
Operation Luigi: How I hacked my friend without her noticing (2017) - petethomas
https://mango.pdf.zone/operation-luigi-how-i-hacked-my-friend-without-her-noticing
======
rhacker
> She explains to me how she got an email from Apple about her account and
> there was a phone number in it. I tug my collar several meters into the next
> room, knocking over several carefully-potted indoor plants.

That line was fucking gold.

~~~
neilalexander
> Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral
> code DIANA to be immediately reported to the NSA.

This one definitely got me!

~~~
chilledheat
"I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”,
slide out a yellow and black canister labelled “CHINA”, break open the safety
seal, and use safety tongs to extract the following red-hot phish."

Gold.

------
edoo
Banks and the rest hate me. I use KeePass to generate random alphanumeric
'passwords' that I use as the answers to personal questions.

~~~
nothrabannosir
I have personally experienced a CS rep accepting “it’s just a bunch of random
characters” as an answer. Combined with the fact that you just went on the
record as using that scheme, your opsec just took a dramatic hit.

Use plausible sounding, but random answers.

~~~
jgtrosh
In this case a password like “to be repeated exactly: <random string>” has the
same properties and can be divulged without affecting opsec particularly.

~~~
nothrabannosir
(Un)fortunately, normal people don't think like programmers. That's why
security questions exist, in the first place. Do you think they won't accept
"It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were
the days."

If you think that's bad: I always enter a fake phone number. Once, a company
turned out to use them as verification for phone support. I didn't know, and
had forgotten, so gave my actual number. "Oh, it says something else here.
Shall I just go ahead and remove that, then?" I wanted to cry.

Don't play games.

~~~
function_seven
Not that I condone this strategy, but what is the threat model where an
impersonator knows to say, "It's to be repeated exactly, and then
adso&#fjsou..."?

~~~
nothrabannosir
I'd go with "putting your security question strategy on a public forum", for
starters.

Security through obscurity strikes again.

~~~
function_seven
Well yeah, in this case that's the weakness. But before parent announced their
strategy on this forum, what was the threat model? Hell, let's assume OP
obfuscated the introductory part in their comment to avoid that leak.

~~~
ChristianBundy
If they're willing to brag about their passwords on the internet, I'd be
willing to bet that family and friends have the same information.

Assuming that wasn't true, a customer service rep for the phone company could
call the customer's bank and try to impersonate the customer, assuming it's
used often (like the poster stated).

------
mdrzn
> At this point Diana has been completely gaslighted as to what her hotmail
> password is, because my phishing site said the wrong password was right, and
> then said the right password was wrong, and she thinks it’s the real
> Hotmail.

Most underrated footnote.

------
Insanity
The content of the article is good, but the writing style does not sit well
with me. It's an odd sense of humour and a writing style more suited to
instant messages perhaps rather than a blog.

~~~
deckar01
Going off on quirky tangents can be an effective tool for keeping a reader
interested. It reminds me a little of Douglas Adams. He punctuates the hard
science fiction with goofy anecdotes to get the reader thinking about the
subject from another perspective and to keep them entertained.

It is not a tutorial on how to phish or a vulnerability report, but rather a
story about how motivation is potentially more important to phishing than
technical skill. Without the casual writing style, the main character (and
author) might have seemed more sophisticated, which would have diminished the
point of the story.

~~~
y_tho
A joke here and there is fine, but this person injects his joke attempts into
pretty much every sentence. That gets annoying quickly.

~~~
GiuseppaAcciaio
I guess the threshold isn't the same for all of us; I didn't get irked by the
jokes at all... however, around halfway through I started wishing for it to be
over soon(tm).

------
thunderbong
> My goal here is to figure out what Diana’s actual password is, given that I
> have her password hash. This process is commonly known as “hacking”.

This is hilarious!!

------
NPMaxwell
This is an interesting model for how to provide training/education.

------
godelmachine
This post periodically makes its way back to the top. Last I checked it was 6
months ago.

------
5555624
Posted numerous times, a year ago, including:
[https://news.ycombinator.com/item?id=14919845](https://news.ycombinator.com/item?id=14919845)

~~~
baud147258
On the site ([https://mango.pdf.zone/](https://mango.pdf.zone/)), the above
link is called 'Salty Hacker News comments'

~~~
bspammer
That's pretty funny. I didn't like the writing style at first either, but it
got funnier as I carried on (or maybe the writing got better too). By the end
I was questioning why I was so resistant to light-heartedness in the first
place.

Overall, a really great breakdown of a textbook phishing attack.

------
lgierth
This is certainly not how trust in human relationships is reinforced :)

~~Get consent before hacking your friends.~~

Edit: This is awkward. I was sure I read it one of the previous times it was
posted. Chapeau!

~~~
hyperpower
Did you read the article? The author got consent.

~~~
craftyguy
> Please don't insinuate that someone hasn't read an article. "Did you even
> read the article? It mentions that" can be shortened to "The article
> mentions that."

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
smus
To be fair to the above it's a pretty central factoid that is mentioned more
than a few times, but yes, I agree with you.

