From Easter Egg Hunter to Online Sleuth

As a child, one of my favorite parts of spring was Easter. It’s easy to say, “Sure, every kid likes chocolate,” but the reality was that I liked the hunt. My parents hid those tiny chocolate eggs all over our house, and my sister and I – and occasionally our cousins – would run all around racing to be the one to find the most eggs. The door handle for the oven, the heater vent behind the couch, in the soil of each potted plant. Everywhere had chocolate and a lot of it was easy to find. Some of the eggs, however, were more difficult to find and you really had to search. The top of the door (clearly out of reach for little kids) meant shaking the door back and forth to see if any fell. The eggs in front of the old CRT television brought you to the less obvious trail on the carpet around the corner of the entertainment center. On that morning, you weren’t just a kid in pajamas running around with a colorful wicker basket, you were a detective honing your skills like Nancy Drew and the Hardy Boys. Your parents, on the other hand, had forgotten where they’d placed the eggs the night before and were secretly hoping you really were the world’s greatest sleuth, so that they could avoid finding melted chocolate behind the couch a month from now. As you got older, your parents stop hiding eggs or you start hating chocolate (both if you’re me) and the chance to be the Sherlock Holmes disappeared.

I suspect that I’m not the only one that feels a loss when they think back to that overflowing basket on Easter morning and realize their sleuthing days are over. Puzzle solving video games are incredibly popular and reddit is filled with amateur detectives just looking for a mystery to solve. Look at what happened when Netflix premiered Making a Murderer, everyone started sleuthing around, pausing their TV and analyzing the images that were displayed. Facebook is constantly showing me sponsored ads for Hunt a Killer and I’ve seen multiple friends mention the monthly interactive mystery game. One of the most popular forms of social entertainment today is the escape room – where you are locked in a room with friends and you must use your powers of deduction to solve the mystery and beat the buzzer. Deep down, we all secretly want to be the next Jim Rockford or Jessica Fletcher (Shawn Spencer or Veronica Mars for the younger readers).

Personally, as an avid online gamer and security professional, I find it fun to play detective with my fellow gamers. We live in a world where cyber bullying and doxing are an all too common occurrence, so it’s important to know just how much you reveal about yourself when you jump online to play your favorite MMO with gamers around the world. Whether it’s your teenager taming a Devilsaur in World of Warcraft after they finish their homework or you logging in to join a fleet in EVE Online, it’s important to understand just how much you reveal about yourself in private conversation and how those comments can be used to associate your online identity with your physical one. Disclaimer, when I engage in this form of entertainment, I involve the person I’m researching; they always know I’m doing it and are actively involved in the verification of data.

The first thing to keep in mind is that you are likely revealing information about yourself every time you speak. This information, over time, can help others identify who you are. More importantly, remember that every time you interact with a service controlled by another gamer, you are revealing information to them. This could be a voice chat like TeamSpeak or Mumble or simply a forum that you use for planning and conversation. You are revealing your IP address (assuming you don’t use a VPN) which is likely to reveal your country (by determining your ISP) and potentially your city or state (depending on how your ISP sets up DNS – the service that translates domain names into IP addresses and vice versa). If we look at the domain name assigned that my IP address resolves to, we see the following: toroon####w-lp###-##-##-##-##-##.dsl.bell.ca. (all numbers are replaced by #). Right away, we know that I get my internet services from Bell Canada, one of the biggest Canadian ISPs. A quick Google search for toroon bell.ca domain reveals a list of DNS servers in Canada hosted by public-dns. A quick search for bell.ca in their full list of 446 valid servers reveals that Bell uses 6 characters, 4 for the city (otwa for Ottawa, mtrl for Montreal, and toro for Toronto) and two for the province (on for Ontario and qc for Quebec). Immediately, anyone who has access to my IP address knows that I live in Toronto, Ontario, Canada.

We know that a minimal number of people will control services that you access, so you may think this is a small risk, but it’s not the only way that you reveal data about yourself. Casual conversation with online friends can lead to all sorts of discoveries with a minimal amount of sleuthing.  Perhaps, you’ve mentioned casually that you live in Idaho but you’ve avoiding telling people the city you live in because you don’t feel comfortable sharing it online. What happens when you mention that your spouse ran out to Walmart? A website like Allstays.com will quickly tell me where I can find a Walmart in Idaho (there are 25 of them). Google Maps will even let me focus on a specific section of the map and use Search This Area, letting me focus on specific areas within Idaho. Maybe you mentioned that you were only about an hour from the Canadian border after I mentioned I was Canadian. Using directions on Google Maps, I quickly learn that the northern most Walmart in Idaho, located in Ponderay is only 75 minutes from Lister, British Columbia, a town close to the US border. Maybe you live in Kootenai or Sandpoint (neighboring towns to Ponderay), but we’ve now narrowed your location down to Bonner County, population 41,000. Perhaps in another conversation you mention living on the water or watching planes land in the backyard, each of these pieces of information allowing an online “friend” to more closely narrow in on your location.

It only takes a matter of minutes and a few innocent comments about life for an online stalker to narrow down your location. With a longer term conversation, what else are you likely to mention in passing? Your first name? Your high school? Perhaps that you “ran across the street to grab McDonalds for lunch today” or “stopped at Starbucks during your 2 mile run.” Now imagine that it’s not you, it’s your teenager or child and they’re playing Minecraft or League of Legends with some other “kid” on the internet. It’s amazing how these little bits of casual conversation can help someone build a profile and identify you.

As I mentioned, this type of thought exercise brings me back to my dreams of being a detective while egg hunting as a child. It also provides a form of entertainment for myself and my fellow gamers. We’ve played video games together for years, we’re mostly in our late 20s to early 40s, and many of us have met outside of video games. It’s become a game for us, “How fast can Tyler find <insert information request here>?”  This is where you realize how scary this is and how important it is to educate our children with regard to online privacy, because with a couple of pieces of information dropped in casual conversation, it’s often easy to identify someone in under 30 minutes.

Consider that the next time Facebook asks you to verify your privacy settings or you wonder how much detail you should add to LinkedIn to aid in your upcoming job search. Educate your kids, spend time online with them and see what type of information they are sharing with strangers. Consider reviewing my Checklist for Online Gaming Privacy with them. Even more importantly, however, pay special attention to where you place those Easter Eggs this Sunday, you may have just created a spy school for the next budding 007.

Posted by Tyler Reguly on Mar 30, 2018