Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: What is this? 158268a350000000
128 points by DonnyV on Oct 25, 2012 | hide | past | web | favorite | 67 comments
Found this twitter account https://twitter.com/googuns_prod posting these weird encrypted tweets. The locations are all over the globe. You can find them using this site http://onemilliontweetmap.com/. Anyone know what it is?

This is highly relevant for the conspiracy theorists.

Random number radio stations.


    A numbers station (or number station) is a type of shortwave radio station 
    characterized by their unusual broadcasts, which consist of spoken words,
    but mostly numbers, often created by artificially generated voices reading 
    streams of numbers, words, letters, tunes or Morse code.
Now, if you take a look at any random tweet, you will notice that the location that it was tweeted from changes every time (often in the middle of the Sea). This could also be a hidden chunk of information that encodes/hides other relevant data.

It is certainly not by accident that the lat/lngs change on each Tweet. If I had the time as an experiment, I'd probably try and find patterns between the lng/lats to see if the decimal equivalent means anything? How hilariously awesome would it be if when mapped on a globe, it builds up a large picture. (Fair warning.. this runs WebGL and will most likely nuke your browser for a few seconds http://data-arts.appspot.com/globe-search/ )

The creepiest Numbers Station of them all: UVB-76 - http://en.wikipedia.org/wiki/UVB-76

Just listen to the buzzing sound clip... Sends chills down my spine. Then after years of 24/7/365 buzzing, a Russian voice reads a bizarre encoded message. Spooky.

I am sure this is just interference or something and please excuse me if this is stupid thing to point out but I decided to check this out and listen to the live stream of this linked to via Wikipedia and after 5 minutes or so I started to hear a distorted conversation. It has continued ever since. Is this normal?

It's said to be quite active since 2010 [1]

[1] http://priyom.org/number-stations/slavic/s28.aspx

I see, I was under the impression that had died down since feb 2011 though? That was the impression the Wikipedia article gave anyway.

I bet they are probably forgotten military/security projects who now just live their own lives. Creepy anyway.

Huge archive of info about number stations (including recordings and technical errors) can be found here:


'Priyom' is Russian for copy/over.

Seems to change too often for a number station. I wonder if foreign intelligence agencies would even consider using an American company for their covert communications.

I think it is less spooky: My bet is on it being an iPhone app from years ago, maybe long pulled from the store. Its dev was using the Twitter account as a logging system. Maybe for something silly as highscores from around the world. "_dev" and "_prod" seem far too innocent names for an account that is trying to fly under the radar.

EDIT: Perhaps it is used for indexation benchmarks? Deploy a tweet with a unique string and location, and check how long it takes before it shows up in the index or notification inbox?

there is also a _staging one - obviously it's some kind of output for an app of some sort. googuns itself seems to be owned by Google Notifications

Check out The Conet Project [1], a set of four CDs containing recorings of numbers stations. Downloadable/listenable via the Internet Archive [2].

[1] http://en.wikipedia.org/wiki/The_Conet_Project

[2] http://archive.org/details/ird059

If you'd like to listen in on these, you could try the Wide-band Web SDR:


(Requires Java plugin)

The keys it is sending appear to be in pairs, in sets of 16, if you concatenate them you get the 32bit entire key. All of the keys are presented in hexadecmial format, you will notice none of the letters go above f. Most of the keys sent end in eight 0's, this would me to believe that this is padding and infact, the two keys concatenate to build up one 32bit string, but if you look carefully you will note that some of them only have 7bits of padding on the end, so I will disregard this assumption.

These tweets appear to originate from Russia.

Now, common uses of 16bit (and 32bit) encryption keys are for WEP keys, traditionally used in router password protection, which can be provided either in a full ASCII spectrum or in merely hexadecimal format.

Taking these points together I can conclude that these could possibly be the encrypted WEP keys of a Russian router.

Or I could be totally wrong, but I really wasn't given much to work with :)

Whats it monitoring?

Sorry, dyslexia, I spelt router wrong, just went through and spell checked it, unfortunately, my spell checker saw Monitor as being spelled correctly.

Here's a way to easily pull down the data without all of that extra gui stuff: https://api.twitter.com/1/statuses/user_timeline.xml?screen_...

The maximum is 200, but you can move down the line by using since_id or max_id optional parameters. 'xml' can be replaced with 'json' or 'rss' if you'd prefer a different format.

