

Ask HN: What is this? 158268a350000000 - DonnyV

Found this twitter account https://twitter.com/googuns_prod posting these weird encrypted tweets. The locations are all over the globe. You can find them using this site http://onemilliontweetmap.com/. Anyone know what it is?
======
chrisacky
This is highly relevant for the conspiracy theorists.

Random number radio stations.

<http://en.wikipedia.org/wiki/Numbers_station>

    
    
        A numbers station (or number station) is a type of shortwave radio station 
        characterized by their unusual broadcasts, which consist of spoken words,
        but mostly numbers, often created by artificially generated voices reading 
        streams of numbers, words, letters, tunes or Morse code.
    

Now, if you take a look at any random tweet, you will notice that the location
that it was tweeted from changes every time (often in the middle of the Sea).
This could also be a hidden chunk of information that encodes/hides other
relevant data.

It is certainly not by accident that the lat/lngs change on each Tweet. If I
had the time as an experiment, I'd probably try and find patterns between the
lng/lats to see if the decimal equivalent means anything? How hilariously
awesome would it be if when mapped on a globe, it builds up a large picture.
(Fair warning.. this runs WebGL and will most likely nuke your browser for a
few seconds <http://data-arts.appspot.com/globe-search/> )

~~~
JackWebbHeller
The creepiest Numbers Station of them all: UVB-76 -
<http://en.wikipedia.org/wiki/UVB-76>

Just listen to the buzzing sound clip... Sends chills down my spine. Then
after years of 24/7/365 buzzing, a Russian voice reads a bizarre encoded
message. Spooky.

~~~
samwilliams
I am sure this is just interference or something and please excuse me if this
is stupid thing to point out but I decided to check this out and listen to the
live stream of this linked to via Wikipedia and after 5 minutes or so I
started to hear a distorted conversation. It has continued ever since. Is this
normal?

~~~
xentronium
It's said to be quite active since 2010 [1]

[1] <http://priyom.org/number-stations/slavic/s28.aspx>

~~~
samwilliams
I see, I was under the impression that had died down since feb 2011 though?
That was the impression the Wikipedia article gave anyway.

------
shanelja
The keys it is sending appear to be in pairs, in sets of 16, if you
concatenate them you get the 32bit entire key. All of the keys are presented
in hexadecmial format, you will notice none of the letters go above f. Most of
the keys sent end in eight 0's, this would me to believe that this is padding
and infact, the two keys concatenate to build up one 32bit string, but if you
look carefully you will note that some of them only have 7bits of padding on
the end, so I will disregard this assumption.

These tweets appear to originate from Russia.

Now, common uses of 16bit (and 32bit) encryption keys are for WEP keys,
traditionally used in router password protection, which can be provided either
in a full ASCII spectrum or in merely hexadecimal format.

Taking these points together I can conclude that these could possibly be the
encrypted WEP keys of a Russian router.

Or I could be totally wrong, but I really wasn't given much to work with :)

~~~
DonnyV
Whats it monitoring?

~~~
shanelja
Sorry, dyslexia, I spelt router wrong, just went through and spell checked it,
unfortunately, my spell checker saw Monitor as being spelled correctly.

------
parktheredcar
Here's a way to easily pull down the data without all of that extra gui stuff:
[https://api.twitter.com/1/statuses/user_timeline.xml?screen_...](https://api.twitter.com/1/statuses/user_timeline.xml?screen_name=googuns_prod&count=200&trim_user=1)

The maximum is 200, but you can move down the line by using since_id or max_id
optional parameters. 'xml' can be replaced with 'json' or 'rss' if you'd
prefer a different format.

Looking over the data briefly reveals the additonal fact that the 'source'
field is populated with a link to Google. That, combined with the other
accounts including one that outright says it's associated with google on its
profile. So this is either google maybe doing some sort of recruiting thing,
or somebody that wants us to think it's google for whatever reason. One guess
is that the account name could mean Google User Notification Service.

Additionally, the tweets are published at a (more or less, this is the web)
regular interval. Always around the HH:M9:30, HH:M0:00, and HH:M4:30 and
HH:M5:00 marks. As stbullard speculated
(<https://news.ycombinator.com/item?id=4697813>), there could be two instances
of whatever this is running, publishing every 5 minutes independently, with
one instance having the code baf200000000 associated with it and another
having the id of 2350000000. Note that the length of these two are different-
the former is 12 while the latter is 10. This could mean a variety of things
regarding the format in which the data is published, or variance in the data
itself.

