Tell HN: There is a Scammer Amongst Us
333 points by lrm242 on Jan 31, 2011 | 75 comments
On January 29th a HN user, 'jiganti', posted this: "Ask HN: I think I've been scammed - what now?" (http://news.ycombinator.com/item?id=2157281)

Starting in the evening of January 30th, posts began to appear on complaint forums with my name. These posts claim that I am a pedophile and that I have stolen money. These posts are false and I find it unsurprising that they began to appear after I provided information about the possible identity of jiganti's scammer. My name and phone number are easily Google-able, however, I provide it here in case anyone wishes to call me: Louis Marascio, 512-964-4569.

I'm posting this because although jiganti's post fell off the front page, this story is not over. Other HN'ers and I dug up some information about the possible scammer in the original thread. Also, I believe jiganti might not be the only person who's been taken by this guy. Please read the post and thread in full. This sub-thread specifically discusses our findings: http://news.ycombinator.com/item?id=2158590

Our most promising evidence is this: the responsible party is a single user that has at least three handles here on HN: pinksoda, sinkfloat, and BrianHolt. This has not been proven nor has it been denied, and I repeat the last sentence of my findings: I encourage the owner(s) of the HN accounts pinksoda, sinkfloat, and BrianHolt to speak up--and if I'm wrong I apologize.

I re-urge you to read the post, the subsequent conversation, and the other linked-to Hacker News posts and make up your own mind. Hacker News is a tight-knit community, and if there is an unsavory character here who's using it as a way to find and exploit young entrepreneurs, then I feel we need to all be made aware of this. If a scammer does exist amongst us, let's all hope a little light will cause him to slither back into the hole he came from.

It is important to note that 'mahmud' is mentioned in the first paragraph of the original post. mahmud IS NOT THE SCAMMER. The original poster lost his ability to edit the post before he could clear up what he meant. This is specifically discussed in this sub-thread on the post: http://news.ycombinator.com/item?id=2157602

As a side note, news.ycombinator.com should really have HTTPS access.

Passwords and cookies in clear HTTP are no good. Anyone here (should) knows it. Firesheep proves it. GMail and Zuckerberg suffered it.

Just buy or get a free SSL certificate, and let nginx or stunnel handle SSL and proxy HTTP to/from Arc. Total cost, being pessimistic: $150 for the certificate verification, and 2 hours to set up the certs & nginx.

I know, it's awesome, it's a custom Arc webserver and all, and good practices are for PHBs only, but still. For a "hacker" website, news.ycombinator.com is a shame regarding privacy/security (see also: passwords stored as shasums (without even a salt), funny things like <img src="http://news.ycombinator.com/logout">, outdated versions of software used [http://news.ycombinator.com/item?id=516122], etc.)
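A front end of the kind the comment above proposes, written out as an added example; it is not HN's configuration and nothing here is known about how HN is actually deployed. It assumes nginx, a certificate and key at /etc/ssl/hn.crt and /etc/ssl/hn.key, and the Arc server listening on 127.0.0.1:8080 (all three are assumptions). Plain-HTTP requests are redirected so the session cookie is never sent in the clear, browsers are told to stick to HTTPS, and the proxy adds the Secure and HttpOnly flags to cookies the application behind it sets (proxy_cookie_flags needs nginx 1.19.3 or later).

```nginx
# Added example: nginx terminating TLS in front of the Arc server.
# Assumed: /etc/ssl/hn.crt + /etc/ssl/hn.key exist, Arc listens on 127.0.0.1:8080.
server {
    listen 80;
    server_name news.ycombinator.com;
    # Never serve the app over plain HTTP; send the client to HTTPS instead.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name news.ycombinator.com;

    ssl_certificate     /etc/ssl/hn.crt;   # assumed path
    ssl_certificate_key /etc/ssl/hn.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to use HTTPS for a year, so an attacker on a coffee-shop
    # network cannot downgrade a later visit to cleartext and read the cookie.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         http://127.0.0.1:8080;   # the Arc process (assumed port)
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # Mark every cookie the app sets Secure and HttpOnly at the proxy, so the
        # session cookie is neither sent over HTTP nor readable from page script.
        proxy_cookie_flags ~ secure httponly;
    }
}
```

Check the file with `nginx -t` before reloading. From outside, `curl -I http://news.ycombinator.com/` should return a 301 to the https URL, and `curl -I https://news.ycombinator.com/` should show the Strict-Transport-Security header and cookies carrying `Secure; HttpOnly`.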

I'm sure the audience of this site is technically savvy enough to all be running modern browsers that recognize StartCom as a valid CA (if not, consider it a valid barrier to entry), so it would be free and take just a few hours to receive an SSL certificate for this site.


Although I agree that having free SSL certificates is nice, I question whether it's actually a viable way to certify the authenticity of a site. Seriously, if you make it free, spammers will overrun it. Why should we trust free SSL certs? I think having a cost provides a certain barrier to entry that is good overall.

We don't need SSL certificates for authentication. I know that when I go to news.ycombinator.com, I'm getting Hacker News.

We need SSL certificates for encryption. With the certificate you get a private key that is used for secure communication between your browser and HN (both ways).

If it didn't cause every browser to show a big, scary, your-computer-will-instantly-explode-and-your-children's-social-security-numbers-will-be-stolen-if-you-continue warning, using self-signed certificates (i.e. certificates that anyone can just generate) wouldn't be that big of a deal. It could open you up to a man-in-the-middle attack, but it's still way better than sending everything in the clear.

> I know that when I go to news.ycombinator.com, I'm getting Hacker News.

How do you know that? That's the whole point of SSL - knowing that you've traded private keys with the right party.

SSL for "encryption only" only works to defend against attackers that can listen to your network, but cannot write to it. So, sure, it defends against some passive collection system, and perhaps against some tools that are designed to just listen.

But, if browsers stopped displaying warnings, so that using a "bad" certificate worked just fine, then I'd bet the tools would just switch to allow cert injection and we'd all be worse off.

There was a story I read a while back about a support ticket filed with Mozilla for Firefox complaining about all of these "security warnings" that would pop up at every HTTPS site the user visited.

She was apparently someone who should have known better, but instead was willing to believe that Firefox was just warning her spuriously about valid HTTPS certs -- yes, someone had hacked her computer, and was collecting every bank, credit card, and online shopping password as she fell for an MITM attack over and over.

I believe that this is the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=460374

In that case, Mallory was a fool. Mallory should have installed the MITM cert in the browser's certificate store, to prevent warnings. How many people routinely audit their browser's SSL cert list?

No, the point of SSL is encryption. SSH seems to handle key exchange just fine.

(Hint: https should have been implemented the same way. CAs are fundamentally broken.)

No, SSH does not. Have you ever actually verified a host fingerprint? Of course not, no one does.

That's the way it's supposed to work. You know the first time you logon to a server and it asks if you trust it? You're supposed to call up the server admin and get them to read off the fingerprint, or have them email it to you, or get it from some other out-of-band channel.

And no-one, nowhere actually verifies host fingerprints. Even security conscious people. And what do people do when they get that warning about a modified fingerprint? Just delete the entry from authorized_hosts and re-connect.

So ssh actually does a really shitty job handling key exchange.

Anyway, the closest thing to a real alternative to https and CAs is monkeysphere (OpenPGP WoT for servers), but no-one uses that.

If I got an error about a modified fingerprint I wouldn't "just delete the entry" and re-connect... unless I know why it's complaining. If there's a reasonable explanation for why the keys are different then I might do that.

While 'security conscious people' might not verify the fingerprint out-of-band when adding it the first time, I'm sure most of them wouldn't just remove the authorized_hosts entry...

Yes, I often see this and it's almost always that a VIP has moved physical hosts for whatever reason (e.g. planned maintenance on the original box). Occasionally it's that someone's re-JumpStart'd the box. That's sufficient to create a false sense of security, if it ever happened "for real" I would likely dismiss it.

but that is the case in which you _already have_ the fingerprint. Parent^2 is talking about the first connection, which is when you validate the fingerprint the first time.

Why don't people validate?

That doesn't make any sense to me. There are even free services that can perform the validation for you based on a "crowdsourced" approach to verification, like Perspectives:


Several ssh implementations also support using certificates as hostkeys. Of course the ssh client will still need to be configured to trust the issuer but it can help with the 'first-connection-hostkey-fingerprint-verification' problem. In my experience most users will never verify the fingerprint.
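What "verifying the host fingerprint" means mechanically, and how a fingerprint learned out of band catches a substituted key, as an added example that is not code from this thread. The key blobs are constructed bytes in the shape of an ed25519 key, not real keys; the fingerprint computation (SHA-256 over the raw key blob, base64 without padding, prefixed `SHA256:`) is the one OpenSSH prints. Host name and the "phoned-in" fingerprint are assumptions for the demo.

```python
"""Added example: pin an SSH host key fingerprint and check what a server presents.

Constructed data only; the blobs are not real keys. The three outcomes are the
ones ssh itself distinguishes: nothing to compare against (first contact), a
key that matches what the admin told us, and a key that has CHANGED.
"""
import base64
import hashlib
import hmac


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host, key type, raw key blob) for one known_hosts / ssh-keyscan line."""
    host, keytype, b64 = line.split()[:3]
    return host, keytype, base64.b64decode(b64)


def check_host_key(pinned: dict, host: str, keytype: str, blob: bytes) -> str:
    """Compare the key a server presents with the fingerprint obtained out of band.

    pinned maps (host, keytype) -> fingerprint the admin read to us.
    Returns 'trusted', 'UNKNOWN' (first contact, nothing to compare) or
    'CHANGED' (the warning people too often answer by deleting the entry).
    """
    expected = pinned.get((host, keytype))
    if expected is None:
        return "UNKNOWN"
    presented = sha256_fingerprint(blob)
    return "trusted" if hmac.compare_digest(presented, expected) else "CHANGED"


# Constructed sample data: ed25519-shaped blobs (length-prefixed type string,
# length-prefixed 32-byte "key"). Not real keys.
REAL_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
EVIL_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32, 64))

# The line `ssh-keyscan dev.example.net` would print for REAL_BLOB (host assumed).
KNOWN_HOSTS_LINE = "dev.example.net ssh-ed25519 " + base64.b64encode(REAL_BLOB).decode()

# What the admin read to us over the phone; derived from REAL_BLOB for the demo.
PINNED = {("dev.example.net", "ssh-ed25519"): sha256_fingerprint(REAL_BLOB)}


def demo():
    host, keytype, blob = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    first = check_host_key(PINNED, host, keytype, blob)          # matches the pin
    mitm = check_host_key(PINNED, host, keytype, EVIL_BLOB)      # someone else's key
    nothing = check_host_key({}, host, keytype, blob)            # never pinned anything
    return first, mitm, nothing


if __name__ == "__main__":
    print(demo())  # ('trusted', 'CHANGED', 'UNKNOWN')
```

With real keys, the value to pin is what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints on the server, and the blob is the base64 field of the line `ssh-keyscan host` returns; having the fingerprint before the first connection is what closes the first-contact gap that the certificate-based host keys mentioned above also address.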

How does some corporation that will disclaim liability at the first sign of a light breeze telling you a site is "authentic" trump your own personal judgment? CAs are scams.

Use something like Perspectives instead of CAs:


StartSSL requires you to respond to an email sent to the address listed in the domain registration. That at least shows you have control of the domain. It also has certificates with greater levels of verification.

Being able to pay isn't a very good barrier. Being broke doesn't mean having no meaningful content, and most attackers who can make serious MitM attacks can pay. CAs are supposed to have real barriers (and I think most of them do).

In this case, though, we don't need a CA. PG could publish the key in an essay and we'd just carry it through manually.

The point of collecting payment for certificates is not that attackers can't afford it, but that it enables the CA to do some cursory verification, and creates a trail of evidence if the certificate is used for a scam later.

Here is a link to the relevant feature request (although it is a sin to call this a feature) in the feature requests thread:


All HN needs is a note above the password field saying "don't use an important password". Nobody should care.

Given, however, that many founders and tech journalists use the site, a compromised account could be used to severely damage a startup's credibility. All it would take would be a few posts on HN before a funding round that called into question the founder's ethics, skill, or common sense, and someone from TechCrunch to pick up on it. It could cause sufficient uncertainty, if properly timed, to make potential investors stay away. That, in turn, could spell big trouble for a company.

Granted, that scenario may seem far-fetched, but it's not unreasonable to suppose that some unscrupulous person might have motive to do something of the sort. Rather than deal with the fallout if it does occur, why not simply allow people the option of having a secure login? If they choose not to use it, that's their prerogative.

Exactly. Take a tour of the SF and Mountain View coffee-shops which offer free wifi with a laptop to sniff traffic. Isn't there a non-negligible chance you might collect some HN cookies from "interesting" accounts? Once you get them, it's just a matter of imagination before causing some harm.

HN is no longer the small, obscure news site it was 2 years ago.

And not just interesting like a high-profile person, but interesting like a YC founder who is a moderator. It's possible that PG has instructed mods not to log in over public connections, but I bet they occasionally do it.

And how much damage could a hacked moderator account do to the site? This whole conversation seems like a symptom of taking this site way too seriously. The community is very valuable and even important. The site is just an artifact of it.

As evidence for my point of view (and, you can say "you're welcome" if my brinkmanship with this sentence is paid off by Graham promptly enabling SSL, which he could easily do in the process of fixing the far-more-important bug of this site not being served through a front-end proxy), note that next week HN will in all likelihood not have SSL enabled. That request --- provide SSL --- has been outstanding forever. Does Graham also share my cavalier attitude towards the site?

That's true.

But remember that this is also the YC application system. A lot of alumni help read apps, probably just by getting a permission added to their account. So a lucky firesheep-er can probably read every application to YC. And mess up people's applications (if they get the account of an applicant before the deadline). And may reject people/delete apps if they were to get, say, pg's or harj's account.

And possibly other stuff. I don't know what all YC uses it for, but I get the impression that they continue to use it for various things (signing up for office hours?), some of which may be sensitive, once teams are accepted.

I addressed this point in another comment. Briefly: my advice regarding that fact would not be to improve HN's security; it would be to get the YC functionality off HN, stat. HN is way more a target than YC's stuff ever will be. Most of the people who will take a run at this site don't even know what YC is.

Ok, that would work too. But I'd guess that there's significant barriers to doing that (i.e. it would take a lot of work to make it happen).

Plus it's never optimal, even for a bs written-in-a-weekend app, to send passwords in the clear, given how many people use the same password on multiple sites. And even though HN isn't that important, we'd certainly prefer to avoid the headache that would result from someone getting a mod's account, banning a bunch of high-karma people, deleting a ton of stuff, etc.

So SSL is a good solution because a) It could be deployed today. b) It's preferable anyway. But I agree that if they decoupled HN from all the other YC stuff, I'd be a lot less concerned.

That doesn't protect from cookie/password steal (for instance if you use a public Wifi hotspot).

I do care about identity usurpation.

You shouldn't. There are more important things to care about.

Like what, in the HN context?

Declining quality of comments? Creeping influence of politics?

SSL is a giant waste of time for Hacker News, modulo the fact that people might be crazy enough to use a shared password here.

> Declining quality of comments? Creeping influence of politics?

It's a fallacious argument in my book. Like comparing apples and oranges.

Say I run a bakery. What I care the most about is the quality of my bread. So much, I spend all my time working on that and only that. So much, I didn't ever bother to have a lock at the door. But it's not even a big deal if someone comes in and poisons one of the bread, as long as the overall quality is increasing!

> SSL is a giant waste of time for Hacker News

Yes, if by "giant" you mean that it takes like 2 hours to set up, and a small payload for each negotiation. But concerning the payload, Arc is not especially fast, so there is room for improvements there to compensate, if needed.

> modulo the fact that people might be crazy enough to use a shared password here.

Not the point, the point is HTTP sniffing.

And anyway, people could use a shared password, making it easier for them (don't overestimate human memory), if HN used (HTTPS and) a "real" password encryption scheme (bcrypt or the like). Why put the burden on the user when you can put it on the computer?

No, that is an extremely bad idea. Even if they use bcrypt. Bcrypt exists to protect the site owner from calamity, like, "thousands of user passwords posted to Rapidshare". It does very little to protect individual users against the attacker who busts into your server; whether you use bcrypt or not, they still get the contents of every input type=PASSWORD that hits the site.
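The two password-storage schemes argued over above (unsalted shasums earlier in the thread, bcrypt here), side by side as an added example that is not HN's code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the structural points (a per-user random salt, a cost factor, a constant-time compare) are the same. The users, passwords and wordlist are constructed. The demo also counts hash evaluations, which is what shows the difference: one wordlist pass cracks every user of an unsalted table at once, while a salted, stretched table forces the work to be redone per user. As the comment above says, neither scheme helps against an attacker on the server reading submitted passwords; that is a transport and server-integrity problem, not a hashing one.

```python
"""Added example: unsalted SHA-1 password table vs. salted, stretched PBKDF2.

Constructed users and wordlist; PBKDF2 stands in for bcrypt.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # cost factor; raise it as hardware gets faster


# --- the scheme complained about earlier: hash(password), no salt --------------
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak_table(table: dict, wordlist) -> tuple:
    """Build one lookup from the wordlist; it cracks every matching user at once.

    Returns (cracked {user: password}, number of hash evaluations).
    """
    lookup = {weak_hash(w): w for w in wordlist}   # reusable across all users/sites
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


# --- salted and stretched ------------------------------------------------------
def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode algorithm, cost, salt and derived key together so each can evolve."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def crack_strong_table(table: dict, wordlist) -> tuple:
    """No shared lookup is possible: every guess is re-stretched per user's salt.

    Returns (cracked {user: password}, number of hash evaluations).
    """
    found, evaluations = {}, 0
    for user, stored in table.items():
        for w in wordlist:
            evaluations += 1
            if verify(stored, w):
                found[user] = w
                break
    return found, evaluations


# Constructed sample data: two users share a weak password, one has a strong one.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
WORDLIST = ["password", "letmein", "hunter2"]


def demo() -> dict:
    weak_table = {u: weak_hash(p) for u, p in USERS.items()}
    strong_table = {u: strong_hash(p) for u, p in USERS.items()}
    weak_found, weak_cost = crack_weak_table(weak_table, WORDLIST)
    strong_found, strong_cost = crack_strong_table(strong_table, WORDLIST)
    return {
        # Unsalted: identical passwords give identical hashes, visible in the dump.
        "unsalted_identical": weak_table["alice"] == weak_table["bob"],
        "salted_identical": strong_table["alice"] == strong_table["bob"],
        "weak_cracked": weak_found,
        "weak_hash_evaluations": weak_cost,       # len(wordlist), however many users
        "strong_cracked": strong_found,
        "strong_hash_evaluations": strong_cost,   # grows with users x guesses
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both tables give up alice's and bob's "hunter2" against a three-word list, which is the point: hashing does not rescue a bad password. What the salted scheme changes is that the attacker's work is per user and per guess, and that the dump no longer reveals which users share a password.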

SSL is a giant waste of time for Hacker News,

Waste of time in what sense? The time it takes to set up SSL?


If this was a real product, this would clearly not be my advice. But it's not. It's just HN. The worst case to an attack here is not all that bad.

There's some goofy YC stuff that happens through this site. If asked, my advice regarding security and YC would not be "make HN more secure so the YC stuff is safer". It would be "get the YC stuff the hell off HN."

<really, really dumb question> Hi Thomas, I have checked your profile because I am confused by this whole conversation (I mean the social dynamic of it where you are mostly being downvoted into oblivion -- I have no hope of following the technical points). I can't find the info I want. For the unwashed masses (like myself), can you clarify: Aren't you some kind of security professional?

</really really dumb question>

Thanks in advance.

Yes, tptacek runs a security consultancy. Why are you surprised? He's not wrong that the worst-case scenario isn't that bad, and he's a lot more "practical", for want of a better word, than either e.g. cperciva or me. (cperciva picks his serverside crypto algorithms for side-attack-resilience; tptacek points out that not having buffer overflows is asking too much of most software.)

This is not to say that I agree with him - the worst-case scenario isn't that bad, but setting up SSL is easy and the right thing - but he's not babbling nonsense or anything.

Why are you surprised?

Not surprised. Just trying to verify if he had the subject matter expertise I thought he had or not so I can better understand the discussion. Since I am a member here, security of the site does matter to me as it potentially directly impacts me. But I lack your depth of knowledge of the subject. So the credentials of different speakers matters to my understanding. For someone like me, whether he is being downvoted because he has no clue what he is talking about or for some other reason entirely makes a significant impact on my understanding of the situation.

Thank you for your helpful reply.

I am being downvoted for two direct reasons and one indirect one: (1) people universally think it's trivial to enable SSL for HN --- and it is, in the grand scheme of things, for non-hobby non-side projects, and (2) people care about the security of their HN account, even though virtually nobody else does, and so they have little to worry about. Meta-reason: people assume I'm being argumentative for the sake of it; I'm not. SSL is a waste of time for HN.


For what it's worth, I cofounded it, and I'm a principal, but Dave Goldsmith runs it. Working with me is a hazard of joining us, but working for me isn't, so much.

Oh come on. How long would it take someone who knew what they were doing to set up SSL? Run Apache on the same machine, listen on 443, and reverse proxy to the arc app. It would take less than 30 minutes to set up.

Fifty bucks worth of work, once, which pays a dividend each and every time a security conscious user visits the site. That's not a waste of time, that's a no-brainer.

FWIW, Paul Graham made a fuss about putting in a simple link to the searchyc page for searching through archives. His reason was that he didn't want to spend time on something that wasn't really focused on the important issues like comment quality.

He took a lot of flak for what was surely just a 2 minute job editing some html template, but I can kind of see that logic now.

When you add the link, it signals that you deem "Searching Archives" as an important feature of the site and then it's suddenly no longer just a simple href= entry in a text file somewhere.

Dealing with SSL could be in the same boat. By adding it, you're implicitly saying that 'this site is serious enough to warrant proper security measures' and then that's another rabbit hole that's difficult to get out of.


I'm a long time HN user. I created this account and a new e-mail only to provide some new information on identities of pinksoda that I found on the internet; after I give them to you I will not use this account again.

I do realize that maybe it will be difficult to believe a new user with these claims, but I do assure you that I'm here only to help. Your LinkedIn profile lists a domain; send me a mail from this domain (with the correct headers from the correct IP, I know that you use Google Apps on your domain) and I will answer with the links that I found. I do not know if they will be of any help, but I think they provide trails for you. Some of them are right here on HN, and these ones I think there's no problem posting here:


With BrianHolt talking about a past website of his, I do not know if he told the truth.


I did not confirm this, but searching his name in Google will bring some of the links that I found, although not in the front page.

The e-mail: XXX@gmail.com

EDIT: I will try to give the links as early as possible.

EDIT2: I gave the links and some trails for Louis, although I'm not sure if they will be useful, I will not use this account again and will only answer Louis in the e-mail.

EDIT3: Smarter to remove the e-mail... a long day programming.

I'd like to add. If you've been taken by this guy but have felt intimidated or fearful to come forward, please email me. I have a strong suspicion that there are others, but I'm hopeful there are not. If the guy that took jiganti has scammed others, the more we know the better we are. If you don't want to go public with the information I understand, but please contact me. My email is my last name at gmail.

I read this post: http://news.ycombinator.com/item?id=2157281

While anyone who invests money and gets nothing in return has my sympathy, I don't see the relevance of a private business transaction to HN.

You will sometimes find someone plastering notices all over the city. These notices have a picture of someone and the warning not to date them because they are a lying, cheating low-life. Is this a public service intended to save other people from an unhappy fate? Or is it someone trying to get revenge by naming, blaming, and shaming someone else?

Unless the "scamming" in question is happening on HN, such as someone spamming HN with fraudulent posts, I have trouble thinking this kind of thing meets the HN guidelines.

Hacker News is the specific means by which this scammer is finding his victims. That, specifically, is what makes this relevant, IMO.

HN is not a match-making service for founders or consultants. If keeping track of the worst-of-the-worst is relevant, why not keep track of the best-of-the-best? Why don't we track business karma?

Services for vetting people in business already exist, starting with LinkedIn and going on to other sites, many of which are specifically designed for web programmers to showcase their work and show off their reputation.

The situation is unfortunate, but I still don't see it as HN business if one HN user decides to do business with another HN user and things don't work out well. HN is not responsible, we're a "common carrier" so-to-speak.

p.s. JM2C, of course, carry on, I'll be over here coding...

How is HN not a common-carrier if its users decide to police themselves to a certain extent? This wasn't posted by 'HN Staff.'

The post you linked went out of its way not to identify the person in question, but to limit itself to a description of the circumstances and ask for general advice. To equate this with 'name and shame' graffiti is neither accurate nor helpful.

You'd not be so opposed to the submission if you were a lot less cynical. I see this as a genuine warning to the community. Nothing more.

I'm not cynical at all about HN in its context, namely as a site for sharing news about startups and hacking. It does a very good job of those things, and the mechanisms in place like moderating posts and karma all work towards that.

With respect to people going off together and starting companies based on "meeting" each other on HN, I'm not cynical about that either, I just have no opinion of it one way or another. It's as if you told me that two people met at a bus stop, fell in love, got married, but one had an affair and now they are in a bitter custody dispute. I feel very sorry things didn't work out for them, but as far as the bus stop is concerned, my interest is in when the next bus arrives, and I think the interior of the shelter should be devoted to the schedule, not to their story.

All I am saying is that there are established places for entrepreneurs to meet each other for the purpose of doing business, and such places have mechanisms for resolving and/or publicizing such disputes.

p.s. That being said... Perhaps this is a one-time thing and will blow over. Unless the front page starts picking up a few stories like this a day, HN is not in any danger of losing its focus, so I don't have anything really to worry about. Carry on!

A warning to not send money to people you met on an open internet forum? Really?

If someone can help lrm242 great, but I don't think anyone else has delusions that HN is anything but an open forum on the web and therefore entails the most basic precautions.

There are thousands of other bad-actors waiting even if you manage to round up a posse to track this guy down.

So lrm242 has my sympathies but this is definitely a personal problem because making any assumptions based on the fact that someone entered news.ycombinator.com into their address bar (which is the only barrier to membership) is frankly, stupid.

Having read the entire original post, I'm somewhat inclined to agree with you.

HN doesn't purport to be a programmer/money matching service, in this case it's pretty unclear what the original payments were for, and what either party expected from it.

In all reality, you're better off with dedicated outsourcing sites rather than informal relationships created between usernames found on this site.

So the warning stands, but it's pretty irrelevant as someone who has seen fit to create multiple identities would have no problem creating another clean identity to work with. However, I think this post (and the others) are a bad precedent. I'd hate to see an avalanche of 'so and so did me wrong' type posts.

The only thing that people should get from this is that you can't trust anyone you 'meet' over the internet until you have gotten to know them better. Trust no-one, verify everything. Don't do business on the basis of IM conversations. Make it clear and understand what you're delivering. A contract doesn't have to be written by a lawyer (although lawyers make better contracts) but any contract should at least state the terms of the agreement. You make x for y$ and ownership belongs to me. Anything else is just he-said she-said complaining.

It looks like you can add venaltech.com to the list of domains the guy is listed as the admin contact for. It doesn't look like that has been mentioned yet in any of the threads. Google that domain and you find a crap load of "reviews" on sites of questionable origin. A few of the domains of the sites that talk about it follow the pattern of *reviews.com so it looks like he probably paid some service to write them. You might be able to follow that trail.

This BrianHolt dude is obviously NOT clean http://news.ycombinator.com/item?id=1299094. Why did you not do basic research on who you were doing business with?

Is there some kind of circle of trust established-- you know, good old fashioned key-signing plus vouching for people? 10 years ago I would have bet big money that by now people would have well-established cryptographic identities online, verified by a larger circle of trust. Does this exist, or is that a dated idea without a whole lot of merit?

Or maybe that's what LinkedIn was supposed to be before it turned into something that to me feels much more impersonal and spammy.

The only issue with the web-of-trust is that all it takes is trusting someone that turns out to be untrustworthy to bring it all down. Do you really think that the same people that click-through whatever dialogs popup without reading them (just because "it's in front of what I want to see" or "I just let it do whatever it wants to do so that I can get about my work") are going to properly evaluate their trust in someone before just signing away? People today are even less vigilant about the internet because loads of them have grown up with it, and won't learn the 'internet is dangerous' lesson until it bites them (the same with: "don't trust all your data to a single provider" and "always backup all of your data to multiple places, as well as off-site").

Have a look at Advogato for an example of a site with sophisticated WoT reputation management.

"Circle of Trust" ... tee hee, now that was a great movie

can we get a tldr on this?

jiganti was scammed by X

jiganti was helped by mahmud

yesterday, lrm242 investigated X and turned up addresses (Chinese) etc. from DNS

lrm242 is now being libelled on complaints forums, as of yesterday

X appears to have several HN accounts: pinksoda, sinkfloat, and BrianHolt

Vaguely interestingly, Totiboti (now auto-dead - you need to turn on showdead to see his posts) was warning about the guy repeatedly: http://news.ycombinator.com/threads?id=Totiboti

It's of note that those comments were on a HN story that was posted by pinksoda, is hosted on sinkfloat.com, and has BrianHolt responding in the comments as the subject of the article. That alone seems to link them all together and make the whole thing fishy.

It looks like he's responding to each individual comment thread, as if to try to get people to notice via their threads link

I see a lot of upset and accusations without many facts from either side. Without the pertinent information being clearly presented (read: facts and facts only, no accusations), it seems that we can't make an informed decision on what is really going on.

I'm happy to be corrected, and I am sorry that this has happened to you, but we must realize that there is a huge difference between a scam and a private business transaction that was conducted without proper due diligence that ended in one person feeling cheated.

Which of these two has occurred here is difficult to tell with the facts being presented, and without us playing amateur detective.

As raganwald said, "While anyone who invests money and gets nothing in return has my sympathy, I don't see the relevance of a private business transaction to HN." [1]

I hope this gets sorted out for you, and please correct me if I'm wrong.

[1] http://news.ycombinator.com/item?id=2163675

tl;dr: HN is being dragged into a brewing defamation case. One way or the other.

You mean a summary?

Just because a HN user really should be able to look up unknown things with google easily: http://lmgtfy.com/?q=tldr

That link is to tl;dr ... I think for many HN readers, TLDR is a top-level domain registry.

The internet is full of scammers and on any reasonably popular forum you'll find them. Let's not turn HN into witch hunting central.

But what am I going to do with my bonfire now? It's almost a whole year until I get to set it on Guy Fawkes night.