Looking over the data briefly reveals the additonal fact that the 'source' field is populated with a link to Google. That, combined with the other accounts including one that outright says it's associated with google on its profile. So this is either google maybe doing some sort of recruiting thing, or somebody that wants us to think it's google for whatever reason. One guess is that the account name could mean Google User Notification Service.

Additionally, the tweets are published at a (more or less, this is the web) regular interval. Always around the HH:M9:30, HH:M0:00, and HH:M4:30 and HH:M5:00 marks. As stbullard speculated (https://news.ycombinator.com/item?id=4697813), there could be two instances of whatever this is running, publishing every 5 minutes independently, with one instance having the code baf200000000 associated with it and another having the id of 2350000000. Note that the length of these two are different- the former is 12 while the latter is 10. This could mean a variety of things regarding the format in which the data is published, or variance in the data itself.

It might be worth looking at the unique parts of the 235 ones as color.

If anyone can pull these tweets down into a single file and share them that would be amazing.

I suspect what you are seeing is the output of a password cracking program that is dumping out cracked MD5s or similar. The zeroes at the end is a technique that's been seen before to mark a password as cracked, see for example with the dump of the LinkedIn hack: http://news.ycombinator.com/item?id=4073309

The lesson I learn from that is that I should come up with a password that starts with 5 zeros when Sha-1'd!

Can't find anything related to this account, so I'd speculate it could be C&C for a botnet.

True this is likely some botnet coordinating where/who the C&C is currently. I wonder if this can be reverse engineered.

EDIT: I wonder if it does some sort of transform on the number to get an IP addr? perhaps its part of a IPv6 Addr?

Perhaps its a distributed brute-force on a password or checksum being carried out by a botnet? Its interesting distributed this is, too bad we dont have IP addrs associated with the posts

Or perhaps the GPS numbers are not random but do contain 'information'? Perhaps totally unrelated to geolocation?

Perhaps it is a botnet trying to locate all of its clients.

Each client has his/her own UUID(the tweet) and the geolocation is where the client is located.

It seems as though the googuns_staging was the trial, all fake/useless location and googun_prod(as the name suggests) is the actual "in-the-wild" run of locating all of its clients

Also interesting is at the moment there are many tweets ending in either a350000000 or baf200000000 but that may just be coincidence based on some counter thats incrementing

It can't be the geolocation of compromised machines unless some of them happen to be on boats or planes. Some of the geolocation coordinates are in the middle of the ocean.

True, or it could be geolocations that it failed to resolve.. but then again it would likely be the same geolocation for every time it fails to resolve

Seems so. If we take literally f.e. 1773f27ba0000000, drop off the zeroes (see, most contains zeroes), it's an IP address.

not quite there is one too many digits for it to be an IPv4 addr

17 73 f2 7b a0 00 00 00

23 115 242 123 160 00 00 00

As noted the elsewhere,

On staging, all posts end in ba0000000. On prod, all posts end in 200000000 or 350000000. Since these sequences are repeated, it seems likely they could be disregarded.

hex:fb 92 83 a3 50 00 00 00 dec:251 146 131 163 80 0 0 0

hex:10 37 ba f2 00 00 00 00 dec:16 55 186 242 0 0 0 0

they do indeed look like IP addresses. The extra number is the port(maybe). what's weird is that it's sometimes zero.

The second is a valid US ip address, owned by HP, the first is in the E-Block.

Why would a botnet use such a public C&C channel instead of IRC? And why wouldn't the C&C tweets be encoded in a less suspicious format such as comments about cats or whatever?

My bet is C&C instructions.

IRC traffic is commonly blocked, but HTTP traffic directed to Twitter is generic enough to get through most locked down networks. I doubt whoever is behind this cares if it's public data and that people see what's being posted. Public access just means any newly compromised computer can access it without anything more than a single HTTP request.

If we had access to the IP(s) posting the tweets, it'd be pretty easy to get an idea if they were malicious or not. But where's the fun in that

Wow I was looking at this exact account after that globe post haha. Bizarre.

Also there is an (inactive) GooGuns_Staging: https://twitter.com/googuns_staging

As a note, the last nine digits just alternate between 200000000 and 350000000. On staging they're simply ba0000000.

Also, Goo Guns Dev: https://twitter.com/googuns_dev

It's clearly a viral marketing ploy. Standard theme: create some type of countdown website (or some other cryptic message) then seed a few high popularity forums by pretending to have stumbled across this thing nobody would ever actually find.

Yeah, I'm looking at you DonnyV.

