How traceable is your internet presence?

With all the recent nonsense regarding the delivery of threats over the internet, people must be wondering if it could happen to them.

Yes.
Alright, moving on...

I'm going to hit on some of the information required to locate you in the non-intarweb world, and what you can do to minimize this risk. So, read up!

Your IP address
To those who are not familiar, your IP address is similar to your regular address. It shows where you're coming from, and can provide fuzzy information about your physical location. Your IP address is tied to your point of internet presence, so if you connect from home your IP will be different from when you connect from work. Your IP address can be tracked to a general geographical location (usually, down to the city), but can not provide any more information than that.

Determining IP addresses
Obtaining your IP address would be the first step of someone looking for you. Finding your address can be difficult, as it requires direct interaction between you and the searcher, or the searcher's hardware. The searcher may use a direct-connect instant messaging program to find your IP (should your IM name be public or attainable), or try to match a connection to his server or website with a comment or message left by you. The most effective way of determining your IP address is by use of a web bug. Web bugs are not special software or hardware, but a different way of using existing software. The searcher will create a webpage or post an image that no one else will know about, they will then send you a link to this secret image or page, and when you click on the link to the page, or load the image, the server logs will show the exact IP that requested the page/image that only you should know about. Unfortunately, with so many e-mail applications processing HTML no matter what the user prefers (really, it's just outlook), you may not know that you've been bugged. The searcher may send you an e-mail that contains a 1x1 pixel image in the corner, your mail program will request this image from the searcher's server, and you'll never see it, or know it has happened. Some mail programs have the ability to disable external links to images, you should activate this setting if you don't have html turned off. Picking up your IP address will only be part of the battle, but it's one that the searcher will likely win, unless you are particularly sneaky.

Geolocation
This is the scary one; this is where someone actually gets your street address. Fortunately, this rarely happens (if you're even remotely careful). If the person seeking you, is doing it to puruse legal action against you, your personal information can be subpoenaed (jesus, that's spelled strangely) from your ISP. You may do some searches to see how protective your ISP is of your personal information, some will give it up at the mere threat of legal action, while others will demand proper documentation be sent through the proper channels. Legal action aside, from only the IP address, someone can easily find your general location. The your state will always be found, your general location within the state will likely be found (IE: North West New Mexico) (my example is notably unfortunate, as a quick search on google maps notes only two cities in that particular region), and your city may or may not be found. My advice? Don't move to North Western New Mexico! (it should also be noted that that particular bit of advice applies to much more than avoiding geolocation)

Protecting your IP
The easiest way to protect your IP address is not to use it! There are a number of free web proxies that can afford you a pretty good level of anonymity. You may also remotely connect to a PC at another location (work, grandma's house, etc.) and do your protected work from there. Though the easiest and probably best, is simply to use someone else's network. This could be your local coffee shop, or your neighbor's unsecured wireless connection (existingthing does not endorse the activity of illegally establishing a connection to, and using the bandwidth of any networking hardware that does not belong to the reader, and strongly encourages his readers to do as he says, and not as he does).

Protecting your name
If you mention your full name (assuming your name isn't John Smith, or something), and own a home, your address is as good as found (with a little legwork). Most people are unaware of this. Renting is a little bit tougher to find, but not impossible. Your best bet is to adopt an alias. While some folks find use of an alias childish, they probably haven't had someone coming after them (or they just don't know about it yet!). Try not to use any names you use elsewhere on the internet. I have about 10 different names, and try to keep them as separate as possible. If you go to great lengths to keep your blog personal information free, but talk about visiting a board, and use a similar name on that board; you need to sanitize the personal information from that board too. If you have a notable internet presence, it can become hard to keep track of what can lead to where. You may be leaving puzzle pieces around the internet, that someone is trying to put together. My choice of name was kind of a lark; I wished I could have changed it in the past, but have grown rather attached to it. When I got an e-mail talking about how professional looking my blog was (wha?!), but wondering why I had to hide behind an alias, my answer was simple. If I used my real name it would take someone about two seconds to find a pretty good clue to find more information about me, and another 8 seconds to find out where to find me. (even less if my work e-mail was known!) (after some work, I was able to make my picture a bit harder to find :)
When doing expensive penetration tests (or just when I get bored or hit a wall with a cheap one) I'll find employee names and do internet searches for the presence of that person elsewhere on the internet. Sometimes I find information that leads me to an address, sometimes I find information that leads me to a password.

Protecting your e-mail address
This can become similar to protecting your name when you have one main address that you use a lot. That address may be getting around. If a google search doesn't bring anything up, think of what you may be able to get with a few bucks and an e-mail to a company that gathers demographics. Post to any newsgroups? Chances are that your e-mail address is out there somewhere. I'd recommend establishing a free e-mail address for just public purposes and using it that way. Just because your e-mail address isn't public information on a board you frequent doesn't mean it's unattainable. Use the public one as often as possible. When it fills up with spam and junk, make a new one with an obscure name, and point the sites using the old one to the new one.

Protecting your dealings
This is an obscure one, but keep in mind that businesses or persons with whom you have dealings may not be as disciplined about keeping their lips zipped about your personal information. If I were to mention the shop that I purchased my upper receiver from, someone may be able to call pretending to be me to "confirm" shipping information for future order. Unfortunately, people are notably susceptible to social engineering, so refrain from mentioning specifics when talking about people or businesses with which you deal.

Don't think it can't happen to you!
If you think you're small enough that you're flying below the radar, or haven't made any enemies on-line, you're probably wrong. People are fucking nuts. You have NO idea if some innocent comment sent some wack job on the far side of the net off the deep end. When dealing with these kinds of people, you don't usually worry about the folks who say they're going to kill you; you worry about the kind who are passively seeking you, the ones you never know about. You may be laughing, and thinking that anyone who posts their address or personal information is a fool for doing so, and deserves whatever he or she gets. Well, the chances are that you've let slip some telling information about yourself somewhere on the internet, and even if it seemed harmless at the time; a dedicated stalker (for lack of a better word) will put these pieces together, and may come up with enough information to find something really dangerous. And if you are someone in the public eye, who can not avoid your information being made public? Erm... Get a gun. I'm sure that even the most tight-assed police agencies would be happy to furnish you with a CCW once you receive some e-death threats (though you may have to open a case with the FBI) (which is advisable if you're receiving threats, even if you aren't doing it just for the CCW)

There's little reason for some personal information to be made public on the internet, and more reason to do just the opposite. Think before you post.

Just because you aren't paranoid, doesn't mean they aren't out to get you... *knock knock knock*