to be implemented for the "next big platform" so that censorship and other legislative processes can be encountered with increased transparency and openness.

On a network/society scale it can't be driven by financial incentives to prevent corruption, ergo it must be financed by taxes. Preferably on an EU or UN legislative level to prevent political corruption of single state actors.

3 days ago

inerte

A state funded platform with a focus on authenticity, transparency, validity and verifiability, is the best thing against censorship? I don’t get how.

3 days ago

gopher_space

The state is you ("L'état, c'est vous").

2 days ago

casey2

It's a really overengineered fn() { browser site1/$1 site2/$1 ... }

Tools like these insult the users' intelligence and generate needless drama[1] the only data needed are the urls from https://github.com/sherlock-project/sherlock/blob/master/she...

[1] https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to...

3 days ago

antoniojtorres

That person on the reddit example is as caustic as can be. Perfect example of a nightmare open source user.

19 hours ago

immibis

collecting that data is worth something.

3 days ago

tonmoy

For people who want to have a professional social presence (FB/linkedin) as well as an anonymous one (Reddit etc), it’ll be super useful to see if the accounts are truly unlinkable. Moreover if you are opening a new anonymous account, maybe a good idea to search the new username using this tool to make sure it’s not “taken”

3 days ago

dylan604

Until some ML process is learned to give a probability that accounts are the same based on writing styles

Staying anonymous is very difficult

3 days ago

philipkglass

Stylometry tools may be useful if you already have a small candidate pool of suspected aliases. They produce too many false positives to be useful for blind cross-linking of accounts. Once or twice somebody has done stylometric analysis of HN accounts and I've looked at the results for my accounts. Even though I don't try to obscure style across accounts, stylometry didn't match my actual accounts with each other. My top matches were for accounts controlled by other people.

3 days ago

BoxedEmpathy

I specifically write with different perspectives, tones, and opinions on different sites in a probably vain attempt to mitigate this.

For example, on YouTube I use Twitch slang, and on Reddit I use TikTok slang, and on TikTok I use Reddit slang. On Hacker News I use a slightly whimsical pedantically-infused undergrad tone.

3 days ago

t0bia_s

You really care about this and use the most privacy-invasive platforms at the same time? Sounds like interesting acrobatics to me.

2 days ago

mikeodds

Using stats this is called stylometry and I agree this will probably be easier at scale now. You can also match posting windows, pull additional features from database dumps/hacks.

Fun post applying it to HN, not sure if the site is still live: https://news.ycombinator.com/item?id=33755016

3 days ago

cootsnuck

Then people will start using browser extensions that automatically "fuzz" your writing style randomly. That is, if chasing anonymity is someone's true goal.

3 days ago

domoregood

Interesting tool, but it generates false positives. Try Sherlocking some randomly generated usernames that cannot possibly exist and it will still return results for some of the URLs in its list.

3 days ago

pluc

So what's a non creepy use for this?

3 days ago

hn_throwaway_99

I think the "non creepy" use is really just making people aware how easy it is to correlate all your different traces online. It's like when someone released on HN a tool that would link various HN accounts (and maybe Reddit accounts too IIRC), but by looking at commenter word choice similarity.

It makes people realize that actual anonymity online is a smokescreen.

3 days ago

deadbabe

Finding usernames that you can register and own across all social networks.

3 days ago

anticorporate

*For some very narrow, twisted definitions of the word "own"

3 days ago

jedberg

Seeing what it finds about yourself?

3 days ago

Tepix

Is it creepy if you google a job candidate?

3 days ago

naavis

In many parts of the world it is illegal for a recruiting party to search for information on a candidate without their consent.

3 days ago

JSteph22

Whichever parts of the world that may be, you can guarantee that it happens anyways.

Unenforceable rules are never followed.

3 days ago

steelframe

I recently Googled myself, and in the first page of results I ran across some shit AI website that scrapes random web content about people and attempts to summarize it. It got my current occupation completely and comically wrong -- as in, it has nothing at all to do with tech.

If you're trying to figure out anything about me from social media or other such random web pages, I don't care to have anything to do with you, and I don't care what you're led to believe about me. I suppose this is born of privilege, but the only contacts I care to make are directly via people I already have a relationship with.

2 days ago

pluc

Just did the same, and the form to get your data removed asks for 3 items of personal information "to confirm your identity" lol.

Edit: the site I found was "zoominfo".

2 days ago

steelframe

The only personal information they're going to get from me will be what's in my libel lawsuit.

2 days ago

fragmede

Clean up the online footprint for someone that hires you to do so before they run for office. I don't remember every single web site I've ever signed up for going back to when I started using the Internet, and neither can you.

3 days ago

pluc

Internet Archive likely renders that point moot, no? There are plenty of sites that index tweets outside of Twitter for example... at least there used to be

3 days ago

jdiff

The Archive is much less discoverable. There's no search engine for the wayback machine.

3 days ago

sureglymop

You can request them to take down personally identifying information about yourself. They respond quickly and seem to have someone employed to handle GDPR requests.

3 days ago

hooverd

That's the great part- there isn't. Following people you like on every platform I guess.

3 days ago

mrkramer

Cybercrime research; locate malicious actors across social web.

3 days ago

diogonr95

It’s also a great education tool to showcase the need to be careful about internet hygiene. The creeps have done this sort of thing for decades.

3 days ago

lupusreal

Like hiring a PI to follow people around to educate people about stalkers.

3 days ago

EGreg

Letting a person sign up on your site and choose to import stuff they've put onto other sites under that username, maybe.

3 days ago

some_random

Realistically it's doing this to people who deserve it, trouble is that no one is going to agree on that criteria

3 days ago

s1artibartfast

Who deserves it, and what is "it"?

3 days ago

Mountain_Skies

To socially harass and drive to suicide anyone that doesn't conform to the dominant cultural outlook. Think that's creepy? Well, you just made the list!

3 days ago

yieldcrv

I’m on a lot of lists and still have TSA Precheck, Global Entry, can hold US security clearances, pass professional background checks

so what are you lesser relevant people worried about exactly?

3 days ago

noman-land

What lists are you on?

3 days ago

jackconsidine

I’ve successfully used Sherlock to track down a colleague that I only connected with on MeetUp. It’s an amazing tool. Worth running on your own usernames as an easy account inventory

3 days ago

blindriver

I haven’t used my real name online since the late 1990s once I realized things are stored forever.

3 days ago

jmyeet

Remember when IPv6 decided on 128 bit addresses and defaulting to /64 blocks because someone thought using a 48-bit MAC address as the IPv6 equivalent of a port was a good idea? Fast forward a decade or two and we realize how this is a PII leak issue so nobody does it but we're still stuck with 128-bit addresses (for those who use IPv6).

There are several things that are a security issue or simply a privacy issue. These include:

- Your username (as I assume this tool is demonstrating)

- Your email address. While this is treated as your "public identity" to some extent, I think we're rapidly approaching a point where we need to not do this;

- Your phone number; and

- Your profile pic. I would advise to never use the same pic across accounts and certainly don't use services like gravatar (if that's still a thing).

Email is particularly problematic because you can end up on spam lists if a site is compromised and you can't really identify where it comes from.

What I think we need is a more integrated solution for logging in and creating throwaway addresses (eg like SimpleLogin) so it's basically seamless. Gmail seems well-positioned to do this. I honestly don't know why Google hasn't done this.

Interestingly, Facebook Groups seem to handle this kind of anonymity reasonably well. Each group you're in is a separate profile. You can't find out what other groups someone is in from either their personal identity or any group's identity. Weirdly, your FB profile is associated with any pages or profiles you comment on.

It should be clear to these companies by now that people want to silo their public identities (aka pseudonymity).

3 days ago

gonzo

> Remember when IPv6 decided on 128 bit addresses and defaulting to /64 blocks because someone thought using a 48-bit MAC address as the IPv6 equivalent of a port was a good idea?

No, I don’t, and I’m well-aware of EUI-64.

IPv6 uses 128-bit addressing because some on the design committee or making comments on the drafts thought that 64 bits might not be enough.

3 days ago

immibis

You're not required to put a MAC in the last 64 bits, but the fact that your ISP has to give you at least 64 bits is very cool.

Privacy addresses are random and periodically rotated.

The IPv6 equivalent of a port is a port.

3 days ago
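
Added example, not part of any comment in this thread: a check a host owner can run over their own interface addresses to see whether any still carries a MAC in the last 64 bits (modified EUI-64), the leak discussed above. The function names are assumptions for this example and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
"""Flag IPv6 addresses whose interface identifier embeds a MAC (modified EUI-64)."""
import ipaddress
from collections import defaultdict


def embedded_mac(address: str):
    """Return the MAC encoded in the low 64 bits, or None if the pattern is absent.

    Modified EUI-64 inserts ff:fe between the two halves of the 48-bit MAC and
    flips the universal/local bit (0x02) of the first octet. A random privacy
    address matches ff:fe by chance about once in 65536, so treat a hit as a
    strong hint rather than proof.
    """
    bare = address.split("%", 1)[0].split("/", 1)[0]  # drop zone id and prefix length
    iid = ipaddress.IPv6Address(bare).packed[8:]      # interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def audit(addresses):
    """Group addresses by embedded MAC; one MAC under several prefixes means
    the same device is recognisable on every network it joins."""
    clusters = defaultdict(list)
    for address in addresses:
        mac = embedded_mac(address)
        if mac is not None:
            clusters[mac].append(address)
    return dict(clusters)


# Constructed sample addresses (documentation prefix, made-up MAC).
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:211:22ff:fe33:4455",     # EUI-64 derived, network A
    "2001:db8:ffff:9:211:22ff:fe33:4455",  # same interface, network B
    "2001:db8:1:2:5c3a:91e7:4b0d:a2f6",    # random privacy-style identifier
    "fe80::211:22ff:fe33:4455%eth0",       # link-local with zone id
]

if __name__ == "__main__":
    for mac, addrs in audit(SAMPLE_ADDRESSES).items():
        print(f"MAC {mac} is exposed in:")
        for addr in addrs:
            print(f"  {addr}")
```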

casenmgreen

There's a UI design element here which I don't like.

The UI presents a text field which is for entering search terms.

You click it and expect to type - but NO! - SURPRISE!!! it's actually a button!!

And now the page changes, pops up an actual text field, somewhere else and new, and you abruptly are forced to set aside your thoughts about search to process the page layout a second time and go and click again to type in a term.

Why on God's clean Earth would anyone ever do this?

2 days ago

rramadass

Reminds me of this excerpt from "A Study in Scarlet".

'Have you read Gaboriau's works?' I asked. 'Does Lecoq come up to your idea of a detective?'

Sherlock Holmes sniffed sardonically. 'Lecoq was a miserable bungler,' he said, in an angry voice; 'he had only one thing to recommend him, and that was his energy. That book made me positively ill. The question was how to identify an unknown prisoner. I could have done it in twenty-four hours. Lecoq took six months or so. It might be made a text-book for detectives to teach them what to avoid.'

2 days ago

s1artibartfast

I don't plan to run for president or anything, but find myself increasingly censoring my online speech. I think the biggest risk is some out of context post being pulled into a civil suit, or professional cancellation following that.

Things like advice in an alcohol recovery forum would be prime evidence for a liability suit.

There are also groups that vacuum the internet for offensive posts, and use them to try to get people fired for things they said 10 years ago.

At this point, I assume all internet activity can and will be de-anonymized, and restrict my speech accordingly. I'm sure there are some meaningful precautions and nuances, but it is too much to keep up with.

3 days ago

ChrisMarshallNY

There was a story, a couple of years ago, about a teacher who got fired, because she posted a picture on Facebook, holding a margarita, or something. She was on a vacation in the Caribbean.

One of the parents saw the post, and raised a stink.

Now that I'm retired, it doesn't really matter that much, but I do my best to behave well (this joint is pretty much the only place I post much). In the past, I was not so circumspect. In fact, I was a troll.

I remember once, signing up for Disqus, and they came back, and said something to the effect of "We found all these posts from around the Internet. Would you like to claim any as yours?"

Included, were some of the worst troll posts I'd made, many years ago, under the [obviously mistaken] assumption that they were anonymous.

I nuked the signup, and went and had a lie-down.

Since then, I have never bothered to try being anonymous. I probably could, if I wanted to, but I'd rather just stay public, and not say stuff that I'd regret.

3 days ago

exabrial

It's a relatively new and novel thing for people your age to be able to look up anything online, to the point where it's scandalous.

This card will be played over and over again by politicians, influencers, prosecutors, police, etc, until the smartphone-from-birth generation reaches office. At that point, it'll be so easy to dig up dirt on anyone, people will just stop caring (as they should anyway).

We're just in a weird transition period right now.

3 days ago

s1artibartfast

I'm not so confident. Digital natives seem just as eager to apply purity tests as anyone, if not more so. Throwing rocks still feels good, even if everyone is living in glass houses. It was true in the 1300's when the saying was coined, and is still true today.[1]

https://www.bookbrowse.com/expressions/detail/index.cfm/expr...

3 days ago

null0pointer

> try to get people fired for things they said 10 years ago

I assume the implication here is that the thing they said 10 years ago was less inappropriate back then. So how do you predict sensitivity changes 10 years in the future to limit your speech today? Even if you delete posts after, say 1 year, archives exist. Shouldn’t you just not say anything if you’re afraid of this? Maybe discussion of self-censorship like this will be taboo in 10 years and the ship has already sailed.

3 days ago

s1artibartfast

I wasn't implying that it depends on sensitivity changes, although that is possible too. Sorry if I wasn't clear on that.

My thought was more about time and distance. Something can be unpopular or even wrong when it's first said too. People are dynamic and change over time. The mechanism of change is living their lives.

Taboos can change as well, so there is a motivation to steer clear of controversial topics in recorded media. You can use discretion to judge risk. It's unlikely that someone's going to fire you for discussing ice cream in 10 years.

3 days ago

ryandrake

Yea, that's also a big danger: A totally innocent or trivial comment written today might be taboo in 10 years, and some future justice warrior is sure to dig it up and use it against you, and you have no idea what is going to be taboo. Maybe in the far future, owning pets will be taboo, and all the pictures of me and my dog are going to be dug up and used to shame me for violating an animal's sovereignty or something.

There is no way to know what people are going to get offended about in the future, but the clear trend is people getting offended about more and more things over time, rather than fewer and fewer things.

3 days ago

bjourne

Herding is the best defense. If everyone who expresses opinions online does so non-anonymously it becomes much more difficult for the sleuths to target specific individuals. If everyone runs the risk of getting "sniped" for something taken out of context they wrote 10 years ago, the tactic becomes less effective.

2 days ago

dylan604

> for things they said 10 years ago.

I don't think this is an automatic negative as you are implying. There's definitely lots of qualifiers involved though. There would have to be significant evidence to show that the sentiment expressed is still no longer held which could be more than problematic to prove. If it was someone up for supreme court justice that posted pics showing how much they liked beer and their antics as a party person could be shown as lack of maturity by comparing that they no longer drink now. Someone posting racist comments would be much harder as you don't really know if they've changed their view or just learned not to post publicly their views.

Edit: automatic negative should really read automatic disqualifier

3 days ago

II2II

That second example pretty much demonstrates why it is so dangerous. There were attitudes that were commonplace 30 years ago that are now considered racist, in many cases because they were racist, that people don't subscribe to today. I imagine the same can be said about 10 years ago. People's values change. We should not be giving them life sentences when they have reformed their attitudes and behaviors, otherwise the incentive to reform is taken away.

3 days ago

idontlikeirc

One example of this I can think of is a show from the late 90's which used the word "spaz" very liberally, which was already iffy at the time but not fully demonized. Using it nowadays could be considered a major point of contention towards your image. Words like Gypsy and Retard are more recent inclusions in this field.

2 days ago

s1artibartfast

When did spaz go out of favor? I was completely unaware it became taboo.

2 days ago

Pigalowda

It was deemed ableist by the White Knight Censorship company a few years ago. Something about cerebral palsy.

2 days ago

iinnPP

I'm at a loss for how your example doesn't lead to automatically negative.

Don't post something harmless today that will be deemed a "dog whistle" in 2035 so that you don't have to prove a negative?

I don't mean to be critical here, it's a genuine ask.

And to add to the above, my post is the kind of post that would be gone. If I was taking a similar stance.

3 days ago

dylan604

Having the right/freedom to post anything you want does not mean there shouldn't be consequences for those posts later.

Age of post should just not be an automatic "but it was 10 years ago" get out of jail free card. If there's compelling evidence it was just a stupid thing someone did as a teen, then we can have that conversation. If it is a post from someone in some position of leadership that is 10 years old but was made in their 40s, it is not the same "I was an immature teen" situation.

3 days ago

DaSHacka

Ah, so you're who GGP's talking about.

3 days ago

yieldcrv

Being authentic is the ticket to public office now

I’m kind of glad that the value of blackmail futures has plummeted to zero

I always thought millennials would be the culprit because millennials have so much online, but nope, it was just old fashioned baby boomers that have spearheaded it and double down on their indiscretions to be the role models for the country’s top offices

3 days ago

exe34

"criminal activity?"

"no sir."

"for god's sake Baldrick, you're running for parliament. I'll put fraud and sexual deviancy."

3 days ago

s1artibartfast

I think that reality is much more heterogenous. Say some edgy or unpopular things 10 years ago, and they can still be shared with your boss and blasted across your employer's social media channels. The social consensus and average result doesn't preclude damage in some cases.

3 days ago

dragonwriter

> Being authentic is the ticket to public office now

No, it's not.

The preferred image may be more combative, aggressive, and anti-social than in the recent past, but as always adherence to it is more important than actual authenticity.

> I’m kind of glad that the value of blackmail futures has plummeted to zero

It hasn’t, though the value function for current negative information is different, so things that were once valuable for blackmail or otherwise harmful to public image are less so (and things that were not are more so.)

> I always thought millennials would be the culprit because millennials have so much online, but nope, it was just old fashioned baby boomers that have spearheaded that double down on their indiscretions and are the role models for the country’s top offices

The only boomer I can think of that you might be talking about denies them constantly (even if there is past documentation of his acknowledging them in a general sense) and is supported by favor-currying media magnates who either actively promote propaganda favoring his messaging on that or, at a minimum, actively spike critical coverage.

And even within his movement and with the support of his cult of personality and the same favorable media, others in his orbit have often been less successful in having their indiscretions given a pass (see, e.g., Matt Gaetz’s nomination for Attorney-General of the United States.)

3 days ago

echelon

Only for this cycle. The pendulum will swing back to cancelling and pitchforks after this era of cult of personality.

3 days ago

EGreg

I thought canceling never stopped. It was just politically motivated.

(Ironically, Dems eat their own for that stuff, so maybe "politically motivated" doesn't quite capture it... compare e.g. Al Franken and Katie Hill vs Roy Moore or Matt Gaetz)

3 days ago

seanmcdirmid

Democrats cancel and Republicans mostly double down. I don’t think there is anything Trump can do at this point to horrify or even just dissuade his base, for example.

3 days ago

saturn8601

Yes and no. He has a clear mandate to fix price increases and inflation. If he doesn't he will lose the newcomers that held their nose voting for him. If he screws up big time he will be frozen in 26 and ride out his presidency having accomplished nothing. His core base that you are talking about was always a declining minority.

3 days ago

seanmcdirmid

That’s true. It’s even worse, though, since he promised a bunch of stuff that he can’t deliver or if he delivers (high tariffs, mass deportation), inflation will probably boom. Get the popcorn because the first month after 1/20 will be interesting (and maybe stock up on some electronics that are probably going to get really expensive).

2 days ago

blooalien

> "I don’t think there is anything Trump can do at this point to horrify or even just dissuade his base, for example."

Pretty sure it's pretty close to true at this point that he actually could get away with literal cold-blooded murder in public at this point and his cult would fold themselves in half backwards tryin' to justify it somehow. [0]

[0]: https://www.snopes.com/fact-check/donald-trump-fifth-avenue-...

3 days ago

immibis

I mean, he supports the Gaza situation.

3 days ago

s1artibartfast

Real Americans are pretty split on the topic of Gaza. 36% of Americans favor the U.S. providing military aid to Israel. 34% oppose military aid, and the rest are neutral.

https://www.pewresearch.org/2024/03/21/views-of-the-u-s-role...

2 days ago

immibis

I didn't say Trump was the only one who supported cold-blooded murder.

2 days ago

yieldcrv

I don't really get that impression, in my experience people just realize cancelling is a two-way street and stop it

I’ve been told “I’m making someone uncomfortable” and I said “they’re making me uncomfortable”, and follow that up with “why are you privileging their discomfort over mine” and when they or the mob say something gendered or sexist as the explanation, then I get to cancel all of them or get a nice fat paycheck

3 days ago

dylan604

what evidence do you have that this is true. at this point, a new theory of physics will be trotted out that shows a pendulum does not have to swing back. it will become trending on all the socials so that people believe. it therefore becomes the de facto truth, and the cult remains

3 days ago

EGreg

Worth noting that the search bar on top searches the site / code, and is not part of the actual search by username!

3 days ago

n8henrie

I get this error upon first run, both with pipx and with a regular venv: https://github.com/sherlock-project/sherlock/issues/2294

3 days ago

throwaway78122k

What's this tool vs typing a user name in google to find similar to same info?

3 days ago

betaby

Even less useful than google for a couple of monikers I tried.

3 days ago

Gooblebrai

The tool didn’t work as well as I expected. It claimed to have found the username I entered on 40 websites, but when I followed several of the provided links, they led to 404 error pages.

3 days ago

saturn8601

Furthermore it seems to be showing false results for some domains regardless of whatever you type.

3 days ago

ksynwa

Is it querying an offline or an online database? Because if it's the latter I hope people don't give it their various disparate usernames allowing them to link them together.

3 days ago

jdiff

It doesn't query a database, it queries the individual sites.

https://github.com/sherlock-project/sherlock/blob/master/she...

3 days ago

geor9e

It's essentially a loop that fetches www.whatever.com/username and does a regex for "user not found". It then outputs a list of links, to possible profile pages. Pretty simple tool, but speeds up a standard investigation technique.

3 days ago
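
An added example, not part of any comment and not Sherlock's own code, of the check geor9e describes and of why it yields the false hits Gooblebrai and saturn8601 report: a status-code or "not found" text rule, plus a control probe with a name assumed not to exist. The site names, rule format, control name and responses are all constructed for illustration, and nothing is fetched over the network.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:  # constructed stand-in for an HTTP response
    status: int
    body: str

@dataclass
class Rule:  # hypothetical per-site rule, not Sherlock's own schema
    kind: str            # "status" or "message"
    not_found: str = ""  # regex that marks the "no such user" page

def looks_claimed(resp, rule):
    # Apply one site's rule to one response.
    if rule.kind == "status":
        return 200 <= resp.status < 300
    if rule.kind == "message":
        return resp.status < 400 and not re.search(rule.not_found, resp.body, re.I)
    raise ValueError(f"unknown rule kind: {rule.kind}")

def check(site, rule, fetch, username, control="zz-no-such-user-7f3a9c"):
    # Control probe: a name assumed not to exist. If the rule calls it claimed,
    # the site answers alike for every name and a hit tells us nothing.
    if looks_claimed(fetch(site, control), rule):
        return "unreliable"
    return "claimed" if looks_claimed(fetch(site, username), rule) else "available"

# Constructed sites: (rule, response served when the profile does not exist).
SITES = {
    "plain.example": (Rule("status"), Response(404, "Not Found")),
    "soft404.example": (Rule("status"), Response(200, "<h1>User not found</h1>")),
    "msg.example": (Rule("message", r"user not found"), Response(200, "<h1>User not found</h1>")),
    "redesign.example": (Rule("message", r"user not found"), Response(200, "<h1>Nobody here by that name</h1>")),
}
PROFILES = {("plain.example", "alice"), ("msg.example", "alice")}  # constructed

def fake_fetch(site, username):
    if (site, username) in PROFILES:
        return Response(200, f"<h1>{username}</h1>")
    return SITES[site][1]

def scan(username):
    return {s: check(s, r, fake_fetch, username) for s, (r, _) in SITES.items()}

if __name__ == "__main__":
    for site, verdict in scan("alice").items():
        print(f"{site:18} {verdict}")
```

Without the control probe, `soft404.example` (HTTP 200 on a miss) and `redesign.example` (miss page reworded since the rule was written) would be reported as hits for every username entered.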

mrkramer

Nice OSINT tool.

3 days ago

buildsjets

Oh noes I hope they don't find my USENET posts from between 1992 and 1997.

2 days ago

lakomen

Why is this not a website but I have to install something?

3 days ago

ivanmontillam

I would assume it's because checking usernames using your own IP address leads to better results while making it a website would forcefully make it a SaaS (to cover cloud costs).

I'd argue instead why is this not a GUI? Making it a CLI makes it less user-friendly.

3 days ago

keyboardJones

I would guess to prevent IP address blocking, or offloading responsibility

Edit: added “to prevent”

3 days ago

pimlottc

Because not everything is a website?

3 days ago

throwaway519

Termux should be supported sooner from default.

No pkg package.

3 days ago

gotoeleven

This will be very handy because when I see someone post something I disagree with on HN I can also go downvote them on reddit and swipe them in the ugly direction on tindr and/or grindr. I am justified in doing this because everything I don't like should be banned.

3 days ago

penguinburglar

Don't forget to report the reddit posts for suicide concerns.

3 days ago

immibis

For the unfamiliar: this causes a reddit-owned bot to send them a passive-aggressive private message telling them how not to kill themselves. There's no way to know who caused it to be sent.

2 days ago

webdevladder

Reminder that malicious impersonation is common and easily automated with LLMs.

3 days ago

noworriesnate

It doesn't even have to be malicious if you have a common username.

18 hours ago

ksajadi

wait, there are 400 social media networks?

2 days ago