
Plead HN: Please be careful with your information - icey
There is an active Hacker News contributor currently making plans to phish Hacker News and reddit because "there is this 'smug' attitude on HN about HN'ers being 'better' than your average computer user in this respect".

Please be careful when filling out forms that contain any personal information or passwords. There are people out there who are looking to shame & ridicule you (and worse).

There's no need to mention any names, because it doesn't really matter who the threat comes from.

To the user hatching this plan: Consider this an antibody to your plan. If your theory is true, then this posting won't make a difference anyways and you'll have the chance to shame all the people you want.

[Edit: I had genuinely hoped to avoid turning this into yet another cult of personality thread on HN, and unfortunately that's failed. I don't think there was an intention to cause financial harm; but I do believe there was the possibility of harm to reputation given the information I had available.

There was an email that was evidently sent out to many HN users today discussing this plan; but I have not been privy to that email.]
======
jacquesm
So, time to own up then, it seems the cat is firmly out of the bag, apparently
icey thinks the chances of success are better than I do ;)

The evil part in me could not help but wonder about how everybody seems to be
so psyched about receiving a chrome notebook that they throw caution to the
wind and enter anything and everything into a form on some server somewhere
allowing the google marketing department to _significantly_ update their
profiles with all that data they supply, and all that for the _chance_ of
getting a laptop.

This sort of action is a very common marketing tactic, but I was actually
quite surprised to see how popular it was on HN. Also, the fact that google
was happy to collect your information even when you can't receive the notebook
was an interesting detail, and lots of people only realized that _after_
filling out the form.

Then the other day a second thing happened, someone solved the contest that
was embedded in the video that was used for the launch of the product.

The evil part of me again thought wow, what a large amount of work that was
done here, I wonder how people would respond to a second contest, with a much
larger number of notebooks to be won?

So, within a few minutes a plan was hatched, a simple idea to see how
susceptible a security conscious community is to stuff like this. The domain
is plainly in my name and just about all the telltale signs of a phishing
scam are present. Over the course of the last couple of days the text was
polished to make it more clear what the intent is.

The url of the site is <http://www.freechromelaptop.com/> , the url of the
payoff page is <http://www.freechromelaptop.com/process.html>

Since I'm the main 'driver' behind this little prank I take full
responsibility for it and for the fall-out if any, the other co-conspirators
would have never done this without me asking for it.

I hope you'll forgive me for having a devious side to me, but I intended for
nothing but good to come out of this, and I hope that even if the project
never got underway that you will take these words to heart, please be very
careful with what you fill out in online forms, even if the page looks genuine
and it is google that is giving you a chance to win some laptop you have to
wonder if the collective value of the information given up does not exceed
greatly the value of the goods they are shipping.

Jacques

~~~
thirdstation
"I hope you'll forgive me for having a devious side to me, but I intended for
nothing but good to come out of this ..."

People don't like being duped, even if it's for their own good. You're likely
to get more "f--k you's" than "thank you's".

If you want to teach someone a lesson, you don't start out by telling them
they are stupid.

To create some real, lasting value you could have created the app and then
said something like, "Hey everybody! I made this fake marketing web app that
will steal your information and show you how it's done step-by-step. If you
want to see how web scams are done, follow this link: ..." Then make some fake
Google accounts for people to use (instead of their own).

"... you have to wonder if the collective value of the information given up
does not exceed greatly the value of the goods they are shipping."

+1 for that sentiment. If your info wasn't more valuable, they wouldn't be
doing it.

~~~
Evgeny
_If you want to teach someone a lesson, you don't start out by telling them
they are stupid._

I think it depends on the person. Let's consider two scenarios.

1\. "Never fill in your details on suspicious sites."

2\. "You recently filled in your details on xyz.com. Now I know that your
credit card number is 1234."

In response to (1) I would nod, but would it register deep enough? Not so
sure. Now if someone actually shows me that he duped me into giving out
sensitive details, I would be way more impressed and remember the lesson for
longer.

------
DanielStraight
I avoid phishing with some basic rules:

1\. Never give passwords to a third party (so, for example, no Mint).

2\. Never give anything more than an email address to someone you wouldn't
also give your credit card number to. I only give an address or phone number
when I'm planning on buying something.

3\. Never log in after following a link. Always log in by manually (either
through typing the URL or a bookmark) visiting the site.

~~~
jey
Can you explain (3)? Isn't it enough to check whether you're on the right
domain before logging in? Or is this to prevent logging in at an IDN URL that
looks like the real URL?

~~~
DanielStraight
Domain check is good, but can be misread, especially with IDNs. Of course,
URLs can be mistyped too and a lot of phishing is based on typos of URLs. So
really, in the end, you should always follow a bookmark before logging in.

~~~
pornel
I trust my password manager. It auto-fills my passwords only on correct
domains. When my password manager doesn't work, I'm highly suspicious.

Plus I use passwords that are auto-generated based on domain name, which I
copy & paste to the generator. Hopefully this makes me immune to homograph
attacks.

~~~
francoisdevlin
What pm do you use?

~~~
giu
1Password Password Manager and Form Filler may be an option:
[http://www.apple.com/downloads/macosx/networking_security/1p...](http://www.apple.com/downloads/macosx/networking_security/1passwordpasswordmanagerandformfiller.html)

------
crocowhile
It has already happened on reddit last week. Someone came to /r/favors and
offered a free premium account to a file hosting website he had just built.
The deal was: you open an account on the website, you PM me your username and
I'll make it premium. Of course he got a load of users giving him data and
then disappeared, along with the website.

Any other "HN Rate my webapp" thread could do the same.

There are ways of hashing nice password with custom-modified algorithms and
bookmarklets. Use them guys.
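
The domain-derived passwords that pornel and crocowhile describe, together with the IDN/homograph concern DanielStraight and jey raise above, as an added example that is not part of this thread and not any commenter's code: the host is reduced to the punycode form the browser actually resolves, a per-site password is derived from a master secret plus that canonical host, and autofill is refused when the saved and current canonical hosts differ. The function names, the PBKDF2 parameters and the sample hosts are my assumptions; the Cyrillic look-alike host is a constructed example.

```python
import base64
import hashlib
import unicodedata
from urllib.parse import urlsplit

# Constructed example: Cyrillic small a (U+0430) followed by Latin "pple".
# In many fonts it renders identically to "apple.com".
HOMOGRAPH_HOST = "\u0430pple.com"


def _host_of(url: str) -> str:
    """Extract the host from a URL or bare host name (assumed helper)."""
    if "://" not in url:
        url = "//" + url          # let urlsplit treat a bare host as a netloc
    return urlsplit(url).hostname or ""


def canonical_domain(url: str) -> str:
    """Return the ASCII-compatible name the resolver sees: NFKC-normalised,
    lower-cased, trailing dot stripped, non-ASCII labels IDNA/punycode-encoded.

    A homograph label such as the Cyrillic one in HOMOGRAPH_HOST becomes an
    'xn--' label here, so it can no longer be confused with 'apple.com'.
    """
    host = unicodedata.normalize("NFKC", _host_of(url)).rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def is_homograph_suspect(url: str) -> bool:
    """True when the displayed host contains non-ASCII characters, i.e. what the
    address bar shows differs from the punycode name that is resolved."""
    return any(ord(ch) > 127 for ch in _host_of(url))


def site_password(master: str, url: str, length: int = 20) -> str:
    """Derive a per-site password from a master secret and the canonical domain.

    PBKDF2-HMAC-SHA256 with the canonical domain as salt (iteration count is an
    assumption, not a recommendation for a real password manager).
    """
    domain = canonical_domain(url)
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), domain.encode("ascii"), 100_000
    )
    return base64.b64encode(key).decode("ascii")[:length]


def should_autofill(saved_url: str, current_url: str) -> bool:
    """The password-manager rule: fill only when the canonical domains match.
    A mismatch on a page that looks right is the signal pornel relies on."""
    return canonical_domain(saved_url) == canonical_domain(current_url)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master secret
    for url in ("https://apple.com/login", "https://" + HOMOGRAPH_HOST + "/login"):
        print(
            f"{url!r:45} canonical={canonical_domain(url):20} "
            f"suspect={is_homograph_suspect(url)!s:5} "
            f"password={site_password(master, url)}"
        )
    print("autofill on look-alike:",
          should_autofill("https://apple.com/login", "https://" + HOMOGRAPH_HOST + "/login"))
```

The derivation is deterministic, so the same master secret and the same canonical host always give the same password, while the look-alike host gets a different one; that is exactly why a copy-and-paste of the real domain into a generator, or a manager that keys on the resolved domain, is not fooled by a homograph page.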

------
swombat
So, wait a minute... jacquesm contacted you with an idea for a relatively
harmless experiment (I was contacted too, so I know what it was about), and
your response was to post it all on HN without even talking to him first?

~~~
wwortiz
It seems that icey did not think it was so harmless and wanted to inform the
community in case any malice was involved. If this experiment was completely
harmless I don't see why the contributor needed to contact so many people (as
it seems they contacted quite a few active members from the comments) in order
to perform it.

~~~
swombat
Knowing what the phishing in question was, yes, it was pretty harmless. Even
if it was not, jacquesm would not risk his reputation in doing something
malicious to the HN community, so this is a case where a private email might
have done the same as this public notice.

I'm not saying anyone here did anything terrible, but usually when contacted
privately you first respond privately, so this is a bit out of order. It's not
like jacquesm wouldn't have listened to arguments about this, and so an
immediate action in the form of this post is, well, just bad form.

Edit: jacquesm has come forth with it, so I've replaced "a contributor" with
his username.

~~~
jasonlotito
> Even if it was not, jacquesm would not risk his reputation in doing
> something malicious to the HN community,

Not intending to get into this specific debate, but that's precisely the wrong
way to think. Well respected individuals with a good reputation risk theirs
every day. More importantly, for many, jacquesm is a faceless individual. How
can you be certain he's the one who concocted this plan and it wasn't someone
who fished out his information in order to utilize his reputation to gain
something? Especially when this so-called "jacquesm" is trying to phish out
information from the HN community, something that could hurt his reputation
regardless of the intent.

I'm not suggesting he wasn't who he said he was, nor should we distrust him.
Rather, we need to always be aware of what we trust (and an email from a
friend is merely that, an email, not your friend).

~~~
jacquesm
> and an email from a friend is merely that, an email, not your friend

Excellent point, and one that can't be stressed enough.

------
citricsquid
I assume his idea is "hey hackernews do you like my startup please sign up to
try it out" and then (edit: after signing up) the login page will have a
"server error" when you try to view the idea and that way he doesn't have to
build a product and won't attract suspicion. "oh sorry you hammered my server,
it'll be back later today".

~~~
tptacek
No, it's dumber than that.

------
phpnode
Icey, I'm presuming you knew that the point of the plan was to educate and
remind us all that we're not immune from this kind of thing. So it's quite
clear jacquesm had no malice here, if he did do you think he'd discuss it so
openly? Since you've come out and spoiled this quite valuable opportunity, do
you believe your post is in any way more effective at communicating the
message than submitting the fake phishing site would have been?

~~~
icey
That's how it's being spun now, and perhaps in the email that went out today
that I have not been privy to (probably because I voiced my disagreement with
the idea at the time).

That's not how it was being discussed at the time.

~~~
jacquesm
Anybody that wants to check up on that, here is the chat log:

<http://www.freechromelaptop.com/irc.txt>

This was in open channel on #startups, I've redacted the names of the other
participants.

~~~
icey
This is missing parts of the conversation; but seriously Jacques, I've got no
appetite for making this about you.

We both agree that it's easy to phish people. I disagreed then and still
disagree now that the right way to do that is to embarrass them.

If I wanted to "shame" you somehow, I could have easily done that by naming
names to begin with. The only intention of this submission was to warn people
that you must be careful with your information because you never know who
might be out to get it.

I don't believe you were out to snag people's financial data, but beyond that
it was pretty tough to tell what you were after other than "teaching other
people a lesson" (yes, this is paraphrased).

I fail to see what positive outcome could occur from essentially pointing and
laughing at people because they fell for your scheme.

[Edit: I did a bad and edited this comment. Originally it only said "This is
missing parts of the conversation", which is what jacquesm is replying to.]

~~~
jacquesm
It absolutely is not, that's a 1:1 log of my stuff and no parts were removed
other than the lines not spoken by me or referring to me.

I don't think posting a full log of the channel is appropriate, if the other
people that were there wish to publish their parts with their ids in there
that's fine with me.

~~~
icey
Okay, then why are people responding to me at the bottom of the log when I
haven't said anything in it?

~~~
jacquesm
Because my name does not appear in those lines, so grep does not show them.
Again, I'm not going to post other peoples words without their permission.

~~~
icey
Okay, but just so we're clear: This is missing parts of the conversation.

~~~
jacquesm
Working on getting permission to post an unredacted log. But you'd be hard
pressed to distill malice out of my words, 'just so we're clear'.

~~~
icey
I would be happy to have whatever conversation you'd like over email. There's
not much point in bickering like this here.

~~~
jacquesm
I did not post the article above, and I did not use the words 'that's how it
is being spun now', those were yours and they are what prompted this, you
chose the forum.

The email you refer to which explained the whole thing in some detail was sent
to the _one_ person whose reputation might have been harmed but if I had not I
would not have been able to tell if he had fallen for it or not (highly
unlikely anyway) because identifying information is hashed to make sure that
even I can't accidentally leak who fell for it.

My email is in my profile, feel free.

------
x0ner
I can't say I see anything wrong with the crude learning lesson he was trying
to put out there. I myself wrote a quick Wachovia Chrome Extension that never
stored credentials, but tracked if someone actually put them in. Upon a
"login" the user would be presented with a warning about the dangers of
phishing and how to be safe. It blew my mind to see people actually writing
comments telling me they tried to log in multiple times, but never had
success. Sometimes learning the hard way is the only way.

[https://chrome.google.com/extensions/detail/pcgpfcjfajapilli...](https://chrome.google.com/extensions/detail/pcgpfcjfajapillikcncobfmmjfapphn)

------
micheljansen
Good idea, as long as it is only to demonstrate proof of concept (or in this
case, opinion). Better be pointed to your own failures like this than wait for
someone with more malicious intentions :)

------
MisterWebz
Sounds like this guy has way too much time on his hands. And what did you mean
by "his theory"?

~~~
noodle
I think his theory is that HNers and redditors have a more elitist attitude
about themselves and their tech skills, but will fall for the same basic traps
as their grandma. (or, that's what it sounds like to me)

~~~
aerique
Sounds like a reasonable theory. All it takes is a moment of carelessness or
not being up to date to the latest exploit.

That said, we do step into fewer digital traps than a less technical person.

~~~
noodle
Agreed, and I think that we'd be more likely to fall to a specially tailored
trap than a generic bank account email type of thing. As would anyone.

------
maxklein
Is the solution to all this not Facebook Connect and Google Login?

~~~
axod
Definitely! Lump all my logins into a single point of failure, so that if
something is compromised, _everything_ is!!! Awesome idea. :/

~~~
maxklein
It's also a single point to defend.

------
NathanKP
I don't think that it would be possible for me to fall for a HN phishing
attack seeing as how I don't even have a password with HN. I logged in over a
year ago using one click authentication linked to my Google account. The only
way I could theoretically be affected by a phishing attack would be if the
attacker somehow logged me out, then made a page which tricked me into
thinking that I was clicking on HN's one click login.

------
GHFigs
I don't want to be a part of a community where supposedly respectable members
might try to phish me if they don't like my attitude.

The particulars in this situation only keep me from being angry. Was it
malicious or harmful? No. But is it irritating to know that crap like this
going on and that I might be punished for not lurking the right IRC channels?
Hell yeah. I don't need that kind of attention-theft in my life.

------
rl1987
To avoid giving out too much information about myself on the web, I try to
follow these rules:

1\. Never give my actual name or address unless I'm intending to buy something.

2\. Unless the website looks fairly reputable, I register with wh4f.org
throw-away email account.

3\. Third parties have no need to know any of my passwords.

4\. Nigerian prime ministers don't contact random people on the internet.

------
levesque
Has 4chan got the black eye for HN/reddit?

