Ask HN: What is this? 158268a350000000
125 points by DonnyV 540 days ago | comments
Found this twitter account https://twitter.com/googuns_prod posting these weird encrypted tweets. The locations are all over the globe. You can find them using this site http://onemilliontweetmap.com/. Anyone know what it is?


chrisacky 539 days ago | link

This is highly relevant for the conspiracy theorists.

Random number radio stations.

http://en.wikipedia.org/wiki/Numbers_station

    A numbers station (or number station) is a type of shortwave radio station 
    characterized by their unusual broadcasts, which consist of spoken words,
    but mostly numbers, often created by artificially generated voices reading 
    streams of numbers, words, letters, tunes or Morse code.

Now, if you take a look at any random tweet, you will notice that the location that it was tweeted from changes every time (often in the middle of the Sea). This could also be a hidden chunk of information that encodes/hides other relevant data.

It is certainly not by accident that the lat/lngs change on each Tweet. If I had the time as an experiment, I'd probably try and find patterns between the lng/lats to see if the decimal equivalent means anything? How hilariously awesome would it be if when mapped on a globe, it builds up a large picture. (Fair warning.. this runs WebGL and will most likely nuke your browser for a few seconds http://data-arts.appspot.com/globe-search/ )

-----

JackWebbHeller 539 days ago | link

The creepiest Numbers Station of them all: UVB-76 - http://en.wikipedia.org/wiki/UVB-76

Just listen to the buzzing sound clip... Sends chills down my spine. Then after years of 24/7/365 buzzing, a Russian voice reads a bizarre encoded message. Spooky.

-----

samwilliams 539 days ago | link

I am sure this is just interference or something, and please excuse me if this is a stupid thing to point out, but I decided to check this out and listen to the live stream of this linked to via Wikipedia, and after 5 minutes or so I started to hear a distorted conversation. It has continued ever since. Is this normal?

-----

xentronium 539 days ago | link

It's said to be quite active since 2010 [1]

[1] http://priyom.org/number-stations/slavic/s28.aspx

-----

samwilliams 539 days ago | link

I see, I was under the impression that it had died down since Feb 2011 though? That was the impression the Wikipedia article gave anyway.

-----

zalew 539 days ago | link

I bet they are probably forgotten military/security projects who now just live their own lives. Creepy anyway.

-----

xentronium 539 days ago | link

Huge archive of info about number stations (including recordings and technical errors) can be found here:

http://www.priyom.org/number-stations.aspx

'Priyom' is Russian for copy/over.

-----

blauwbilgorgel 539 days ago | link

Seems to change too often for a number station. I wonder if foreign intelligence agencies would even consider using an American company for their covert communications.

I think it is less spooky: My bet is on it being an iPhone app from years ago, maybe long pulled from the store. Its dev was using the Twitter account as a logging system. Maybe for something silly as highscores from around the world. "_dev" and "_prod" seem far too innocent names for an account that is trying to fly under the radar.

EDIT: Perhaps it is used for indexation benchmarks? Deploy a tweet with a unique string and location, and check how long it takes before it shows up in the index or notification inbox?

-----

elliottcarlson 539 days ago | link

there is also a _staging one - obviously it's some kind of output for an app of some sort. googuns itself seems to be owned by Google Notifications

-----

andyjohnson0 539 days ago | link

Check out The Conet Project [1], a set of four CDs containing recordings of numbers stations. Downloadable/listenable via the Internet Archive [2].

[1] http://en.wikipedia.org/wiki/The_Conet_Project

[2] http://archive.org/details/ird059

-----

fuzzix 539 days ago | link

If you'd like to listen in on these, you could try the Wide-band Web SDR:

http://websdr.ewi.utwente.nl:8901/

(Requires Java plugin)

-----

shanelja 540 days ago | link

The keys it is sending appear to be in pairs, in sets of 16, if you concatenate them you get the 32bit entire key. All of the keys are presented in hexadecimal format, you will notice none of the letters go above f. Most of the keys sent end in eight 0's, this would lead me to believe that this is padding and in fact, the two keys concatenate to build up one 32bit string, but if you look carefully you will note that some of them only have 7bits of padding on the end, so I will disregard this assumption.

These tweets appear to originate from Russia.

Now, common uses of 16bit (and 32bit) encryption keys are for WEP keys, traditionally used in router password protection, which can be provided either in a full ASCII spectrum or in merely hexadecimal format.

Taking these points together I can conclude that these could possibly be the encrypted WEP keys of a Russian router.

Or I could be totally wrong, but I really wasn't given much to work with :)

-----

DonnyV 540 days ago | link

What's it monitoring?

-----

shanelja 539 days ago | link

Sorry, dyslexia, I spelt router wrong, just went through and spell checked it, unfortunately, my spell checker saw Monitor as being spelled correctly.

-----

jgrahamc 539 days ago | link

I suspect what you are seeing is the output of a password cracking program that is dumping out cracked MD5s or similar. The zeroes at the end is a technique that's been seen before to mark a password as cracked, see for example with the dump of the LinkedIn hack: http://news.ycombinator.com/item?id=4073309

-----

danielweber 539 days ago | link

The lesson I learn from that is that I should come up with a password that starts with 5 zeros when Sha-1'd!

-----

parktheredcar 539 days ago | link

Here's a way to easily pull down the data without all of that extra gui stuff: https://api.twitter.com/1/statuses/user_timeline.xml?screen_...

The maximum is 200, but you can move down the line by using since_id or max_id optional parameters. 'xml' can be replaced with 'json' or 'rss' if you'd prefer a different format.

Looking over the data briefly reveals the additional fact that the 'source' field is populated with a link to Google. That, combined with the other accounts including one that outright says it's associated with Google on its profile. So this is either Google maybe doing some sort of recruiting thing, or somebody that wants us to think it's Google for whatever reason. One guess is that the account name could mean Google User Notification Service.

Additionally, the tweets are published at a (more or less, this is the web) regular interval. Always around the HH:M9:30, HH:M0:00, and HH:M4:30 and HH:M5:00 marks. As stbullard speculated (https://news.ycombinator.com/item?id=4697813), there could be two instances of whatever this is running, publishing every 5 minutes independently, with one instance having the code baf200000000 associated with it and another having the id of 2350000000. Note that the length of these two are different- the former is 12 while the latter is 10. This could mean a variety of things regarding the format in which the data is published, or variance in the data itself.

It might be worth looking at the unique parts of the 235 ones as color.

If anyone can pull these tweets down into a single file and share them that would be amazing.

-----

46Bit 540 days ago | link

Can't find anything related to this account, so I'd speculate it could be C&C for a botnet.

-----

madmaze 539 days ago | link

True this is likely some botnet coordinating where/who the C&C is currently. I wonder if this can be reverse engineered.

EDIT: I wonder if it does some sort of transform on the number to get an IP addr? Perhaps it's part of an IPv6 addr?

Perhaps it's a distributed brute-force on a password or checksum being carried out by a botnet? It's interesting how distributed this is, too bad we don't have IP addrs associated with the posts

-----

madmaze 539 days ago | link

Interesting to note is that all tweets from https://twitter.com/googuns_staging have random Lat/Long coordinates associated with it..

see: https://twitter.com/googuns_staging/status/22294385659595980...

https://maps.google.com/maps?q=-20.73906235%2C-145.82847672&...

-----

icoder 539 days ago | link

Or perhaps the GPS numbers are not random but do contain 'information'? Perhaps totally unrelated to geolocation?

-----

madmaze 539 days ago | link

Perhaps it is a botnet trying to locate all of its clients.

Each client has his/her own UUID(the tweet) and the geolocation is where the client is located.

It seems as though the googuns_staging was the trial, all fake/useless location and googuns_prod (as the name suggests) is the actual "in-the-wild" run of locating all of its clients

Also interesting is at the moment there are many tweets ending in either a350000000 or baf200000000 but that may just be coincidence based on some counter that's incrementing

-----

pyre 539 days ago | link

It can't be the geolocation of compromised machines unless some of them happen to be on boats or planes. Some of the geolocation coordinates are in the middle of the ocean.

-----

madmaze 539 days ago | link

True, or it could be geolocations that it failed to resolve.. but then again it would likely be the same geolocation for every time it fails to resolve

-----

zv 539 days ago | link

Seems so. If we take literally f.e. 1773f27ba0000000, drop off the zeroes (see, most contain zeroes), it's an IP address.

-----

madmaze 539 days ago | link

Not quite, there is one too many digits for it to be an IPv4 addr

17 73 f2 7b a0 00 00 00

23 115 242 123 160 00 00 00

-----

pyre 539 days ago | link

As noted elsewhere,

On staging, all posts end in ba0000000. On prod, all posts end in 200000000 or 350000000. Since these sequences are repeated, it seems likely they could be disregarded.

-----

adkatrit 539 days ago | link

hex:fb 92 83 a3 50 00 00 00 dec:251 146 131 163 80 0 0 0

hex:10 37 ba f2 00 00 00 00 dec:16 55 186 242 0 0 0 0

they do indeed look like IP addresses. The extra number is the port(maybe). what's weird is that it's sometimes zero.

-----

tshadwell 539 days ago | link

The second is a valid US ip address, owned by HP 16.55.186.242, the first is in the E-Block.

-----

cpeterso 539 days ago | link

Why would a botnet use such a public C&C channel instead of IRC? And why wouldn't the C&C tweets be encoded in a less suspicious format such as comments about cats or whatever?

-----

aslewofmice 539 days ago | link

My bet is C&C instructions.

IRC traffic is commonly blocked, but HTTP traffic directed to Twitter is generic enough to get through most locked down networks. I doubt whoever is behind this cares if it's public data and that people see what's being posted. Public access just means any newly compromised computer can access it without anything more than a single HTTP request.

If we had access to the IP(s) posting the tweets, it'd be pretty easy to get an idea if they were malicious or not. But where's the fun in that

-----

Permit 540 days ago | link

Wow I was looking at this exact account after that globe post haha. Bizarre.

Also there is an (inactive) GooGuns_Staging: https://twitter.com/googuns_staging

As a note, the last nine digits just alternate between 200000000 and 350000000. On staging they're simply ba0000000.

-----

martindale 539 days ago | link

Also, Goo Guns Dev: https://twitter.com/googuns_dev

-----

tobyjsullivan 539 days ago | link

It's clearly a viral marketing ploy. Standard theme: create some type of countdown website (or some other cryptic message) then seed a few high popularity forums by pretending to have stumbled across this thing nobody would ever actually find.

Yeah, I'm looking at you DonnyV.

-----

DonnyV 539 days ago | link

Sorry to burst your bubble but no. I just happened across this by accident. I'm a GIS Developer and was checking out this site. http://onemilliontweetmap.com/ I noticed there were a lot of single tweets floating out in the ocean.

-----

sukuriant 539 days ago | link

or Valve.

See: Portal

-----

madmaze 539 days ago | link

It could also be a distributed game of battle ships...

each shot is defined by one unique hash and a geo location.. waiting to see a tweet about "hit" or perhaps "miss" but those wouldn't need to be ACKed

-----

unimpressive 539 days ago | link

Even though this almost certainly isn't it, this is the coolest "Telematic Art Demo" idea I've heard in weeks.

-----

emeraldd 539 days ago | link

It probably has nothing to do with this but there is another account https://twitter.com/googuns which claims to be associated with google . . . . In particular the page has a title "Google Notifications".

-----

blauwbilgorgel 539 days ago | link

  "screen_name":"googuns"
  "created_at":"Tue May 05 19:13:53 +0000 2009"

  "screen_name":"googuns_dev"
  "created_at":"Thu Sep 24 19:21:47 +0000 2009"

  "screen_name":"googuns_staging"
  "created_at":"Tue Jul 28 22:48:11 +0000 2009"

  "screen_name":"googuns_prod"
  "created_at":"Tue Jul 28 22:49:22 +0000 2009"

-----

curiousdannii 539 days ago | link

Did it start sending tweets then or some time later?

-----

parktheredcar 539 days ago | link

Additionally the 'source' field of the tweets is as follows:

<a href="http://www.google.com/ rel="nofollow">Google</a>

-----

GotAnyMegadeth 539 days ago | link

44 tweets and no one can see them...

-----

timmclean 539 days ago | link

I poked around the data a bit (I uploaded a JSON file below). First, I separated the tweets into two sets based on the last eight hex digits (00s and 50s). In each set, I parsed each 16-digit message as an integer, converted that to a binary string, and reversed the binary digits. Parsing that as an integer again gives numbers that roughly increase over time.

Here is a chart of the 00s (plotted against tweet number):

http://i48.tinypic.com/svl4jm.png

and of the 50s:

http://i46.tinypic.com/2mn1wg7.png

It's rather strange that the data isn't perfectly monotonic.

I'll look into the tweet coordinates next.

-----
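
Added example (not part of timmclean's comment or of the original thread): the suffix split and bit reversal described in the comment above, applied to the four hex strings quoted on this page. It assumes each message is a fixed-width 64-bit word, so leading zeros are kept before reversing; the function names are hypothetical.

```python
from collections import defaultdict

# Hex strings quoted in this thread (title and comments), not a full capture.
SAMPLES = [
    "158268a350000000",
    "fb9283a350000000",
    "1037baf200000000",
    "1773f27ba0000000",
]

WIDTH_BITS = 64  # assumption: each 16-hex-digit message is one 64-bit word


def reverse_bits64(hex_msg):
    """Return the integer obtained by reversing all 64 bits of hex_msg."""
    if len(hex_msg) != WIDTH_BITS // 4:
        raise ValueError("expected 16 hex digits, got %r" % hex_msg)
    value = int(hex_msg, 16)          # raises ValueError on non-hex input
    bits = format(value, "064b")      # fixed width: leading zeros are kept
    return int(bits[::-1], 2)


def group_by_suffix(messages, suffix_len=8):
    """Split messages into streams keyed by their last suffix_len hex digits."""
    groups = defaultdict(list)
    for msg in messages:
        groups[msg[-suffix_len:]].append(msg)
    return dict(groups)


def count_descents(values):
    """Count positions where a value is smaller than its predecessor."""
    return sum(1 for a, b in zip(values, values[1:]) if b < a)


def decode_streams(messages):
    """Map each suffix to the bit-reversed integers of its messages, in order."""
    return {suffix: [reverse_bits64(m) for m in msgs]
            for suffix, msgs in group_by_suffix(messages).items()}


if __name__ == "__main__":
    for suffix, values in decode_streams(SAMPLES).items():
        print(suffix, [hex(v) for v in values],
              "descents:", count_descents(values))
```

After reversal the constant trailing digits of each message become the leading digits of the integer, which is why values within one stream stay close together. Feed `count_descents` a full, time-ordered stream to measure how far it departs from monotonic.

-----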

mosburger 539 days ago | link

The pattern of the gap between the times that they are tweeted is somewhat interesting too... 1 minute, 4 minutes, 1 minute, 4 minutes, 1 minute, 4 minutes, etc.

-----

stbullard 539 days ago | link

The gap for https://twitter.com/googuns_staging is 5 minutes; that account was started the same date as @googuns_prod: 28 July 2009.

I would guess googuns_prod is the output from two of whatever googuns_staging is, running at a 1-minute offset, with each thing identifying itself with the last nine digits: 200000000 and 350000000 for the production thing, ba0000000 for the staging thing.

-----

zacharypinter 539 days ago | link

Interesting... If we ignore the zeros and the 20/35/ba, it looks very much like the 7 digit short identifier of a git sha1.

Maybe it's just announcing a continuous deploy script saying that a particular build made it to prod/staging?

-----

tshadwell 539 days ago | link

That... is the most plausible suggestion so far.

-----

fla 539 days ago | link

To me it looks like trying to bruteforce something and post the current sequence every 5 min.

-----

manuscreationis 539 days ago | link

I wonder if this odd placeholder site has anything to do with it...

http://www.googun.com/

-----

madmaze 539 days ago | link

interesting metadata:

<meta name="keywords" content="googun googun googun googun googun googun googun googun gay gay gay gay gay gay gay gay seattle seattle seattle seattle hot hot hot hot hot hot hot hot hot Tshirts t shirt t shirt t shirt t shirt t-shirt t-shirt t-shirt coffee coffee coffee coffee coffee">

-----

lmm 539 days ago | link

Maybe everything including this ask HN is the start of a viral marketing campaign for a new startup? Or am I being too paranoid?

-----

PostOnce 539 days ago | link

Yeah, I look at all out-of-the-blue mysteries with no context as the start of viral campaigns now, they've overused that trope. I can't even get interested in this because I don't want to waste time on something that turns out to be a sales pitch, which would sort of suck if anything ever ends up being genuine.

-----

efa 539 days ago | link

Those keywords make sense when you google Troppio Media Ltd and look at some of the sites. (and urban dictionary "googun").

-----

rrmm 539 days ago | link

I was actually planning on doing something like this for fun. In my case, the numbers would be generated from a random function and wouldn't mean anything. YMMV.

-----

zerostar07 539 days ago | link

Anyone could spoof geolocation, plus why would spies use twitter of all things. this sounds more like a prank

-----

squeed 539 days ago | link

Probably trying to reverse-engineer the Twitter geolocation database instead of buying one.

-----

astrodust 539 days ago | link

It could be part of someone's crazy Twitter-based deployment strategy, using Twitter as RPC or pub-sub.

-----

timmclean 539 days ago | link

I collected the last 3244 tweets (a limit of the Twitter API) and posted them here in JSON for your enjoyment:

http://www.sendspace.com/file/7huqe8

-----

parktheredcar 539 days ago | link

Nice, thanks.

-----

stevejalim 539 days ago | link

There's also a https://twitter.com/googuns_dev account - but 0 tweets

-----

runjake 537 days ago | link

http://pastebin.com/eRbKmmCW

-----

robk 536 days ago | link

Seems like some sort of coordination effort I'd have to guess. Perhaps for a region where Google traffic might normally be blocked, it's an alternative way to get a message in?

-----

ahv 539 days ago | link

Well, here are two plots from the data earlier today showing some patterns: http://i.imgur.com/q2Qc0.png

Left one for the data ending with "f200000000", right one with "50000000". For these I just assumed the numbers were 64-bit little endian integers.

-----

datashaman 539 days ago | link

This is the next stage of Google's Interview Process, post riddles on the Internet, hire the people who solve it.

-----

gizzlon 539 days ago | link

That account has almost as many followers as I do on twitter :'(

-----

datashaman 539 days ago | link

The birth of Skynet?

-----
