

Show HN: Watch strangers talk on Omegle with a MitM attack - berman
https://github.com/olegberman/mitm-omegle

======
fiatpandas
I once did this very thing, with the added feature of being able to send
messages to either user (masquerading as the other). It was fun as a proof of
concept and as a way for me to learn Python Twisted, but using this technique
for an extended length of time is a bad idea for various reasons.

Edit: one example of things going bad for you:

Stranger 1: 13/f/fl, u?

Stranger 2: 18/m/NY. Can I send u pics?

Congrats, your IP is a couple of bad decisions away from committing a felony.

------
berman
This is my first CoffeeScript project. This has already been done before, but
I didn't bother to Google before inventing it, so here it is. You can specify
interests that strangers will talk about.

------
blackle
I've done this before with Perl and POE::Component::Omegle. IIRC a large
majority of the conversations were insta-disconnects, and those that lasted
longer than that were very, very boring.

------
vilhelm_s
I guess actually _using_ this program would be blatantly illegal. But it's an
interesting problem--how to defend against this? One way is to compute a
fingerprint of the Diffie-Hellman shared secret, and then have the chat
participants vocally compare it (I think one of the "secure chat" programs does
this?). That should be secure as long as the attacker can not imitate voices,
but it's rather heavy-handed.
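
The check described in the comment above, as an added example that is not part of the original thread or of the linked project: two chat clients derive a Diffie-Hellman shared secret and each shows a short fingerprint for the users to read aloud. The group parameters, function names and fingerprint format are assumptions chosen for the demonstration.

```python
import hashlib
import secrets

# Demo-only parameters (assumption, not from the thread): the prime 2**255 - 19
# with generator 2. A real deployment would use a vetted group or X25519.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for one Diffie-Hellman participant."""
    priv = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    """Secret computed from our private key and the public key we received."""
    return pow(peer_pub, priv, P)

def fingerprint(secret):
    """Short digest of the secret: four groups of four hex digits to read aloud."""
    digest = hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()[:16]
    return " ".join(digest[i:i + 4] for i in range(0, 16, 4))

def direct_session():
    """Alice and Bob receive each other's real public keys."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (fingerprint(shared_secret(a_priv, b_pub)),
            fingerprint(shared_secret(b_priv, a_pub)))

def relayed_session():
    """A relay in the middle must substitute its own public keys to read the
    traffic, so Alice and Bob each end up sharing a secret with the relay."""
    a_priv, _a_pub = keypair()
    b_priv, _b_pub = keypair()
    _r1_priv, r1_pub = keypair()  # key the relay presents to Alice
    _r2_priv, r2_pub = keypair()  # key the relay presents to Bob
    return (fingerprint(shared_secret(a_priv, r1_pub)),
            fingerprint(shared_secret(b_priv, r2_pub)))

if __name__ == "__main__":
    for name, session in (("direct", direct_session), ("relayed", relayed_session)):
        alice_fp, bob_fp = session()
        verdict = "match" if alice_fp == bob_fp else "MISMATCH: someone is in the middle"
        print(f"{name:8} Alice reads {alice_fp} | Bob reads {bob_fp} -> {verdict}")
```

The comparison only helps if it happens over a channel the relay cannot rewrite, which is why the comment suggests voice rather than the chat itself.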

~~~
unimpressive
>That should be secure as long as the attacker can not imitate voices,

EDIT: Messed up reading. I think the major problem with this idea is that it
makes the barrier to entry for using Omegle much higher; suddenly you need a
microphone.

Original post below the cut:

---

They can.

https://news.ycombinator.com/item?id=10020701

https://news.ycombinator.com/item?id=10020710

~~~
vilhelm_s
Hm, did you paste the right URLs? I don't see how they are related to this
thread.

~~~
unimpressive
They seem to point to the right place on my computer. The first should be a
post I made about how this works; in the second somebody talks about doing it
and how he could imitate people's voices.

EDIT: OHHH, _vocally_. I did a misread, ignore me.

------
nxb
I made one of these back in the first month that Omegle was launched. I think they
started automatically detecting it and quarantining these types of bots pretty
quickly, though.

One solution I can see now is to use something like word2vec, or better yet,
skip-thought vectors, to replace each sentence with synonymous sentences and
avoid tripping their detector.

------
MrBra
Question "from the other room": how does this work? Does it come from
exploiting some bug in Omegle code?

~~~
unimpressive
There was a program that could do this for years called omeglespy[0]. How it
works is:

You make two connections to Omegle, and are connected to two different
strangers:

You take Stranger A's words and pass them off as your own to Stranger B, and
vice versa. From your perspective you're watching the entire conversation,
from their perspective they're talking to each other without interference.

[0]: https://code.google.com/p/omegle-spy/

------
mkishi
That graph is very misleading. It's not a real MitM attack, is it?

~~~
eugenekolo2
It is a MITM. Unknown key share would be the better definition, I believe.
Alice connects to Eve, Bob connects to Eve. Eve passes what Alice is telling
Eve to Bob, and Bob to Eve. Alice thinks she's talking to Bob.

~~~
ikeboy
Alice doesn't know who Bob is, though.

~~~
eugenekolo2
Well she's confused. She thinks what Eve is showing Alice is Eve, but it's
actually a copy of Bob.

------
djjdnjsoeksb
How is this even remotely ethical?

~~~
an_ko
When chatting on Omegle, you're paired anonymously with an anonymous stranger,
with no guarantee of whether that stranger will record anything or pretend to
be someone else. I think the front page
http://www.omegle.com/ makes that abundantly clear.

