Operation Luigi: How I hacked my friend without her noticing (defaultnamehere.tumblr.com)
728 points by adamch on Aug 3, 2017 | 162 comments



This is the best commentary on a real-life social engineering hack I've seen. What's really interesting is how he was able to be mostly undetected, because services like LinkedIn only had an optional requirement for forcing all devices to re-login when a password was changed, and the hacked individual wasn't using 2FA on her email.


Agree this is excellent, and demonstrates how straightforward phishing really is. 2FA wouldn't save you here either, as that can easily be phished at the same time (except for U2F tokens).


Right, the point of U2F is the physical token.


The "point" of U2F instead of HOTP/TOTP is that the code you send to evilhacker.com can't be used on google.com - so getting a usable token by phishing is impossible. HOTP/TOTP are flawed in that you can send the generated code to evilhacker.com and they can use it to log in to google.com with you being none the wiser.


Sort of - the point of u2f is challenge-response on the key, which is tied to the URI or https session, which makes it impossible to phish without a browser exploit


How would you phish 2FA "at the same time"?


You ask for the token as well and login with it at the same time.

It'll trip you up later if it asks again (e.g. when changing a password or setting up mail forwarding), but your session cookie will be valid for quite some time.
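The two points made above (a TOTP code can be relayed to the real site inside its validity window; a U2F assertion cannot, because the token signs the origin the browser is actually on) as an added, self-contained simulation. This is not code from the article or from any commenter. Site names are placeholders, everything is in memory, and one simplification is an assumption: real U2F signs with a per-key-handle ECDSA P-256 key, while this stand-in uses an HMAC over the same client data so that it runs with the standard library only. The TOTP part follows RFC 6238 / RFC 4226 exactly.

```python
"""Added example: real-time relay phishing against TOTP versus U2F.
Simulation only; https://real.example and https://phish.example are placeholders.
Assumption: HMAC over the client data stands in for U2F's ECDSA P-256 signature."""
import hashlib, hmac, json, os, struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class TotpSite:
    """The real site, protected by password + TOTP. It cannot tell who typed the code."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, now: int) -> bool:
        return password == self.password and hmac.compare_digest(code, totp(self.secret, now))


class Token:
    """U2F-style authenticator: one key per relying party, derived from a device seed."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def _key(self, rp_id: str) -> bytes:
        return hmac.new(self.seed, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._key(rp_id)            # what the site stores at enrollment

    def sign(self, rp_id: str, challenge: str, browser_origin: str):
        # The browser fills in the origin; the page's own JavaScript cannot forge it.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self._key(rp_id), client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


class U2fSite:
    """The real site: checks challenge freshness, then the signed origin, then the signature."""
    def __init__(self, origin: str, credential: bytes):
        self.origin, self.credential, self.pending = origin, credential, set()

    def challenge(self) -> str:
        c = os.urandom(16).hex()
        self.pending.add(c)
        return c

    def login(self, client_data: str, sig: str) -> bool:
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return False                                # stale or unknown challenge
        self.pending.discard(data["challenge"])         # single use
        if data["origin"] != self.origin:
            return False                                # signed for someone else's origin
        expected = hmac.new(self.credential, client_data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(sig, expected)


def demo(now: int = 1_700_000_000) -> dict:
    secret = b"victim-totp-seed"
    totp_site = TotpSite("hunter2", secret)
    token = Token(b"device-seed")
    u2f_site = U2fSite("https://real.example", token.register("real.example"))

    # 1. TOTP relay: the victim types password and the code on her phone into the phishing
    #    page; the phisher submits both to the real site inside the same 30 s window.
    stolen_code = totp(secret, now)
    totp_relayed = totp_site.login("hunter2", stolen_code, now)

    # 2. U2F relay: the phisher fetches a fresh challenge from the real site and hands it to
    #    the victim's browser, which is on the phishing origin. The token signs that origin.
    relayed_challenge = u2f_site.challenge()
    client_data, sig = token.sign("real.example", relayed_challenge, "https://phish.example")
    u2f_relayed = u2f_site.login(client_data, sig)

    # 3. Same token and flow, but the browser really is on the real site.
    client_data, sig = token.sign("real.example", u2f_site.challenge(), "https://real.example")
    u2f_legit = u2f_site.login(client_data, sig)

    return {"totp_relayed": totp_relayed, "u2f_relayed": u2f_relayed, "u2f_legit": u2f_legit}


if __name__ == "__main__":
    print(demo())   # {'totp_relayed': True, 'u2f_relayed': False, 'u2f_legit': True}
```

In the TOTP case the real site sees a correct password and a correct code and issues a session cookie to whoever submitted them, which is exactly the "valid for quite some time" window described above. In the U2F case the relayed challenge is fresh and the signature is valid, and the login still fails on the origin check alone; in a real browser the request would usually be refused even earlier, because the browser also refuses to use a key handle for an origin that does not match its app ID.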


As I read the part about LinkedIn not mandatorily logging out all your devices, all I could think was that it wouldn't make a difference, because who actually engages with LinkedIn often enough to expect to remain logged in?

Maybe I'm assuming too much that other people are like me, but I interact with Facebook as many times per day as I do per year with LinkedIn.


There are people with the app installed on their phones. They are logged in all the time.


Naturally, of course there are. But the whole article was written about hacking a typical internet user, and my point was that the percentage of people who a) have the LinkedIn app installed on their phone and b) actually open it with any regularity is small enough not to be representative of a typical internet user.


Alex kuza55


One of my favorite low key social engineering hacks is that I used to have a keylogger installed on every machine I own. Whenever a friend needs to hop on my machine to show me something, they'd log into an account they own and I would have their password.

Then I'd do the same Luigi-like low key messing with them for a while. My favorite was when a friend had a VNC server running on their machine with control capabilities. I would sit next to them and subtly jerk the mouse pointer right before they were about to click on something and it drove them mad for a good 20 minutes before I couldn't hold onto the giggles anymore.

edit: To add a bit of context, this was in the Windows 98 era, before the age of social media where we started putting all of our secrets onto our machines. And it was among a group of friends where everyone was trying to hack everyone else and pretty much anything was considered fair game. All of us were high school kids so there wasn't some super serious reputation we had to protect.


Just wow...

>One of my favorite low key social engineering hacks is that I used to have a keylogger installed on every machine I own. Whenever a friend needs to hop on my machine to show me something, they'd log into an account they own and I would have their password.

This isn't a "low key social engineering hack", it's betraying someone's trust.

>I would sit next to them and subtly jerk the mouse pointer right before they were about to click on something and it drove them mad for a good 20 minutes before I couldn't hold onto the giggles anymore.

This isn't actually funny, it's just being obnoxious and mean.

If you're next to them why not just jerk their arm when they are trying to click? It achieves the same "goal" of "entertaining" yourself and pissing the other person off. Jerk their laptop when you walk by. Throw stuff at them. Smack them in the head. Trip them when they get up to pee. "Hilarious."

>among a group of friends where everyone was trying to hack everyone else and pretty much anything was considered fair game.

This sounds like the bully saying "we were all having fun together."

You don't know the difference between having fun with someone and having fun at their expense - and that's just disturbing.

As someone who lived during the Windows 98 era, I wouldn't want others reading my IMs and emails (I had some very sexual and personal communication over those channels) or viewing my browsing habits.


> This isn't a "low key social engineering hack", it's betraying someone's trust.

I've known some kids who went through a phase where you would ask them something like "Did you clean your room?", they'd say "Yes!" and then later, upon confronting them with their messy room, they'd get this self-satisfied sneaky look, and cackle: "Hah! I tricked you!"

While I sympathize with the David-and-Goliath allure of reversing the power-relationship between them and the adults in the household, I tried to explain that such direct lies weren't quite the kind of devious tricksterhood that gets a celebration.


C'mon, man. You've never heard of someone "hacking" a Facebook account and changing the profile picture to a poop emoji or something?

It is a juvenile prank, sure, but high schoolers are literally juveniles.

Obviously, you shouldn't do stuff like this to someone who will freak out and get upset about it.

Persistent bullying and harassment is, of course, not ok. But most "cyber crimes" that high schoolers commit against each other are NOT that. They are dumb pranks like changing a person's sexual orientation on facebook.

For most situations, the vast majority of kids would just be embarrassed for like 10 seconds, laugh, and maybe try to prank the person back.


Yeah but there's a big difference between 'hacking' a friend's Facebook or MySpace account, since it usually happens if they just leave the account open on a computer, and actually keylogging their password.


> For most situations, the vast majority of kids would just be embarrassed for like 10 seconds, laugh, and maybe try to prank the person back.

That seems to imply that very little bullying occurs through such means. I'm sceptical of that.


Entirely depends on age and context. When I was a teen the group of friends I ran with would be constantly attempting to "hack" the other, so you were always on guard. Honestly I attribute that more than most things to my early interest in computer security and getting my foot in the door with programming. It turned into a pretty nice career so far. Sure it got tiring sometimes, but overall it was a great life experience I wouldn't trade for anything.

We also kept this between ourselves. It's a much different situation if I "pwn" my friend who is attempting to do the same back to me vs. a typical normal kid.

Those practices we learned put my friends and me in a pretty unique mental space for the time. It was an age when all this stuff was new, computers truly did not do as much important life stuff, and being a teenager playing pranks and cat and mouse was fun. Just this stupid "real world" experience in your mid/late teens was enough to typically get an entry level job in IT - typically starting off with more skills than your superiors.

What was NOT OK were the few guys who never grew out of that BS. I ended a business partnership after I found out my "partner" had opened my workstation and removed the BIOS battery to reset things, and install a keylogger. At that point it's no longer funny, it was not a novel or interesting attack, and was simply being an untrustworthy asshole.


I'm really happy you weren't a friend of mine in those days. Turnabout was fair play and compromising each other's machines was a way to learn the basics of security. People would see a good prank as being handed a choice bit of meat: time for revenge :)


Jesus what an overreaction. You've never played a prank on someone or had one played on you? My friends and I in high school did this exact kind of stuff and it was a lot of fun. We just learned to be paranoid about being pranked, it wasn't some pseudo bullying outlet. If anything it taught us that people can hack your stuff, so don't be an idiot. To this day I still don't log on to any accounts on any public computer or even a friend's computer. How often do you go to a computer lab or library and see that somebody forgot to log out of their Facebook or Gmail account or something? Maybe if their friends screwed with them when they were kids they would know better.


Sure, I've been pranked (old shaving cream on the hand while sleeping comes to mind) and I'm sure I've participated in pranks but none come to mind right now.

HOWEVER, there's a huge difference between a harmless prank and betraying someone's trust to be mean to them. I consider keylogging and pwning someone's machine deep in the "asshole" category. I also think that jerking someone's mouse when they are trying to click is not clever, just annoying, not funny. Especially because it could more effectively be done physically. It's in the same league as tripping someone when they walk by - just dick behavior.

A prank is something the pranked can laugh at, not just the pranker.

Since I was just learning to explore my sexuality during that time and my IM messages and emails reflected that, I'd be pretty horrified to know someone stole my password, pwned my machine, and read them. Like, seriously horrified and very violated.


You call shaving cream on the hand a prank? VANILLA! (just kidding) Idk. I guess we were bad kids when I grew up because we would hack each other's RuneScape accounts and stuff and drop each other's stuff or transfer it to a fake account and hold it for IRL ransom until somebody made you breakfast or something along those lines. Or we would watch somebody type their password on their laptop and if we caught it we would put a gross or lame picture on the desktop. I think if anything it actually built trust and friendship between us. Of course there was some drama once in a while or you'd really make somebody mad, but at the end of the day we all stayed friends, and still are over a decade later. We had a lot of laughs, but it was like, ok who has the group not picked on recently? Time to prank them.

So while I understand in cases like yours it can be bad, I think calling for legal action and generally freaking out about it as a general rule is pretty lame. Kids will be kids. Shit happens. Life happens. Don't let people use your computer.


So you steal passwords from people who trust you and consider you a friend?

If you were befriending someone with the sole intention of getting their passwords, that might be considered social engineering.

If you are just exploiting the existing trust of friends and family for fun, that's sociopathy.


> One of my favorite low key social engineering hacks is that I used to have a keylogger installed on every machine I own. Whenever a friend needs to hop on my machine to show me something, they'd log into an account they own and I would have their password.

Is that legal? Seems like a good way to get sued/arrested if you annoy the wrong person, or your 'friends' ever report you for it.

But seriously, that's pretty messed up either way really. You're exploiting people that think you're friends with them to get information from their computers without their knowledge. It's at best not ethical and at worst not legal.


He was talking about high school shenanigans. ¯\_(ツ)_/¯

Kids play pranks on each other. That's not going to be the end of the world, and nobody is going to be sent to jail.

He also explicitly said that everyone was doing it to everyone else, so obviously this isn't some cyber bullying scenario where someone is getting seriously hurt.

I remember people doing lots of dumb pranks like this in high school, and nobody ever got emotionally scarred because someone "hacked" their Facebook page (because it was left open as someone went to the bathroom) and changed their "interested in" profile section to "men".


Jeez let's call the FBI because of these high school friends playing pranks on each other. Maybe we can get one a criminal record or a large fine. That'll really solve this "problem" and teach those kids "lessons". I can't believe that on hacker news of all places people are talking about the legality of kids in high school playing pranks on each other with computers. You guys sound just like the government.


HN has been a site for the masses for quite some time now. In other words, the quality is severely degraded.


I mean, apart from the moral issues here, what you are doing is illegal.

And that's fine, if it wasn't for the fact that your HN profile advertises your business.

Do you also do this to your clients?


Ahahahah

What a great world we live in!


I also did this as a stupid teenager. Regretted ever doing it, friends got super mad at me when I came clean. There are some things that you just shouldn't know about, reading private conversations where your friends talk about you and say what they really think of you can be really depressing.


You could easily see something you shouldn't want to see. Not cool.


You can never un-see or un-know something. If you wonder just what kind of spot that can put you in, just keep hacking your own friends... I suspect any one of us would eventually see something we'd rather not have.


Where's the social engineering part? Trying to convince people you aren't a scumbag so they become your friend long enough for you to swipe their password?


I mean, I'm pretty sure that is social engineering, doesn't make them any less of an asshole though.


I'm apparently the only person who thinks this is indeed funny. Wouldn't be cool with it as an adult, would find it totally hilarious as a teenager.


So you would act like a bro and then stab your friends in the back by exploiting your fake friendship with them to get their most personal information and then leverage that to mess with them (after you have explored their accounts a bit looking for anything that was funny or that you could use to exploit, of course), but later you would giggle about it.

So it was just a prank?


What part of this is social engineering and not you just being a piece of shit?


I'm happy not to be your friend.


That's just being an asshole, don't use fancy words about it.


I wrote a keystroke logger for Windows, but I've never used it outside of demonstrations. Doing so may be illegal, so talk to a lawyer in your state to get the facts. Here's the source code:

https://github.com/w8rbt/keycap


This post was a bit hard to read with the buzzfeed-esque jokes and writing style.

Here's my summary:

  1. Someone gets permission to hack their friend
  2. They find their email / phone number online
  3. They lookup old password leaks for the email (passwords don't work)
  4. They end up setting up a fake page to phish their friend (it works)
  5. They wait until their friend falls asleep to reset the twitter password
  6. They make their friend follow a bunch of fake Mario accounts on Twitter
  7. Friend notices, they meetup to swap stories (the friend doesn't follow the fake Mario accounts)


I think the details were pretty interesting, so let me expand your summary:

  1. Someone gets permission to hack their friend
  2. They find their email / phone number online
  3. They lookup old password leaks for the email
    3.1. They find their password hash (salted) in the Tumblr dump
    3.2. Tumblr turned out to use the same hash for everybody, so the author
         finds other accounts with the same hash, follows them to a LinkedIn
         leak (unsalted), and successfully recovers the password
    3.3. The password turns out not to work (changed some time ago)
  4. They end up setting up a fake page to phish their friend
    4.1. First phishing attempt produces... the old password that is already
         known through point 3.
    4.2. Second attempt is modified to reject user input a few times, producing
         another password, which happens to work
    4.3. The victim grows suspicious of the phishing e-mails, but another
         message puts those suspicions to rest
  5. They wait until their friend falls asleep to reset the Twitter password and (later, in the same way) capture
     their LinkedIn account
  6. They photoshop their profile pictures to subtly include a Mario character, and they
     make their friend follow a bunch of fake Mario accounts on Twitter
    6.1. When that doesn't get noticed, they redo the trick in a much less subtle way
  7. Friend notices, they meetup to swap stories (the friend doesn't follow the fake Mario accounts)


I appreciate you summarising the article, thanks!

I really couldn't stand the writing style the author used — I understand peppering your writing with jokes, but there were far too many attempts at 'humour' for my taste.


I had a hard time following the text too. I usually don't mind jokes, but when the joke/content ratio gets > 1, I think it's too much.

Fortunately, I had a few minutes to kill while eating lunch, so I read it all.


I actually found it pretty easy to skim the article by simply ignoring the jokes. It was about 3 joke sentences to 1 relevant sentence and fortunately he was reasonably consistent in his unconventional sentence formation in his joke writing, making it really easy to skip them.


I would pay good money to have all HN articles summarized like this


It might not be the digest you asked for, but it's the summary we deserve: http://n-gate.com/hackernews/2017/07/31/0/


I am exhausted just imagining that this bucko is still at this project. It's like a perpetual motion machine of self-hatred.

Irony is only irony if it is not greater than 73% of your life, according to scientists. This person long ago passed that threshold.


You're assuming they actually read the threads. It would be easier, and yield the same results, to merely read the headline, and write based on that. In fact, I'm sure a simple script could cover the majority of cases, leaving them to only need to write for the odd one their script can't cover.


Knowing them, I don't think that's what they do tho.


Yeah, they definitely read the threads. This is some pinpoint-accuracy hate and idiocy.


>In fact, I'm sure a simple script could cover the majority of cases

I'm sure you could get some funding to provide that as a service.


This project definitely tells more about the author than about the HN community.


Well, I find it hard to think that website encompasses more than 10% of his/her life.


I just discovered it, and I wouldn't have clicked on the link but the negative comments got me into it.

I have been laughing out loud for the past hour.


It warms my heart that this is still going strong.


This makes me unreasonably happy.


Wow, you just saved me like 19 hours a week.


n-gate is pure gold


There was a community-driven project for exactly this. It was hosted on http://tldr.io. There was a browser extension showing you the summary of an article when you visited it and you could contribute your own summaries. And I started creating a Windows Store app (back in the time of Windows 8.0) for browsing all TL;DRs.

But sadly, the project has been discontinued for a couple of years already. I think it lacked incentives for summary writers (for example micro payments from summary readers) and also a monetization model for the project creators.

The code is still on GitHub: https://github.com/tldrio

I thought about contacting them to get the web service running again on some cheap AWS VM or so, but haven't done it yet.


Correction on the password part:

3.2 Tumblr used the same salt for everybody, but the author doesn't know the salt. He searched for the hashed password and found 20 other users with the same password hash, i.e. using the same password.

3.3 The LinkedIn leak has no salt; by looking up the 20 other users he found the plain text password, which should be the target's password.

3.4 The password no longer worked.
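The chain described in 3.2 and 3.3 (and in the expanded summary earlier in the thread), as an added, runnable illustration. This is not the article's code. The two dumps are constructed here and are not real leak data; the "Tumblr-like" dump uses SHA-1 over one site-wide salt, which is an assumption standing in for whatever Tumblr actually used, and the "LinkedIn-like" dump uses plain SHA-1, which is what the 2012 LinkedIn dump did. The attacker-side functions only see emails and hash strings; the salt constant exists only to build the sample.

```python
"""Added example: a site-wide salt leaks password equality, and an unsalted second
dump turns that into plaintext. Sample dumps below are constructed, not real data."""
import hashlib
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# --- constructed sample data ---------------------------------------------------
_PLAINTEXTS_A = {                      # only used to build the dumps; attacker never sees it
    "target@example.com": "mario1985",
    "bob@example.com":    "mario1985",
    "carol@example.net":  "mario1985",
    "dave@example.org":   "correct horse",
    "erin@example.com":   "letmein",
}
_SITE_SALT = b"one-salt-for-everyone"  # assumption: one global salt, unknown to the attacker

# "Tumblr-like": salted, but the SAME salt for every account
DUMP_A = {e: sha1_hex(_SITE_SALT + pw.encode()) for e, pw in _PLAINTEXTS_A.items()}

# Same passwords, but a per-user salt (derived from the email here just to stay deterministic)
DUMP_A_PER_USER_SALT = {
    e: sha1_hex(hashlib.sha1(e.encode()).digest()[:8] + pw.encode()) for e, pw in _PLAINTEXTS_A.items()
}

# "LinkedIn-like": plain SHA-1, no salt at all
DUMP_B = {
    "bob@example.com":   sha1_hex(b"mario1985"),
    "erin@example.com":  sha1_hex(b"letmein"),
    "frank@example.com": sha1_hex(b"password1"),
}
WORDLIST = ["password", "123456", "letmein", "password1", "mario1985"]


# --- attacker side: works on emails and hash strings only ----------------------
def cluster_by_hash(dump: dict) -> dict:
    """Group accounts sharing a hash. With a global salt, same hash means same password."""
    groups = defaultdict(list)
    for email, h in dump.items():
        groups[h].append(email)
    return groups


def largest_cluster(dump: dict) -> int:
    """Size of the biggest group of identical hashes; 1 means equality leaks nothing."""
    return max(len(v) for v in cluster_by_hash(dump).values())


def crack_unsalted(h: str, wordlist):
    """Dictionary attack on a plain SHA-1. Trivial, which is the point of having no salt."""
    for word in wordlist:
        if sha1_hex(word.encode()) == h:
            return word
    return None


def recover_password(target: str, dump_a: dict, dump_b: dict, wordlist):
    """Return (password, email_it_was_cracked_from) or (None, None).

    The target's salted hash is never attacked directly: every other account with the
    same hash is looked up in the unsalted dump and one of those is cracked instead."""
    target_hash = dump_a.get(target)
    if target_hash is None:
        return None, None
    siblings = [e for e in cluster_by_hash(dump_a)[target_hash] if e != target]
    for email in siblings:
        h = dump_b.get(email)
        if h is None:
            continue
        pw = crack_unsalted(h, wordlist)
        if pw is not None:
            return pw, email
    return None, None


if __name__ == "__main__":
    print(largest_cluster(DUMP_A), largest_cluster(DUMP_A_PER_USER_SALT))
    print(recover_password("target@example.com", DUMP_A, DUMP_B, WORDLIST))
```

The interesting part is that the target's hash is never cracked and the salt is never learned: a shared salt only hides the password, not the fact that several people chose the same one, and any one of those people showing up in an unsalted dump gives it away. The per-user-salt variant of the same data clusters to size 1, which is the whole reason salts are supposed to be per record.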


Thanks!

Also, when I noticed my typo in the 3.2 ("hash" instead of "salt"), I pretty much hit myself in the head :/.


Unfortunately HN cannot render blockquotes readably.


> 4. They end up setting up a fake page to phish their friend

An important part of the story was that the phishing attempt failed, but was followed up by a spear-phishing attempt that was eventually successful.


Thank you. That really was a long and convoluted read.


I wish I had seen this comment before wasting 20 minutes of my life reading the real thing.


Luigi


While slightly enjoyable (for the first few paragraphs) I couldn't finish reading it. The author is trying _way_ too hard to be funny.

I suppose it is written to another audience, perhaps the people that use tumblr find this funnier.


That's what I thought at first but as I kept going I ended up enjoying it more and more as it was so blatant at poking fun at terrible hacker/script kiddie tropes.

I will mention that with the number of footnotes, Marco Arment's little in-place footnote pop-up script he uses on his blog and Ben Thompson uses on Stratechery would have been appreciated. I forgot how useful that was compared to 'true' footnotes on long articles with lots of them.


I think that they are using Bigfoot. Personally I prefer the jQuery-less version littlefoot.


You're right. It's Bigfoot.


Speaking as a regular Tumblr user, Tumblr very much has its own dialect, which this piece is written in. It's not really meant for the Hacker News audience.


Quite true, this is Tumblr dialect + over-the-top script kiddie lingo. The only thing missing from the dialect is maybe??? these question marks?????? i guess???


It is for people who are a member of both audiences


this is an obvious parody


> That’s REAL nice of you to offer old mate LinkedIn but I’m absolutely golden as it is in terms of logouts so don’t even worry about it I’ll be just fine how it is NO REALLY don’t trouble yourself, I’m sure your CPU cycles are busy displaying everyone’s 6000 word Thinkpieces about “Cyber” for “Non-technical Business Decision Makers”.

You can't tell me you didn't find this hysterical


I found the length of that sentence hysterical.


I felt like I was having a stroke.


Is that copy/pasted? The writing is atrocious.


I ended up reading it like I read man pages. By which I mean, I skim through it really quickly and then do something else.


I found it funny, but that's okay; that's why everyone has a different favorite comedian.


Yeah, I got to the first "this isn't her real name but that's what journalists do..." and rolled my eyes. I thought that was a one time thing, but it continued. I'll look for a summary in the comments here.


Agree, that could have been a great article, but the cool bro attitude and writing style is just too much for me. It's hard to read if I'm rolling my eyes every 3 sentences.


TL;DR: phishing


Terribly annoying to read his overly saturated banter. I seriously regret not reading the comments first.


If he doesn't try to be funny he goes to jail.


Quite long ago, I read a fairly similar article (without this ridiculous commentary, of course). It went something like this:

- a friend asks author to try and hack him

- author tries a bunch of things in vain, finally decides to use a rogue wireless AP and does a MITM

- identifies that notepad++ has automatic updates turned on and that it's over HTTP

- creates a custom executable and writes a script (or something) to serve this payload when notepad++ tries to download an EXE

- fakes an update (by returning true when notepad++ queries an HTTP endpoint for the latest version on startup)

I'd be really thankful if someone could link me to this post. My usually powerful google-fu has let me down this time (I tried all _sorts_ of things). Notepad++ and MITM are the only things I strongly remember.



While that uses a similar exploit, it's not the one alas! The article I'm referring to used a rogue AP where the author essentially created a pineapple-like device (or something; I'm probably misremembering this part).

Thanks anyway! :)

Edit: this was also more of a story than a how-to like guide.


I found it really enjoyable and rather funny. I really liked the attention to detail as well, e.g. replicating last 5 searches in order to stay stealthy. I imagine that lots of effort went into the hacking exercise and the write-up. Nicely done.


> I use the incredibly cutting edge “Inspect Element” feature of the popular hacking software, Google Chrome, to edit the text of the email but keep the look.

I used to do this to fake screenshots as well. People assumed I edited them with Photoshop!


I actually found this post really good. The buzzfeed-esque jokes are made this way with the only purpose of helping raise awareness about online security and how anyone with a minimum knowledge of the Internet can easily breach into your accs.


Social Engineering is a thing to watch out for. I've learnt to never answer honestly when they're asking stuff like "Where were you born?" "What's your first pet" etc.

Instead I've made up some answers that I'll never tell anyone else.

However that doesn't really make those details secure. 2FA is where it's at.


Yeah you can just scroll through someone's Facebook account for 'secret' answers. They're bound to have answered one of those "Your porn star is your first pet's name followed by the street you grew up on" things


I store them as a "note" in my password manager, all generated passwords that have no basis in reality.


> Instead I've made up some answers that I'll never tell anyone else.

You should make up some answers like ighe9Chik9oorooy. That's what I do.


Yes. My first girlfriend is ntnOFT(#9TNSONROe.

I'll never forget you, ntnOFT(#9TNSONROe. We had such good times together.


A (random) English word is a better answer. Otherwise you can be phished by someone communicating with a phone rep.

"For security what's your pet's name?"

"I don't have a pet, I just put a bunch of random characters."

--

Due to implementation, these questions are actually sometimes hard to answer truthfully. My fav teacher has a . in her name but "special characters" are not allowed in answers. My pet's name is 4 characters, too short. How did I answer my first car? Year, make, model? Make? Year and model? Just model? Who can remember?


Only, how is the phisher supposed to know that I used a randomized password?


1) Guess

2) The HN post I replied to.


Yeah, I use lastpass for my passwords, and another application for 2FA... I get REALLY suspicious when a site isn't in my lastpass.


My notes from this article:

  * don't use linkedin
  * don't use hotmail
  * always use 2FA
  * use complicated and different passwords
  * security questions matter
  * avocado toast?
  * change passwords periodically


> avocado toast?

A couple of Australian doofuses said that it's millennials' own fault they can't afford homes, because some of them buy expensive meals sometimes. http://time.com/money/4778942/avocados-millennials-home-buyi...

The internet has had a lot of fun with it. https://www.washingtonpost.com/news/food/wp/2017/05/15/dont-...


"Warren and Tyagi demonstrated that buying common luxury items wasn’t the issue for most Americans. The problem was the fixed costs, the things that are difficult to cut back on. Housing, health care, and education cost the average family 75 percent of their discretionary income in the 2000s. The comparable figure in 1973: 50 percent."

Whoa.


I found it rich the millionaire said that, given that his grandfather gave him $34k to buy a house (0).

(0):https://www.cnbc.com/2017/05/16/millionaire-tells-millennial...


Steps to becoming a millionaire:

1) Family gives you money.

2) Don't squander the money on hookers and blow.

3) Use life opportunities that having wealth brings to create more wealth.[1]

4) Congrats, you're a millionaire.

Anyone can do it!

[1] They say "you need money to make money" and speaking as someone who has both lived with no money and now lives with lots of money, it's sooooooo true. The more money you have the easier it is to acquire even more money.


Well, I saw the storm on Twitter where the lady was all "i am old enough to be your damn mama and also i'm black and you should eat the avocado toast because carpe diem" or some shit and it got like 36K likes and 15K retweets. So I figured it was just more of that.

https://twitter.com/tangelaekhoff/status/864667137138360320?...


>security questions matter

This sucks and I wish I could turn it off on accounts that I've set up my YubiKey on. It's a strong password at best and my mother's maiden name at worst.

Name of childhood physician: dr. EeNohsh3yaiw3vaHaic4


I am still so pissed about the Linkedin leak. I will never use them again.


Still confused about why people use them in the first place. I see no benefits of having a LinkedIn account. I'm probably just confused about what they are and how they work.


In my experience it exists so that lazy recruiters can relentlessly spam users with completely irrelevant job vacancies based on odd keywords that appear in their profiles.

A year ago I made the transition from contract developer to employer and therefore have a lot of "developer" keywords and experience on there. My profile makes it very clear that I'm busy running a business and not looking for entry-level contract positions. It also clearly says "no agencies" in the contact details. I still get multiple messages and connection requests from clueless recruiters playing the numbers game to the point where the site actually has a net negative value to me due to wasted time.

Still, I'll probably go check it out now that I've been reminded that it exists... If only to go and clear out my inbox again.


I’m now realizing you could easily social engineer my S Questions out of me.

Beside that I follow basically everything on this list (not avocado toast) :)


> always use 2FA

Well, if you are using your phone and change countries you end up with a lot of issues, as I found out the hard way :(


U2F. Just sad support is growing so slowly.


avocado toast!


This is the same guy who did a great blog post about finding his friends' Tinder accounts by spoofing a new Tinder service. They're absolutely hysterical, and I hope he keeps doing more.



I had no problems with the humor parts. Good article.


"Hello and welcome to a blog post. I am writing it and you are reading it. It’s amazing what we can do with computers these days."

Ugh. And I'm closing the tab. Appreciate the effort with humor, but you really should concentrate on being able to write something that's informative and enjoyable to read, and THEN try your hand at making your writing funny. The first sentence/paragraph needs to be a hook to get people interested, not some meta jokey blurb that doesn't have anything to do with anything.


> The first sentence/paragraph needs to be a hook to get people interested, not some meta jokey blurb that doesn't have anything to do with anything.

The first sentence/paragraph needs to be the first sentence/paragraph. I'm personally sick of people optimizing things to "hook" their "audience". I much prefer when people simply write honestly and to the point. Not everything in life has to be a sales pitch.

(This post was definitely not "to the point", but that's a stylistic choice of the author; I can respect that even if I don't like it.)


The blurb did its job -- I can assure you that you wouldn't have enjoyed the rest of the post. It's not really about cutting-edge social engineering. It's just a funny story.


It's possible to discover this girl's full name, Twitter, Instagram, LinkedIn, etc. (full identity) based on a few careless clues left by the author. Very irresponsible considering he has revealed her password habits and other personal vulnerabilities.

Loved the write up though.


The author acknowledged as much in the footnotes:

> If you really tried you could probably find Diana’s Twitter from these. You would then be a hacking genius, binary flowing through your veins, and have a CVE number assigned to you personally. I, a humble wannabee, am relying on your strict ethics to prevent you from, uh, stalking the friend of some guy whose blog post you read. You can do it. I believe in you.

> Having said that, I don’t really have an overwhelming amount of faith in the idea that someone won’t try to do that. You can stay chilled out, dear reader, since before this blog was published Diana and I had a nice chat and fixed up her personal security.


I didn't believe you at first but you're right. It's so easy to leak information these days :S


>There are entire criminal industries built on the idea that people use the same password all over the place because nobody cares enough to remember more than a few passwords because they’ve got things to scroll on their phone okay.

Or... because having to remember more than 3 random combinations of arbitrary letters, numbers, and a subset of extended ASCII, is not a tenable solution. Of course people use things like l33tspeak. We can remember words. I wouldn't say laziness has anything to do with it.


If you liked this, the same guy has also written other stuff in the past - https://defaultnamehere.tumblr.com/post/139351766005/graphin...


An opsec screwup in that post has told me what's possibly the real first name of “Diana”.

Opsec is hard.


He screwed up big time. You can google her tweets :|


So basically we've learned that the best defense to getting hacked is to not become a target of bored script kiddies, because those bastards are as ingenious as they are terrible writers.


Really it's "look at the address bar".


Pop quiz: without investigating, is https://www.capitalonecredit.com/sign-in/ a valid URL owned by Capital One?

Second quiz: Without investigating, can you tell me when this domain expires, if it is registrar locked, if anyone can purchase this domain once it expires, what the mechanism used to verify a request for certificate for an existing domain is, if anyone can use a free TLS certificate service to create a valid signed site once they own it, and how much time it would take for this to happen if it was automated?

(spoiler alert: the address bar will not tell you any of this)


> (spoiler alert: the address bar will not tell you any of this)

Related: who on the Chrome team had that "bright" idea to dumb down the website security popup that shows when you click on the padlock next to the address bar? All the relevant info seems to have moved somewhere to Security tab in the Chrome Dev Tools...


If there was no salt in the database, it looks like Tumblr used a secret "pepper" (https://en.wikipedia.org/wiki/Pepper_(cryptography))? Why wouldn't they include a salt as well? Or did the database dump just not have the salt column?


> If there was no salt in the database, it looks Tumblr used a secret "pepper"

It's absolutely clear that Tumblr did not use a pepper to create the dumped hash values in the article. Multiple users had the same hash, and most of those users had the same password as each other on another site.


A pepper is shared among all users of a site. That's what makes it different from a salt.

Or are you saying that the exact same hash was found in multiple separate database dumps? I didn't see any indication of that in the article.


What you say seems to directly contradict the Wikipedia link above, which says:

"The pepper is randomly generated for each value to be hashed (within a limited set of values), and is never stored. When data is tested against a hashed value for a match, this is done by iterating through the set of values valid for the pepper, and each one in turn is added to the data to be tested (usually by suffixing it to the data), before the cryptographic hash function is run on the combined value."


The talk page mentions "pepper" having two meanings, both of which are mentioned in the article. I wasn't familiar with the one that involves brute-forcing it on every login attempt, and I've never heard of it being used in production on a real site (whereas a global shared secret seems to be reasonably common).


> I wasn't familiar with the one that involves brute-forcing it on every login attempt, and I've never heard of it being used in production on a real site (whereas a global shared secret seems to be reasonably common).

In case you're interested, that is the same scheme as the one used by JoeyH's keysafe[1].

[1]: http://joeyh.name/code/keysafe/


That is not the cryptographic definition of a pepper.


It seems to be how it's typically handled in practice. Example: https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-...


I understand your point, but a close reading of the dropbox article shows a qualified pepper they term "global pepper."
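The two senses of "pepper" argued over in this sub-thread (a global server-side secret shared by all users, versus a small random value that is never stored and is brute-forced at verification time) are easy to confuse without seeing them side by side. The following is an added illustration, not code from the article or from Tumblr or Dropbox; the secret value, the sample passwords and the one-byte pepper space are constructed for the demo, and plain SHA-256 stands in for the slow KDF (bcrypt, scrypt, Argon2) a real deployment would use. It shows why a global pepper alone still leaves identical hashes for identical passwords, which is the observation made above about the dump, and how a per-user salt changes that.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo value: a server-side secret that never lives in the
# password table. In a real deployment this comes from a KMS or config vault.
GLOBAL_PEPPER = b"constructed-demo-secret-not-stored-in-db"

# Small search space for the "unstored pepper" scheme: one byte, so a login
# check costs at most 256 hash evaluations. (Demo-sized; choose per KDF cost.)
UNSTORED_PEPPER_SPACE = 256


def hash_global_pepper_only(password: str) -> str:
    """Scheme A: global pepper, no per-user salt.

    Every user with the same password gets the same digest, so a leaked
    table exposes password reuse between accounts even though the pepper
    itself never leaked."""
    return hmac.new(GLOBAL_PEPPER, password.encode(), hashlib.sha256).hexdigest()


def hash_salt_plus_global_pepper(password: str, salt: bytes) -> str:
    """Scheme B: per-user random salt (stored next to the hash) plus the
    global pepper keyed into an HMAC. Same password, different users,
    different digests."""
    return hmac.new(GLOBAL_PEPPER, salt + password.encode(), hashlib.sha256).hexdigest()


def make_salted_record(password: str) -> tuple[bytes, str]:
    """Create what the database would store for scheme B: (salt, digest)."""
    salt = os.urandom(16)
    return salt, hash_salt_plus_global_pepper(password, salt)


def verify_salted_record(password: str, salt: bytes, digest: str) -> bool:
    return hmac.compare_digest(hash_salt_plus_global_pepper(password, salt), digest)


def hash_unstored_pepper(password: str, salt: bytes) -> str:
    """Scheme C: the Wikipedia sense quoted in the thread. A random byte is
    mixed into the hash and deliberately thrown away; only salt + digest
    are stored, so an attacker has to try every pepper value per guess."""
    pepper = bytes([secrets.randbelow(UNSTORED_PEPPER_SPACE)])
    return hashlib.sha256(salt + pepper + password.encode()).hexdigest()


def verify_unstored_pepper(password: str, salt: bytes, digest: str) -> bool:
    """Verification iterates the whole pepper space, as the quoted
    definition describes; the server pays this cost on every login."""
    for p in range(UNSTORED_PEPPER_SPACE):
        candidate = hashlib.sha256(salt + bytes([p]) + password.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def distinct_digests(passwords: list[str], salted: bool) -> int:
    """How many distinct digests a list of user passwords produces.

    With scheme A this equals the number of distinct passwords, which is
    exactly the reuse signal visible in a dumped table; with scheme B it
    equals the number of users."""
    if salted:
        return len({make_salted_record(pw)[1] for pw in passwords})
    return len({hash_global_pepper_only(pw) for pw in passwords})


if __name__ == "__main__":
    # Constructed sample table: three users, two of whom reuse "hunter2".
    users = ["hunter2", "hunter2", "correct horse battery staple"]
    print("pepper only, distinct digests:", distinct_digests(users, salted=False))
    print("salt + pepper, distinct digests:", distinct_digests(users, salted=True))
    salt, digest = make_salted_record("hunter2")
    print("salted verify ok:", verify_salted_record("hunter2", salt, digest))
    d = hash_unstored_pepper("hunter2", salt)
    print("unstored-pepper verify ok:", verify_unstored_pepper("hunter2", salt, d))
```

Running it shows two distinct digests for the three users under the pepper-only scheme (the duplicate is the reuse leak) and three under salt plus pepper; the unstored-pepper verifier succeeds only after scanning candidate pepper bytes, which is why that variant is rarely used on high-traffic login paths.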



This has gotta be the funniest blogpost in years, yet so legit that it makes one sad how easy it is to pull this off.


Reminds me strongly of the hacking as shown in https://en.wikipedia.org/wiki/Mr._Robot_%28TV_series%29


Hey, I use inspect! I've run untrusted code every computing day of my life, so I guess that makes me a script kiddie. My advice, keep on script kiddie'ing, because it will definitely pay off.


I really enjoyed this despite it being veeeeeeerry long, nice work!


Even with her permission he is still breaking the law. Unlawful access to a system is not the user's prerogative but the system operator's.


So phishing? He did it with phishing.


I hope they tried '3ertyui'.


VZerbst


I don't know if I'm in an especially good mood today, but it's been quite a while since I read something that I found as amusing as this.

I'm actually really impressed by the phishing approach.


Well, I enjoyed reading it; a little bit too much cringe, but still an interesting article!


I like the personality here.


It is just… great. Did you write that as it happened? It really unfolds like a novel.


This has been posted 3 times in the past 24 hours. And so has the last thing this person has posted.


Can't help it, but I find the article kind of creepy.

Is he hacking her cause of romantic interests?

Is he hacking her for the thrill?

Is he hacking her to be able to write the article?

Is he hacking her to show her that he can? Or to show her that it is possible, or to show her the world she is living in?


"I’m [...] with my friend Diana. [...] I ask her if it would be okay for me to try and hack all her stuff. She’s instantly visibly excited. I explain how this could result in me seeing everything she’s ever put on a computer ever. She tells me she thinks this is going to be “so good”."


"I ask her if it would be okay for me to try and hack all her stuff."

Why would he ask that? It is strange.

It is also strange how he tries to trivialize what he is doing. From his perspective it is trivial, but for some people it will not be trivial; why would he write an article about something that he believes is generically trivial? Another alternative is that he does not understand that it might not be trivial to some people.

I did read the article... just quoting is probably not going to answer my question.


> Why would he ask that? It is strange.

To make a blog post about it.

His blog title is The hacker known as "Alex" and his previous articles are similar to this one.

See a discussion about one of his previous articles https://news.ycombinator.com/item?id=11130688


Same reason lock picking is a hobby, because people enjoy solving "puzzles."

The author got the permission of the target.


Hacked? Cool, so what new unintended abilities has your friend gained?... Yes, I'm futilely rejecting the twisted definition perpetuated by the media and co.


The part that perturbed me the most about his account is he didn't even backtrace the IP floppy disk log via the DHCP authenication backtrace. It's a rookie mistake, but so is misspelling 'nothin personnel kid'.



