And this makes it obvious why you should use a unique username everywhere!
It makes pervasive tracking a lot harder.
Also when you do any research on health related topics, be extra privacy conscious.
just to be slightly pedantic as there are still sites that have screen names vs account names where the screen name the public sees has no correlation with the account name (typically an email account).
so don't re-use email accounts across sites. SecOps matter
Yes, another thing you can do is use email subaddressing for every account you create, ideally with a non-default separator (i.e., not "+").
Doesn't this subaddress all just resolve to the same account? The accounts are free, so just make up a completely different account. Yeah, it might get a bit of a mess for a user to manage, but that's what password managers are for.
let's face it, we're not talking about Joey Beercan doing this. Anyone even tossing around the term SecOps is already moved out of mass populace and into the somewhat informed. Someone practicing SecOps would definitely be the type to use some sort of credentials management. So I don't think unique totally unrelated emails is too much of a burden. Using different free email providers is even better.
It depends on the underlying email server. But strictly speaking, the "+" is a valid identifier, and "joe+admin@example.com" is a completely different address than "joe@example.com".
It just so happens that email servers tend to recognize the usage of "+" as a "tag" and route incoming mail using the tag to the root email that precedes the plus and tag.
But, as the sender, you cannot assume that this is always the behavior. You must assume that those are two different emails.
I use periods and they work fine like for exampl.e@gmail.com or e.xampl.e@gmail.com which surprisingly resolves to my main email and I’ll block spam from any sender spamming that period address. Anyone know why this works?
As a sender, that's entirely true. As a flag to identify correlated emails and accounts, it can be a very useful assumption to make.
> Doesn't this subaddress all just resolve to the same account?
Not in OAuth/OIDC compliant identity providers. As one example, I frequently use + email addresses for testing on auth0-secured apps, where I use the + text to tag a role or some other user attribute that identifies what makes the test account special. eg stult+admin-staging@example.com or stult+user-declined-gdpr-prod@example.com. Each plus variant resolves to its own separate account with its own password (which I do in fact manage via a credential manager), without requiring me to set up multiple full email addresses to simulate multiple users with verified email addresses.
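An added example, not part of any comment in this thread: a self-audit that groups your own sign-up addresses by the mailbox they most likely deliver to, which is the correlation assumption discussed above. The tag-stripping rule and the sample addresses are assumptions (the `joe-shop` and `other.person` entries are constructed); the Gmail dot and `+` handling is Gmail's documented behaviour.

```python
from collections import defaultdict

# Gmail delivers dotted and "+tag" variants to one mailbox;
# googlemail.com is the same service under another domain.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address, separators="+"):
    """Best-guess delivery mailbox for an address.

    Assumptions: every character in `separators` starts a tag that the
    receiving server strips, and local parts are case-insensitive. Both
    are common in practice but not guaranteed by any mail server.
    """
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    for sep in separators:
        head = local.split(sep, 1)[0]
        if head:  # a local part that starts with the separator is kept as-is
            local = head
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def linkable_groups(addresses, separators="+"):
    """Return {mailbox: [addresses]} for addresses that collapse together."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_mailbox(addr, separators)].append(addr)
    return {box: addrs for box, addrs in groups.items() if len(addrs) > 1}


# Sample input: the first, second, fourth and fifth addresses appear in the
# thread; the other two are constructed for this example.
SAMPLE = [
    "joe@example.com",
    "joe+admin@example.com",
    "joe-shop@example.com",        # non-default "-" separator
    "exampl.e@gmail.com",
    "e.xampl.e@gmail.com",
    "other.person@example.org",    # dots are significant outside Gmail
]

if __name__ == "__main__":
    for seps in ("+", "+-"):
        print(f"separators tried: {seps!r}")
        for box, addrs in linkable_groups(SAMPLE, seps).items():
            print(f"  {box}: {addrs}")
```

A non-default separator stays unlinked only until the separator itself is tried, which the second pass shows.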
Gmail accounts aren't free: I believe they only allow up to 4 to be linked to the same phone number (which is mandatory).
Microsoft is worse: they'll let you create an account, then lock it the next day, after you've already used it for something, if you don't link your phone number.
Phone number is used because it costs money to get, is hard to get in bulk, and in many countries is always tied to your identity.
I wonder what the market for throwaway phone number verification is worth.
There are several cheap (not free) email providers that allow you to create unique emails per service for this precise purpose, and do not require a phone number, however they are lacking significantly in every other way, like an easy to use inbox, so not great for your main contact. One I tested out I found to be good for these random sites that want emails as your username. Then I set the custom email to forward the mail thereby maintaining unique usernames on each site. If the site does not use an email for the username and does not make the provided email public, you could use your regular email with the handy features that come with a Google/Microsoft suite, or err on the side of caution by still having the unique email.
This functionality is built into iCloud subscriptions with throw away Apple addresses that resolve to your AppleID registered email.
> I wonder what the market for throwaway phone number verification is worth.
I pondered this recently, and it seems to top out at a couple bucks per shot.
The problem is that the phone number tends to need to be persistent for the sake of security. You can't typically sign up for something that requires a phone number and then expect to be able to keep the account safe without maintaining exclusive access to that number.
I'm sure if it were cost effective, one of the password managers would have some kind of SMS integration, like Apple's hide my email, but for phone numbers.
If you're the kind of person who doesn't want to provide their own phone number to make an account, you probably also wouldn't be using any account long-term.
I’ve never provided a phone number for any of the gmail accounts I have. When was this mandated?
Very recently. I only noticed it about 2 years ago when I went to make a throwaway gmail account exactly for the above opsec purposes.
This is why I try to use the same name across websites. I want to be identified as the same person. Just resist the urge to post information you don't want others to have.
We often don't know what is or isn't information we don't want others to have, and it will be a lot harder, if not impossible, to delete it after-the-fact. Especially when you consider how it only takes a few innocuous data points to derive what might be information you'd rather not disclose.
The secret is multiple accounts. I too have a Brand Name Account(tm) I like to float around but it sure as heck isn’t this one.
Doing the multiple account thing isn’t as easy as it sounds though. Some sites like Reddit make switching between accounts incredibly easy while others aren’t so much. Plus laziness kicks in and soon enough your Brand Name Account gets tainted and you have to consider taking it out back to the dumpster.
Such is life I guess.
> Doing the multiple account thing isn’t as easy as it sounds though. Some sites like Reddit make switching between accounts incredibly easy
And it's as easy to dox yourself by responding with the wrong account, as I have seen multiple times on Reddit.
This happens a lot with viral-bait accounts. One of the top posts on the UFO board just got caught sockpuppeting this week.
> The secret is multiple accounts.
There was a "show hn" many months ago that did stylometry on HN commenters to show which accounts were most stylistically similar; I ran a throwaway account of mine through it, and it showed my account in the top 3 - which was impressive.
Having multiple accounts won't save you when your own word choice, grammar and style can uniquely identify you to anyone sufficiently motivated to link your disparate identities at any point in the future. The author even said their tool was rather basic; IIRC the basis was all pairs similarity on n-grams
You wouldn't happen to have a link to that would you? I'd really like to check that out
https://news.ycombinator.com/item?id=33755016
I can't get the site to load
Then I wouldn't be able to talk about my kinks anywhere
> Just resist the urge to post information you don't want others to have.
Self-censor you mean?
I personally like that information anonymous account `William Shakespeare` posted around 1585–1613.
I don't understand what point you're trying to draw here. William Shakespeare was by no means anonymous in his day and age and he almost certainly had to consider the views of the aristocracy and other elite figures that might watch his plays i.e. self censor. Ben Jonson, a contemporary playwright, was imprisoned for writing "The Isle of Dogs".
I think parent is saying that by self-censoring, expression others enjoy is lost, with the example of Shakespeare as an expresser whose impact would have been lost if he'd decided to be anonymous instead.
> And this makes it obvious why you should use a unique username everywhere!
Actually I was disappointed by the post, I was hoping it will be able to find the same person regardless of the username through analyzing the writing style, what they are talking about, the timezone etc.
The username doesn't prove anything, anybody can take any username anywhere. If someone targets you, they can take usernames on platforms you haven't claimed your username yet and pretend being you and damage your reputation.
That’s why you should claim your main handle on all platforms, just don’t use it if you want privacy.
I have no interest on some platforms.
What about the platforms that I don't know of? Or that don't exist yet?
Even major corporations don't bother with all TLDs.
It's far more plausible to not seek to have the same identity behind the same handle.
Actually, this makes it obvious why you should keep a page that contains all your links. It's easy to just make an account and pose as someone in order to destroy their reputation. It's also difficult to get unique accounts, often times my accounts overlap with existing names. Even my real name is shared with many people. Employers who use technology like this are actually quite foolish to do so.
Or better yet, be extra privacy conscious with everything you do.
I strongly suggest the opposite. Collect everything and do on a personal site, do good seo on your pages, expose your content. Go totally anon for anything you don't want exposed of course. But you should expose as much of yourself as you're able and control the conversation.
This reminds me of a friend who was a steam moderator, and they had an alternate account on twitter pretending to be mexican. The amount of times they got people thinking they found their real name was larger than "juan".
Using online services requires so much special attention it starts to weigh up to the benefits given. Considering the risks, it is already on par with the value delivered.
In what kind of dystopia would one need to hide doing research on health related topics? Oh, right.
Actually it should be the opposite. Claim one handle everywhere that you want people to associate as your “real” persona and then use unique names in places where you want to be controversial.
Doesn't matter for the next day's witch hunt
They are just gonna make fake accounts that look like yours and shitpost ahead anyways.
Social media has multiple problems, including authenticity, transparency, validity and verifiability. All of which don't exist and make it the optimum propaganda machine (referring to the criteria that Chomsky described) because it can be corrupted through multiple attack vectors.
If we want to survive this hellhole of misinformation, the mentioned criteria has to be implemented for the "next big platform" so that censorship and other legislative processes can be encountered with increased transparency and openness.
On a network/society scale it can't be driven by financial incentives to prevent corruption, ergo it must be financed by taxes. Preferably on an EU or UN legislative level to prevent political corruption of single state actors.
A state funded platform with a focus on authenticity, transparency, validity and verifiability, is the best thing against censorship? I don’t get how.
L’etat c’est vous.
It's a really overengineered fn() { browser site1/$1 site2/$1 ... }
Tools like these insult the users' intelligence and generate needless drama[1] the only data needed are the urls from https://github.com/sherlock-project/sherlock/blob/master/she...
[1] https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to...
collecting that data is worth something.
Interesting tool, but it generates false positives. Try Sherlocking some randomly generated usernames that cannot possibly exist and it will still return results for some of the URLs in its list.
For people who want to have a professional social presence (FB/linkedin) as well as an anonymous one (Reddit etc), it’ll be super useful to see if the accounts are truly unlinkable. Moreover if you are opening a new anonymous account, maybe a good idea to search the new username using this tool to make sure it’s not “taken”
Until some ML process is learned to give a probability that accounts are the same based on writing styles
Staying anonymous is very difficult
Stylometry tools may be useful if you already have a small candidate pool of suspected aliases. They produce too many false positives to be useful for blind cross-linking of accounts. Once or twice somebody has done stylometric analysis of HN accounts and I've looked at the results for my accounts. Even though I don't try to obscure style across accounts, stylometry didn't match my actual accounts with each other. My top matches were for accounts controlled by other people.
I specifically write with different perspectives, tones, and opinions on different sites in a probably vain attempt to mitigate this.
For example, on YouTube I use twitch slang, and on Reddit I use TikTok slang, and on TikTok I use reddit slang. On hackernews I use a slightly whimsical pedantically-infused undergrad tone.
Using stats this is called stylometry and I agree this will probably be easier at scale now. You can also match posting windows, pull additional features from database dumps/hacks.
Fun post applying it to HN, not sure if the site is still live: https://news.ycombinator.com/item?id=33755016
Then people will start using browser extensions that automatically "fuzz" your writing style randomly. That is, if chasing anonymity is someone's true goal.
So what's a non creepy use for this?
I think the "non creepy" use is really just making people aware how easy it is to correlate all your different traces online. It's like when someone released on HN a tool that would link various HN accounts (and maybe Reddit accounts too IIRC), but by looking at commenter word choice similarity.
It makes people realize that actual anonymity online is a smokescreen.
Seeing what it finds about yourself?
Is it creepy if you google a job candidate?
In many parts of the world it is illegal for a recruiting party to search for information on a candidate without their consent.
Whichever parts of the world that may be, you can guarantee that it happens anyways.
Unenforceable rules are never followed.
I recently Googled myself, and in the first page of results I ran across some shit AI website that scrapes random web content about people and attempts to summarize it. It got my current occupation completely and comically wrong -- as in, it has nothing at all to do with tech.
If you're trying to figure out anything about me from social media or other such random web pages, I don't care to have anything to do with you, and I don't care what you're led to believe about me. I suppose this is born of privilege, but the only contacts I care to make are directly via people I already have a relationship with.
Cybercrime research; locate malicious actors across social web.
It’s also a great education tool to showcase the need to be careful about internet hygiene. The creeps have done this sort of thing for decades
Like hiring a PI to follow people around to educate people about stalkers.
Finding usernames that you can register and own across all social networks.
*For some very narrow, twisted definitions of the word "own"
Clean up the online footprint for someone that hires you to do so before they run for office. I don't remember every single web site I've ever signed up for going back to when I started using the Internet, and neither can you.
Internet Archive likely renders that point moot, no? There are plenty of sites that index tweets outside of Twitter for example... at least there used to be
The Archive is much less discoverable. There's no search engine for the wayback machine.
You can request them to take down personally identifying information about yourself. They respond quickly and seem to have someone employed to handle GDPR requests.
That's the great part- there isn't. Following people you like on every platform I guess.
Letting a person sign up on your site and choose to import stuff they've put onto other sites under that username, maybe.
To socially harass and drive to suicide anyone that doesn't conform to the dominant cultural outlook. Think that's creepy? Well, you just made the list!
I’m on a lot of lists and still have TSA Precheck, Global Entry, can hold US security clearances, pass professional background checks
so what are you lesser relevant people worried about exactly?
What lists are you on?
Realistically it's doing this to people who deserve it, trouble is that no one is going to agree on that criteria
Who deserves it, and what is "it"?
I’ve successfully used Sherlock to track down a colleague that I only connected with on MeetUp. It’s an amazing tool. Worth running on your own usernames as an easy account inventory
Oh noes I hope they don't find my USENET posts from between 1992 and 1997.
I haven’t used my real name online since the late 1990s once I realized things are stored forever.
I don't plan to run for president or anything, but find myself increasingly censoring my online speech. I think the biggest risk is some out of context post being pulled into a civil suit, or professional cancellation following that.
Things like advice in an alcohol recovery forum would be prime evidence for a liability suit.
There are also groups that vacuum the internet for offensive posts, and use them to try to get people fired for things they said 10 years ago.
At this point, I assume all internet activity can and will be de-anonymized, and restrict my speech accordingly. I'm sure there are some meaningful precautions and nuances, but it is too much to keep up with.
There was a story, a couple of years ago, about a teacher who got fired, because she posted a picture on Facebook, holding a margarita, or something. She was on a vacation in the Caribbean.
One of the parents saw the post, and raised a stink.
Now that I'm retired, it doesn't really matter that much, but I do my best to behave well (this joint is pretty much the only place I post much). In the past, I was not so circumspect. In fact, I was a troll.
I remember once, signing up for Disqus, and they came back, and said something to the effect of "We found all these posts from around the Internet. Would you like to claim any as yours?"
Included, were some of the worst troll posts I'd made, many years ago, under the [obviously mistaken] assumption that they were anonymous.
I nuked the signup, and went and had a lie-down.
Since then, I have never bothered to try being anonymous. I probably could, if I wanted to, but I'd rather just stay public, and not say stuff that I'd regret.
It's a relatively new and novel thing for people your age to be able to look up anything online, to the point where it's scandalous.
This card will be played over and over again by politicians, influencers, prosecutors, police, etc, until the smartphone-from-birth generation reaches office. At that point, it'll be so easy to dig up dirt on anyone, people will just stop caring (as they should anyway).
We're just in a weird transition period right now.
I'm not so confident. Digital natives seem just as eager to apply purity tests as anyone, if not more so. Throwing rocks still feels good, even if everyone is living in glass houses. It was true in the 1300's when the saying was coined, and is still true today.[1]
[1] https://www.bookbrowse.com/expressions/detail/index.cfm/expr...
> try to get people fired for things they said 10 years ago
I assume the implication here is that the thing they said 10 years ago was less inappropriate back then. So how do you predict sensitivity changes 10 years in the future to limit your speech today? Even if you delete posts after, say 1 year, archives exist. Shouldn’t you just not say anything if you’re afraid of this? Maybe discussion of self-censorship like this will be taboo in 10 years and the ship has already sailed.
I wasn't implying that it depends on sensitivity changes, although that is possible too. Sorry if I wasn't clear on that.
My thought was more about time and distance. Something can be unpopular or even wrong when it's first said too. People are dynamic and change over time. The mechanism of change is living their lives.
Taboos can change as well, so there is a motivation to steer clear of controversial topics in recorded media. You can use discretion to judge risk. It's unlikely that someone's going to fire you for discussing ice cream in 10 years.
Yea, that's also a big danger: A totally innocent or trivial comment written today might be taboo in 10 years, and some future justice warrior is sure to dig it up and use it against you, and you have no idea what is going to be taboo. Maybe in the far future, owning pets will be taboo, and all the pictures of me and my dog are going to be dug up and used to shame me for violating an animal's sovereignty or something.
There is no way to know what people are going to get offended about in the future, but the clear trend is people getting offended about more and more things over time, rather than fewer and fewer things.
> for things they said 10 years ago.
I don't think this is an automatic negative as you are implying. There's definitely lots of qualifiers involved though. There would have to be significant evidence to show that the sentiment expressed is still no longer held which could be more than problematic to prove. If it was someone up for supreme court justice that posted pics showing how much they liked beer and their antics as a party person could be shown as lack of maturity by comparing that they no longer drink now. Someone posting racist comments would be much harder as you don't really know if they've changed their view or just learned not to post publicly their views.
Edit: automatic negative should really read automatic disqualifier
That second example pretty much demonstrates why it is so dangerous. There were attitudes that were commonplace 30 years ago that are now considered racist, in many cases because they were racist, that people don't subscribe to today. I imagine the same can be said about 10 years ago. People's values change. We should not be giving them life sentences when they have reformed their attitudes and behaviors, otherwise the incentive to reform is taken away.
One example of this I can think of is a show from the late 90's which used the word "spaz" very liberally, which was already iffy at the time but not fully demonized. Using it nowadays could be considered a major point of contention towards your image. Words like Gypsy and Retard are more recent inclusions in this field.
When did spaz go out of favor? I was completely unaware it became taboo.
I'm at a loss for how your example doesn't lead to automatically negative.
Don't post something harmless today that will be deemed a "dog whistle" in 2035 so that you don't have to prove a negative?
I don't mean to be critical here, it's a genuine ask.
And to add to the above, my post is the kind of post that would be gone. If I was taking a similar stance.
Having the right/freedom to post anything you want does not mean there shouldn't be consequences for those posts later.
Age of post should just not be an automatic "but it was 10 years ago" get out of jail free card. If there's compelling evidence it was just a stupid thing someone did as a teen, then we can have that conversation. If it is a post from someone in some position of leadership that is 10 years old but was made in their 40s is not the same "I was an immature teen" situation.
Ah, so you're who GGP's talking about.
Being authentic is the ticket to public office now
I’m kind of glad that the value of blackmail futures has plummeted to zero
I always thought millennials would be the culprit because millennials have so much online, but nope, it was just old fashioned baby boomers that have spearheaded it and double down on their indiscretions to be the role models for the country’s top offices
I think that reality is much more heterogenous. Say some edgy or unpopular things 10 years ago, and they can still be shared with your boss and blasted across your employer's social media channels. The social consensus and average result doesn't preclude damage in some cases.
"criminal activity?"
"no sir."
"for god's sake Baldrick, you're running for parliament. I'll put fraud and sexual deviancy."
> Being authentic is the ticket to public office now
No, it's not.
The preferred image may be more combative, aggressive, and anti-social than in the recent past, but as always adherence to it is more important than actual authenticity.
> I’m kind of glad that the value of blackmail futures has plummeted to zero
It hasn’t, though the value function for current negative information is different, so things that were once valuable for blackmail or otherwise harmful to public image are less so (and things that were not are moreso.)
> I always thought millennials would be the culprit because millennials have so much online, but nope, it was just old fashioned baby boomers that have spearheaded that double down on their indiscretions and are the role models for the country’s top offices
The only boomer I can think of that you might be talking about denies them constantly (even if there is past documentation of his acknowledging them in a general sense) and is supported by favor-currying media magnates who either actively promote propaganda favoring his messaging on that or, at a minimum, actively spike critical coverage.
And even within his movement and with the support of his cult of personality and the same favorable media, others in his orbit have often been less successful in having their indiscretions given a pass (see, e.g., Matt Gaetz’s nomination for Attorney-General of the United States.)
Only for this cycle. The pendulum will swing back to cancelling and pitchforks after this era of cult of personality.
what evidence do you have that this is true. at this point, a new theory of physics will be trotted out that shows a pendulum does not have to swing back. it will become trending on all the socials so that people believe. it therefore becomes the de facto truth, and the cult remains
I thought canceling never stopped. It was just politically motivated.
(Ironically, Dems eat their own for that stuff, so maybe "politically motivated" doesn't quite capture it... compare e.g. Al Franken and Katie Hill vs Roy Moore or Matt Gaetz)
Democrats cancel and Republicans mostly double down. I don’t think there is anything Trump can do at this point to horrify or even just dissuade his base, for example.
Yes and no. He has a clear mandate to fix price increases and inflation. If he doesn't he will lose the newcomers that held their nose voting for him. If he screws up big time he will be frozen in 26 and ride out his presidency having accomplished nothing. His core base that you are talking about was always a declining minority.
That’s true. It’s even worse, though, since he promised a bunch of stuff that he can’t deliver or if he delivers (high tariffs, mass deportation), inflation will probably boom. Get the popcorn because the first month after 1/20 will be interesting (and maybe stock up on some electronics that are probably going to get really expensive).
> "I don’t think there is anything Trump can do at this point to horrify or even just dissuade his base, for example."
Pretty sure it's pretty close to true at this point that he actually could get away with literal cold-blooded murder in public at this point and his cult would fold themselves in half backwards tryin' to justify it somehow. [0]
[0]: https://www.snopes.com/fact-check/donald-trump-fifth-avenue-...
I mean, he supports the Gaza situation.
Real Americans are pretty split on the topic of Gaza. 36% of Americans favor the U.S. providing military aid to Israel. 34% oppose military aid, and the rest are neutral.
https://www.pewresearch.org/2024/03/21/views-of-the-u-s-role...
I didn't say Trump was the only one who supported cold-blooded murder.
I don't really get that impression, in my experience people just realize cancelling is a two-way street and stop it
I’ve been told “I’m making someone uncomfortable” and I said “they’re making me uncomfortable”, and follow that up with “why are you privileging their discomfort over mine” and when they or the mob say something gendered or sexist as the explanation, then I get to cancel all of them or get a nice fat paycheck
The tool didn’t work as well as I expected. It claimed to have found the username I entered on 40 websites, but when I followed several of the provided links, they led to 404 error pages.
Furthermore it seems to be showing false results for some domains regardless of whatever you type.
I get this error upon first run, both with pipx and with a regular venv: https://github.com/sherlock-project/sherlock/issues/2294
wait, there are 400 social media networks?
Is it querying an offline or an online database? Because if it's the latter I hope people don't give it their various disparate usernames allowing them to link them together.
It doesn't query a database, it queries the individual sites.
https://github.com/sherlock-project/sherlock/blob/master/she...
It's essentially a loop that fetches www.whatever.com/username and does a regex for "user not found". It then outputs a list of links, to possible profile pages. Pretty simple tool, but speeds up a standard investigation technique.
Worth noting that the search bar on top searches the site / code, and is not part of the actual search by username!
Termux should be supported soone4 from default.
No pkg package.
Nice OSINT tool.
Reminds me of this excerpt from "A Study in Scarlet".
'Have you read Gaboriau's works?' I asked. 'Does Lecoq come up to your idea of a detective?'
Sherlock Holmes sniffed sardonically. 'Lecoq was a miserable bungler,' he said, in an angry voice; 'he had only one thing to recommend him, and that was his energy. That book made me positively ill. The question was how to identify an unknown prisoner. I could have done it in twenty-four hours. Lecoq took six months or so. It might be made a text-book for detectives to teach them what to avoid.'
What's this tool vs typing a user name in google to find similar to same info?
Even less useful than google for couple of monikers I tried.
Why is this not a website but I have to install something?
I would assume it's because checking usernames using your own IP address leads to better results while making it a website would forcefully make it a SaaS (to cover cloud costs).
I'd argue instead why is this not a GUI? Making it a CLI makes it less user-friendly.
I would guess to prevent IP address blocking, or offloading responsibility
Edit: added “to prevent”
Because not everything is a website?
Reminder that malicious impersonation is common and easily automated with LLMs.
Remember when IPv6 decided on 128 bit addresses and defaulting to /64 blocks because someone thought using a 48-bit MAC address as the IPv6 equivalent of a port was a good idea? Fast forward a decade or two and we realize how this is a PII leak issue so nobody does it but we're still stuck with 128-bit addresses (for those who use IPv6).
There are several things that are a security issue or simply a privacy issue. These include:
- Your username (as I assume this tool is demonstrating)
- Your email address. While this is treated as your "public identity" to some extent, I think we're rapidly approaching a point where we need to not do this;
- Your phone number; and
- Your profile pic. I would advise to never use the same pic across accounts and certainly don't use services like gravatar (if that's still a thing).
Email is particularly problematic because you can end up on spam lists if a site is compromised and you can't really identify where it comes from.
What I think we need is a more integrated solution for logging in and creating throwaway addresses (eg like SimpleLogin) so it's basically seamless. Gmail seems well-positioned to do this. I honestly don't know why Google hasn't done this.
Interestingly, Facebook Groups seem to handle this kind of anonymity reasonably well. Each group you're in is a separate profile. You can't find out what other groups someone is in from either their personal identity or any group's identity. Weirdly, your FB profile is associated with any pages or profiles you comment on.
It should be clear to these companies by now that people want to silo their public identities (aka pseudonymity).
> Remember when IPv6 decided on 128 bit addresses and defaulting to /64 blocks because someone thought using a 48-bit MAC address as the IPv6 equivalent of a port was a good idea?
No, I don’t, and I’m well-aware of EUI-64.
IPv6 uses 128-bit addressing because some on the design committee or making comments on the drafts thought that 64 bits might not be enough.
You're not required to put a MAC in the last 64 bits, but the fact that your ISP has to give you at least 64 bits is very cool.
Privacy addresses are random and periodically rotated.
The IPv6 equivalent of a port is a port.
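An added example, not part of any comment in this thread: a check you can run over your own hosts' IPv6 addresses to see whether the interface identifier is a modified EUI-64 (and so carries the MAC address) instead of a privacy address, and whether that MAC shows up under more than one /64. All addresses are constructed from the 2001:db8::/32 documentation prefix, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict


def _host(address):
    """Strip an optional /prefix and %zone so ipaddress can parse the host."""
    return address.split("/", 1)[0].split("%", 1)[0]


def embedded_mac(address):
    """Return the MAC carried in a modified EUI-64 interface identifier.

    Modified EUI-64 inserts ff:fe in the middle of the 48-bit MAC and flips
    the universal/local bit (0x02 of the first byte). Returns None when the
    identifier lacks the ff:fe marker. A random privacy identifier matches
    the marker by chance about once in 65536, so treat a hit as a strong
    hint and confirm against the interface's real MAC.
    """
    iid = ipaddress.IPv6Address(_host(address)).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def tracked_across_networks(addresses):
    """Map each embedded MAC to the /64 networks it was seen in (2 or more)."""
    seen = defaultdict(set)
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac:
            net = ipaddress.IPv6Interface(f"{_host(addr)}/64").network
            seen[mac].add(str(net))
    return {mac: sorted(nets) for mac, nets in seen.items() if len(nets) > 1}


# Constructed sample: one interface seen on two networks with an EUI-64
# identifier, plus a randomised identifier on the first network.
SAMPLE = [
    "2001:db8:1:1:211:22ff:fe33:4455/64",
    "2001:db8:beef:2:211:22ff:fe33:4455",
    "2001:db8:1:1:a1b2:c3d4:e5f6:1789",
]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(addr, "->", embedded_mac(addr) or "no EUI-64 marker")
    print(tracked_across_networks(SAMPLE))
```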
This will be very handy because when I see someone post something I disagree with on HN I can also go downvote them on reddit and swipe them in the ugly direction on tindr and/or grindr. I am justified in doing this because everything I don't like should be banned.
Don't forget to report the reddit posts for suicide concerns.