It might be worth looking at the unique parts of the 235 ones as color.

If anyone can pull these tweets down into a single file and share them that
would be amazing.

------
jgrahamc
I suspect what you are seeing is the output of a password cracking program
that is dumping out cracked MD5s or similar. The zeroes at the end is a
technique that's been seen before to mark a password as cracked, see for
example with the dump of the LinkedIn hack:
<http://news.ycombinator.com/item?id=4073309>

~~~
danielweber
The lesson I learn from that is that I should come up with a password that
starts with 5 zeros when Sha-1'd!

------
46Bit
Can't find anything related to this account, so I'd speculate it could be C&C
for a botnet.

~~~
madmaze
True this is likely some botnet coordinating where/who the C&C is currently. I
wonder if this can be reverse engineered.

EDIT: I wonder if it does some sort of transform on the number to get an IP
addr? perhaps its part of a IPv6 Addr?

Perhaps its a distributed brute-force on a password or checksum being carried
out by a botnet? Its interesting distributed this is, too bad we dont have IP
addrs associated with the posts

~~~
madmaze
Interesting to note is that all tweets from
<https://twitter.com/googuns_staging> have random Lat/Long coordinates
associated with it..

see:
[https://twitter.com/googuns_staging/status/22294385659595980...](https://twitter.com/googuns_staging/status/222943856595959809)

[https://maps.google.com/maps?q=-20.73906235%2C-145.82847672&...](https://maps.google.com/maps?q=-20.73906235%2C-145.82847672&z=10)

~~~
icoder
Or perhaps the GPS numbers are not random but do contain 'information'?
Perhaps totally unrelated to geolocation?

~~~
madmaze
Perhaps it is a botnet trying to locate all of its clients.

Each client has his/her own UUID(the tweet) and the geolocation is where the
client is located.

It seems as though the googuns_staging was the trial, all fake/useless
location and googun_prod(as the name suggests) is the actual "in-the-wild" run
of locating all of its clients

Also interesting is at the moment there are many tweets ending in either
a350000000 or baf200000000 but that may just be coincidence based on some
counter thats incrementing

~~~
pyre
It can't be the geolocation of compromised machines unless some of them happen
to be on boats or planes. Some of the geolocation coordinates are in the
middle of the ocean.

~~~
madmaze
True, or it could be geolocations that it failed to resolve.. but then again
it would likely be the same geolocation for every time it fails to resolve

------
Permit
Wow I was looking at this exact account after that globe post haha. Bizarre.

Also there is an (inactive) GooGuns_Staging:
<https://twitter.com/googuns_staging>

As a note, the last nine digits just alternate between 200000000 and
350000000. On staging they're simply ba0000000.

~~~
martindale
Also, Goo Guns Dev: <https://twitter.com/googuns_dev>

------
tobyjsullivan
It's clearly a viral marketing ploy. Standard theme: create some type of
countdown website (or some other cryptic message) then seed a few high
popularity forums by pretending to have stumbled across this thing nobody
would ever actually find.

Yeah, I'm looking at you DonnyV.

~~~
DonnyV
Sorry to burst your bubble but no. I just happened across this by accident.
I'm a GIS Developer and was checking out this site.
<http://onemilliontweetmap.com/> I noticed there were a lot of single tweets
floating out in the ocean.

------
emeraldd
It probably has nothing to do with this but there is another account
<https://twitter.com/googuns> which claims to be associated with google . . .
. In particular the page has a title "Google Notifications".

~~~
blauwbilgorgel

      "screen_name":"googuns"
      "created_at":"Tue May 05 19:13:53 +0000 2009"
    
      "screen_name":"googuns_dev"
      "created_at":"Thu Sep 24 19:21:47 +0000 2009"
    
      "screen_name":"googuns_staging"
      "created_at":"Tue Jul 28 22:48:11 +0000 2009"
    
      "screen_name":"googuns_prod"
      "created_at":"Tue Jul 28 22:49:22 +0000 2009"

~~~
curiousdannii
Did it start sending tweets then or some time later?

------
madmaze
It could also be a distributed game of battle ships...

each shot is defined by one unique hash and a geo location.. waiting to see a
tweet about "hit" or perhaps "miss" but those wouldnt need to be ACKed

~~~
unimpressive
Even though this almost certainly isn't it, this is the coolest "Telematic Art
Demo" idea I've heard in weeks.

