
When you browse Instagram and find Tony Abbott's passport number - michael_fine
https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram
======
kccqzy
Nice. Here's a similar personal story with a PSA that sometimes blurring is
NOT sufficient.

A friend of mine posted on Instagram a picture of a U.S. visa (or something
similar; it was probably five years ago) to announce her trip to the U.S., and
she took care to blur out sensitive information such as her passport number.
But a Gaussian blur is easy to reverse and I successfully unblurred it and
told her my discovery. I didn't use any specialized software; it was just
Mathematica with its built-in ImageDeconvolve function with guessed parameters
for the Gaussian kernel.

I personally recommend blacking out (add a black rectangle) instead of
blurring, and if it is a PDF, convert to an image afterwards because too many
PDF editors use non-destructive operations to add a new object instead of
changing what's underneath.

~~~
function_seven
Your advice is good, and I agree that you didn't use specialized software to
reverse the blur, but this

> _I didn't use any specialized software; it was just Mathematica with its
> built-in ImageDeconvolve function with guessed parameters for the Gaussian
> kernel._

is one of the most HN comments I've come across recently :)

~~~
zwayhowder
Reminds me of The Simpsons 3D episode. Professor Frink's

> "Well, it should be obvious to even the most dimwitted individual, who holds
> an advanced degree in hyperbolic topology..."

~~~
gropius
Professor Frink, Professor Frink. He'll make you laugh, he'll make you think.
He likes to run and then the thing with the.. person...

~~~
jgwil2
That monkey is going to pay...

------
POiNTx
Apart from the really interesting content, this is an extremely good read,
strikes me as the right kind of balance of information and keeping you
entertained. I really enjoyed this writing style!

~~~
warent
Interesting, I liked the story but got the opposite impression you did. At
first the humor was amusing but I felt like the relentless, extremely heavy
sarcasm dripping off every sentence quickly turned it into a slog and even
started to make me wonder which parts were genuine vs. joking. Not great.

~~~
giarc
I agree... when you listen to a great comedian, it's not 1 joke/sentence. This
article was too much. I still read it all since the overall topic was
entertaining but the attempt at humour was overkill.

~~~
poutrathor
Have you actually listened to today's comedians? It _is_ one joke/sentence
nowadays (at least in my country).

More exactly, they separate each sentence. Each has a tiny bit of funny in it
(in the words, in the way they say it, because they stay in character,
whatever) and they let the audience lol. Rinse and repeat.

Look I just googled "up and coming standupers" and picked the first video (new
laptop, not connected to Gaccount)
[https://www.youtube.com/watch?v=s6uW1odtjPc](https://www.youtube.com/watch?v=s6uW1odtjPc)

Check the 36 first seconds.

Humour changed without you (us) realizing ¯\_(ツ)_/¯

------
sorum
Some Grade A zingers in there:

> The man in question is Tony Abbott, one of Australia’s many former Prime
> Ministers.

> For security reasons, we try to change our Prime Minister every six months,
> and to never use the same Prime Minister on multiple websites.

> Harold Holt was another former Prime Minister and we… lost him? He
> disappeared while going for a swim one morning. This is not a joke. We named
> Harold Holt Memorial Swim Centre after him. I repeat, this is not a joke.

~~~
danieltrembath
"...I called up and was all like “yeah bloody g’day, day for it ay, hot enough
for ya?”. Once the formalities were out of the way..."

~~~
ralphael
I couldn't stop laughing.

His skills at hacking are only matched by his wit at writing.

------
fphhotchips
I feel like this buries the lede massively: Qantas' system was run by Amadeus,
who also run the booking system for some 200 other airlines [0]. If you could
do this with Qantas and get all those notes, you could probably do it to any
other airline and get them too. That would be bad enough, but it also appears
that this issue (or one very much like it) has been reported widely at least
back in early 2019.

So, either Amadeus didn't fix the issue until it was disclosed here (very very
bad) or Qantas didn't update their booking system for a security patch (
_also_ very bad).

[0] [https://techcrunch.com/2019/01/15/amadeus-airline-booking-vu...](https://techcrunch.com/2019/01/15/amadeus-airline-booking-vulnerability-passenger-records/)

~~~
bostik
The underlying issues have been known for quite a while. There was a fantastic
talk in CCC at 2016 about the airline booking systems and the various bits of
information you can glean from them.[0]

0:
[https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...](https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego)

~~~
namdnay
The underlying issue is that PNR+Last Name has always been the "security" to
access a booking, and no airline or travel agency wants to enforce stronger
measures unilaterally, for fear of increasing friction for their customers.

------
tomerico
I found his advice to Tony on how to get better with computers remarkably
insightful:

> I said there probably was a book out there about “the basics of IT”, but it
> wouldn’t help much. I didn’t learn from a book. 13 year old TikTok
> influencers don’t learn from a book. They just vibe.

> My mum always said when I was growing up that:

> - There were “too many buttons”
> - She was afraid to press the buttons, because she didn’t know what they did
>
> I can understand that, since grown ups don’t have the sheer dumb hubris of a
> child, and that’s what makes them afraid of the buttons.

> Like, when a toddler uses a spoon for the first time, they don’t know what a
> spoon is, where they are, or who the current Prime Minister is. But they see
> the spoon, and they see the cereal, and their dumb baby brain is just like
> “yeA” and they have a red hot go. And like, they get it wrong the first few
> times, but it doesn’t matter, because they don’t know to be afraid of
> getting it wrong. So eventually, they get it right.

> Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him
> what I always told my mum, which was: “Mum you just gotta press all the
> buttons, to find out what they do”.

~~~
jhealy
A similar anecdote from my family.

My uncle (a sheep farmer) and I discovered that:

1. I was afraid to touch anything in a car engine, but happy to muddle
through unfamiliar computer issues

2. He was afraid to click unknown buttons on a computer screen, but
comfortable pulling apart and rebuilding an unfamiliar car engine.

In both cases, we were confident because we knew whatever mistake we made we'd
be able to reverse it. And in both cases, we were afraid of making a mistake
that we couldn't reverse.

~~~
dorkwood
That's basically how I taught my father to use a computer. It came down to two
things:

1. He was terrified of breaking it, so I told him that there was nothing he
could possibly do to it that I couldn't fix. I made sure to sound overly
confident -- almost like I was challenging him to break it. That gave him the
confidence to do whatever.

2. Every time there was a problem with it, I would Google the answer in front
of him, and he'd watch me figure it out in real time. Eventually, he got the
confidence to start Googling things himself. The tech support calls dropped
off pretty steeply after that.

~~~
toyg
Give a man a fish, and he'll eat for a day.

Teach a man how to google, and he'll never go a day in his life without being
obsessed with conspiracy theories.

~~~
dorkwood
You're not far off, to be honest. Just replace 'conspiracy theories' with
'extreme political YouTube channels'.

It's not all bad, though. He invites his friends over and shows them how you
can find all sorts of cool stuff online. One of them the other day was
apparently trying to stump YouTube with increasingly obscure woodworking
joints.

I think most people would be surprised how many people are still out there who
have no idea what the internet is or what it does. Imagine discovering that
there's a machine that can show you how to do anything, or play any song
you've ever listened to, and you had no idea something like that even existed.

------
abhiminator
Great post, thoroughly enjoyed reading it.

BTW, on a side note, when you try and visit the blog's homepage[0] and scroll
down to the bottom, you find a link to an actual (password protected) PDF file
called Mango.pdf[1]. The author 'Alex' says the password for the PDF has been
embedded in the page and it didn't take me a lot of time to figure the
password out from the HTML source[2].

But when I opened the PDF, I was hit with this random string of characters:

cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci
BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo
ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ o=

I tried to decode this using every available decoder, but it only throws up
random result. Was wondering if any of you smart people here had any idea
about this code.

[0] [https://mango.pdf.zone/](https://mango.pdf.zone/)

[1] [https://mango.pdf.zone/mango.pdf](https://mango.pdf.zone/mango.pdf)

[2] view-source:[https://mango.pdf.zone/](https://mango.pdf.zone/)

EDIT: SOLVED IT!

As the commenters who replied to me mentioned, this puzzle is double-encoded.
I think the trick is to figure out which decoder to use first.

~~~
nbgl
Hint: try ROT13.

~~~
barbs
Quick posix shell rot13 tip: pipe it into:

tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
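
Added example, not code from the thread or from the blog: a small Python
decoder for the two-layer puzzle discussed above. It tries both decoder orders
(base64 then ROT13, and the reverse) and keeps the one that yields readable
text, which is the "figure out which decoder to use first" step. The sample
secret is constructed; the second input is the string quoted in the comment
above, kept with its line wrapping, since base64 decoding ignores whitespace.

```python
import base64
import binascii
import codecs
import itertools
import string
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: a sentence that was ROT13'd first and then base64-encoded,
# i.e. the same two layers as the puzzle in the thread (not the page's own string).
SAMPLE_PLAINTEXT = "constructed sample: the password is hidden in the page source"
SAMPLE_PUZZLE = base64.b64encode(
    codecs.encode(SAMPLE_PLAINTEXT, "rot_13").encode("ascii")
).decode("ascii")

# The string quoted in the comment above, kept with its line breaks; the base64
# decoder below discards whitespace, so the wrapping does not matter.
THREAD_PUZZLE = """
cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci
BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaHJpZ3IgcXJmZnJlZyBnYiB0cmcgbGJo
ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ o=
"""


def rot13(text: str) -> str:
    """ROT13 only touches ASCII letters and is its own inverse (same as the tr one-liner)."""
    return codecs.encode(text, "rot_13")


def b64(text: str) -> str:
    """Base64-decode to text; whitespace is ignored, anything invalid raises ValueError."""
    try:
        return base64.b64decode(text, validate=False).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not base64-encoded text: {exc}") from exc


DECODERS: Dict[str, Callable[[str], str]] = {"base64": b64, "rot13": rot13}


def looks_like_text(candidate: str) -> bool:
    """Heuristic for 'readable': almost all printable ASCII and contains spaces,
    which base64 output never does."""
    if not candidate:
        return False
    printable = sum(ch in string.printable for ch in candidate) / len(candidate)
    return printable > 0.95 and " " in candidate


def try_orders(blob: str) -> List[Tuple[Tuple[str, ...], str, bool]]:
    """Apply the decoders in every possible order; return (order, result, readable)."""
    results = []
    for order in itertools.permutations(DECODERS):
        value = blob
        try:
            for name in order:
                value = DECODERS[name](value)
        except ValueError as exc:
            results.append((order, str(exc), False))
            continue
        results.append((order, value, looks_like_text(value)))
    return results


def solve(blob: str) -> Optional[str]:
    """Return the first decoding that reads as text, or None if no order works."""
    for _order, value, readable in try_orders(blob):
        if readable:
            return value
    return None


if __name__ == "__main__":
    for order, value, readable in try_orders(THREAD_PUZZLE):
        print(" -> ".join(order), "readable" if readable else "garbage", repr(value[:40]))
```

Running ROT13 first does not error out, because ROT13 maps the base64 alphabet
onto itself; it just produces bytes that never read as a sentence, which is why
a readability check rather than "did it decode" picks the right order.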

~~~
ramses0
Also sometimes useful is vim: `g?` ... it's useful to have "scrambled" lines
in notes for protection against casual disclosure.

Vim used to have a (terrible) encryption capability, but lately I've been
fairly happy with `pass` (passwordstore.org) for basic local encryption.

------
ibudiallo
The power of Inspect Element. This is exactly how I found out I was
underpaid[1]. A company I worked for used a software called erecruit to manage
my contracts. When you click on a clients name, it makes an ajax request to
fetch the data. Being a web developer, I inspected the data returned.

I'm pretty sure all the developer did was:

    // The whole query result, every column included, straight to the client
    echo json_encode($queryResult);

I saw how much I was getting paid vs how much they were charging clients. I
quickly changed my prices after that.

[1]: [https://idiallo.com/blog/how-much-do-you-charge-for-your-wor...](https://idiallo.com/blog/how-much-do-you-charge-for-your-work)

~~~
dylan604
I think this is a lesson lots of early AJAX/client-side coders should be
forced to learn. When you do a `SELECT * FROM` and return the entire result,
that data is visible on the client end in full detail (if you're familiar with
how to use the browser's dev tools that is). Maybe you only make some of that
data visible to the user in the UI, but the data you didn't use is still part
of that AJAX return. Only send to the browser the data you actually need!

------
vishnugupta
I accidentally discovered a way to get hold of passport details of random
people by applying for Visa on arrival to Vietnam. There are these online
portals which do some document pre processing which is legit. And on landing
in Vietnam we are expected to show that we have already applied for Visa. It
so happens that these portals do batch processing. Which means my application
is processed along with a half a dozen or so other random applicants.

And so I applied for one. And when I received the confirmation document I
received the entire batch file. It included passport number, expiry date and
other PII of ten random people which would be super valuable in the hands of
criminals and such.

And conversely ten random people know my PII

~~~
hdi8534
The same when you apply to give up Vietnamese citizenship: all your info is
public on the government website (PDF files with name, birthday, current
address...)

~~~
rntksi
With the way the government over there works, even if you have that
information... there's really nothing much to do with it.

~~~
mannykannot
If you are applying to give up Vietnamese citizenship, I would guess that you
are no longer living in Viet Nam, so this information might serve as a starter
kit for someone to steal your identity?

------
tschwimmer
This is one of the funniest things I've read in recent memory. He made an
Instagram post and a 30 second check of Chrome's dev tools into a narrative I
couldn't stop reading. Thanks for brightening my day, author!

------
zamfi
I am very impressed by this piece. Something about how “Alex” manages to blend
the kind of humor not typically associated with compassion or competence, with
a story that is most spectacular because of the very compassionate and
competent actions of its protagonist...I literally couldn’t stop reading.

So well done.

------
aahortwwy
> “You could drop me in the bush and I’d feel perfectly confident navigating
> my way out, looking at the sun and direction of rivers and figuring out
> where to go, but this! Hah!”

I mean not to call him out but this did happen and he didn't navigate his way
out (although that says nothing about his confidence).

[https://www.smh.com.au/national/tony-abbott-lost-in-the-outb...](https://www.smh.com.au/national/tony-abbott-lost-in-the-outback-20100303-phd9.html)

EDIT: To be fair, it's been a decade. Maybe he's worked on his orienteering
skills since having that experience?

~~~
chris_wot
Sure, this is the guy who knighted a prince and ate a raw onion. What did you
expect?

Abbott was Australia's Trump. Thankfully he lasted in office an even shorter
time than the people he replaced.

~~~
bmarquez
I don't get it, is there something noteworthy about eating a raw onion?

~~~
boyter
Yes and no. It was the pinnacle in a series of bizarre behaviour from Tony
while he was the Prime Minister. Certainly it's the one people most remember of
him. Keep in mind he ate it with the skin on as well. I think it's also
something people look out for, with the previous PM Kevin Rudd being somewhat
infamous for eating his own ear wax on live TV.

When I was working on an archive project for the ABC, "tony eating onion" or
some variation was the most common thing people searched for in the system
when they first started using it.

~~~
JadeNB
> I think its also something people look out for, with the previous PM Kevin
> Rudd being somewhat infamous for eating his own ear wax on live TV.

… as a stunt? On a dare? _Why_?

~~~
boyter
It was during a long question time
[https://www.youtube.com/watch?v=_ipvdBnU8F8](https://www.youtube.com/watch?v=_ipvdBnU8F8)

------
sellyme
The contact form on Abbott's website 403ing is impressively on-brand.

~~~
coagmano
I wouldn't be surprised if the staff deliberately sabotaged it. I've worked
for a party before and the emails are horrendous

~~~
iso947
My MP had several death threats last year - including in the post to her home
address inside an otherwise normal looking birthday card.

------
p49k
I would encourage anyone interested in this article to read it thoroughly to
the end. This is one of the most satisfying articles I’ve read recently and I
really enjoy the author’s unique sense of humor.

~~~
rocqua
Try some of James Mickens' articles: [https://mickens.seas.harvard.edu/wisdom-james-mickens](https://mickens.seas.harvard.edu/wisdom-james-mickens)

They are written in a similar style, I really love them.

~~~
oefnak
Thank you for this. I ate the entire mango.pdf and was still hungry.

~~~
MattSayar
His presentations are also a fine quality

------
btilly
The following line confuses me, because it contradicts a lot in the post.

 _Update: I have been arrested._

Is that just an obvious mistake? Or is there a news flash that we would like
to hear more on?

~~~
akent
Looks like that was yet another joke.

------
philliphaydon
I still find it strange you can manage a booking with just a reference and
name. About ~5 years ago someone I follow on twitter posted their boarding
pass and I replied to them with a screen shot asking if I should cancel the
booking. They removed their post and I removed mine. But all it took was the
reference on the boarding pass and their last name...

~~~
Cthulhu_
What I've gathered left and right wrt the airline industry is that it was one
of the earliest industries that went digital, and / but they have a lot of
legacy going on.

I mean in this particular case, they could have Abbott create an account on
their website first, but then, someone else booked the ticket for him so that
makes things more complicated (because they don't have an e-mail address), and
then there's tickets being booked all over the world, and then loads of people
don't have computers or e-mail.

It escalates quickly.

~~~
howlgarnish
The amount of pain caused by things like somebody back in the sixties
deciding that two characters is plenty to encode every single airline ever is
still felt to this day. Witness the majesty of the "controlled duplicate":
[https://en.wikipedia.org/wiki/Airline_codes](https://en.wikipedia.org/wiki/Airline_codes)

------
The_Amp_Walrus
The hacker known as "Alex" also gave a really fun talk at PyCon AU in 2018:
[https://www.youtube.com/watch?v=ZlNkIFipKZ4](https://www.youtube.com/watch?v=ZlNkIFipKZ4)

~~~
adamjb
Associated blog post [https://mango.pdf.zone/operation-luigi-how-i-hacked-my-frien...](https://mango.pdf.zone/operation-luigi-how-i-hacked-my-friend-without-her-noticing)

and salty hacker news comments (his words)
[https://news.ycombinator.com/item?id=14919845](https://news.ycombinator.com/item?id=14919845)

------
dayjobpork
It's nice to live in a country where not only do various parts of the
government actively try to help someone with a really bizarre issue, but no
one got arrested (or shot) for bullshit trumped-up hacking charges. I can't
think of many other countries responding well to 'hi I'm some random person
and I used the PM's boarding pass and found out all this secret stuff'

------
chrismorgan
A few years back when I was looking to buy a house, I was interested in how
long the property had been on the market. (I was looking in country towns and
their outskirts, where six months is a typical time for a property to be on
the market; I even saw one or two blocks of land that seemed to have been for
sale for at least five or six years.) Few real estate agents tell you this on
their websites (though if you ask, they may), and aggregators like
domain.com.au and realestate.com.au don’t either. Except sometimes they do, in
the markup. My vague recollection (I don’t have the scraping scripts I wrote
handy right now, they’re just on my old laptop and backups) is that I found a
JSON blob in the realestate.com.au mobile website containing two dates, and
that the domain.com.au desktop website fetched a JSON response from an API
which happened to contain one date. I ended up deciding that REA’s dates were
when the listing was first seen and last updated, and the Domain one was one
of those. Neither of these sites were actually _displaying_ this date, but the
data was there for me to take and feed into my research.

Careless or unwitting information disclosure from APIs—sometimes sensitive,
sometimes not—is a real problem.

~~~
strange_aeons
That's interesting. The time on market is always listed on Danish real estate
websites. And the aggregator sites also have previous listings.

------
logifail
In some countries, identity documents are in relatively frequent use. The
number of authorised strangers who would have access to one's identity
document might be significantly higher in these jurisdictions than, say, the
number who would be able to view Tony Abbott's passport number. I'm thinking
of - for instance - the 'personnummer' in Sweden (I've heard friends recite
theirs in public when asked for them).

Q: Should (merely) the _number_ from your passport really be considered a
secret?

~~~
toyg
In theory no, but in practice yes. It's the same for a lot of metadata about
our lives that routinely doubles up as authentication factor, e.g. "to verify
your identity, can you please confirm the first line of your address and your
postcode?"... Most of my neighbours know that!

~~~
extraduder_ire
As an example of metadata revealing a lot about you:

Ireland got a postcode system in 2015 (the last time they considered
implementing postcodes to improve autosorting, they were so late to the party
that "An Post" (the Irish postal service) had OCR machines good enough to just
read the whole address), which assigns each residence in the country a 7-digit
alphanumerical code called an "Eircode" [1]. It is purported to be a solution
to packages getting lost or delayed, and an unambiguous way of giving someone
a building's address.

An Eircode can be resolved into a full postal address, and GPS co-ordinates
for the address.

e.g. here are some Eircodes:

Facebook's headquarters: D02 Y098

President's house: D08 E1W3

Data protection commission: D02 RD28

To get the info for any of these, check out:
[https://finder.eircode.ie/](https://finder.eircode.ie/)

Personal note: I'm not too jazzed on the specifics of the implementation, but
it sure is handy when you're shitfaced and can trivially explain exactly where
you live to a food-delivery driver over the phone.

[1]:
[https://en.wikipedia.org/wiki/Postal_addresses_in_the_Republ...](https://en.wikipedia.org/wiki/Postal_addresses_in_the_Republic_of_Ireland#Eircode)

------
pretendgeneer
Great read.

I really like the bit about learn "the IT", there's no book or anything to be
good at computers you just gotta fuck around and find out a bunch.

> Like, when a toddler uses a spoon for the first time, they don’t know what a
> spoon is, where they are, or who the current Prime Minister is. But they see
> the spoon, and they see the cereal, and their dumb baby brain is just like
> “yeA” and they have a red hot go. And like, they get it wrong the first few
> times, but it doesn’t matter, because they don’t know to be afraid of
> getting it wrong. So eventually, they get it right.

~~~
Cthulhu_
The problem is that there are a LOT of books, but what is relevant just
changes every couple years.

I mean the IT books section of the charity shops is a good example of this,
there's so many there for older versions of Office, operating systems, etc.

That said, I had a school book (Structured Computer Organization by Tanenbaum)
that explains a lot of the basics of computers. Sure, it's about the Pentium
architecture and early JVM and doesn't cover multi-core architecture or using
GPU's to crunch numbers, but it goes through a lot of the basics.

------
AFlyingBoom
I find it incredible that Abbott being openly vulnerable about his lack of
competency with computers, has been more effective in making me like him than
anything he has ever done in his political career.

Teams of media advisors and a very favorable alliance with the Murdoch press
have paled in comparison to this one blog post that didn't even have that as
an aim.

------
sygma
Great talk [0] given during the 2016 congress touching on the Amadeus flight
booking system and the danger of posting your boarding pass on social media.

[0]:
[https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...](https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego)

~~~
aneutron
This was an amazing watch. Thank you very much for the link.

------
rvz
We blame these social networks for collecting vast amounts of our private data
(yes we should), yet these folk have no problem of posting already sensitive
information under a hashtag - creating an Aladdin's cave of identities waiting
to be stolen for fraud as this blog-post has demonstrated.

'If you have something that you don't want anyone to know, maybe you shouldn't
be doing it in the first place' \- Eric Schmidt

I guess they will learn the hard way given that they aren't really 'tech
savvy' or internet wise these days.

~~~
Polylactic_acid
The problem is people have no idea what is sensitive. Until just now I would
have thought a boarding pass was safe to share.

Its more the airlines fault for making this info so easy to access with what
looks like unsensitive info.

~~~
bjoli
I have told people at airports to not friggin post their boarding passes or
documents containing their booking reference on Instagram. Back when I was 20
I did a lot of stupid things. One was to change tiny obnoxious details about
their reservations. When they were in the air (and presumably had their phones
off) I sent them a text message: "Never put booking information on social
media".

I could probably have gotten in a lot of trouble.

------
seesawtron
> Instagram, in case you don’t know it, is an app you can open up on your
> phone any time to look at ads.

Nailed it.

------
mrg2k8
Imagine doing something similar to a government application of an EU country
and in 15 minutes finding a way to expose all citizen requests for an EORI
number ever (some tens of thousands), with all personal details there for you
to take. This was last year and in the meantime they updated their application
from an ancient 2003 Oracle one to one that's more modern.

Thinking in perspective now, I regret not going out with it because that
ancient application probably cost millions of euro from taxes.

------
orisho
This post was very amusing! It always bordered on silly meme-style writing,
but never did too much of it at once, which is what I find annoying. The story
itself was also very interesting!

------
0xy
Surprisingly good experience, and even a call from the man himself. I'm
actually impressed, I expected way more incompetence and fumbling from a
government.

------
fahrradflucht
Great read. If somebody is interested in another great talk about boarding
pass data security, there is this one from 33c3:
[https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...](https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego)

------
Nextgrid
I don’t know if it’s just me or it’s the fact that I’m reading this on mobile
on a small screen but I couldn’t stand the writing style. Curious to know if
anyone else felt that way.

~~~
stordoff
I found myself rolling my eyes a few times, but the core content was good so I
didn't find it all that off-putting.

"Update: I have been arrested." did leave me slightly confused for a while
though, probably due to the verbosity making me want to scan read.

~~~
mulmen
If you were scanning that would be an easy joke to miss. The giveaway is the
previous paragraph ending mid-word like the authorities just busted in and
hauled the author off to a CIA black site.

------
mulmen
This was a great read but I'm a bit disappointed there are no easter eggs in
the page source. Or maybe I'm just not finding them.

~~~
hayyyyydos
There is one, but it's on the homepage - take a look under the "about" heading
at the bottom and go from there.... (assuming that's the puzzle that ASD
figured out)

------
iamshs
I loved the writing style. That "hard mode" effect had me wheezing though.

------
mikeappell
> If you laid all the people I contacted end to end along the equator, they
> would die, and you would be arrested.

Possibly the best line in an article full of really fantastic lines.

------
gouggoug
Out of curiosity a few months back I spent a few hours looking at this exact
hashtag (#boardingpass) and other travel related hashtags.

I ended up thinking that Instagram was actively removing pictures of boarding
passes because I could only find a surprisingly low amount of pictures
containing valid Lastname/BookingRef. As for the few pictures available, the
references were often either too old, or partially covered.

I'm still wondering if Instagram does remove such photos.

~~~
spyke112
I even get a 501 Not Implemented for
[https://www.instagram.com/explore/tags/boardingpass/](https://www.instagram.com/explore/tags/boardingpass/)
on desktop. May be related?

------
gregjw
Most entertaining post-mortem I've ever read, Australian through and through.

------
thomasfromcdnjs
aha amazing read, quality content.

------
Zealotux
> I personally recommend blacking out (add a black rectangle) instead of
> blurring

This can be reversed as well, if you do black things out this way: please make
sure you're using 100% opacity black. I've managed to retrieve data from
plenty of "blacked-out" documents simply by playing with contrast and exposure
filters in Photoshop because the opacity wasn't set correctly.
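
Added example, not code from the thread: a pure-Python check for the two
redaction failures raised in this thread, the blur from the first comment
(kccqzy) and the not-quite-opaque black box from the comment just above
(Zealotux). The "document" is a constructed 6x8 grayscale grid with a dark
pattern standing in for a passport number; the blur is a plain box blur used as
a stand-in for Gaussian blur. The only state the check accepts is a region
where every pixel is identical, because that is the only case where a contrast
or exposure tweak has nothing left to amplify.

```python
from typing import List, Tuple

Image = List[List[int]]          # grayscale rows, 0 = black, 255 = white
Box = Tuple[int, int, int, int]  # (top, left, height, width)

# Constructed document: a white 6x8 page whose rows 2-3 carry a dark pattern
# standing in for the passport number. Not an image from the thread.
SECRET_PATTERN: Image = [
    [0, 0, 0, 255, 255, 0, 0, 0],
    [0, 255, 0, 255, 0, 255, 0, 255],
]
SECRET_BOX: Box = (2, 0, 2, 8)


def make_document() -> Image:
    page = [[255] * 8 for _ in range(6)]
    page[2], page[3] = list(SECRET_PATTERN[0]), list(SECRET_PATTERN[1])
    return page


def crop(img: Image, box: Box) -> Image:
    top, left, h, w = box
    return [row[left:left + w] for row in img[top:top + h]]


def black_out(img: Image, box: Box, opacity_pct: int) -> Image:
    """Overlay a black rectangle. Below 100% opacity the pixels are only scaled
    towards black, so their relative contrast (the secret) survives."""
    top, left, h, w = box
    out = [row[:] for row in img]
    for r in range(top, top + h):
        for c in range(left, left + w):
            out[r][c] = out[r][c] * (100 - opacity_pct) // 100
    return out


def box_blur(img: Image, box: Box, radius: int = 1) -> Image:
    """Mean filter over a (2*radius+1)^2 window, the crude cousin of a Gaussian
    blur: it smears the secret but keeps information about it, which is why a
    blur can be undone when the kernel is guessed."""
    top, left, h, w = box
    rows, cols = len(img), len(img[0])
    out = [row[:] for row in img]
    for r in range(top, top + h):
        for c in range(left, left + w):
            window = [img[rr][cc]
                      for rr in range(max(0, r - radius), min(rows, r + radius + 1))
                      for cc in range(max(0, c - radius), min(cols, c + radius + 1))]
            out[r][c] = sum(window) // len(window)
    return out


def distinct_levels(img: Image, box: Box) -> int:
    return len({v for row in crop(img, box) for v in row})


def is_fully_redacted(img: Image, box: Box) -> bool:
    """Only safe state: every pixel in the box is identical."""
    return distinct_levels(img, box) == 1


def contrast_stretch(img: Image, box: Box) -> Image:
    """What 'playing with contrast and exposure' does: rescale the box's min..max
    back to 0..255. On a semi-opaque overlay this brings the pattern straight back."""
    region = crop(img, box)
    values = [v for row in region for v in row]
    lo, hi = min(values), max(values)
    if lo == hi:
        return region
    return [[(v - lo) * 255 // (hi - lo) for v in row] for row in region]


if __name__ == "__main__":
    doc = make_document()
    for label, redacted in [("blur", box_blur(doc, SECRET_BOX)),
                            ("black 90% opacity", black_out(doc, SECRET_BOX, 90)),
                            ("black 100% opacity", black_out(doc, SECRET_BOX, 100))]:
        print(f"{label:20s} levels={distinct_levels(redacted, SECRET_BOX)} "
              f"safe={is_fully_redacted(redacted, SECRET_BOX)}")
```

The same check applies to a real file once the pixels are loaded: sample the
redacted rectangle and refuse to publish while it holds more than one value.
It says nothing about layers, which is the separate point about PDFs: a
flattened raster of the page is what should be checked, not the editor's view.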

~~~
cricalix
Black it out, print it to paper, scan it back in, embed the image in a Word
document, and print to PDF. Wait, that's just how "most" people do it anyway..

------
beervirus
Well now I feel compelled to read everything this person has ever written.

------
kabacha
Real question here is: should the passport number have any expectations of
privacy? It seems like such an easy thing to expose as you literally put it
down on every document like hotel check ins etc. AFAIK it's not even a random
number and instead it's generated from basic info like birth
year/place/gender.

That being said it was a really good blog!

~~~
rswail
It depends where you are from. Our (Australian) passports have a "series"
letter at the start and then a set of numbers. Not sure whether they are
random or incremental or derived.

YMMV based on nation that issues yours.

------
beatrobot
I like that there was such a good response to the disclosure from all the
different parties, compared to this:
[https://research.digitalinterruption.com/2020/09/10/giggle-l...](https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/)

------
starpilot
The tl;dr:

> Your boarding pass for a flight can sometimes be used to get your passport
> number. Don’t post your boarding pass or baggage receipt online, keep it as
> secret as your passport.

> How it works: The Booking Reference on the boarding pass can be used to log
> in to the airline’s “Manage Booking” page, which sometimes contains the
> passport number, depending on the airline. I saw that Tony Abbott had posted
> a photo of his boarding pass on Instagram, and used it to get his passport
> details, phone number, and internal messages between Qantas flight staff
> about his flight booking.

------
XCSme
Amazingly written post, really enjoyable to read!

It's amazing that we have all those security protocols (HTTPS, e2e encryption,
secure log-in, etc.) but in the end most of the "hacks" are just people being
stupid or manipulated through social engineering.

------
maxden
This got picked up by the news in Australia [0], they also interviewed the
author [1].

[0] [https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-...](https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-pass-online-cyber-safety-mistake/12678776)

[1] [https://www.abc.net.au/radio/melbourne/programs/drive/alex-h...](https://www.abc.net.au/radio/melbourne/programs/drive/alex-hope-hacking-tony-abbott-boarding-pass/12675504)

------
thdrdt
Lately I have been thinking about building a framework for web APIs where the
database stores the owner, group and others' rights for each entity. The
framework would then fetch data based on the user and fill the models
according to the rights set for each field.

Exactly for the reason shown in the article.

I believe right now it is still too difficult to do this in any framework.
That's why developers take shortcuts and just expose all entity data or just
make a mistake and forget about it.

Does anyone know if such a framework already exists? So per field rights, not
per entity rights.
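
Added example, not code from the thread or from any existing framework: a
minimal version of the per-field owner/group/other rights described in this
comment, which also serves the earlier erecruit discussion (ibudiallo and
dylan604), where `echo json_encode($queryResult)` shipped every column to the
browser. The schema, field names, row and viewers are all constructed for the
example; the only real identifier reused is the idea of the staffing row.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Set

# Who may read a field, relative to the row: its owner, members of its group, or anyone.
OWNER, GROUP, OTHER = "owner", "group", "other"

# Assumed schema for a staffing "contract" row, loosely modelled on the erecruit
# example earlier in the thread; the field names are made up for this example.
FIELD_RIGHTS: Dict[str, Set[str]] = {
    "id":               {OWNER, GROUP, OTHER},
    "client_name":      {OWNER, GROUP},
    "contractor_rate":  {OWNER, GROUP},   # what the contractor is paid
    "client_bill_rate": {GROUP},          # what the agency charges: staff only
    "internal_notes":   {GROUP},
    # any column absent from this table is never sent: default deny
}


@dataclass
class Viewer:
    user_id: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class Row:
    owner_id: str
    group: str
    data: Dict[str, Any]


def relations(viewer: Viewer, row: Row) -> Set[str]:
    """How this viewer stands to this row; everybody is at least 'other'."""
    rels = {OTHER}
    if viewer.user_id == row.owner_id:
        rels.add(OWNER)
    if row.group in viewer.groups:
        rels.add(GROUP)
    return rels


def visible_fields(row: Row, viewer: Viewer) -> Dict[str, Any]:
    """Keep a column only when one of the viewer's relations has read rights on it."""
    rels = relations(viewer, row)
    return {k: v for k, v in row.data.items() if FIELD_RIGHTS.get(k, set()) & rels}


def serialize_for(row: Row, viewer: Viewer) -> str:
    """The hardened version of echo json_encode($queryResult): filter before encoding."""
    return json.dumps(visible_fields(row, viewer), sort_keys=True)


def leaky_serialize(row: Row) -> str:
    """The pattern from the thread: the whole query result goes to the browser."""
    return json.dumps(row.data, sort_keys=True)


# Constructed sample row and viewers.
SAMPLE_ROW = Row(
    owner_id="contractor-42",
    group="agency-staff",
    data={
        "id": 7,
        "client_name": "Constructed Co",
        "contractor_rate": 50,
        "client_bill_rate": 95,
        "internal_notes": "negotiate harder next renewal",
        "ssn_last4": "1234",   # no entry in FIELD_RIGHTS, so nobody gets it
    },
)
CONTRACTOR = Viewer("contractor-42")
STAFF = Viewer("staff-1", {"agency-staff"})
STRANGER = Viewer("someone-else")

if __name__ == "__main__":
    for who, viewer in [("contractor", CONTRACTOR), ("staff", STAFF), ("stranger", STRANGER)]:
        print(f"{who:10s} {serialize_for(SAMPLE_ROW, viewer)}")
    print("leaky      " + leaky_serialize(SAMPLE_ROW))
```

The design point is the default: a column that nobody registered rights for is
dropped, so forgetting about a new field fails closed rather than open, which is
the "just make a mistake and forget about it" case above. The rights table is
the one thing a framework would have to load from the database instead of a
constant.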

~~~
throwawaynothx
or... GraphQL.

~~~
thdrdt
How does GraphQL fix the problem of showing different fields depending on
rights?

------
iandanforth
This is a long read, but trust me, _keep reading_ it's great.

------
jasomill
Reminds me of the time I learned Jim Morrison's social security number from a
framed form hanging on the wall next to my table at a Hard Rock Café, written
in ballpoint pen, "redacted" with a magic marker that did nothing, obviously,
to obfuscate the impression made by the pen in the paper.

While I have no idea how the SSN of a long-dead rock star could ever be
useful, I'm certain I still have a copy saved around here somewhere...

------
WrtCdEvrydy
For anyone who wants to do this easier... ZAP Proxy has a HUD display that
will allow you to see the data flying on a page after you load it.

No need to do funky Inspect Element magic. Works wonders for reverse
engineering how your fancy UI talks to the fancy API to do the fancy things.

If you can't figure out ZAP with HUD, you can alternatively use the Network
tab on Chrome and switch to AJAX (if it's something that happens without the
page loading)

~~~
bigiain
> funky Inspect Element magic

Are you sure you're on the right website?

------
xyzal
Is it just me, or did anyone else try to clean up their monitor from dust,
realizing eventually the "dust" is the websites background image?

~~~
WebDanube
TFW your monitor is dirty enough for you to _not_ notice the dusty BG image.

~~~
efreak
Could be worse. I'm pretty sure some of the dirt on one of my monitors is
actually dead pixels.

------
fardeem
This is easily top 1% of all writing on the internet

------
inoffensivename
This was a thoroughly entertaining read, thank you!

------
philipdavis
Question: do you think you will be arrested for doing the same thing if it was
in your country? (A from myself: yes absolutely)

------
reillyse
What a well written article. Really enjoyed that. If the hacking doesn't work
out get a job writing about hacking...wait.

------
juststeve
Australian here, he’s doing the best he can

------
abanayev
Did anyone notice the line, “Update: I have been arrested”? Chekhov’s gun is
just hanging there.

------
andrewnicolalde
This has to be the funniest and most gratifying thing I’ve ever read on Hacker
News. Great job!

------
ChrisRR
That's a long read, has anyone got a blurb so I know what I'm getting myself
into?

~~~
pmontra
Search for "tl; dr". It's a section at the end of the page with the summary.

~~~
ChrisRR
Thanks

------
jeffbee
Are passport numbers secrets?

~~~
macintux
Yes. The bottom of the post covers some of the things you can do with the
number.

~~~
zbrozek
Yet good luck traveling without actually surrendering them to all kinds of
places you'd rather not. Like hotel clerks basically everywhere.

------
dependenttypes
Is the passport number supposed to be secret? You show it when you buy
alcohol in some countries, as well as to the police if they ask for it - all of
these people can copy the number if they so wish.

------
razki
Really enjoyed reading this. Thanks for redirecting my time brotheeeRRRR

------
half-kh-hacker
I love Alex's stuff.

------
Aeolun
To be honest, I find it ridiculous (just like with social security numbers)
how much you can apparently do just by virtue of knowing a passport number.

It shouldn’t work like that.

------
lanevorockz
We are trying to fix this in the language ... It's just hard to convince
people around that the change is worth it, I guess that I found the perfect
use case.

------
seapunk
That is one of the best blog posts I've read in a long time.

------
Lorin
"Unblending the smoothie" is such a great line.

------
nl
Interestingly (and strangely) some frequent flyer _numbers_ are treated by
Australian airlines as confidential information.

------
ztgasdf
Really entertaining read. I'm amazed how much information they were able to
get from the airline website.

------
pachico
What a fun article to read! Congratulations!

------
gkanai
This was a great read! Highly recommended.

------
bassie2
Clicking Inspect Element in this post results in some fun as well (NSA
Tracking cookies). A true Droste effect.

------
michaelsitver
One of the better blog posts I’ve read

------
pragmaticpandy
> I’ve been practicing every morning at sunrise, but still can’t scan barcodes
> with my eyes.

rofl. Great writer.

------
dis-sys
What is the big deal of knowing Tony Abbott's diplomatic passport number?

------
Lerain
That was extremely entertaining and so much fun to read, thanks!

------
pietroppeter
is there a book about basics of IT?

[https://news.ycombinator.com/item?id=24492554](https://news.ycombinator.com/item?id=24492554)

------
ironfootnz
That’s the best funny post about “CVE” I’ve ever read.

~~~
sellyme
How about this one:
[http://tom7.org/chess/cve.pdf](http://tom7.org/chess/cve.pdf)

Sarcastic PDFs never stop being amusing to me.

------
marvinblum
What a brilliant blog post. Thank you for posting it!

------
imwm
I can't believe how funny this writer is

------
spyder
It would've been faster and easier to report it to Instagram but this way it
made a better story and educated the user better than instagram just removing
the picture.

------
jslakro
Most hilarious techie post I've read ever

------
soulofmischief
When your simple blog page is crashing Spice and virt-viewer, there is a
serious bloat problem. I can't even view this blog because it immediately
crashes.

------
pragmaticpandy
TIL McAfee® Gamer Security is a thing...

------
dmje
Bloody love the way this guy writes...

------
kulesh
Enjoyed the read very much, thanks.

------
nmeofthestate
Looked interesting, but as an old fogey I just couldn't get past the "omg u
guise yikes jklsflsfdjfds" style.

------
rootsudo
Narrative is cute, but too much.

------
alottafunchata
This was a great read--thanks!

------
JoachimS
Highly entertaining reading.

------
kdtsh
This is certifiably grouse.

------
tunnuz
This entertained me a lot.

------
cottsak
Alex, you are so funny!

------
FerretFred
This is a great read!

------
brlnwest
this is such a great story. Love the way he writes!

------
ddiddu
it is easy to figure out a passport number from a picture of a ticket posted on
Instagram

------
jezze
Some friendly advice to the author of this article. Even though I enjoyed reading
the whole thing, if you are gonna have a tl;dr in your article, put it at the
start, not at the end. Almost felt like a mockery.

------
tdy721
This write up... irreverent and dumb. Did you study any Dave Barry? <3 I would
love to buy a book. I mean probably not me, but if you need any moneys

