We know what you're doing (weknowwhatyouredoing.com)
408 points by Kenan on June 26, 2012 | 114 comments

I'm surprised there isn't a column for people who are reading Hacker News.

This guy for example:


This is a neat trick and reminds me of MCI codes from the BBS days. Basically, for a lot of BBS software (and usually enabled by default) visitors to your BBS when posting in discussion threads could insert escape characters (like "%UN") which at runtime would be replaced with metadata related to the person viewing the post at that time.

So, if I were to post "%UN's mother was a hamster and father smelled of elderberries" as part of a thread when I viewed it it would say "gfodor's mother..." etc. You could have first name, last name, etc, so with some creative thinking you could post fairly convincing posts that would trick people into thinking you were actually legitimately mentioning them.

I can remember many posts filled with angry replies from random users who went off the deep end when seeing that some random person on the BBS was trash talking them personally. Oops.

Edit: And for the curious, the purpose of these codes was usually for people creating assets for the BBS. For example, when designing your home screen (an ANSI text file, basically), inserting the codes made it so the home screen would reflect information on the logged in user. Usually when enabled the interpolation happened anywhere, not just in user defined assets. (Of course as BBS software got more mature these types of pranks were not possible with default settings.)
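An added sketch of the interpolation behaviour described in the comment above (not code from any BBS package, and not part of the original comment): the old "expand everywhere" default next to the later "sysop assets only" default. `%UN` is the code quoted above; `%FN`, the field names and the sample users are assumptions.

```python
import re

# "%UN" (user name) is the code quoted in the comment above; "%FN" (first
# name) and the field names are assumptions made for this sketch.
MCI_CODES = {"%UN": "handle", "%FN": "first_name"}
MCI_RE = re.compile("|".join(re.escape(code) for code in MCI_CODES))


def expand(text, viewer):
    """Substitute each code with the *viewer's* value, in a single pass.

    re.sub does not rescan replacement text, so a handle that itself
    contains a code (e.g. "%FN") is emitted literally, not expanded again.
    """
    return MCI_RE.sub(lambda m: viewer[MCI_CODES[m.group(0)]], text)


def render_everywhere(text, viewer, sysop_asset):
    """Old default: every string shown to the viewer is a template."""
    return expand(text, viewer)


def render_assets_only(text, viewer, sysop_asset):
    """Hardened default: only sysop-authored assets are templates;
    user posts are data and are displayed exactly as written."""
    return expand(text, viewer) if sysop_asset else text


def codes_in_post(text):
    """Codes found in a user post, e.g. for a moderation queue."""
    return sorted(set(MCI_RE.findall(text)))


# Constructed sample data.
ALICE = {"handle": "alice", "first_name": "Alice"}
TRICKY = {"handle": "%FN", "first_name": "Mallory"}
POST = "%UN's mother was a hamster and father smelled of elderberries"
HOME_SCREEN = "Welcome back, %FN (%UN)!"
```
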

My favorite BBS hack was that on some standard RA configs, unless explicitly turned off by the sysop, you could save received messages to disk even if you were just a normal user. This meant that you could send a message to yourself, i.e. 'del . /q /s' (or whatever zapped your dos disk, I can't really remember.), and then save it to 'c:\autoexec.bat' ...

Other fun things were nailbombs, small .zip files that would expand to multiple gigs. When you uploaded those to early RA systems the virus scanner would attempt to unpack them and quickly fill up the entire disk, causing the BBS to grind to a halt.

Kids these days have no idea what they missed :3
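An added example, not part of the original comment: a guard an upload scanner can run before unpacking, so that a small archive cannot exhaust the disk the way the comment describes. It goes slightly beyond the case above by also limiting archives nested inside archives; the three limits, the helper names and the sample archives are assumptions.

```python
import io
import zipfile

# Assumed limits for this sketch; tune to the scanner's real disk budget.
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # bytes one upload may expand to
MAX_RATIO = 100                      # uncompressed : compressed, per member
MAX_DEPTH = 2                        # archives nested inside archives


class ArchiveRejected(Exception):
    """The upload would exceed the unpacking budget."""


def make_zip(name, payload):
    """Build a one-member DEFLATE zip in memory (used for sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def unpacked_size(data, budget=MAX_TOTAL_BYTES, depth=0):
    """Return the total bytes the archive expands to, nested zips included.

    Limits are checked against the directory entries *before* a member is
    decompressed, and nothing is written to disk.
    """
    if depth > MAX_DEPTH:
        raise ArchiveRejected("nested too deeply")
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > budget - total:
                raise ArchiveRejected(f"{info.filename}: over size budget")
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise ArchiveRejected(f"{info.filename}: ratio over limit")
            content = zf.read(info)   # at most file_size bytes, checked above
            total += len(content)
            if zipfile.is_zipfile(io.BytesIO(content)):
                total += unpacked_size(content, budget - total, depth + 1)
    return total


def check_upload(data):
    """(accepted, detail) verdict for the upload handler."""
    try:
        return True, f"{unpacked_size(data)} bytes"
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return False, str(exc)


# Constructed sample inputs.
NOTE = b"call sysop re: door games, 9600 baud node\n"
BENIGN = make_zip("notes.txt", NOTE)
BOMB = make_zip("zeros.bin", bytes(5 * 1024 * 1024))   # a few KB on the wire
NESTED = make_zip("c.zip", make_zip("b.zip", make_zip("a.zip", BENIGN)))
```
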

Kids these days improved on the old pranks: http://research.swtch.com/zip

Haha, oh wow, thanks for that :)

Haha, my heart momentarily jumped out of my chest when I clicked that.

It's kinda scary to see your own facebook profile being posted on HN out of nowhere... =\

Just to set any minds at ease after the initial shock:

The link I posted is just a generic bad id link that ends up redirecting to your own Facebook profile if you are currently logged into Facebook. Anyone logged into Facebook will see their own profile.

The link joering2 posted OTOH is actually to my Facebook profile. But:

A) I don't really care (anything I put on my Facebook profile is assumed to be 1000% publicly available information anyway).

B) Turnabout is fair play

I was confused at first because I use Facebook in a different browser, so it just gave me the login screen.

Interestingly, the string of numbers is a real user id. I presume it defaults to your own profile because facebook.com/profile.php goes to your own profile, and fb simply ignores the malformed parameters.

Nope, the trick is that he's skipping the "id=" part between the '?' and the user ID, so the param is not being passed properly and thus the link is processed as just 'profile.php' without params. The link https://www.facebook.com/profile.php?id=yaddayadda would work properly.

Didn't know that one :)

Um, your goat is trying to eat your head or something.

That said, nice goat!

I don't want to sound gay or anything, but you're handsome... Oh and the guy whose neck you're kissing looks okay too.

That's because you're being redirected back to your profile since the URL the parent posted is incorrect.

yeah, but why doesn't it respond with 404 as would be appropriate?

"You want to see a page we don't have? Let me show you some ads instead!"

Technically, a 404 page with ads on would be fine too ..

Most web sites don't 404 when fed unrecognized get params.
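An added illustration of the behaviour discussed in this sub-thread (a hypothetical handler, not Facebook's code and not part of any comment): a query string without `id=` parses as an unknown key, so a lenient route falls back to the viewer's own profile, while a strict route answers 404. The host, ids and function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

ALLOWED_PARAMS = {"id"}   # assumed: the only parameter this route accepts


def _params(url):
    # keep_blank_values=True so a bare token such as "?1234567890" is kept
    # as a key with an empty value instead of being silently dropped.
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def _valid_id(values):
    return len(values) == 1 and values[0].isascii() and values[0].isdigit()


def lenient_profile(url, viewer_id):
    """Behaviour described in the thread: unrecognized parameters are
    ignored, and a request without a usable id shows the viewer's profile."""
    ids = _params(url).get("id", [])
    return (200, ids[0]) if _valid_id(ids) else (200, viewer_id)


def strict_profile(url, viewer_id):
    """Alternative: a bare profile.php still means "me", but any unknown
    or malformed parameter is answered with 404."""
    params = _params(url)
    if not params:
        return 200, viewer_id
    if set(params) - ALLOWED_PARAMS or not _valid_id(params["id"]):
        return 404, None
    return 200, params["id"][0]


# Constructed URLs; example.test and the ids are placeholders.
BROKEN = "https://example.test/profile.php?1234567890"
PROPER = "https://example.test/profile.php?id=1234567890"
BARE = "https://example.test/profile.php"
```
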

While that's true, I would kind of expect Facebook to do better than most sites. Oh, well.

Facebook tries to do whatever maximizes engagement. Technical correctness only matters when it serves that primary goal.

Sometimes a benefit can be indirect and hard to see immediately. Being "technically correct" reduces complexity, which again reduces costs down the road. For example, it makes it easier for third parties to integrate with your service, to name one benefit.

It may never be clear for each individual feature, but violations compound to form a mess of unpredictability. Facebook generally appears to me as being a company with a very strong engineering culture and so it surprises me a bit that they would let something like this slip. Maybe I'm just not seeing the whole picture and it is a clearly thought-out tradeoff and not simply negligence.

I use PHP every day. I understand how this happens. I've known about this particular trick for years.

... My heart still stopped.

His username is his full name and it's in his profile with his real email... that's not exactly noteworthy that you managed to find it.

Searching for '743264506' reveals that it is actually quite an old trick. And the poor chap whose facebook profile number it is doesn't seem to be a geek so he probably didn't invent it


It isn't anyone's profile number. It's a random number in a broken profile URL.

It's a coincidence that any profile exists with that number. It's meaningless too, you could use ANY number.

Sure you could. But do a google search on this one and compare it with a google search for a random number of similar length. Besides you can see from the search that it is this number that is used quite often with this trick

People have copied the URL, that's all. Similar URLs have also been copied.

What is your point?

I was just saying that it's interesting that this number has such a history. I didn't expect it. And from your first reply it seems you didn't either. It is a profile ID not a random number and it has been used multiple times for this exact trick

I'm also a programmer, and I know how it works, but I've got to admit you freaked me out for a while :-)

Funny thing is that when you try to post it on your facebook wall the preview shows your profile. But when somebody else clicks it it takes them to their profile

Previews on FB are loaded and processed in your own browser, and then results are uploaded to FB (to spare server load, I assume).

OK, that was disconcerting to click.


Oh you sneaky bastard!

A great example that should remind people that it's probably best to assume that everything they say or do online (offline as well) is now (and forevermore) public. Assume that anything you say or do has the ability to be seen by anyone and everyone around the globe instantly - without any methods of recourse. The genie is out of the bottle.

Hence one should adapt one's own behaviour and act accordingly (that doesn't mean that you should get paranoid - just be more careful :).

Reduce risk and watch what you say from now on.

I've been saying this for a while too.

There's no such thing as online privacy - privacy is dead.

It's better that the default for most things online is public since any privacy setting is just an illusion of security. Of course there are some notable exceptions to this (encrypted backup services that encrypt locally before backup), but for the most part if it's online and at least some other people can see it - everyone can see it.

Yeah, if you think that, then you should read this :)


It took me a loooong time to figure out how to do privacy and social networking at the same time, using only web technology. Actually it can't be provably private using web technology because you have to trust the server -- which is why we need this: http://news.ycombinator.com/item?id=2024164

Using encryption it's completely possible to make any information exchange as secure as it can possibly be without accounting for humans on the other end leaking the information.

That's exactly the reason it isn't secure.

The other option is to arrange your life such that you don't have to care what other people think about your status messages.

Not necessarily easy for everyone, but much more satisfying in the long run.

It doesn't have to be that way; it's very easy to lock down your facebook settings to friends-only. I think it's quite ridiculous that that's not the default. This pessimistic assumption you mention where anyone can see everything might be the safest, but it's just not how humans work. When you're surrounded by a bunch of friends (or their status messages), you don't assume the rest of the world is overhearing you as well.

As other readers have mentioned, your data is still owned by Facebook and subject to malicious intruders and the like. I just wanted to add that without any malicious intent, Facebook could intentionally or accidentally change your settings so certain information you had set to private is now public, without your consent and without any warning. Remember when Google exposed everyone's contacts through Google Buzz[1]? It's easy for someone to underestimate the difference between what you consider private data compared to what they do.

[1] www.businessinsider.com/warning-google-buzz-has-a-huge-privacy-flaw-2010-2

You are right about that option. But I find it prudent to always reduce the chance of a type 2 error and increase the chance of a type 1 error (http://news.ycombinator.com/item?id=4081972). It is best to assume the worst and trust nothing whilst acting probabilistically than to assume perfection/trust and act deterministically.

Hence, in this case, if you assume everything is public, you reduce the harm that can come to you when the trust you have in a service fails you (as it may well do). Just like an investor - take on risk, minimise uncertainty and price catastrophe correctly. This gives you the best of both worlds - risk priced in proportion to reward. You can have your cake and eat it too - if you only take a slice and no more.

As a completely off-topic side note: Since I was introduced to statistics, I always forgot which error was type 1 and which was type 2. I had to read your link to find out.

In code, "int errorType = 1;" would be a badly chosen variable :)

The expressions "false positive" and "false negative" reveal more semantics than "type 1" and "type 2", and are therefore much easier to remember.

You are correct, my apologies for explaining with improper terms - that's the curse of knowledge I suppose.

I quickly forget that the "map" in my brain is about 10 times more detailed than the vector representation I detail in my answer - and it often lacks ideas that may be critical to understanding.

I will use false positive/negative terminology from now on - apologies for the dense language and propagating difficult to comprehend terms - I'll try to stop doing that :D.

While I do agree that false positive and false negative are better names, they do have one shortcoming in comparison:

Classical statistics suffers from the inference problem, where instead of "tested positive for presence" you have to say "tested negative for absence". So a type I error is a false negative as much as it is false positive, which can get confusing.

I believe that when people say that everything on the internet is in the public domain they imply that even private data is subject to hackers and such. And if someone got root of Zuckerberg's cellar server (or, wait, something) they would be able to do what they wished with our data.

In principle it has always been so - whatever you do leaves a permanent imprint in people and things around you. It's just that the Internet is a new, much more efficient way to navigate and explore the Great Web of Causality. So what was true just in principle, now became true in practice.

I can't believe people are still publicly posting stuff about their bosses. Surely there has been enough press coverage about people getting fired for fb/twitter antics

People said stupid things in public before social media. :)

Au contraire, regardless of whether or not it's wise to diss your boss online, the last thing we need more of is mass knee-jerk reactions to information over-reported by the press.

Well according to the Gervais principle, there are two likely possibilities here. If it's a Loser insulting his Clueless boss then he probably has little to lose and probably enjoys the risk of his boss finding out while sharing a good laugh with his friends. On the other hand if it's a Clueless insulting his Sociopath boss then, well, there's probably a good indicator of why he's stuck in the Clueless caste.

Most bosses do not have the time, wherewithal or care enough to do this. There is nothing wrong with people blowing off steam.

I think this is so naive. Sure a "good" boss probably won't be snooping on his or her employees. However, I'm pretty sure most bosses are humans and humans tend to snoop on each other

>>Most bosses do not have the time, wherewithal or care enough to do this.


>>There is nothing wrong with people blowing off steam.

And each to their own, but it's easy to make a post private instead of public, and doing so seems much more prudent to me.

> I can't believe people are still publicly posting stuff about their bosses.

It's a free world. People should be allowed to say whatever they want on whatever medium they want (as long as it's not hate-speech etc.)

I'm not saying they legally shouldn't be allowed to (I doubt you will find anybody here that thinks that). I'm just saying it's a stupid thing to do

It's also free in that the boss can fire you if he feels like it in many places.

I have some doubts about the site's disclaimer: "I cannot be held responsible for any persons actions as a result of using this experiement."

If someone gets fired upon a comment you took out of context and put under "people who want to get fired" then I wouldn't bet the above statement as your best line of defence in a lawsuit.

That's a terrible disclaimer. You can't just disclaim your way out of statutory liability.

There's probably nothing to worry about with re-publishing an already public fact, but in the cases where errors are made, e.g. "I'd hate to be my boss" filed under "People who hate their boss", the casual reader may be confused (some might say misled).

The solution is just to keep people informed, so your disclaimer may say something like: "the information on this site is automatically collected from public posts to Facebook. Posts are classified automatically, and as such our classification of their sentiment may be inaccurate."

Also, just in case one of the Facebook posts says something defamatory, hate speech, etc. you can gently remind people that you didn't write, edit, or approve of the content so "are not responsible for the content of messages".

Agreed. I up voted the link, but I think the same message could have been conveyed with garbled names and numbers.

You know what? Use that same GET method from the about page, mine for certain words, display analytics on a dashboard next to a stream and you've probably just put a few social media "consultants" out of work.


Reminds me of the who-is-not-at-home syndication from Facebook and Twitter. Even though these are scary, I really think they provide excellent privacy teaching moments. Hope you are going to keep this up for some time and enhance it with other categories.


Am I doing it right?

Sycophancy is more effective in person. You could waste a lot of time like this without getting your nose brown at all.

Another interesting column: "Who's out of town?". I wonder how burglars use social networking.

> I wonder how burglars use social networking.

Allegedly, they do pay attention to tweets from people they can find the home address of.


Sad how most of these people fail to form a coherent sentence.

I find it odd that people are surprised by things like this. The information is very public.

Maybe because they never consciously chose to make it public; that's simply facebook's default and IMO it's counter-intuitive that social interactions are made public.

Here are some more interesting terms courtesy of a TechCrunch article about FacebookSearch (now defunct) http://techcrunch.com/2010/05/14/your-public-facebook-status...

“playing hooky” "don’t tell anyone", "rectal exam", "stupid boss", "HIV test", "control urges"

Great work and also this is a cool tool, makes me think of bing.com/social. (Does Google offer something like this?)

I would like to see a basic search implemented into weknowwhatyouredoing, though I understand its purpose as is.

I'd also really like to see a region-based search option in one of these tools (beyond hashtags on Twitter, etc.)

Until I read the comments I didn't get what this was supposed to be --- ghostery for the win, blocks Facebook Social Graph and Facebook Social Plugin.

Right but the data is still being collected via public postings on Facebook etc

In case it's not immediately obvious (no visible sign, even on hover), clicking on the people's names will take you to their facebook profiles.

Hmm, looks like they removed this feature. It at least won't work for me (in neither chrome nor firefox).

It is fairly easy to get a link to the profiles however:

The urls to the profile-images look like this: "https://graph.facebook.com/[facebook profile id]/picture"

By replacing "graph" with "www" and removing "/picture" we get the url to the profile.

This could have been done a little more sophisticated. Now it seems nothing more than some basic text searches.

For instance two people saying "Not Hungover AT ALL, I love these mornings" and "Hungover !" respectively are both in the hungover section. And in the doing drugs section there was one guy who was happy he actually quit.

That's a nontrivial problem to solve. Consider "I avoided becoming hungover again!". In other words, you'd have to do a full semantic analysis and get the scope of negations right. I hear that current sentiment analysis techniques use a heuristic by looking for a nearby negation.

Reading the comments I understand that it grabs public facebook data if you are logged in, right? Since I am currently logged in and can't see any of my data it means that my facebook profile isn't public (or at least the data this page fetches isn't public)?

No. I viewed this on a browser where I'm not logged into Facebook.

Well I think I am totally missing the point then.

The page doesn't display any info/statuses related to my fb profile or any of my fb friends. From my point of view it is just displaying random fb results obtained by keyword related searches performed against the fb public data accessible via fb API. As far as I am concerned and aware of nothing in my profile is public.

It's simply displaying public data that has been scraped beforehand (so nothing to do with your own profile). It abuses the fact that people's profiles are public by default, something that people are probably not aware of.

Some 18 Year Old Made A Site That's Going To Get People Fired For Using Facebook


I can see this blossoming into a very titillating "Juicy Gossip" like startup involving delving deep into other people's lives.

I own Jussip.com (Juicy+Gossip) hit me up if interested. My contact info(s) can be found on my blog ChrisNorstrom.com

I'm guessing the site is making an API call to pull each user's thumbnail. Remember, you're capped at 350 API requests per hour per APP ID. You should cache image links to avoid all the broken image icons.

Haha: Who's hungover?

Murray Heather Not Hungover AT ALL, I love these mornings!

Impressively they handle unique well enough. It still caught, "I hätë my böss" under "Who wants to get fired?"

Hilarious. Reminds me a bit of http://pleaserobme.com/

None of the posts have any likes. Now I don't feel so bad about my own ignored facebook posts ;)

If you click one of these profiles, you can't see those messages, so how does this guy do it?

99th percentile of people who either don't care or are not able to care about privacy

Well no, I didn't. But now I do that you're looking for and publicizing it, I guess?

Reminds me of youropenbook, which doesn't exist anymore :(

I wonder if there is a list of other sites like this?

Needs an RSS feed for data mining purposes...

Why use jQuery 1.3.2?

should include twitter as well

This is freakin awesome. Nice work!

the phone number column is really bad form.

Does someone actually think having visible phone numbers put up by unaware people scraped is a good thing? What am I missing here?

What am I doing? Not giving a fuck about who is hung over or takes drugs

It's not a research tool... you're missing the point.

You're missing my point. That information is uninteresting to me no matter what the purpose of this site is

The point isn't that it's uninteresting to you, the point is that it may very well be interesting to stalkers, bosses, insurance companies, thieves, exes, "lost" relatives, arsonists, mother stabbers, father rapers, litterbugs, jaywalkers, identity thieves, nosy neighbors, and other undesirables.

It's a thought experiment. Along the lines of YOU DOLTS, YOU REALLY SHOULDN'T BE PUTTING ALL THIS STUFF OUT HERE!

Yes, I understand that. The fact is that people drink and do drugs. Smart people, stupid people. That's reality.

This is a "thought experiment" that teaches cowardice, IMO

On a purely ideal level I agree with you (the fact that at any time someone has been fired from their job for expressing personal opinions on non-company time does not sit well with me..), but the reality of it is, how many of these people do you think know that their info is on this site and/or accessible to quite literally anyone in the world? Of the people that know that, how many of them do you think understand the implications of that openness?

This is why you lock down your privacy settings.

Yes, I understand the intention of that site and conventional thinking on the subject. Thank you for assisting in my description of an alternative

I've got a fantastic idea: Why don't you make a list of all the pages on the internet that don't interest you, and then tell HN about it. Then I can use that as the starting point for my list.