------
timmclean
I poked around the data a bit (I uploaded a JSON file below). First, I
separated the tweets into two sets based on the last eight hex digits (00s and
50s). In each set, I parsed each 16-digit message as an integer, converted
that to a binary string, and reversed the binary digits. Parsing that as an
integer again gives numbers that roughly increase over time.

Here is a chart of the 00s (plotted against tweet number):

<http://i48.tinypic.com/svl4jm.png>

and of the 50s:

<http://i46.tinypic.com/2mn1wg7.png>

It's rather strange that the data isn't perfectly monotonic.

I'll look into the tweet coordinates next.

------
fla
To me it looks like trying to bruteforce something and post the current
sequence every 5 min.

------
mosburger
The pattern of the gap between the times that they are tweeted is somewhat
interesting too... 1 minute, 4 minutes, 1 minute, 4 minutes, 1 minute, 4
minutes, etc.

~~~
stbullard
The gap for <https://twitter.com/googuns_staging> is 5 minutes; that account
was started the same date as @googuns_prod: 28 July 2009.

I would guess googuns_prod is the output from two of whatever googuns_staging
is, running at a 1-minute offset, with each thing identifying itself with the
last nine digits: 200000000 and 350000000 for the production thing, ba0000000
for the staging thing.

~~~
zacharypinter
Interesting... If we ignore the zeros and the 20/35/ba, it looks very much
like the 7 digit short identifier of a git sha1.

Maybe it's just announcing a continuous deploy script saying that a particular
build made it to prod/staging?

~~~
tshadwell
That... is the most plausible suggestion so far.

------
manuscreationis
I wonder if this odd placeholder site has anything to do with it...

<http://www.googun.com/>

~~~
madmaze
interesting metadata:

<meta name="keywords" content="googun googun googun googun googun googun
googun googun gay gay gay gay gay gay gay gay seattle seattle seattle seattle
hot hot hot hot hot hot hot hot hot Tshirts t shirt t shirt t shirt t shirt
t-shirt t-shirt t-shirt coffee coffee coffee coffee coffee">

~~~
lmm
Maybe everything including this ask HN is the start of a viral marketing
campaign for a new startup? Or am I being too paranoid?

~~~
PostOnce
Yeah, I look at all out-of-the-blue mysteries with no context as the start of
viral campaigns now, they've overused that trope. I can't even get interested
in this because I don't want to waste time on something that turns out to be a
sales pitch, which would sort of suck if anything ever ends up being genuine.

------
zerostar07
Anyone could spoof geolocation, plus why would spies use twitter of all
things. this sounds more like a prank

------
rrmm
I was actually planning on doing something like this for fun. In my case, the
numbers would be generated from a random function and wouldn't mean anything.
YMMV.

------
stevejalim
There's also a <https://twitter.com/googuns_dev> account - but 0 tweets

------
ahv
Well, here are two plots from the data earlier today showing some patterns:
<http://i.imgur.com/q2Qc0.png>

Left one for the data ending with "f200000000", right one with "50000000". For
these I just assumed the numbers were 64-bit little endian integers.

------
astrodust
It could be part of someone's crazy Twitter-based deployment strategy, using
Twitter as RPC or pub-sub.

------
squeed
Probably trying to reverse-engineer the Twitter geolocation database instead
of buying one.

------
timmclean
I collected the last 3244 tweets (a limit of the Twitter API) and posted them
here in JSON for your enjoyment:

<http://www.sendspace.com/file/7huqe8>

~~~
parktheredcar
Nice, thanks.

------
robk
Seems like some sort of coordination effort I'd have to guess. Perhaps for a
region where Google traffic might normally be blocked, it's an alternative way
to get a message in?

------
datashaman
This is the next stage of Google's Interview Process, post riddles on the
Internet, hire the people who solve it.

------
runjake
<http://pastebin.com/eRbKmmCW>

------
gizzlon
That account has almost as many followers as I do on twitter :'(

------
datashaman
The birth of Skynet?