Sorry to burst your bubble but no. I just happened across this by accident. I'm a GIS Developer and was checking out this site. http://onemilliontweetmap.com/ I noticed there were a lot of single tweets floating out in the ocean.

or Valve.

See: Portal

It probably has nothing to do with this but there is another account https://twitter.com/googuns which claims to be associated with google . . . . In particular the page has a title "Google Notifications".

  "created_at":"Tue May 05 19:13:53 +0000 2009"

  "created_at":"Thu Sep 24 19:21:47 +0000 2009"

  "created_at":"Tue Jul 28 22:48:11 +0000 2009"

  "created_at":"Tue Jul 28 22:49:22 +0000 2009"

Did it start sending tweets then or some time later?

Additionally the 'source' field of the tweets is as follows:

<a href="http://www.google.com/ rel="nofollow">Google</a>

44 tweets and no one can see them...

It could also be a distributed game of battle ships...

each shot is defined by one unique hash and a geo location.. waiting to see a tweet about "hit" or perhaps "miss" but those wouldnt need to be ACKed

Even though this almost certainly isn't it, this is the coolest "Telematic Art Demo" idea I've heard in weeks.

I poked around the data a bit (I uploaded a JSON file below). First, I separated the tweets into two sets based on the last eight hex digits (00s and 50s). In each set, I parsed each 16-digit message as an integer, converted that to a binary string, and reversed the binary digits. Parsing that as an integer again gives numbers that roughly increase over time.

Here is a chart of the 00s (plotted against tweet number):


and of the 50s:


It's rather strange that the data isn't perfectly monotonic.

I'll look into the tweet coordinates next.

To me it looks like trying to bruteforce something and post the current sequence every 5 min.

The pattern of the gap between the times that they are tweeted is somewhat interesting too... 1 minute, 4 minutes, 1 minute, 4 minutes, 1 minute, 4 minutes, etc.

The gap for https://twitter.com/googuns_staging is 5 minutes; that account was started the same date as @googuns_prod: 28 July 2009.

I would guess googuns_prod is the output from two of whatever googuns_staging is, running at a 1-minute offset, with each thing identifying itself with the last nine digits: 200000000 and 350000000 for the production thing, ba0000000 for the staging thing.

Interesting... If we ignore the zeros and the 20/35/ba, it looks very much like the 7 digit short identifier of a git sha1.

Maybe it's just announcing a continuous deploy script saying that a particular build made it to prod/staging?

That... is the most plausible suggestion so far.

I wonder if this odd placeholder site has anything to do with it...


interesting metadata:

<meta name="keywords" content="googun googun googun googun googun googun googun googun gay gay gay gay gay gay gay gay seattle seattle seattle seattle hot hot hot hot hot hot hot hot hot Tshirts t shirt t shirt t shirt t shirt t-shirt t-shirt t-shirt coffee coffee coffee coffee coffee">

Maybe everything including this ask HN is the start of a viral marketing campaign for a new startup? Or am I being too paranoid?

Yeah, I look at all out-of-the-blue mysteries with no context as the start of viral campaigns now, they've overused that trope. I can't even get interested in this because I don't want to waste time on something that turns out to be a sales pitch, which would sort of suck if anything ever ends up being genuine.

Those keywords make sense when you google Troppio Media Ltd and look at some of the sites. (and urban dictionary "googun").

Anyone could spoof geolocation, plus why would spies use twitter of all things. this sounds more like a prank

I was actually planning on doing something like this for fun. In my case, the numbers would be generated from a random function and wouldn't mean anything. YMMV.

There's also a https://twitter.com/googuns_dev account - but 0 tweets

Well, here are two plots from the data earlier today showing some patterns: http://i.imgur.com/q2Qc0.png

Left one for the data ending with "f200000000", right one with "50000000". For these I just assumed the numbers were 64-bit little endian integers.

It could be part of someone's crazy Twitter-based deployment strategy, using Twitter as RPC or pub-sub.

Probably trying to reverse-engineer the Twitter geolocation database instead of buying one.

I collected the last 3244 tweets (a limit of the Twitter API) and posted them here in JSON for your enjoyment:


Nice, thanks.

Seems like some sort of coordination effort I'd have to guess. Perhaps for a region where Google traffic might normally be blocked, it's an alternative way to get a message in?

This is the next stage of Google's Interview Process, post riddles on the Internet, hire the people who solve it.

That account has almost as many followers as I do on twitter :'(

The birth of Skynet?

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact